The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

Posted By on Aug 29, 2023

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist