Editor's Corner: Double down on those EHR contingency plans

While the Department of Health and Human Services Office of Inspector General often is the bearer of bad tidings, a new report published this week focuses on how well hospitals are protecting their electronic health record data.

The agency found that of 400 hospitals, 95 percent had a written EHR contingency plan as required by the Health Insurance Portability and Accountability Act (HIPAA). More than two-thirds (68 percent) reported that their plan addressed the four HIPAA requirements that the OIG reviewed: having a data backup plan; having a disaster recovery plan; having an emergency mode operations plan; and having testing and revision procedures.

Furthermore, most of the respondents indicated taking an extra step by implementing practices recommended by the National Institute of Standards and Technology and the Office of the National Coordinator for Health IT, including maintaining backup copies of EHR data off site, supplying paper medical record forms when EHRs were not available, and training and testing staff on the contingency plan.

That's all well and good. But it's no longer good enough.

What caught my attention was what the OIG revealed toward the end of the report: that these contingency plans are being tested way too often by real-life EHR problems. More than half (59 percent) of the hospitals reported an unplanned EHR disruption in 2014, the year before the questionnaire was sent. Of those, 24 percent experienced a delay in patient care as a result. And one-fifth had disruptions of more than eight hours.

That’s a lot of EHR downtime. Moreover, of the hospitals with unplanned disruptions, a majority (74 percent) reported three or fewer disruptions within one year, so the rest had more than that. That means the actual number of incidents is higher than it appears at first glance.

But that was in the halcyon days of 2014, when the biggest reasons for unplanned EHR disruptions were hardware malfunctions or failures (59 percent), internet connectivity problems (44 percent) or power failures (33 percent). Hacking incidents only affected 1 percent of those with unplanned disruptions, according to the OIG. Only 1 percent of hospitals with disruptions lost any data.

Just two years later we’re in a different world. Cybercrime is surging. The HHS Office for Civil Rights estimates that there have been 4,000 daily ransomware attacks since early 2016, a 300 percent increase from 2015. According to one security firm's recent report, 88 percent of ransomware detected in the second quarter of 2016 was in the healthcare industry.

The OIG specifically references this evolving threat and reiterates the importance of having contingency plans, expressing concern about ransomware and that medical devices are now being targeted. That's probably why it chastised OCR by pointing out that the latter doesn’t target EHR contingency plans for review, only investigating one when it comes to its attention due to a breach or complaint.

The Inspector General promised that it will devote “continued attention” to this issue.

The healthcare industry is unique. An inability to access healthcare data does more than affect providers’ operations and finances. It can hurt people.

“Disruptions to EHRs from these and other threats can present significant safety risks to patients," the OIG stated. "Contingency plans are crucial because they are designed to minimize the occurrence and effects of such disruptions."

While it’s a good sign that the hospitals reviewed had some protections in place, the stakes are higher now. I hope that everyone’s EHR contingency plan can tackle the worsening landscape.

- Marla (@MarlaHirsch and @FierceHealthIT)