A Real-Life Ransomware Attack: What to Do if Your EHR System Goes Down
What Happens When a Data Center Experiences an Outage?
On April 27th, an EHR system company sent an email to hosted customers detailing a ransomware incident. According to the email, "A sophisticated criminal organization carried out a ransomware attack on some of the hosting vendor’s systems, disaster recovery site, and backups." As a result of this outage, many customers lost access to their EHR system.
What makes this particular incident unusual? The ransomware attack hit the data center that hosts the EHR data, not the EHR vendor itself. This highlights a risk to your patient data that lies beyond your office, and even beyond the security and redundancy of your EHR system: the hosting provider your vendor depends on. When a situation like this occurs and you cannot reach the health records you need to treat your patients, it becomes your problem even though it is not your fault.
It is also your EHR vendor’s problem, because the service provider they depend on has gone down. Your vendor will work with their hosting vendor to restore service as quickly as possible, but the timeline is out of your control and out of your EHR vendor’s control as well.
What to Do to Prevent this from Happening to You
This is why you need to look at your downtime contingency plan. A downtime contingency plan is the set of policies and procedures you keep in place so that you can continue providing quality care to your patients while you have no access to your EHR data. Because this attack also took out the hosting vendor’s disaster recovery site and backups, plan for an outage measured in days or weeks, not hours, and make sure the paper-based procedures below can be sustained for that long.
Here are some questions to address when establishing your plan:
- Do you have the ability to capture documentation during the downtime that will allow you to add encounter data to the patient record when the systems come back online?
- Do you have a list of the phone numbers of each pharmacy in the area to call in prescriptions?
- Do you have prescription pads in a desk drawer?
- Do you have referral forms for ordering lab tests, advanced imaging studies, or sending patients to other providers in the community when a referral is necessary?
- How do you make sure you capture all of the services you provide so that you can bill for those services once your EHR is available?
- What about your schedule? Who is coming in today and what time? How do you schedule additional patients not knowing what your schedule is for today or tomorrow (or longer)? How do you reschedule patients when downtime occurs?
- Is it reasonable to keep a “book” with one page for each patient that lists their medications, allergies, and problems in case your EHR system goes down?
What about fines and cyber coverage?
The HIPAA Security Rule requires you to have a contingency plan (data backup, disaster recovery and emergency mode operation procedures), and HIPAA and many state laws require that you are able to access your medical records. An inability to access those records may lead to investigations that result in fines. In addition, the 21st Century Cures Act and the Patient Right of Access rules require you to be able to provide your medical records to patients and other providers in a timely manner, so losing access to those records could put you in violation of these rules as well as HIPAA. One way to be prepared is to have a cyber policy in place that puts a team behind you to support you in case of an investigation. PICA insureds benefit from having the CyberAssurance coverage endorsement included in their policy at no additional cost, per individual*. If you need cyber coverage or have questions regarding cyber limits and coverage, click here.
Want to Learn More? Join PICA and TLD Systems on June 9 for a Town Hall Discussion
Please join TLD Systems and PICA for an interactive town hall discussion about steps you can take to mitigate the impact on your practice and patient care if your EHR system goes down. This virtual event will be held on Wednesday, June 9 (8pm ET | 7pm CT | 5pm PT).
Link to register: https://proassurance.zoom.us/webinar/register/WN_RBljvSymQoOxUyalHs-LZQ
*Note that coverage is not available in all states.