The latest research indicates that ransomware attacks continue to pose a serious risk to U.S. hospitals. According to HIPAA Journal, there were 181 confirmed ransomware attacks on U.S. healthcare providers in 2024, putting hospital downtime system procedures to the test. In the end, the impact of IT downtime in healthcare systems attributable to cyberattacks was staggering:
Healthcare organizations have come to the conclusion that it is only a matter of when, not if, they are targeted by cybercriminals. Furthermore, daily news feeds offer a reminder that not all unplanned IT downtime events are the result of criminal activity. Hospital disaster recovery plans are stretched to the limit each year by hurricanes, tornados, floods, fires and other events. Even something as simple as a burst water pipe can trigger downtime procedures in healthcare environments.
The outcome is the same whether the event is man-made or natural. Whenever healthcare document management processes are compromised, patient safety is jeopardized, the quality of care suffers and organizational efficiency plummets. The question is, how can hospitals go about preparing for IT downtime in healthcare environments? What solutions for hospital downtime are available and how can they be built into hospital disaster preparedness plans?
This blog will explore the topic of downtime procedures in healthcare by focusing on three primary questions:
In the simplest terms, “downtime” refers to any period when a hospital’s systems or services are unavailable or are operating at reduced capacity. While the term is often associated with the impact of IT downtime in healthcare environments, it can also result from ordinary physical infrastructure limitations. For this reason, downtime falls into two basic categories.
Scheduled maintenance, remodeling projects and ongoing upgrades to IT systems can create periods of downtime in a healthcare environment. These are typically communicated in advance to staff and planned for accordingly.
These are the unexpected outages caused by hardware failures, software bugs, cyberattack or environmental hazards (e.g., fire, flood, storm damage) that result in conditions that hinder the delivery of care.
Hospitals operate in a high-stakes environment where every second counts. Regardless of whether the downtime event is planned or unplanned, a trio of negative outcomes is possible.
Electronic Health Records (EHRs) are the backbone of modern healthcare and are used to store everything from patient demographics and medical histories to lab results, imaging reports and medication lists. While a power outage can typically be overcome by the use of an emergency backup generator, EHR downtime solutions require a much more sophisticated approach. That’s because EHR downtime is a potentially catastrophic event for several reasons.
When EHR downtime occurs, clinicians can’t view lab results, imaging studies or medication orders.
Without electronic prescribing, there’s a higher risk of incorrect dosages or drug interactions.
Critical decisions — such as whether to administer a life-saving drug — may be postponed.
Hospitals are required to maintain accurate records for regulatory and legal purposes. Manual documentation during downtime, compiled outside of the EHR system, can lead to gaps or errors.
Given the high stakes involved, hospital disaster recovery plans include detailed hospital downtime system procedures that are designed to ensure continuity of care and minimize patient risk. The following are five common ways of preparing for IT downtime in healthcare — including EHR downtime solutions that help mitigate the loss of an EHR system.
The Joint Commission has proposed a number of ways that healthcare organizations can soften the impact of IT downtime in healthcare — such as that resulting from a cyberattack. Several of their recommendations can be summed up by the concept of planning for the worst-case scenario.
An immediate concern whenever a hospital’s IT network is interrupted is the loss of access to critical healthcare documents. Without them, something as simple as prescribing a medication or discharging a patient requires an error-prone workaround. These risks are compounded when medical procedures requiring informed consent are involved.
A common approach to this risk is to pre-print vital clinical forms and other healthcare documents — including those that otherwise exist only in digital form — and place them in storage to await an unplanned downtime event. While certainly better than nothing, it's worth noting that this strategy is fraught with problems.
One of the best ways of preparing for IT downtime in healthcare environments is to use proactive training aimed at preventing a downtime event from occurring. In particular, research shows that employee training can substantially reduce a healthcare system’s vulnerability to ransomware and malware attacks. The cybersecurity awareness experts at KnowBe4 released a Phishing by Industry Benchmarking Report as a way of measuring an organization’s risk of succumbing to a phishing or social engineering scam.
Likewise, The Joint Commission notes that employees at all levels must be trained in how to respond to a downtime event after one happens. Full-scale exercises can simulate downtime events so staff members know how to access paper-based resources and redundant systems. It’s also wise to train staff in “clinical continuity plans” for the worst case. For example, how to treat a heart attack patient if imaging technology and cath labs are unavailable.
When an IT downtime event occurs, clear and decisive communications are needed in the moment. The incident might very well impact email, intranets and digital telephone systems. Alternate modes of communication including signs, flipcharts, portable radios and public address (PA) systems may be necessary to get the word out.
Regardless of the method, it’s vital that the following types of information be communicated as soon as it becomes available:
The need to communicate doesn’t end with staff members. Patients, visitors and family members must be kept informed every step of the way as well.
Of course, even the best-trained employee can be fooled by a phishing scam and hurricane-force winds can create complications that the most detailed hospital disaster preparedness plan could not envision. Another layer of defense is needed — one that ensures that up-to-date versions of healthcare documents are continuously available no matter what.
As noted in an earlier blog post, IT backup strategies were cited as a key defense against downtime events, including those caused by hospital ransomware attacks. Specifically, healthcare organizations were encouraged to adopt a 3-2-1 approach to backups. That is, save three or more copies of all critical data in at least two different formats with one copy stored entirely offline, inaccessible to cybercriminals (and Mother Nature).
Such backup strategies are currently the most powerful way of preparing for IT downtime in healthcare systems. However, backups are best viewed as complementary to the other approaches noted above. It may be helpful to think of them as concentric circles rather than independent options.
iMedDowntime from Taylor Healthcare is a proprietary solution for hospital downtime events of every type. Part of Taylor Healthcare’s iMedHealth suite of technologies, iMedDowntime empowers hospitals and clinics to maintain normal operations without sacrificing efficiency or the quality of patient care — regardless of IT network status.
Best of all, iMedDowntime makes the stockpiling approach — and all of the drawbacks that come with it — entirely unnecessary. The iMedDowntime software is designed to quietly reside within individual computer workstations and “wait” in the background until needed. If a downtime event occurs, hospital staff simply access the most up-to-date versions of the clinical forms and documents they need to sustain operations.
Looking for ways to upgrade your hospital downtime system procedures? Want to mitigate the impact of IT downtime in healthcare environments? Contact your Taylor Healthcare representative to learn more about iMedDowntime and our iMedHealth downtime preparedness strategies.