A Framework to Support Healthcare Continuity of Operations in an Information Technology Failure:

Similar documents
3/14/2015. Overcoming Obstacles to Engage Hospital Executives in Preparedness Planning. Healthcare Preparedness Activity (HPA) Audience Poll

Home Care Accreditation Webinar Emergency Preparedness August 20, 2015 Q&A Follow-up

Using Exercises to Measure Preparedness August 6th :00 AM Paul D. Biddinger, MD FACEP Elena Savoia, MD MPH

The Joint Commission s Emergency Management Update

Essential Components of Emergency Management Plans at Community Health Centers Crosswalk of Plan Elements

Barbara Ferrer, Ph.D., MPH, M.Ed Executive Director Boston Public Health Commission

NASCIO STATE RECOGNITION AWARDS 2015

Montana Department of Public Health & Human Services

Creating a Business Continuity Plan for your Health Center

Ontario Pandemic Influenza Plan for Continuity of Electricity Operations

B.1 DISASTER RECOVERY

EMERGENCY SUPPORT FUNCTION 8: PUBLIC HEALTH AND MEDICAL SERVICES PREPAREDNESS

CAPABILITY 7: Mass Care

UNION COLLEGE INCIDENT RESPONSE PLAN

Template introduction:

Beneficial Practices for Improving Biosurveillance Mass Gatherings. February 27, 2014

How To Conduct A Gap Assessment

The Joint Commission Approach to Evaluation of Emergency Management New Standards

I. MISSION STATEMENT. Ensure a comprehensive public health and medical response following a disaster or emergency. SCOPE AND POLICIES

Pilot Nursing Home Emergency Management Assessment Tool

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

TEXAS HOMELAND SECURITY STRATEGIC PLAN : PRIORITY ACTIONS

Hospital Emergency Operations Plan

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Electronic Health Records

CCHC Emergency Preparedness Gap Analysis

Business Continuity Plan CLINICAL DEPARTMENT [Template]

Are Electronic Medical Records Worth the Costs of Implementation?

MODULE III PLANNING &TRIAGE

FACT SHEET: Ransomware and HIPAA

Crosswalk of Model Standards and Key Points within the Three NPHPSP Instruments

Vanderbilt University Medical Center: Who are we? Vanderbilt University Medical Center By the Numbers: Licensed Beds (Sept.2005)

Continuation of Operations Plan

EHR Glossary of Terms

B E F O R E T H E E M E R G E N C Y

REQUIREMENTS RESPECTING THE SECURITY OF OFFSHORE FACILITIES

Public Health Coalition Exercise Request for Proposal (RFP)

Massachusetts Medicaid EHR Incentive Payment Program

GUIDE TO DEVELOPING AND CONDUCTING BUSINESS CONTINUITY EXERCISES

Business Continuity Planning Toolkit. (For Deployment of BCP to Campus Departments in Phase 2)

Continuity Planning and Disaster Recovery

CAPABILITY 2: Community Recovery

Disaster Recovery. Stanley Lopez Premier Field Engineer Premier Field Engineering Southeast Asia Customer Services and Support

FY 12 Hospital Preparedness Program (HPP) Performance Measures System Preparedness HPP 1.1:

Arizona Crisis Standards of Care Tabletop Exercise

It also provides guidance for rapid alerting and warning to key officials and the general public of a potential or occurring emergency or disaster.

Continuity of Operations Plan Template

Ohio Supercomputer Center

Top Ten Technology Risks Facing Colleges and Universities

Disaster Preparedness & Response

Implementing and Auditing a Successful Business Continuity Plan

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

What is an Exercise? Agenda. Types of Exercises. Tabletop Exercises for Executives. Defining the Tabletop Exercise. Types of Tabletop Exercises

Continuity of Operations in the Clinical Laboratory

Health-Focused Hazard and Vulnerability Assessment Report for the State of New Jersey 2012

Hanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness

CONTINUITY OF OPERATION PLAN (COOP) FOR NONPROFIT HUMAN SERVICES PROVIDERS

Planning for Health Information Technology and Exchange in Public Health

Table of Contents ESF

Unit 4: NIMS Communications and Information Management

May 15, 2013 Joint Committee on Finance Paper #363

Western Washington University Basic Plan A part of Western s Comprehensive Emergency Management Plan

Minnesota School Safety Center. schoolsafety.dps.mn.gov

What is your vision of population/public health practice in an era when the health care of all Americans is supported by EHRs?

Office of the Chief Information Officer

Stage 2 Meaningful Use What the Future Holds. Lindsey Wiley, MHA HIT Manager Oklahoma Foundation for Medical Quality

Why COOP? 6 Goals of COOP. 6 Goals of COOP. General Guidelines for COOP Capability. COOP Program Model 7 Phases. Phase 1: Initiate COOP program

DRAFT. CUNY Pandemic Influenza Response Plan Incident Level Responsibilities

RESTORATION OF LIFELINES

Cisco Security Optimization Service

Minnesota Department of Health Homeland Security Exercise and Evaluation Program (HSEEP) Training Cards

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Bioterrorism & Emergency Readiness

Preparing for the HIPAA Security Rule

Information Security Services

Business Continuity Planning (800)

Hospital Incident Command System Revision Project

IL-HITREC P.O. Box 755 Sycamore, IL Phone Fax

The Medicare and Medicaid EHR incentive

Agenda. Government s Role in Promoting EMR Technology. EMR Trends in Health Care. What We Hear as Reasons to Not Implement and EMR

Disaster Recovery and Business Continuity Plan

Supporting information technology risk management

Build a better hospital. Now, make your new building as intelligent and efficient as the best medical staff

Continuation Guidance Budget Year Five Attachment E Focus Area E: Health Alert Network/Communications and Information Technology

Why Should Companies Take a Closer Look at Business Continuity Planning?

2014 Emergency Preparedness Executive Report: Accomplishments and Next Steps

Continuity of Operations (COOP) Plan Template Instructions. Federal Emergency Management Agency 500 C ST, SW Washington, D.C.

Unit 4: NIMS Communications and Information Management

Ohio Homeland Security Strategic Plan

Recommended Disaster Core Competencies For Hospital Personnel

Meaningful Use and Security Risk Analysis

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Why Fails MessageOne Survey of Outages

Emergency Response Plan

New Mexico Homeland Security and Emergency Management REQUEST TO USE FEDERAL GRANT FUNDS For Training, Conferences or Exercise Activities

September 4, appearing before you today. I am here to testify about issues and challenges in providing for

Business Continuity Policy & Plans

Hospital Authority. Enhanced Contingency Planning for IT System Failures

State of Oregon. State of Oregon 1

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

Transcription:

A Framework to Support Healthcare Continuity of Operations in an Information Technology Failure: Lessons learned from a novel exercise series Jendy Dunlop, MPH, CHEP Paul Biddinger, MD, FACEP

http://001yourtranslationservice.com/computer-tips/protecting-your-computer.htm

Workshop Objectives Following today s presentation, participants will learn: Why and how the healthcare system is uniquely vulnerable to information technology (IT) disruptions and the operational consequences of unplanned downtimes; How to apply lessons learned from the exercise series to guide and maximize collaborative preparedness efforts between emergency management and information technology personnel; and How to utilize a planning framework to develop and guide continuity of operations planning for IT system failures and unplanned downtimes at their own institutions.

Introduction Harvard School of Public Health Emergency Preparedness and Response Exercise Program (HSPH-EPREP) Research Mission: Planning To provide public, private, and nongovernmental organizations with the expertise to prepare for and respond to emergencies of all types. Drills and Exercises Training and Education

Introduction Since exercise program inception in 2005, we have conducted over 50 public health and healthcare exercises throughout Massachusetts. HSPH-EPREP Exercises and Participation 2005-Present 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Total Exercises 4 14 8 4 8 12 10 8 24 2 94 Participants 522 2,318 1,361 666 951 808 762 546 885 225 9,044

Healthcare System Preparedness Healthcare System Recovery Emergency Operations Coordination Fatality Management Information Sharing Medical Surge Responder Safety and Health Volunteer Management Community Preparedness Community Recovery Emergency Operations Coordination Emergency Public Information and Warning Fatality Management Information Sharing Mass Care Medical Countermeasure Dispensing Medical Materiel Management and Distribution Medical Surge Non- Pharmaceutical Interventions Public Health Laboratory Testing PH Surveillance & Epidemiological Investigation Responder Safety and Health Volunteer Management Massachusetts Department of Public Health & Harvard School of Public Health Statewide Exercises: Capabilities Demonstrated and Assessed 2006-2014 Public Health (PHEP) Capabilities Hospital Preparedness (HPP) Capabilities Pan-Flu 2006 COOP 2006 Hospital Evacuation TTX Series 2010 Medical Surge TTX Series 2011 HazMat TTX Series 2011-2012 Regional Coalition Series 2012 Medical Surge FE Series 2012-2013 Recovery Workshop Series 2013 NETCFC Exercise Series 2013 Healthcare System Recovery Series 2013 Mass Fatality/FAC Exercise 2014

Background February 2009: Health Information Technology for Economic and Clinical Healthcare Act (HITECH) enacted as part of the American Recovery and Reinvestment Act. Federal investment in health information technology (HIT) Mandates public and private healthcare providers to adopt electronic health records (EHR) Incentives to providers demonstrating meaningful use of systems

Background Since 2009, adoption of EHR systems by U.S. hospitals has more than tripled. Figure 1: Percent of non-federal acute care hospitals with adoption of at least a Basic EHR system and possession of a certified EHR: 2008-2012 (ONC, No. 9, March 2013) Figure 1: Percent of non-federal acute care hospitals with adoption of EHR by levels of functionality (ONC, No. 9, March 2013)

Background Figure 3: Percent of non-federal acute care hospitals with computerized capabilities to meet selected Meaningful Use objectives: 2008-2012 (ONC, No. 10, March 2013) Figure 4: Percent of non-federal acute care hospitals with capability to meet Meaningful Use objectives: 2011-2012 (ONC, No. 10, March 2013)

Electronic systems are used to manage virtually all aspects of daily operations at many hospitals and healthcare facilities: Administration Billing Payroll Communication systems HVAC Security systems Access cards Facilities Management Infant abduction systems Patient Care Medical Records Patient Scheduling Imaging Prescriptions Labs

Background 2013 Meritalk/EMC 2 survey finds that security breaches, data loss, and unplanned system outages cost U.S. healthcare providers more than $1.6 billion per year. In the last year, healthcare organizations have experienced the following: MeriTalk/EMC 2 Global IT Trust Curve Study, (2013).

Figure 1: Common Causes of Unplanned Outages in Healthcare Information Technology Systems Software Failure Data Corruption Loss of Power Hardware Failure Hardware failure (65%) Loss of power (49%) Software failure (31%) Data corruption (24%)

Background Unplanned Outages 40% of healthcare organizations have experienced within past year Average of 57 hours lost to downtime Consequences of unplanned downtime translate to a 45% reduction in employee productivity Average cost of $432,000 per incident Average cost of over $515 million to U.S. hospitals

December, 2011: Gwinnett Medical Center, Atlanta, GA Malware breach led to 3 day outage; Hospital forced to go on total diversion for over 2 days Disrupted connectivity at 2 hospital campuses Delays to patient registration, labs, radiology, pharmacy Implemented downtime procedures and used runners Cause unknown, but believed to be from corrupted thumb drive or use of personal laptop on hospital s network

March, 2013: Boulder Community Hospital, Boulder, CO Primary and backup server malfunctions caused Meditech system crash and resulted in 10 day outage Main hospital campus, satellite campus, 8 labs and 6 imaging centers unable to access patient information Experienced challenges with implementation and use of paper-based methods Caused significant delays in patient scheduling, diagnostic imaging, labs Loss of data from EHR system; even recently backed up data was corrupted

Background With rapid adoption of ever-evolving technology, the healthcare sector is becoming increasingly dependent on information technology as a mission critical resource in support of routine clinical and business operations. As this dependency increases, so does the level of vulnerability to system breaches, system failures and unplanned downtimes.

Open Discussion Has your facility experienced any unplanned IT outages in the past year? What was the approximate duration of the outage? What was the cause? How did this incident impact your facility?

Exercise Series In 2011, a consortium of Boston-area hospitals recognized the threat that such disruptions pose to health system continuity of operations, and in turn, to patient safety. Between 2011 and 2013, HSPH-EPREP was contracted to design and conduct exercises for various Massachusetts hospital systems in order to assess healthcare system operations in light of IT disruptions. Exercised with both robust hospital systems, as well as smaller hospital systems with in-house resources.

Exercise Overview Exercise Design: Tabletop and Functional Exercise Simulated system-wide information technology failure impacting patient care Designed to test individual and collective site response Exercise Play: Simultaneous exercise play across all hospital system sites including acute care hospitals, rehabilitation facilities, home healthcare agencies, and satellite offices Emergency Management and Information Technology Lead Player at each site Hospital System Participation from departments including, but not limited to: Nursing, EDs, ORs, Labs, Radiology, Scheduling, Transport, Dietary/Food Service, Finance, and Information Technology

Exercise Overview Exercise Evaluation: Trained Controller/Evaluator at each site Formal hotwash following exercise play After Action Report and Improvement Plan (AAR-IP) documenting key findings, and recommendations to address areas for improvement

Capabilities Tested TABLE 1. HEALTHCARE PREPAREDNESS CAPABILITIES RELEVANT TO EXERCISE Healthcare Preparedness Capability 1: Healthcare System Preparedness Healthcare Preparedness Capability 2: Healthcare System Recovery Healthcare Preparedness Capability 3: Emergency Operations Coordination Healthcare Preparedness Capability 6: Information Sharing TABLE 2. FEMA/DHS TARGET CAPABILITIES RELEVANT TO EXERCISE Target Capability 1: Planning Target Capability 2: Recovery Target Capability 3: Communications Target Capability 4: Intelligence and Information Sharing and Dissemination

Exercise Objectives 1. Test internal and external notification processes within and among sites following a major IT system failure. 2. Examine the process by which sites assess the scope of impact of the event and maintain situational awareness. 3. Determine the strengths and weaknesses of existing downtime manual processes. 4. Evaluate the procedures for prioritizing restoration of IT systems within and among sites. 5. Evaluate the level of recovery planning/ability to return to normal operations.

Exercise Scenario Snapshot A malware virus has infiltrated the hospital system servers by way of medical devices operating on outdated versions of Microsoft Windows. The widespread infection results in significant degradation to computer systems, applications, and machines, along with a secondary loss of communications capability including internet, email, and phone lines across sites. The incident occurs at the height of flu season, with most hospital Emergency Departments at or near capacity.

What would your facility do? What would your facility do?

Common Challenges EOC & Information Sharing Healthcare Preparedness Incident management & leadership: Who is in charge? Communication between clinical, emergency management, and IT personnel, and across multiple sites Difference between routine outages & outages potentially requiring an emergency response Anticipating when to transition to downtime procedures Knowledge of other departments and sites downtime procedures Realization that downtime procedures would not adequately address needs in an extended outage. Knowledge regarding interconnectedness of systems Healthcare Recovery Leadership & decision making regarding a process for bringing systems back online within and across sites Awareness of clinical and operational needs, and staff roles and responsibilities in recovery Knowledge of HIPPA and other regulations concerning patient confidentiality issues, data loss, reporting, and insurance reimbursement timeframes

Key Lessons Learned

Key Lessons Learned Emergency Operations Coordination & Information Sharing During outages necessitating an emergency response, IT leadership personnel should be incorporated within the existing hospital Incident Command structure. Pre-defined, tested, redundant alerting mechanisms and communication protocols should be developed to promote situational awareness with IT personnel as well as with other sites.

Key Lessons Learned Healthcare Preparedness Unplanned outages/system downtimes should be viewed as a potential emergency event requiring an emergency response. Pre-define triggers and protocol that should be followed to assist staff in recognizing emergent vs. non-emergent outages. When possible, a decision to transition to downtime procedures should be centralized and coordinated across units/departments and/or sites. Pre-define triggers and protocol to alert staff when and how these transitions will occur.

Key Lessons Learned Healthcare Preparedness A thorough risk assessment of systems, system vulnerabilities and interdependencies, and clinical impacts associated with system failures should be conducted in advance of an incident. Traditional downtime processes are often designed for outages of shorter duration (hours, days) and will likely fail to adequately address operational needs during outages of extended duration (multiple days/weeks). Ensure downtime procedures are scalable to address clinical and operational needs in short term and long term outages.

Key Lessons Learned Healthcare Recovery A mechanism to categorize systems and applications within a hierarchical structure, and to prioritize them for repair should be developed in advance of an incident. Recovery planning should begin early on in the response phase, and operate in tandem with response efforts. Best practice: Appointing a branch within the Planning Section to recovery needs/considerations

Preparedness Framework for IT Failures Emergency Management Information Technology ASSESSMENT EVALUATION PLANNING

Assessment Hazard Vulnerability Analysis (HVA) required annually for hospitals by Joint Commission in order to identify potential emergencies that could affect the hospital s demand for services or its ability to provide those services, the likelihood of those events occurring, and the consequences of those events. (EM 01.01.01) No specific tool or resource required to complete All hazards risks; nowhere near specific enough to assess the intricacies of IT systems, the likelihood of and associated impacts of IT failures Most organizations have not recognized the true potential for an internal information systems failure to constitute a true emergency

Assessment Conduct an independent, comprehensive assessment of IT systems, system vulnerabilities, system interdependencies, and clinical and operational consequences of system failures. At a minimum, the assessment should determine the following for each electronic system/process: Interdependent, connected systems; Anticipated clinical and operational impacts associated with system/process loss; Whether downtime/paper procedures exist to address the electronic process; Whether downtime procedures to address the electronic process adequately meet needs in an extended outage; Whether all appropriate staff have been trained to utilize downtime procedures addressing the electronic process; and Extent to which downtime procedures are drilled/tested with staff during all shifts.

Assessment Determine if existing downtime procedures are scalable to appropriately address both short term and long term operational needs. Review the adequacy of downtime training, drills, and exercises for staff. Review incident recognition, alert and notification, response, and recovery procedures between emergency management and IT personnel for a system downtime event. List all anticipated clinical, operational, and financial recovery needs and considerations.

Planning Develop and/or revise alert and notification, communication, and information sharing plans and processes between emergency management and IT personnel in response to a systems failure. Ensure specific triggers exist to indicate when notifications and key decisions should be made. Develop and/or revise plans to address identified gaps in emergency management and IT systems, policies, and procedures.

Planning Based on your assessment of systems, develop a scalable tiered or phased plan for prioritizing specific systems for repair within and across sites. Train staff on all shifts to increase comfort and familiarity in using downtime procedures. Update plans to include long term recovery considerations.

Evaluation Design and conduct periodic drills and exercises through the lens of emergency management plans and procedures. Focus on emergency management and IT response system linkages. Conduct a hotwash to review exercise results, identify remaining gaps in plans and procedures, and determine appropriate solutions. Document successes and lessons learned in an After Action Report and Improvement Plan (AAR-IP).

Open Discussion Has your facility developed any specific plans or protocols as a result of any unplanned downtimes experienced? What do you see as the biggest barrier to facility preparedness for a large scale information technology failure? What would be most beneficial to you to assist you with future planning for preventing, preparing for and responding to IT system outages?

-Thank You- Thank you for your attendance and participation. We are happy to answer any questions you may have. Jendy Dunlop, MPH, CHEP Project Coordinator jdunlop@hsph.harvard.edu Paul Biddinger, MD, FACEP Program Director pbiddinger@hsph.harvard.edu http://www.hsph.harvard.edu/eprep

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information