OIG: 60 percent of hospitals reported unplanned EHR disruption - before rise of ransomware
Nearly 60 percent of hospitals have experienced an EHR outage. According to a new report from the Health and Human Services Office of the Inspector General, in fact, 25 percent of those that have had EHR downtime said it delayed patient care.
Put another way: 15 percent of hospitals have had a dysfunctional EHR negatively impact their ability to treat patients and 9 percent were forced to reroute patient care. What’s more, 20 percent of the outages lasted more than eight hours.
OIG found that the top cause of EHR outages is attributable to hardware malfunctioning, internet connectivity problems, power failures, natural disasters and it’s worth noting that hacking attacks only accounted for 1 percent of EHR downtime incidents.
[Cybersecurity Special Report: Ransomware to get worse, hackers hit whales, medical devices and IoT trigger new vulnerabilities]
Therein lies the rub: OIG’s data was collected in 2014. Before hackers stole medical records from Sony, before cyberthieves made off with data on some 80 million Anthem patients – and prior to ransomware becoming a household phrase in healthcare.
“Since we administered this review awareness of cybersecurity threats, health information technology has grown,” HHS Inspector Daniel Levinson wrote in the report. “Stakeholders in government, healthcare, and information technology sectors have raised concerns about vulnerabilities in networked medical devices that may put hospital networks and EHR systems at risk.”
Thickening the plot, HHS Office for Civil Rights began the second wave of HIPAA audits in March of this year, which includes EHR contingency plans, and in mid-July released guidance on ransomware, essentially saying such attacks can be considered HIPAA breaches and subject to penalties.
The good news is that 95 percent of healthcare organizations have contingency plans in place for EHR disruptions and most of those address three of the four HIPAA requirements of having data backup, disaster recovery and emergency operations plans, while 68 percent have the fourth HIPAA measure of testing and revision procedures in place.
“Disruptions to EHRs from these and other threats can present significant safety risks to patients,” Levinson wrote. “Contingency plans are crucial because they are designed to minimize the occurrence and effects of such disruptions.”
OIG recommends that in addition to putting HIPAA measures in place, hospitals should continuously update their contingency plans and institute a cyberscecurity framework from the National Institute of Technology and Standards or follow the Office of the National Coordinator’s SAFER Self-Assessment recommended practices.
And the Inspector General has some words of advice for OCR, too.
“OIG previously recommended that OCR fully implement a permanent audit program to assess compliance with HIPAA requirements,” Levinson wrote. “And recent events underscore the importance of this recommendation.”