In the wake of increasing cyberattacks in healthcare, The Joint Commission issued a Sentinel Event Alert on August 15, 2023, to help hospitals respond to cyberattacks and to potential periods of electronic system inaccessibility, or "downtime", in order to ensure patient safety and continued operations. For hospitals, cyberattacks can lead to breaches of patient protected health information (PHI) and can render care systems inaccessible, impairing hospitals' ability to provide effective patient care. Hospitals must therefore be prepared to respond to attacks quickly and effectively, to transition patient care to downtime procedures without delay, and to comply with their reporting obligations.

The Joint Commission recommendations

First and foremost, The Joint Commission's Sentinel Event Alert recommends that all hospital staff, not just hospital information technology (IT) staff, be prepared to respond to cyberattacks. Cybersecurity vulnerabilities exist at each point at which an employee accesses the hospital internet or IT network, so it is crucial that all employees are prepared to recognize and respond to cyberattacks.

The Joint Commission requires hospitals to conduct hazard vulnerability analyses (HVAs), which include analyses of cybersecurity risks. The Joint Commission also has Emergency Management Standards that require hospitals to have: (i) a continuity of operations plan; (ii) a disaster recovery plan; and (iii) an emergency management education and training program. Through development of these plans, hospitals can ensure that they are prepared to address cybersecurity risks and respond to cyberattacks.

Evaluation of HVA findings

In connection with HVAs, The Joint Commission states that hospitals should prepare to operate entirely offline for at least four weeks. Hospitals need to assess the ramifications of losing access to electronic health records (EHR) and other essential technologies. Further, hospitals should ensure that their analysis extends to a situation in which a cyberattack leads to a disruption beyond a single facility, as cyberattacks could lead to disruptions for entire geographical areas.

Form a downtime planning committee

In order to address cybersecurity risks and prepare to respond to any downtime resulting from a cybersecurity attack, hospitals should develop downtime planning committees. The Joint Commission recommends inclusion of a broad range of hospital personnel, including IT experts, hospital leadership, hospital emergency managers, scheduling, medical staff and nursing, among others. This committee should be responsible for developing an IT risk assessment plan and evaluating and developing cybersecurity and downtime procedures.

Develop plans and procedures

Hospitals should develop plans and procedures to maintain hospital operations in the event of a cyberattack that results in limited or no access to electronic systems. Hospitals should prepare to rely on fax capabilities, as well as pen and paper, while systems are down. Hospitals should develop the ability to maintain operations offline, including functions such as placing pharmacy orders, conducting lab tests, scheduling and checking in patients, and printing medical records.

Coordinate response teams

Hospitals should designate individuals from various areas of the organization to serve on a response team. This team will work together to evaluate and respond to cyberattacks. Further, this team will work to ensure patient safety and communicate any cyberattacks to hospital leadership.

Effectively train staff

Hospitals should train team leaders and staff generally on the type of incidents that could lead to a downtime and how to effectively respond to such incidents. Training should include drills that enable staff to become familiar with downtime procedures and processes.

Communication systems

In the event of a cyberattack, hospitals should communicate as quickly as possible which systems are affected and which procedures are going into effect. These communications should extend to key affiliates, off-site providers, and patients and their families. Hospitals should prepare statements and talking points in advance for use in such circumstances.

Evaluation post-cyberattack

Following a cyberattack, hospitals should ensure that system protections are reinforced by resetting passwords and/or replacing any hardware or software compromised in the attack. Hospitals should take steps to ensure that any records kept with pen and paper during downtime are transferred into the EHR. Hospitals should address the vulnerabilities revealed by the cyberattack to strengthen security against future attacks.

Breach reporting requirements

In connection with any breach of unsecured PHI, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to notify the Secretary of the United States Department of Health and Human Services (HHS). A "covered entity" means an entity that is (i) a health plan, (ii) a health care clearinghouse or (iii) a health care provider who transmits any health information in electronic form. See 45 CFR § 160.103.

Breach reporting requirements vary depending on the number of individuals affected. Generally, covered entities must notify every affected individual. For breaches affecting fewer than 500 individuals, a covered entity must notify the Secretary of the breach at least 60 days prior to the end of the calendar year in which the entity discovered the breach. For breaches affecting 500 or more individuals, a covered entity must notify the Secretary within 60 days of discovery of the breach. Additionally, covered entities that experience breaches affecting more than 500 residents of any state or jurisdiction must notify prominent media outlets serving the state or jurisdiction in which the breach occurred. See 45 CFR § 164.400 et seq.

In conclusion

Norton Rose Fulbright's healthcare and cybersecurity teams have the capacity to assist hospitals in planning for and responding to cyberattacks. In the realm of cybersecurity, the best approach is one that is proactive. Please let us know if we can be of assistance.