How should healthcare entities prepare for major IT outages?

Wednesday, August 21, 2024

On July 19, a global Microsoft outage paralyzed the operations of companies, airports, and hospitals for several hours. While such serious failures are rare, every medical facility should be ready for the disruption of information systems.

The blue screen of death

When a blue screen appeared on computer screens on Tuesday, July 19, some affected hospitals reported problems accessing electronic patient records. This led to the cancellation of planned treatments and appointments. Even though Microsoft quickly fixed the problem, it disrupted time-critical services, including medical services, bank operations, and flights.

The Blue Screen of Death (BSOD) in the Windows operating system is not uncommon. It can occur due to a hard drive error, the use of outdated system versions, malware, or other issues. The global IT outage demonstrated that even the most prominent IT providers are not immune to system errors. Such a critical issue can also happen to electronic medical records systems. Healthcare facilities should get ready since there are many scenarios where a computer might suddenly fail, such as cyber-attacks, hardware damage, power failures, and more.

As medical facilities increasingly rely on IT systems from various vendors, hospitals and clinics must develop emergency procedures in case of IT failure. Even a few minutes of data inaccessibility can make it impossible to check laboratory test results or diagnostic imaging for a patient scheduled for surgery, leading to chaos and stress.

What should be done in such a situation? Two key elements are essential: a proactive strategy to mitigate the risks and their consequences, and a plan to maintain operational continuity.

Risk management

As in the case of cybersecurity, medical facilities need a proactive plan for IT disruptions. The first step is to prepare a list of critical IT systems and conduct a thorough risk assessment to identify potential disruptions. Based on this assessment, response plans should be developed, empowering IT professionals to be in control of the situation.

Preparing for emergencies begins as early as selecting the right IT vendor. Although a company with an extensive service network might be slightly more expensive, it offers better long-term support. When negotiating and signing a maintenance agreement, it is essential to consider the terms, including customer service response times in case of errors. Experts recommend focusing on critical failures that could halt ongoing operations. More minor issues can typically be resolved by an in-house IT specialist.

Quality service doesn’t come cheap, much like good insurance. It may never be needed, but it provides assurance that the facility is prepared for any eventuality.

Continuity of administrative operations and care

What happens when computers fail? The facility must have a documented plan detailing the steps to take in such situations. While the IT department works to restore software functionality, employees should follow a contingency plan.

This might involve doctors and nurses recording data on paper according to a specific procedure. Some facilities routinely print out a list of patients' appointments for the day as a precaution. If the system fails, receptionists can quickly call patients and reschedule appointments. Additionally, alternative methods of providing care, such as redirecting urgent patients to other providers in the area, should be considered.

The number one rule is to ensure quick access to data archives. Real-time, cloud-based backups are particularly valuable, as they allow continued access to pre-disaster data and the ability to handle critical cases while the system is being restored.

These procedures should not just be written and forgotten but practiced regularly. In business continuity planning, these practices are often called "fuses." They include backups, IT system maintenance agreements, and procedures for handling patients without a running IT system. Everyone should know what to do to avoid chaos during a critical situation. Without these precautions, a medical facility risks patient safety, staff stress, and even legal and financial repercussions.

Vendor management

A strong and trusting partnership with an IT supplier is invaluable not only during a breakdown but also in many other situations: when the facility requires changes to IT system settings, when the health authority requires a new type of report, or when the integration of external applications is needed.

This approach is known as “due diligence.” Instead of focusing solely on the IT system's functionality and regulatory compliance (e.g., GDPR, integration with P1), the healthcare facility should conduct an in-depth analysis of the IT provider. Key questions during this audit might include:

  • What is the IT provider’s capacity for timely system updates?
  • What is the provider’s reputation?
  • Does it have a local service network?
  • What are its financial condition and future business prospects?
  • Is it capable of introducing IT innovations that meet administrative requirements and the needs of patients, employees, and management?

Consider implementing SaaS (Software as a Service) solutions to mitigate risks. Instead of installing a system locally, users log into an application available in the cloud. With no installation required, user errors related to software and hardware conflicts are minimized. If a computer crashes, you can use a tablet or another computer to continue working. However, SaaS won’t protect you from outages like the recent Microsoft outage.

Training and internal readiness

A well-prepared contingency plan can mitigate the adverse effects of even the most severe failures. While such failures may be rare, they cannot be ruled out. For the plan to be effective, employees must be familiar with it. Training sessions can be conducted alongside cybersecurity training since many procedures overlap—the result of a cyberattack or an IT system failure is the same: blocked access to computers and data.

The IT department, which is responsible for the smooth operation of IT infrastructure, must promptly inform employees about disruptions, the time needed to fix the failure, possible workarounds, temporary data recording methods, and more. If the facility offers e-health services, such as online appointment booking or access to test results, messages displayed during service disruptions should be prepared in advance.

Failure also tests a medical facility's digital maturity. A good IT department monitors hardware and software performance and responds quickly when problems arise. Cutting back on IT professionals can be a risky move in the long run.