Joint Commission Issues Alert on Patient Safety After a Cyber-Attack

Robinson+Cole Data Privacy + Security Insider

On August 15, 2023, the Joint Commission issued a Sentinel Event Alert entitled “Preserving patient safety after a cyberattack,” which provides “tips on what organizations can do to prepare to deliver safe patient care in the event of a cyberattack.”

The Alert outlines how cyber-attacks and information system breaches in the health care industry have increased over the past several years. Some cyber-attacks, including ransomware attacks, have been reported to the Joint Commission, which noted that “[s]ome of these events were associated with harm to patients (e.g., delays in care).”

The Alert notes that “all staff - not only IT - must be prepared” for a cyber-attack so the organization can operate during a cyber emergency. In addition to implementing continuity of operations plans and disaster recovery plans, hospitals “must annually evaluate their emergency management program.” The actions suggested by The Joint Commission include:

  1. Prioritize hospital services that must be kept operational and safe for an extended downtime.
  2. Form a downtime planning committee.
  3. Develop downtime plans, procedures, and resources.
  4. Designate response teams.
  5. Train team leaders, teams, and all staff on how to operate during downtimes.
  6. Establish situational awareness with effective communication throughout the organization and with patients and families.
  7. After an attack, regroup, evaluate, and make necessary improvements.

Many of the items suggested by The Joint Commission may already be included in an organization’s Incident Response Plan, but specific planning for downtime and for loss of access to systems during an emergency is not always included. Planning for downtime, and for pivoting to downtime procedures during an attack, is critical to responding to a cyber emergency while continuing to operate and provide patient care. Reviewing existing plans and procedures to specifically address downtime, and prioritizing the operational areas that involve critical patient care, is necessary to avert delays in patient care in the event of a cyber-attack.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
