The number of cyberattacks and information system breaches in healthcare has grown steadily, escalating from isolated incidents to widespread targeted and malicious attacks.1 In 2022, 707 data breaches occurred, exposing more than 51.9 million patient records, according to data from the Department of Health and Human Services (DHHS).
To help healthcare organizations address this growing patient safety concern, The Joint Commission has issued a new Sentinel Event Alert, “Preserving patient safety after a cyberattack.” The alert focuses on risks associated with cyberattacks and provides recommendations on how healthcare organizations can prepare to deliver safe patient care in the event of a cyberattack.
The alert stresses that preparing for a cyberattack should concern not only hospital IT staff but all hospital staff. Every staff member must prepare to operate during a cyber emergency. Actions suggested by The Joint Commission in the alert include:
- Evaluate hazards vulnerability analysis (HVA) findings and prioritize hospital services that must be kept operational and safe during an extended downtime.
- Form a downtime planning committee to develop preparedness actions and mitigations, with representation from all stakeholders.
- Develop and regularly update downtime plans, procedures and resources.
- Designate response teams. Create an interdisciplinary team to mobilize during unanticipated downtime events.
- Train team leaders, their respective teams and all staff on how to operate during downtimes, including specific incidents that would cause downtime to go into effect.
- Establish situational awareness with effective communication throughout the organization and with patients and families.
- After an attack, regroup, evaluate and make necessary improvements. Take steps to recover and protect systems.
“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” says David W. Baker, MD, MPH, FACP, executive vice president for Healthcare Quality Evaluation and Improvement, The Joint Commission. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”
The Sentinel Event Alert also reviews related Joint Commission requirements and provides resources and references. The full alert is available on The Joint Commission and The Joint Commission Journal on Quality and Patient Safety websites. It may be reproduced if credited to The Joint Commission.
1. Upendra P. Selecting a Passive Network Monitoring Solution for Medical Device Cybersecurity Management. Biomedical Instrumentation and Technology, 2021 Nov 1;55(4):121-130.