Protecting patients in a cyberattack: Guidance from The Joint Commission

With scores of cybersecurity attacks affecting healthcare organizations, industry analysts say it’s imperative for hospital leaders to focus on emergency response plans.

Since many health systems are likely to be attacked, if they haven’t already, it’s vital to develop plans to ensure patient care can continue, even if systems are down.

The Joint Commission published some guidelines last week for hospitals and health systems to respond to cyberattacks and continue caring for patients.

In 2022, there were 707 health data breaches exposing more than 51 million patient records, the commission notes, citing federal statistics. More than 300 breaches were reported in the first six months of this year, according to data from the U.S. Department of Health and Human Services.

• Read more: Here are the 10 biggest health data breaches in the first half of 2023

Cybersecurity attacks are affecting patient care, according to healthcare leaders and IT professionals.

Here are some key recommendations from the Joint Commission.

Be ready to be down

Health systems must focus on developing plans to ensure patient services can continue for an extended period. Those services include intensive care units, medical records, pharmacy, laboratory, oncology, and services for vulnerable patients, including infants.

Hospitals must figure out how to work without access to their electronic medical records. And they should plan to continue care beyond a few days.

“Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer,” the commission suggests.

Health systems need to develop contingency plans if they manage electronic records from a central location, and if disruptions are occurring at multiple hospitals.

• Read more: Paying the ransom: A special report

Form a planning committee

Hospitals should form committees to develop plans for operating if and when systems go down.

The committees should include members from across the organization, including leadership, IT experts, hospital emergency managers, inpatient units, nursing, pharmacy, operating rooms, and food services, among others. Basically, every department should be included.

The committee could also include key vendors.

Develop procedures

Hospitals must establish procedures to follow if systems are compromised in a cyberattack. Some of those plans should involve moving to faxes and pen and paper. Hospitals should try to match paper resources that are similar in format to electronic systems, instead of using old paperwork.

Pharmacies will need enough fax machines (and paper) to handle orders, including a dedicated fax machine for STAT orders, the commission suggests.

Hospitals will need to develop procedures for scheduling, processing and documenting patient visits. And they’ll also have to collect information such as allergies, medications and family histories.

They’ll also need to figure out how to maintain the ability to perform essential tests in the laboratory.

Hospitals will need to establish plans to transfer patients if necessary. Hospitals should form partnerships with other hospitals and systems to enable transfers in the event of a cyberattack. When Scripps Health suffered a ransomware attack in 2021, other hospitals were affected. Nearby hospitals had to accept an influx of stroke patients.

Establishing response teams

Hospitals should form teams that are assigned to respond to cyberattacks.

The team would be tasked with analyzing the damage of the attack and whether the hospital should move fully to downtime procedures. The response team also communicates with the system’s leadership and works to ensure patient safety.

The commission notes that Massachusetts General Hospital employs two response teams: one to assess the attack and its impact, and another team is designed to manage the crisis.

Train for downtime procedures

Hospitals will have to train staff - and leaders - in operating under downtime procedures for an extended period, the commission says.

The training should include anyone involved in patient care or essential services, including part-time staff, temporary employees and even volunteers.

Hospitals must develop drills for downtime and practice them on a regular basis, the commission says. Those drills could be done annually or even quarterly.

Health systems should have “clinical continuity” plans to treat trauma, stroke and heart attack patients without typical imaging technology, along with plans to continue radiation therapy and chemotherapy for cancer patients.

Communication is critical

Hospitals must communicate which systems are affected in a cyberattack, as well as those that are still functioning. Communication plans should include reaching out to staff, patients, families and clinical affiliates.

Health systems should offer frequent updates on response steps and the progress of restoration efforts.

Assuming the cyberattack hasn’t affected the system’s website, hospitals should post communications and status updates online.

Inside the hospital, leadership should check in on departments affected by the attack, and staff should have frequent huddles. Hospitals can also schedule town hall meetings or email newsletters to keep staff informed.

Post-event analysis

When the situation has stabilized, hospitals should evaluate their response to a cyberattack and identify what went right and what went wrong.

Health systems should replace affected hardware and software if needed, and employ password resets after an attack.

In this video, cybersecurity experts and leaders talk about the question of paying ransom demands.