Close to 60 percent of hospitals have experienced an unplanned disruption to their electronic health record (EHR) systems and a quarter of those hospitals experienced delays in patient care as a result, according to a new study released by the Department of Health and Human Services (HHS) Office of Inspector General (OIG).
While recent alleged ransomware attacks at hospitals across the country highlight how disruptions to hospital information systems can disrupt patient care, the OIG study surveyed hospitals in May 2015, before many of the notable ransomware attacks. And, in the study, most hospitals cited hardware malfunctions as accounting for the largest percentage of EHR disruptions, followed by Internet connectivity problems.
The OIG study sought to evaluate how well hospitals are addressing requirements for EHR contingency planning in light of evolving threats to healthcare information systems. The HHS Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Under the HIPAA Security Rule, all covered entities are required to have a contingency plan for responding to disruptions to EHR systems. Contingency plans specify processes to recover EHR systems and to access backup copies of EHR data in the event of a disruption.
Disruptions, such as natural disasters or technical malfunctions, can make EHRs unavailable to hospital staff. Prior OIG work found that hospitals experienced substantial challenges responding to the effects of Superstorm Sandy, which included damage to health information systems and curtailed access to patient medical records. And, more recently, cyberattacks on hospitals have similarly prevented or limited access to EHRs.
The study report specifically noted that in 2014 Boston Children’s Hospital suffered a distributed denial of service attack. “Though no data were lost and no patient harm occurred, some of the hospital’s systems lost Internet-based functionality. The hospital relied on its contingency planning and workarounds to continue operating,” the OIG study report stated.
This past January, a hospital in California reported that it suffered a ransomware attack that disabled its network and EHR system for about a week, leading to delayed patient care and the need to divert patients to other facilities. And, the OIG study also noted the suspected ransomware attack at MedStar Health that forced the health system to take computer systems offline throughout its entire system, including 10 hospitals.
While the study found that most hospitals it evaluated were addressing requirements for EHR contingency plans, the OIG study report concluded that “persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans.” And OIG stated that its review, together with the cyberattacks that have occurred since 2014, underscores its previous recommendation that OCR implement a permanent audit program for HIPAA compliance.
The OIG study evaluated 400 hospitals that received EHR incentive payments from the Centers for Medicare & Medicaid Services (CMS) by administering an online questionnaire between May and July 2015. The study used four HIPAA-required criteria as well as recommended practices from the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC). OIG researchers also conducted site visits at six hospitals, in order to interview hospital staff and review EHR contingency plans and related documents.
According to the OIG study report, almost all hospitals (95 percent) reported having written EHR contingency plans, and about two-thirds (68 percent) reported that their contingency plans addressed the four HIPAA requirements the agency reviewed, i.e., having a data backup plan, having a disaster recovery plan, having an emergency-mode operations plan, and having testing and revision procedures. And, large hospitals were more likely to report having a written EHR contingency plan than small hospitals.
The study also found that, for the year preceding the questionnaire, 59 percent of hospitals reported unplanned EHR disruptions that made their EHR system unavailable to hospital staff and the majority (74 percent) of these hospitals reported three or fewer disruptions within one year. One-fifth of hospitals with unplanned disruptions reported disruptions that lasted more than eight hours.
As mentioned above, hospitals cited hardware malfunctions as accounting for the largest percentage of EHR disruptions at 59 percent, followed by Internet connectivity problems (44 percent). Other cited reasons for unplanned EHR disruptions included power failure (33 percent), natural disaster (4 percent) and ransomware, although that was cited by only 1 percent of respondents.
Of those hospitals that reported an unplanned disruption, about one-quarter reported an outcome of delayed patient care and 15 percent reported that patients were rerouted due to the disruption, while 1 percent of hospitals reported having lost records.
The OIG study also evaluated hospitals based on whether their contingency plans addressed the four HIPAA requirements. Almost all of the hospitals evaluated (99 percent) reported maintaining backup copies of EHR data, and 92 percent reported storing backup data offsite. Most hospitals also reported implementing recommended practices such as supplying paper medical record forms for use when the EHR is unavailable and training and testing staff on contingency plans, according to the OIG study.
Of the hospital respondents, just over half (57 percent) reported having a read-only EHR system for use during disruptions, and 32 percent reported having a read-only system that is visually differentiated from the production system so that staff can recognize they are not working in the live record.
Of the hospitals that maintained backup copies, almost all reported implementing the recommended practice of backing up data at least once per day. “Hospitals may rely on multiple methods to back up data. For example, one hospital we visited told us that it replicated data on a secondary server continuously and backed up data to media―either a tape or disk―every 4 hours,” the study report authors wrote.
With regard to disaster recovery, about three-quarters of hospitals reported having alternate sites, and more than half implemented the recommended practice of having “warm” or “hot” sites to operate their EHR systems when their primary EHR systems malfunction. Almost half of hospitals with alternate sites reported that they can transfer EHR operations within the recommended 8 hours.
In addition, hospitals generally implemented many practices recommended by ONC and NIST for EHR contingency plans. Recommended practices related to backing up, storing, and maintaining data; using paper records; and having alternative power sources (e.g., generators) were among the most commonly implemented (reported by 90-100 percent of hospitals).
When evaluating hospitals on testing and revision of contingency plans, the study found that most hospitals reported reviewing their contingency plans regularly to remain current with system or organizational changes. Eighty-eight percent reported reviewing their EHR contingency plans within the preceding year for any reason, including as part of a regularly scheduled review. Hospitals also reported regularly training staff on how to operate during EHR disruptions. Although most hospitals trained staff on EHR contingency plans in the year preceding the questionnaire, only 45 percent of hospitals reported training staff through the recommended drills on how to deal with EHR system downtime.
More than half of hospitals reported having policies to review their contingency plans after each planned or unplanned EHR disruption. EHR disruptions allow hospitals to test whether their contingency plans are effective and identify opportunities to improve them. “For example, as a result of activating and reviewing EHR contingency plans, some hospitals reported that they recognized the need to improve communication during EHR disruptions,” the OIG study report stated.
In addition, some hospitals also reported that EHR disruptions allow both clinical and IT staff to become more familiar with EHR contingency plans. For example, during EHR disruptions, clinical staff could practice accessing a read-only system or documenting care on paper records. IT staff could practice transferring the EHR system to an alternate site and bringing the primary system back to functioning status, the study authors noted.
The OIG study also found that OCR considers HIPAA compliance broadly and does not specifically target EHRs when reviewing a covered entity's contingency plans. In fact, HIPAA requirements do not prescribe how covered entities should develop or use contingency plans, the study authors noted.
“OIG previously recommended that OCR fully implement a permanent audit program to assess compliance with HIPAA requirements, and recent events underscore the importance of this recommendation. This review provides baseline information on hospitals’ EHR contingency plans and reflects our continued attention to this issue,” the study authors wrote.