Joint Commission Issues Sentinel Event Alert on Cybersecurity in Health Care
As industry stakeholders know, cyberattacks and breaches have been on the rise in the health care industry. IBM Security’s 2023 annual report notes that the average health care data breach has reached $10.93M and that health care is the industry with the most expensive data breaches for 13 years running (by a lot). U.S. Department of Health and Human Services data indicates that in 2022 alone, data breaches exposed more than 51.9M patient records affecting every size of health care entity. While cyberattacks may have begun with typo-laden, obvious social engineering and phishing email schemes, the attacks are now complex and sophisticated and can quickly disable critical IT systems and bring patient care to a halt (or worse, result in patient harm). The increase in incidents is driven in part by the increasing dependence on internet-connected devices and systems throughout the patient care experience.
The Joint Commission (TJC) recently issued a sentinel event alert addressing patient safety after a cyberattack. The alert ties cyberattack preparedness to TJC's existing emergency management standards, and its guidance is useful even for entities that are not directly regulated by TJC. Specifically, those standards include:
- Emergency Management (EM) Standard EM.11.01.01 requires a hospital to conduct a hazards vulnerability analysis that includes human-caused hazards such as cyberattacks.
- Standard EM.13.01.01 requires a continuity of operations plan.
- Standard EM.14.01.01 requires a disaster recovery plan.
- Standard EM.15.01.01 requires emergency management education and training.
TJC’s specific directives include the following:
- Evaluate Hazards and Set Priorities. Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer. To prepare for potential downtime, organizations should prioritize services for focused emergency operations consistent with the entity’s Emergency Operations Plan. Systems to consider include:
  - Pharmacy (medication order entry systems that provide dosage scrutiny, drug interactions, allergy information, reconciliation, etc.)
  - Lab, radiology, pathology, and other high volume and high acuity service lines
  - Vulnerable systems like admissions, patient movement and transfer within the facilities, patient discharge, and referral

  For such systems, outages may affect broad geographic areas rather than isolated facilities. Prioritizing resources for these emergencies is critical.
- Form a Downtime Committee. This committee should represent all stakeholders, e.g., IT, operational leadership, emergency managers, admitting/scheduling offices, human resources, key outside vendors (e.g., your attorney), etc. The committee should develop preparedness actions and mitigation, including proactive tasks, real-time coordination with the emergency management team, and post-mortem/root cause analysis.
- Implement Downtime Plans. These plans would inform workforce members on specific steps to take during downtime and should be regularly revisited and updated. The plans might require compiling “downtime packages” with materials and resources to be followed during downtime, including when to declare downtime, shut down systems, or limit/cancel elective services. For example, consider fax capabilities, paper and pen resources for orders, warm handoffs, engaging with law enforcement and regulators, use of personal devices to access web-based references, and more. Paper forms should match current electronic systems. Downtime packages should be accessible offline. Remember that certain downtime packages may increase privacy and security risks, which should be factored into downtime committee planning.
- Create a Response Team. This interdisciplinary team would be tasked with evaluating the severity of the cyberattack, determining whether to enter downtime, directing staff on downtime procedures, and communicating with leadership.
- Train All Staff, not just IT Professionals. Historically, IT staff alone were tasked with preparing for and responding to a cyberattack. For maximum preparedness, all staff providing services, including volunteers, students, and contract workers, should be trained early and often about downtime operations. This training may also include specific clinical planning for services that may be difficult to provide without imaging and lab services, e.g., how to treat stroke, trauma, and heart attack patients without the availability of normal imaging technology and catheterization labs, and how to continue delivering radiation oncology and chemotherapy. The clinical continuity plan (unlike an IT business continuity plan) should be a key part of training.
- Establish Internal and External Communication Methodologies. Providing clear information and consistent updates is key to keeping stakeholders informed throughout a cyberattack. Entities should consider preparing template communications (e.g., alert messages and talking points), as well as plan for communicating without email. In addition to staff alerts, planning for patient and family alerts should include information about day-to-day patient activities (such as procedures and medication), with additional information provided to patients who may have a medical device affected by an incident. Consideration should also be given as to how to handle media and ensuring accurate information is disseminated to the public. We recommend working with legal counsel in developing template messaging and communication strategies.
- Conduct a Post-Mortem and Make Improvements. A key part of recovery is restoration of systems with current and accurate data, including authentication of transcribed orders. Once recovery is complete, external reporting requirements are met, compromised hardware/software is replaced, and systems are restored, organizations are not yet done with incident response. Entities should regroup and assess what worked, what did not work, and what opportunities exist for improved response when the next incident occurs—and make necessary improvements.
Health care entities are at increasing risk of experiencing a cyberattack that affects patient care. With focused planning, targeted staff training, and calm, consistent communication, entities can ensure that safe patient care remains at the forefront.
For assistance in incident preparedness, response, or recovery, please contact any member of the Quarles Data Privacy & Security Team, your Quarles attorney, or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Sarah Coyne: (608) 283-2435 / sarah.coyne@quarles.com
- Kaitlyn Fydenkevez: (202) 780-2642 / kaitlyn.fydenkevez@quarles.com
- Ben Lockwood: (414) 277-5661 / ben.lockwood@quarles.com