09-11-13 | Blog Post
A recent EHR outage affecting numerous medical facilities, physician offices and clinics resulted from an issue with the software that managed user access to the EHR, provided by Epic Systems. A planned upgrade took the system down for eight hours; a few days later, the EHR system went down for about a day. The IT team applied a software patch that evening, which resolved the issue and restored user access.
The California Nurses Association (CNA) is calling for the complete abolishment of the system due to previous user errors. But those involved can handle EHR implementation better, making the learning process and workflow easier and improving accuracy instead of creating more problems. While the Epic system cost nearly $1 billion to implement, staff training is just as important as IT integration when it comes to improving patient care.
Since the U.S. administration is prioritizing health IT not only with incentives but also with deadlines, the focus should be on putting policies, procedures and preventative measures in place around the IT systems – not on petitioning to remove them completely and resorting to paper records.
A few ways to help with unplanned outages include establishing a tested IT disaster recovery plan. When the EHR system went completely dark for many Sutter hospitals, cutting off physician and clinical staff’s access to patient information (including medication requirements, patient history and more), a cloud-based disaster recovery solution may have helped recover data quickly, which can be a life-saver at hospitals.
Timely patch management is also important to ensure applications are updated and managed properly. Without consistent patch updates to correct ongoing and known security vulnerabilities in the software, the entire system can fail. Using a web application vulnerability scanning tool to detect outdated versions of software, web apps that aren’t securely coded, or misconfigured networks can help your team identify issues quickly and reach a resolution faster.
The HIPAA Security Rule Administrative Safeguards state that covered entities must:
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].
A vulnerability scanning tool can be used to proactively test system security, as recommended by the National Institute of Standards and Technology (NIST). Check out the other technical security tools a healthcare organization could use to help prevent or avoid prolonged downtime.
Read our HIPAA Compliant Hosting white paper, which explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and HIPAA hosting vendor selection criteria.