- Healthcare cybersecurity was listed as one of the top safety issues for hospitals and other healthcare facilities, behind severe weather and active shooter incidents, according to a survey of 300 healthcare safety professionals by Rave Mobile Safety.
While top most in the minds of healthcare professionals, cyberattacks did not rank as one of the top day-to-day incidents they have experienced. Instead, system outages and weather-related events were the top incidents.
Survey respondents included personnel involved in healthcare emergency management and preparedness, security, operations, compliance, IT, and environmental, health, and safety.
“During the times of crisis, patients, employees and the larger community expect hospitals to maintain operations without any interruption,” said Middlesex Safety and Emergency Management Coordinator Kevin McGinty.
“An emergency communications process that operates smoothly, quickly and with minimal intervention is key. Maintaining a common operating picture, especially with geographically separate facilities, is critical during events.”
Email is the most common communication channel during a variety of situations, including workplace emergencies and shift coverage, the survey found. At the same time, hospitals and other healthcare facilities use text messaging and phone tree/automated voice mail to communication with on-site employees.
For visitors, hospitals communicate using digital signage (64 percent), intercom communication systems/building alarms (29 percent), and email (19 percent). For traveling employees, 51 percent of hospitals use text message to communicate and 49 percent use automated voicemails or phone trees.
“Healthcare systems are growing at an unprecedented rate and are expanding beyond hospital settings to include clinics, specialty facilities and administrative offices – something we haven't dealt with previously,” said Hartford HealthCare System Director of Emergency Management Patrick Turek.
“We now have hundreds of different departments and a mobile workforce that is moving to various sites throughout our system. They expect that their emergency communications are uniform and on their device of choice, regardless of where they are located.”
Sixty percent of respondents conduct fire drills every quarter, yet only 18 percent experienced a serious fire-related incident in the last two years.
More than half of respondents said they have faced severe weather events in the past two years, yet many have not held a weather-related drill in over a year. By contrast, the Joint Commission on the Accreditation of Healthcare Organizations recommends that hospitals conduct regular testing and drills of emergency response plans and procedures.
“Periodic testing of an emergency operation plan enables organizations to assess the plan’s appropriateness, adequacy, and the effectiveness of logistics, human resources, training, policies, procedures, and protocols. Exercises should stress the limits of the organization’s emergency management system. The goal of this testing is to assess the organization’s preparedness capabilities and performance when systems are stressed during an actual emergency,” the commission explained.
“The healthcare industry is undergoing many changes. Mergers and acquisitions, as well as the decentralization of hospitals and healthcare facilities into smaller outpatient and acute-care facilities, are changing how the healthcare industry operates,” said Rave Mobile Safety COO Todd Miller.
“Healthcare professionals must think about how this will affect security and emergency preparedness across their organizations,” he added.
In an emergency, healthcare organizations should also keep in mind that they still have to comply with HIPAA, unless the HHS secretary issues a HIPAA waiver.
“As a general rule of thumb, my guidance to our healthcare provider clients would be that HIPAA largely still applies in an emergency. But do what's in the best interests of your patients and your community and that will usually put you on the right track to meet your compliance obligations in a disaster situation,” Dave Gacioch, a healthcare attorney with McDermott Will & Emery told HealthITSecurity.com in earlier feature article.
The bottom line is hospitals and other healthcare organizations should seek a balance between disclosing patient information when necessary to respond to an emergency and protecting patient privacy. This balance should be incorporated into a health organization’s emergency preparedness and response plan.