How Would Johns Hopkins Medicine Respond to a Cyber Incident?
In an industry that relies heavily on information technology, including electronic medical records, cyber outages and breaches, such as the cyberattack at MedStar Health last March that led to the shutdown of the health care organization’s IT system, have brought to light an interesting question. How can health care organizations and hospitals operate during an IT outage?
A tabletop exercise was conducted Jan. 24 to determine how Johns Hopkins Medicine would handle a prolonged information technology, telecommunications or cyber outage. The exercise included representatives from various departments from all Johns Hopkins Health System hospitals, the Johns Hopkins University School of Medicine, Johns Hopkins Community Physicians and Johns Hopkins Home Care Group. The exercise was facilitated by Dianne Whyne, CEPAR’s director of operations.
“With electronic systems used to manage virtually all aspects of daily operations at many hospitals and health care organizations, the health care sector is finding itself uniquely vulnerable to system breaches, failures and unplanned downtimes,” Whyne says. “This exercise was a critical test to determine how we would react in such a situation.”
The scenario began with smoke detected in one of the data centers at Mt. Washington, which led to a series of events that caused power to shut down at both data centers for about 48 hours. In the exercise, various software applications and computer-related aspects were not functioning, including Epic and email. The scenario allowed each organization to determine its strengths, areas for improvement, and enhancements to how it communicates, responds and recovers during this major information technology and telecommunications exercise.
“It is essential for every employee to be knowledgeable with what, when and how to activate, implement and maintain downtime and backup procedures to continue patient care responsibilities and services. It is also essential for Johns Hopkins Medicine and each of its organization’s departments and groups, such as information technology, clinical informatics and the incident command center, to know how to coordinate response and recovery procedures during major IT outages, especially extended ones,” says Howard Gwon, senior director of the Johns Hopkins Medicine Office of Emergency Management.
This is the first in a series of exercises designed to inform, define and revise IT outage policies and procedures.