Physicians felt the pain this summer when a malware attack hit Nuance Communications, a voice transcription service for healthcare providers.
Some physicians couldn’t use the company’s technology, which added dictated notes into electronic health records (EHRs), as a result of the cyberattack on the company.
The incident shows that a physician can have problems with his or her EHR even if they’re not a victim of a direct cyberattack, said Cliff Baker, chief executive officer of Meditology, a health IT security services company.
In fact, there are many threats besides a direct cyberattack that could bring down or cripple an EHR, health IT experts said.
Fires and floods can take out onsite computer servers running the EHR software. Construction mishaps and power surges can knock out electricity or Internet connections. Faulty system upgrades and corrupt code can cause a system crash. Baker said he saw one system failure caused when someone unplugged a piece of critical hardware.
“It’s a likelihood that you won’t have access to your clinical information at some point for any number of reasons, so you need to think through what you would do without it,” said Andrew Gettinger, MD, chief medical information officer and director of the Office of Clinical Quality and Safety for the Office of the National Coordinator for Health Information Technology.
Certainly, physicians will need to contact their EHR vendor as well as their IT providers if their EHR crashes.
But experts said that action alone will not be enough to ensure the practice can continue to operate while systems are down.
Gettinger said physicians should determine in advance what other steps to take in case of a system failure and formalize them in a disaster recovery-business continuity plan based on their risks and requirements.
Key strategies to work into a plan include:
- Backup files and information on how to access them. Gettinger said backups, whether cloud-based or on discs or tapes, should be held outside the geographic region that houses the main system, so if a local event takes out the main EHR, it won’t take out the backup system as well.
- An uninterruptible power supply, an electrical device that provides near-instantaneous emergency power to computer hardware for a short duration of time, and/or an emergency generator to power systems if electricity is out.
- Contracts that specify in detail what the EHR vendor is required to do in such events.
- Paper charts. Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society North America, said physicians should draft chart templates in advance, drawing on their own work processes to determine what information they want to have in front of them about any given patient. “Make sure you have every data point you need on that template,” Kim added.
- A plan to ask scheduled patients to bring printed copies of relevant records if they can access them via a patient portal from their own computers.
- A way to adjust schedules until full functionality is restored. “Your efficiency will be lower, so you’ll want to account for that – perhaps by stretching out time for each appointment,” Gettinger said.
- Regular drills. “One should consider practicing in advance, because the more you practice for things, the more likely it is to go smoothly when you do have an outage,” Gettinger said.