
Keeping Your Clinical Documentation Safe, Secure and Accessible: a Business Continuity Checklist For The New Now

In June 2017 the massive NotPetya cyberattack crippled clinical documentation systems worldwide, resulting in weeks of dictation and transcription outages for healthcare provider organizations and $98 million in lost revenue for Nuance.

The company quickly remediated the situation by offering customers temporary access to its other clinical documentation technologies. But the disruption for end users, including physicians, was massive.

Since then there have been numerous direct ransomware and malware attacks on hospitals and health systems. Attacks perpetuate disruption, hinder access to clinical documentation, and increase risk to care.  

Business continuity strategies to combat these attacks, though advanced compared to past practice, remain an ever-evolving commitment. And with every step forward, bad actors and cybersecurity threats keep pace. For example, hacking incidents in healthcare rose by 42 percent in 2020 and the total number of patient records breached by hacking has surged according to a recent survey by Protenus, a Baltimore-based healthcare analytics company. 

Lyndon B. Johnson once said, “No experience is a bad experience unless you gain nothing from it.” Since the event, Nuance’s clinical documentation services business line has invested heavily and worked tirelessly to ensure the safety and resilience of its systems—and the satisfaction of physician users. On March 1, 2021, DeliverHealth was created as the spin-out of Nuance’s HIM business. DeliverHealth carries forward the mission to ensure safe, secure and accessible clinical documentation, and continues to build upon it through education, support and industry guidance. Our guiding principles include:

  • Develop business associate (BA) business continuity and disaster recovery processes, procedures, and protocols to ensure system and service resilience.
  • Implement protective technology to manage whatever comes your way, including multi-tenant cloud computing, Azure-hosted security (or equal accountability), redundancy, active-active failover, regular third-party access monitoring, and failover drills on production systems.

Now is the time to check your dictation, transcription, scribing, EHR, and other clinical documentation systems before the next cyberattack threatens your health system’s PHI.

Protecting your clinical documentation systems is not a once-and-done action. It’s an ongoing marathon against cyberattacks for your BAs and internal IT teams.

As such, every clinical documentation solution should deliver the following modernized capabilities to provide the resilience needed to maintain your business continuity.

Modernizing Your Clinical Documentation Systems 

During the Office of the National Coordinator (ONC) annual meeting in March 2021, the need for data modernization was cited as the best path forward to meet U.S. health challenges. Clinical documentation systems are no exception to this important initiative.

Modernized clinical documentation systems include built-in technology protections to detect hacks, provide active-active failover capabilities, and eliminate business continuity risks. Testing mechanisms and “fire drill” disaster recovery plans with trusted BAs are incorporated into service agreements. Your internal IT team runs business continuity drills all the time—and so should your vendor partners. Demonstrating resilience is a two-way street.

While some upfront work is required of hospital IT departments, it is in their best interests to modernize clinical documentation systems. These system vendors should do the heavy lifting when it comes to training, conversion, privacy, security, redundancy leading to resilience, and failover testing. New capabilities are baked into modern systems to reduce long-term cost, time, and resource demands. They serve as best-practice hallmarks for business continuity and disaster recovery.

Six-Point Checklist for Clinical Documentation Safety: Inspect What You Expect

When considering a modernized clinical documentation partner, there are six specific checklist items to evaluate. These six criteria work together to protect data against disruption and ensure consistent access to your systems.

  1. Cloud computing: Cloud-based computing is the first step to ensure high availability, redundancy, and resilience of your clinical documentation systems and data. With a cloud solution, the vendor is responsible for the clinical documentation platform—not your overburdened IT team. Systems are managed in real time and all data is encrypted using current standards. Facilities are SOC 2, SOC 3, and HIPAA compliant, and offer tier 3+ security (armed guards and bioscan for entry).
  2. Azure-hosted security center: Azure is Microsoft’s cloud computing service division. While many vendors use Azure, it is important to make sure your clinical documentation partner uses the platform’s full potential. And while Azure isn’t the only approach, vendors should at least meet its level and standard. For example, all systems should be monitored continuously through real-time dashboards, so that any security gaps or irregular traffic can be flagged and mitigation advice provided. Samples of Azure status reports are available here: https://status.azure.com/en-us/status/history/.
  3. Redundancy through multiple data centers: Clinical documentation must be available to physicians 24/7/365. Interruptions are not acceptable. Uptime is essential to patient care, physician satisfaction, and downstream revenue cycle processes. Data centers located in multiple geographic regions protect uptime and replicate data to ensure full redundancy and business continuity.
  4. Recovery objectives: When an outage does occur, the focus shifts from redundancy to system and data recovery, governed by the recovery time objective (RTO) and recovery point objective (RPO) commitments made by the BA. Ask your vendors about their RTO and RPO performance. RTO is the maximum time allowed to restore the core systems that a disaster recovery strategy depends on. RPO describes the maximum acceptable data loss, expressed as the time between the last good copy of the data and the outage, and it informs the backup strategy. For clinical documentation systems, RTO and RPO should be measured in minutes, not hours.
  5. Active-active failover: Failover is the foundation to business continuity. Active-active failover is paramount to acceptable RTO and RPO. Technically, active-active is a high availability (HA) clustering configuration whereby at least two nodes actively run the same system or application simultaneously. This serves to support more effective load balancing to improve throughput and response times. Best practice is to perform failover tests in production regularly. Your partners should be able to perform these tests at any time upon your request, or at the time you review all BA business continuity plans.
  6. Redeployment: Compromised systems must be redeployed quickly. Servers, cloud-native resources, and networks should be rebuilt in minutes, not hours. Infrastructure as code and infrastructure release pipelines are critical to this.
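As an added illustration (not DeliverHealth’s or Nuance’s code), here is how an internal IT team might measure RTO and RPO from a vendor’s failover-drill log and check them against the minute-level commitments in the BA agreement. The log format, event names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed failover-drill log (UTC). Each line: timestamp, event, optional key=value fields.
# "replicated" lines are heartbeats from the secondary region reporting the newest commit it holds.
DRILL_LOG = """\
2021-03-15T02:00:00 replicated last_commit=2021-03-15T01:58:30
2021-03-15T02:03:10 replicated last_commit=2021-03-15T02:02:55
2021-03-15T02:04:00 outage primary_region=east
2021-03-15T02:05:30 failover_started
2021-03-15T02:09:45 service_restored region=west
"""


def measure_drill(log: str):
    """Return (rto, rpo) as timedeltas derived from a drill log."""
    last_commit = outage = restored = None
    for line in log.splitlines():
        ts_str, event, *fields = line.split()
        ts = datetime.fromisoformat(ts_str)
        kv = dict(f.split("=", 1) for f in fields)
        if event == "replicated" and outage is None:
            # Only replication that completed before the outage counts toward RPO.
            last_commit = datetime.fromisoformat(kv["last_commit"])
        elif event == "outage":
            outage = ts
        elif event == "service_restored":
            restored = ts
    if outage is None or restored is None or last_commit is None:
        raise ValueError("drill log incomplete: need replicated, outage and service_restored events")
    rto = restored - outage        # downtime as seen by physicians
    rpo = outage - last_commit     # window of work that was never replicated
    return rto, rpo


def check_commitments(rto, rpo, rto_max_minutes: int, rpo_max_minutes: int) -> dict:
    """Compare measured values against the BA's committed objectives (in minutes)."""
    return {
        "rto_met": rto <= timedelta(minutes=rto_max_minutes),
        "rpo_met": rpo <= timedelta(minutes=rpo_max_minutes),
    }


if __name__ == "__main__":
    rto, rpo = measure_drill(DRILL_LOG)
    print(f"RTO={rto} RPO={rpo}", check_commitments(rto, rpo, 15, 5))
```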

Staying Safe, Secure, and Accessible Means Staying Ahead

Threats against your clinical documentation systems are ever present. If something disrupts these systems, your vendor must have proper resilience to recover. And you have an obligation to ensure your BAs can deliver this level of resilience. Patient data, system uptime, physician satisfaction, and revenue cycle are all at stake.

Keeping your clinical documentation safe means your organization stays on the path to proper reimbursement and uninterrupted patient care. For more information, download DeliverHealth’s latest infographic on clinical documentation resilience here.

AUTHOR

Klas Andreasson

Director, Product Management
