Is your hospital ready for a prolonged IT outage? Joint Commission, AHA's new resiliency program will let you know

Technology system recovery is understandably a focal point for hospitals and health systems facing a “digital darkness” event, but a new voluntary, free-to-start resiliency program is encouraging healthcare organizations to remember the practical side of sustaining patient care. 

The Cyber Resilience Readiness program, unveiled last week by the Joint Commission and the American Hospital Association, is a recognition that the average clinical outage lasts for 28 days and brings substantial safety challenges many organizations may not be ready to shoulder, the former group’s William Walders, EVP and chief digital and information officer, explained to Fierce Healthcare. 

“The real question is: ‘When systems go down, can we continue to deliver healthcare?’ That’s the driver,” he said. “We want to change the narrative here about it being a technology problem and [make it] more about clinical care, delivering it safely, doing no harm, and being prepared for the real world.” 

The program “was a result of our clinician surveyors recognizing some opportunities, truly, where things may or may not have been working,” Walders explained. It was developed by the pair over 18 months, with feedback from “tens of organizations” that had recently faced and strongly responded to issues ranging from cyberattacks to other events like extreme weather or vendor-related lockouts, he said.

It begins with a free online self-assessment, applicable to organizations of varying size and scale, that covers multiple domains of an organization’s posture and processes to gauge how prepared they are for an extended technology outage. 

The assessment, which Walders said was piloted by partner hospitals, has around five dozen questions and should take half an hour to forty-five minutes to complete, or “worst case” an hour. That said, larger organizations will likely require three or four roles from different domains (risk management, legal, IT security and clinical leadership) collaborating on their responses, the organization said.

From there, groups have the option for the Joint Commission and AHA’s experts to give them “a tailored debrief” of the results with recommended next steps for a one-time fee of $2,000, according to the program’s website. Later in the summer, the pair plan to offer additional advisory or educational services covering participants’ identified gaps, while the Joint Commission alone will offer a new “Cyber Resilience Readiness Certification” for organizations “to take credit and attest to the fact that you’ve got the processes in place,” Walders said.

In the few days following last week’s reveal, Walders said he’s seen a “significant level of interest” in the program and use of the assessment among the “small community” of fellow healthcare chief information officers. 

He said he’s sympathetic to the “fiscal pressures every health organization is facing” as they decide where to spend their time and money, but contended that “those resources should absolutely be spent [to] prioritize patient care, patient safety.”

At minimum, he pointed toward the free self-assessment and encouraged organizations to “see the level of questions we’re asking, ask yourself those questions and really start to look at your own security programs, your resiliency programs, your corporate continuity programs” and preparations for “regional” threats like hurricanes or wildfires. He said participants should be honest with themselves as they fill out the responses, which are kept confidential but can be used to compare digital darkness resiliency positioning against peers. 

Walders said he and others at the Joint Commission and the AHA are already reviewing some self-assessments that have been submitted. Among these, and based on the partners’ work in putting together the program, he said a common pitfall has been for larger organizations to approach resiliency at a system level but to fall short on regional or individual preparedness.

“A simple question would be ‘When’s the last time I had to write a prescription for someone? When’s the last time I had to write a lab for a patient? How would a patient navigate our healthcare system and its complexity absent these digital tools?’ And if you’re not comfortable with that answer, and many won’t be … that would be one thing.”

Walders also reiterated organizations’ tendencies to view digital blackouts purely from a technical lens, and the need to shift ownership away from technology teams alone. He also described a tendency for teams to think of a network outage as an intermittent event with a quick turnaround to recovery, whereas the reality is that healthcare organizations need to weigh whether they can maintain care “in a sustained manner” during any disruptions.