- Researchers have found that healthcare providers are doing a good job of implementing recommendations in the ONC SAFER Guides’ contingency planning guide, which was updated last year to incorporate strategies for ransomware attack mitigation.
Last year, the ONC updated its SAFER Guides to include contingency planning best practices that healthcare providers should adopt to lessen the impact of ransomware attacks and other EHR system downtime events.
Researchers from a range of US universities and institutions recently conducted a study examining to what extent eight healthcare organizations were implementing recommendations from the SAFER Guides, initially published by ONC in January 2014.
The nine SAFER Guides are compilations of evidence-based, expert-recommended practices. Each guide includes recommendations, checklists, and note templates that can be used to assess the safety and usability of EHRs.
The researchers found that adoption of the contingency planning guide was strong, even though across-the-board adoption of the SAFER Guides was weak, with only 25 of 140 recommendations, or 18 percent, being fully implemented by all the organizations studied.
The contingency planning guide came in third in terms of recommendations fully implemented by the organizations, behind system interfaces and patient identification guides. Notably, all contingency planning recommendations were fully implemented by at least one organization.
Particularly relevant for ransomware attacks, the recommendation that patient data and software application configurations crucial to the organization’s operations be backed up was fully implemented by all eight organizations.
The contingency planning guide falls under the broader infrastructure category. The researchers found that the eight organizations fully implemented 81.7 percent of the infrastructure recommendations, while they fully implemented only 71 percent of the clinical process recommendations.
“Full implementation of the SAFER recommendations will require organizational prioritization, resource allocation, policy changes, and vendor participation,” the researchers concluded.
The eight healthcare organizations studied by the researchers were the University of California San Diego Health System (2 campuses, 800 beds), Virginia Commonwealth University Health System in Richmond (865 beds), Memorial Hermann Health System in Houston (13 hospitals), Harris County Health System in Houston (3 hospitals, 700 beds), Sydney Local Health District in Sydney, Australia (10 hospitals, 4341 beds), University of Michigan in Ann Arbor (3 buildings, 1000 beds), Bronson Healthcare Group in Kalamazoo, Michigan (4 hospitals), and the Cincinnati Veterans Affairs Medical Center (268 beds).
In the contingency planning guide, ONC stressed that EHR unavailability, for whatever reason, poses significant patient safety hazards, including increased risk of medication errors, unavailability of medical images, and canceled procedures.
“EHR safety and effectiveness can be improved by establishing proper downtime procedures, policies, and practices,” the guide observed.
In addition to backing up patient data and software application configurations, the guide recommended that hardware that runs applications critical to the organization's operations be duplicated and that paper forms be available to replace key EHR functions during downtime.
Other ransomware-related recommendations in the guide include:
• Policies and procedures are in place to ensure accurate patient identification when preparing for, during, and after downtimes
• Staff are trained and tested on downtime and recovery procedures
• Communication strategy that does not rely on the computing infrastructure exists for downtime and recovery periods
• Written policies and procedures on EHR downtimes and recovery processes ensure continuity of operations with regard to safe patient care and critical business operations
• User interface of the locally maintained backup, read-only EHR system is clearly differentiated from the live/production EHR system
• Users are trained on ransomware prevention strategies including how to identify malicious emails
• There is a comprehensive testing and monitoring strategy in place to prevent and manage EHR downtime events
“While this guide focuses on patient safety, many of its recommendations overlap with standards and implementation specifications of the HIPAA Security Rule, which focuses on ensuring the confidentiality, integrity, and availability of electronic protected health information,” the guide explained.
ONC stressed that completing the guide’s checklist does not ensure HIPAA compliance.
“We encourage coordination of completion of the self-assessment in this SAFER Guide with contingency planning for purposes of HIPAA compliance to provide a uniform approach to patient safety and data protection,” the guide advised.