The latest research indicates that ransomware attacks continue to pose a serious risk to U.S. hospitals. According to HIPAA Journal, there were 181 confirmed ransomware attacks on U.S. healthcare providers in 2024, putting hospital downtime system procedures to the test. In the end, the impact of IT downtime in healthcare systems attributable to cyberattacks was staggering:
- Ransomware-related breaches affected 25.6 million patient records nationwide.
- The average ransom demanded was $5.7 million and the average ransom paid was $900,000.
- A University of Minnesota study found that patient mortality rates increase 20% during ransomware attacks, with the most severe attacks causing 36-55% higher mortality among patients already admitted.
Healthcare organizations have come to the conclusion that it is only a matter of when, not if, they are targeted by cybercriminals. Furthermore, daily news feeds offer a reminder that not all unplanned IT downtime events are the result of criminal activity. Hospital disaster recovery plans are stretched to the limit each year by hurricanes, tornados, floods, fires and other events. Even something as simple as a burst water pipe can trigger downtime procedures in healthcare environments.
The outcome is the same whether the event is man-made or natural. Whenever healthcare document management processes are compromised, patient safety is jeopardized, the quality of care suffers and organizational efficiency plummets. The question is, how can hospitals go about preparing for IT downtime in healthcare environments? What solutions for hospital downtime are available and how can they be built into hospital disaster preparedness plans?
This blog will explore the topic of downtime procedures in healthcare by focusing on three primary questions:
- What does downtime mean in a hospital environment?
- What is EHR downtime and why is it so important?
- What are downtime procedures in healthcare all about and how do they help to ensure effective healthcare delivery? Specifically, we will examine five common strategies related to healthcare disaster recovery and describe how each mitigates the impact of IT downtime in healthcare.
What does downtime mean in a hospital?
In the simplest terms, “downtime” refers to any period when a hospital’s systems or services are unavailable or are operating at reduced capacity. While the term is often associated with the impact of IT downtime in healthcare environments, downtime can also result from ordinary physical infrastructure limitations. For this reason, downtime falls into two basic categories.
Planned downtime
Scheduled maintenance, remodeling projects and ongoing upgrades to IT systems can create periods of downtime in a healthcare environment. These are typically communicated in advance to staff and planned for accordingly.
Unplanned downtime
These are the unexpected outages caused by hardware failures, software bugs, cyberattacks or environmental hazards (e.g., fire, flood, storm damage) that result in conditions that hinder the delivery of care.
Hospitals operate in a high-stakes environment where every second counts. Regardless of whether the downtime event is planned or unplanned, a trio of negative outcomes is possible.
- Patient safety risks increase: Delays in accessing patient histories, allergies or medication orders can lead to errors. (See the University of Minnesota study noted above.)
- Operational disruptions occur: Admissions, discharges and billing processes slow down, creating bottlenecks.
- Negative financial impacts are realized: Downtime costs U.S. hospitals millions of dollars annually, taking yet another slice out of razor-thin operating margins.
What is EHR downtime?
Electronic Health Records (EHRs) are the backbone of modern healthcare and are used to store everything from patient demographics and medical histories to lab results, imaging reports and medication lists. While a power outage can typically be overcome by the use of an emergency backup generator, EHR downtime solutions require a much more sophisticated approach. That’s because EHR downtime is a potentially catastrophic event for several reasons.
Loss of real-time data access
When EHR downtime occurs, clinicians can’t view lab results, imaging studies or medication orders.
Medication errors
Without electronic prescribing, there’s a higher risk of incorrect dosages or drug interactions.
Delayed care
Critical decisions — such as whether to administer a life-saving drug — may be postponed.
Compliance risks
Hospitals are required to maintain accurate records for regulatory and legal purposes. Manual documentation during downtime, compiled outside of the EHR system, can lead to gaps or errors.
What are downtime procedures in healthcare?
Given the high stakes involved, hospital disaster recovery plans include detailed hospital downtime system procedures that are designed to ensure continuity of care and minimize patient risk. The following are five common ways of preparing for IT downtime in healthcare — including EHR downtime solutions that help mitigate the loss of an EHR system.
1) Planning for the worst case
The Joint Commission has proposed a number of ways that healthcare organizations can soften the impact of IT downtime in healthcare — such as that resulting from a cyberattack. Several of their recommendations can be summed up by the concept of planning for the worst-case scenario.
- Organizations should conduct detailed “hazards vulnerability analyses” and then plan for life- and safety-critical technology being offline for a month or more.
- Multidisciplinary planning committees representing every significant stakeholder group in the organization should be created to outline specific preparedness actions and mitigation steps.
- Interdisciplinary response teams should be designated to assess the severity of an attack as it happens, determine whether full “downtime mode” is warranted, and direct staff to act accordingly to ensure patient safety.
- All of these strategies, in turn, should be documented in a hospital disaster recovery plan and updated regularly to ensure a continuous state of readiness.
2) Stockpiling pre-printed clinical forms
An immediate concern whenever a hospital’s IT network is interrupted is the loss of access to critical healthcare documents. Without them, something as simple as prescribing a medication or discharging a patient requires an error-prone workaround. These risks are compounded when medical procedures requiring informed consent are involved.
A common approach to this risk is to pre-print vital clinical forms and other healthcare documents — including those that otherwise exist only in digital form — and place them in storage to await an unplanned downtime event. While certainly better than nothing, it's worth noting that this strategy is fraught with problems.
- Clinical forms are constantly changing. Pre-printing and placing healthcare documents in storage essentially guarantees that outdated forms will be used in the event of a downtime emergency.
- Stockpiling pre-printed documents, especially those prone to frequent obsolescence, is enormously wasteful from the standpoint of healthcare document management. A hospital system will likely need to discard entire pallets full of paper documents as the pre-printed forms become too outdated to use.
- Converting a digital form to a stockpiled paper equivalent contradicts the intent behind the Meaningful Use of electronic health records (EHRs). While it may be necessary to use a paper facsimile of a form during a downtime crisis, it would be best to start with the most current (i.e., digital) version of that form.
3) Employee training
One of the best ways of preparing for IT downtime in healthcare environments is to use proactive training aimed at preventing a downtime event from occurring. In particular, research shows that employee training can substantially reduce a healthcare system’s vulnerability to ransomware and malware attacks. The cybersecurity awareness experts at KnowBe4 released a Phishing by Industry Benchmarking Report as a way of measuring an organization’s risk of succumbing to a phishing or social engineering scam.
Likewise, The Joint Commission notes that employees at all levels must be trained in how to respond to a downtime event after one happens. Full-scale exercises can simulate downtime events so staff members know how to access paper-based resources and redundant systems. It’s also wise to train staff in “clinical continuity plans” for the worst case: for example, how to treat a heart attack patient if imaging technology and cath labs are unavailable.
4) Communicating through every available means
When an IT downtime event occurs, clear and decisive communications are needed in the moment. The incident might very well impact email, intranets and digital telephone systems. Alternate modes of communication including signs, flipcharts, portable radios and public address (PA) systems may be necessary to get the word out.
Regardless of the method, it’s vital that the following types of information be communicated as soon as they become available:
- Which systems are impacted, and which are not.
- Which clinical and non-clinical downtime procedures are in place.
- What is being done to address the situation, along with regular updates.
The need to communicate doesn’t end with staff members. Patients, visitors and family members must be kept informed every step of the way as well.
5) Backing up critical data and systems
Of course, even the best-trained employee can be fooled by a phishing scam and hurricane-force winds can create complications that the most detailed hospital disaster preparedness plan could not envision. Another layer of defense is needed — one that ensures that up-to-date versions of healthcare documents are continuously available no matter what.
As noted in an earlier blog post, IT backup strategies were cited as a key defense against downtime events, including those caused by hospital ransomware attacks. Specifically, healthcare organizations were encouraged to adopt a 3-2-1 approach to backups. That is, save three or more copies of all critical data in at least two different formats with one copy stored entirely offline, inaccessible to cybercriminals (and Mother Nature).
Such backup strategies are currently the most powerful way of preparing for IT downtime in healthcare systems. However, backups are best viewed as complementary to the other approaches noted above. It may be helpful to think of them as concentric circles rather than independent options.
- Level 1: Engage health information technology (HIT) professionals to develop a 3-2-1 backup strategy such as that outlined by CISA, the FBI and HHS.
- Level 2: Train all hospital staff members to recognize phishing and social engineering scams on sight and reinforce how to implement hospital downtime system procedures when a downtime event occurs.
- Level 3: Ensure that hospital staff members have instant, uninterruptible access to key healthcare documents whenever a downtime event occurs — regardless of cause. Doing so is an example of a 3-2-1 backup strategy in action.
iMedDowntime: Preparing you for IT downtime in healthcare
iMedDowntime from Taylor Healthcare is a proprietary solution for hospital downtime events of every type. Part of Taylor Healthcare’s iMedHealth suite of technologies, iMedDowntime empowers hospitals and clinics to maintain normal operations without sacrificing efficiency or the quality of patient care — regardless of IT network status.
- Registrars can search patient records and print admissions packets while the admission, discharge and transfer (ADT) system is down.
- Nurses can print healthcare documents, labels and wristbands — complete with patient demographics and barcodes — while the EHR is down.
- Physicians can access condition-specific protocols and continue to provide the same level of care as if the network were still live.
Best of all, iMedDowntime makes the stockpiling approach — and all of the drawbacks that come with it — entirely unnecessary. The iMedDowntime software is designed to quietly reside within individual computer workstations and “wait” in the background until needed. If a downtime event occurs, hospital staff simply access the most up-to-date versions of the clinical forms and documents they need to sustain operations.
Looking for ways to upgrade your hospital downtime system procedures? Want to mitigate the impact of IT downtime in healthcare environments? Contact your Taylor Healthcare representative to learn more about iMedDowntime and our iMedHealth downtime preparedness strategies.