Best practices for ransomware attack mitigation and prevention, along with general contingency planning, were recently discussed in updated SAFER Guides from the ONC.
First published in January 2014, the SAFER Guides “provide an easy-to-use template for voluntary provider self-assessment of EHR safety related vulnerabilities,” according to an ONC blog post.
“The Guides are compilations of evidence-based, expert-recommended practices for a key focus area, in a checklist-based format. Each Guide includes recommendations, checklists, and note templates that can be used by teams to thoroughly assess the safety and usability of EHRs while lessening data-related burdens,” wrote several ONC employees, including Acting Deputy National Coordinator for Health IT Andrew Gettinger, M.D.
The Contingency Planning SAFER Guide specifically discusses how healthcare organizations can best approach planned or unplanned EHR downtime. Such downtime can result from a ransomware attack, or from hardware or infrastructure failures.
“Such unavailability can introduce substantial safety risks to organizations that have not adequately prepared,” ONC explained on its website. “Effective contingency planning addresses the causes and consequences of EHR unavailability, and involves processes and preparations that can minimize the frequency and impact of such events, ensuring continuity of care.”
EHR unavailability can also lead to numerous potential issues, such as medication errors, unavailability of images, and canceled procedures. There must be substantial contingency planning, including a contingency planning team working with practicing clinicians, ONC noted.
Clinician and staff member collaboration is also emphasized in the guide, which includes a self-assessment to “enable an accurate snapshot of the organization’s EHR contingency planning status (in terms of safety).” The guide also maintains that the self-assessment “should lead to a consensus about the organization’s future path to optimize EHR-related safety and quality.”
HIPAA compliance must still be maintained in addition to following the contingency planning guide, according to ONC. Although the guide overlaps with some of the HIPAA Security Rule standards and implementation specifications, organizations should note that completing the guide's self-assessment does not by itself establish HIPAA compliance.
“Creating a contingency plan as required by the HIPAA Security Rule will address many, but not all, of the recommended safety-oriented practices in this guide,” ONC pointed out. “We encourage coordination of completion of the self-assessment in this SAFER Guide with contingency planning for purposes of HIPAA compliance to provide a uniform approach to patient safety and data protection.”
Another updated SAFER Guide recommended improvements for communication of abnormal results to patients, based on recommendations from the National Academy of Medicine. The Test Results Reporting and Follow-Up SAFER Guide discusses safety practices for EHR technology for the electronic communication and management of diagnostic test results.
“In the EHR-enabled healthcare environment, providers rely on technology to support and manage the reporting and follow-up of test results,” ONC stated on its website. “This guide offers recommended practices related to the content and communication of test results to the clinician, as well as recommended practices related to the documentation and follow-up of test results.”
ONC also recommended that healthcare organizations “optimize the safety and safe use of the EHR with respect to diagnostic testing.” Collaboration between clinicians and staff members is also essential in the second guide’s self-assessment.
Specifically, the self-assessment “should lead to a consensus about the organization’s future path to optimize EHR-related safety and quality: setting priorities among the recommended practices not yet addressed, ensuring a plan is in place to maintain recommended practices already in place, dedicating the required resources to make necessary improvements, and working together to mitigate the test results-related safety risks introduced by the EHR.”
Federal agencies are working to ensure that healthcare organizations can properly prevent and mitigate ransomware attacks.
HHS released guidance in 2016, explaining that conducting a risk analysis, regular user training, and maintaining an overall contingency plan will help in ransomware prevention.
“Organizations need to take steps to safeguard their data from ransomware attacks,” wrote Jocelyn Samuels, OCR Director at the time of the guidance release. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”