Cyberattacks are at an all-time high, with health care consistently in the top five industries targeted by cyber criminals. Health records continue to be a valuable commodity and total health care data breaches rose by greater than 55% in 2020. Because health system pharmacies rely heavily on networks, software and electronic processes, they have wide exposure to these cyber intrusions.
In our last blog, we outlined the five steps pharmacy leaders can take to prepare and protect against cyber intrusions and limit the impact when they occur. Now that you’ve raised awareness, built in redundancies, understand the current workflow, have a seat at the planning and recovery tables and have leveraged workers’ knowledge of paper systems, it’s time to prepare a pharmacy downtime plan (while computers are off-line) should a cyber intrusion event occur at your organization.
Why have a downtime plan
While health systems in areas of significant risk of natural disasters (e.g., hurricanes, wildfires, tornados) generally have robust downtime procedures, even these may not be adequate for cyber-related downtimes which often have repercussions for several weeks.
One industry report found that downtime from ransomware-associated events has increased to an average of 21 days. This type of downtime can be the costliest part of a cyber-attack and having a plan can help mitigate that risk and support the continuity of quality patient care through uninterrupted medication services. Begin your plan by evaluating your risk.
Start your plan by considering how the pharmacy and health system would be impacted during a downtime that lasted several days or weeks. Create a list of all software applications used by the pharmacy and the operations they support. Assess each system’s operational risks and challenges that would result from downtime intervals beyond 24 hours and begin to plan how the pharmacy would provide service without those systems.
For example, downtime likely means that you cannot print paper medication administration records and order sets and medication labels. Do your physicians and nurses know how to write a medication order that is clear, complete and meets regulatory requirements? Do your nurses know how to utilize a paper medication administration records? Can your clinical pharmacy staff identify and monitor their patients? What are your options for downtime label generation if networked printers are down?
Consider if the sterile product preparation and IV room workflow software was down. Do you have resources and procedures available for the manual documentation of sterile compounding? Would your IV production formulas be available? What is the process with nursing and pharmacy staff to ensure critical infusions are available when needed?
Determine how the loss of clinical functionality would be handled. Without an electronic health record or pharmacy system, pharmacists may have to complete manual allergy, drug-drug and drug-disease interaction reviews. Do you have up-to-date print references available to support these functions? You may need to prioritize high risk medications for review.
Think beyond the acute care setting to ensure all areas supported by pharmacy have the tools and resources to support compounding during a down time. How are requests for pharmacokinetic and renal monitoring managed during a down time? How are orders communicated?
Providers and newer nurses may have never been trained in a paper environment; and even when trained, may not have worked with those systems to the point of proficiency. Consider developing on-demand training for nurses and providers, such as how to write an order or outpatient prescription, how to write a progress note or history and physical, and how to chart on a paper medication administration records. Vizient Pharmacy Advisory Services has developed resources to assist your organization in preparing for cyber-attack and extended downtime events. Our Pharmacy Cyber Intrusion Preparedness Toolkit can help you begin to assess your pharmacy’s readiness for prolonged downtime due to cyber or natural disaster. It provides a brief checklist of key system areas of vulnerability with notes to help you evaluate your operational readiness. We also have developed additional resources and reference tools related to paper forms, labels, and manual processes. Feel free to reach out us for this information or if we can assist you in preparing for a cyber incident.
About the authors:
Beth Weisz Riead, PharmD BCPS MHA, is a pharmacy executive director within the consulting division of Vizient Pharmacy Solutions. Beth has more than 15 years of pharmacy clinical and operations experience with focus in areas such as critical care, formulary management, disaster preparedness, diversion program management, medication safety and antimicrobial stewardship.
Gretchen Brummel, PharmD, BCPS is a pharmacy executive director at Vizient and provides support to the Center for Pharmacy Practice Excellence team bringing more than 25 years of experience in health care. Gretchen’s areas of expertise include clinical pharmacy services, pediatric pharmacotherapy, medication quality and safety, disaster preparedness and response, medication cost avoidance strategies, drug shortage and formulary management, medication use policy, clinical research and pharmacy informatics with a focus on pediatrics.
Randy Gerwitz, RPh, is a pharmacy senior consulting solutions director within Vizient Pharmacy Solutions. Randy brings more than 31 years of health care industry experience in the areas of regulatory compliance, formulary management, automation, 340B, investigational drug services, diversion detection, clinical services, disaster recovery and new service development.