On August 15, 2023, the Joint Commission issued a Sentinel Event Alert entitled “Preserving patient safety after a cyberattack,” which provides “tips on what organizations can do to prepare to deliver safe patient care in the event of a cyberattack.”

The Alert outlines how cyber-attacks and information system breaches in the health care industry have increased over the past several years. Some cyber-attacks, including ransomware attacks, have been reported to the Joint Commission, which noted that “[s]ome of these events were associated with harm to patients (e.g., delays in care).”

The Alert notes that “all staff-not only IT-must be prepared” for a cyber-attack so the organization can operate during a cyber emergency. In addition to implementing continuity of operations plans and disaster recovery plans, hospitals “must annually evaluate their emergency management program.” The actions suggested by The Joint Commission include:

  1. Prioritize hospital services that must be kept operational and safe for an extended downtime.
  2. Form a downtime planning committee.
  3. Develop downtime plans, procedures, and resources.
  4. Designate response teams.
  5. Train team leaders, teams, and all staff on how to operate during downtimes.
  6. Establish situational awareness with effective communication throughout the organization and with patients and families.
  7. After an attack, regroup, evaluate, and make necessary improvements.

Many of the items suggested by The Joint Commission may be included in an organization’s Incident Response Plan, but specifically planning for downtime and lack of access to systems during an emergency is not always included. Planning for downtime and pivoting during an attack is critical to being able to respond to a cyber emergency and continue to operate and provide patient care. Reviewing existing plans and procedures to specifically address downtime and prioritizing the operational areas that involve critical patient care is necessary to avert delays in patient care in the event of a cyber-attack.