Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack
The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.
Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.
When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.
The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
- Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
- Develop downtime plans, procedures, and resources and ensure they are regularly updated.
- Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
- Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
- Establish situational awareness with effective communication throughout the organization and with patients and families.
- Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.
“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”