Clinical Continuity Planning

Clinical Continuity is the ability to continue to provide clinical healthcare despite disruptive events or to resume clinical healthcare services as rapidly as possible after a disruptive event. A Clinical Continuity Plan puts various incident response strategies and procedures in writing, is continually updated with improved and tested tactics, can be used for training, and is a critical reference when the systems we rely upon fail (e.g., network, computers, power). 

      **Continuity Planning falls under (and is managed by) the department of Information Technology Services**

      Clinical Continuity Planning

      • Risk Assessment

        Ideally, Clinical Continuity plans will be in place for all risks identified on an institution’s Priority Risk List. That said, cyber attacks against healthcare are unfortunately prevalent these days, so Clinical Continuity planning efforts should focus on this risk if a robust plan is not already in place.

        Cyber-attacks can affect data confidentiality, integrity, and availability. Clinical Continuity planning should address all three categories of effects. 

      • Disaster Recovery Tier List (Software & Applications)

        Information Technology Services (ITS) also manages UTMB's Tier Application List, which shows the order that software and applications will be restored/repaired after a catastrophic outage. For instance, work on restoring EPIC electronic medical record system will be prioritized over STATA statistical program. 

        The tiers are bulleted below. Also included are a few examples of each and the target recovery time (RTO) in red.

        • Persistent - UTMB's most critical communications and infrastructure systems (e.g., Epic, Microsoft Exchange & Teams, Corrigo/Onguard).These applications will be brought back online as soon as possible.
        • Tier 1 - Critical and/or institutionally significant applications and infrastructure systems (e.g., PeopleSoft, Kronos/Payroll, Citrix). RTO of no longer than 3 days.
        • Tier 2 - Systems that impact a significant number of customers, departments, or business processes (e.g., Blackboard, Zoom, Landesk). RTO of 3 days to 2 weeks.
        • Tier 3 - Remaining systems that do not require immediate recovery or that impact a small subset of users (e.g., STATA, Question Pro, Maximo). RTO of more than 2 weeks.

        This list factors in the criticality of each application on UTMB's operations, as well as the time/resources needed to restore each one (including the ITS manpower available to do so).

        It is important for every department to do the following:

        1. Ensure Information Technology Services and Information Security departments know what applications you are using. They can't help you diagnose or fix a problem if they don't know what software you have. If they don't know about your application, it won't be on their Tier List, therefore you'll be waiting weeks at the back of the line in terms of restoration.
        2. Know the disaster recovery tier of the software you use. There may be a discrepancy between how important you think the software is and what ITS deems it. Don't be caught thinking your applications will be restored earlier than they actually are.
      Emergency Graphic

      Planning Resources

      Clinical Continuity Planning

      • Clinical Continuity Plan Development: Key Steps

        Commence Project: High-level executive sponsorship and continued oversight is an essential success factor for the project. The planner should understand the executive’s purpose and goals for the project as well as the requirements for reporting back on project status. A formal project charter may be useful in efficient project completion.

        Convene Project Team: Form a multi-disciplinary planning team that includes physicians, nurses, information services, information security, hospital operations, contingency planning, clinical equipment, and supply chain specialists.

        Complete Risk Assessment: Ultimately the Clinical Continuity plan should address all the institution’s priority risks. For now, the focus will be on cyber attack risks. Attacks can:
        • Cut network and communications access.
        • Cause the institution to shut down access to the Internet and network in order to:
          • Mitigate further damage.
          • Prevent data exfiltration.
        • Damage or prevent connected medical equipment/devices from transferring data and therefore interfere with data storage and documentation. This includes wearable/implantable devices.
        • Affect data confidentiality, integrity, and/or availability.

        Complete the Clinical Impact Analysis: The main purpose of the Clinical Impact Analysis is to identify the most important clinical functions that are heavily dependent on connected medical devices that would be disrupted by a loss of network or a direct attack on the equipment in a cyber-attack.  Typically, the critical clinical functions would include: Radiology/Imaging, Laboratory, Cardiology, Clinical Equipment, Intensive Care, Nuclear Medicine, Neurology, et cetera.

        The list of critical clinical functions will vary by institution, so the main purpose of the clinical impact analysis is to determine the prioritized list of critical functions for that particular institution. Prioritization can be based on an assessment of what loss of that function would have on the ability to continue to provide clinical healthcare services. Each of the critical functions (or departments) identified through the Clinical Impact Analysis will need to develop a Clinical Continuity Plan for their function or department.

        With the guidance and assistance of the planning team, the department will continue the impact analysis by identifying and listing the networked equipment/devices that each function uses. Equipment should be listed in priority order based on criticality, vulnerability, availability of manual backup processes for data transfer and storage, or other criteria set by the planning team. A risk assessment for each piece of critical equipment should be completed. This risk assessment could consider e.g., the age of the equipment, compliance with FDA standards for cyber security, availability of manual processes for data communication and storage, etc.

        External Healthcare Service Contractors/Other External Dependencies: The Clinical Impact Analysis must include any external contractors that provide a critical service (e.g. radiology interpretation). 

        Disaster Recovery Tier List: Information Technology Services maintains a tier list of software and applications used at UTMB. They use this list to prioritize recovery efforts (e.g., Epic EMR will be brought back online before most other software). Some software/applications will have a higher time/resource cost to bring back online than e.g., cloud-based services managed by the vendor.

        1. Ensure Information Technology Services and Information Security departments know what applications you are using. They can't help you diagnose or fix a problem if they don't know what software you are using. If they don't know about your application, it won't be on their Tier List, therefore you'll be waiting weeks at the back of the line in terms of restoration.
        2. Know the disaster recovery tier of the software you use. There may be a discrepancy between how important you think the software is and what ITS deems it. Don't be caught thinking your applications will be restored earlier than they actually are.
      • Develop Incident Response Strategies and Tactics

        Each Critical Function Drafts Their Plan: Each Critical Function Plan should identify the actions they would take for a cyber incident. These plans would build on traditional Downtime Procedures and specifically address how clinical care would continue if there were an attack or shutdown of the network or communications systems. This would include addressing how data might be transferred from a piece of connected medical equipment, e.g., if possible, transferring the data or image via hard media; and how those data could be stored for documentation. The collection of data for documentation should be limited to essential information. Once systems and the network are restored, the plan should address how data collected during the incident will be entered into permanent systems.

        Plans should also address any plans for emergency access to the most recent electronic medical record, e.g. cloud-based backup systems that the institution may have.


        Warning:  Notice/No-Notice Incidents: Information Services and Information Security may detect an intrusion and proactively shut down the network to mitigate risk, and in this case, a notification system could be used to warn departments/critical functions that the system is down. It is possible that an intrusion is not detected until a staff member recognizes the anomalous performance of the equipment that might be a sign of an attack. Plans must address both types of warning.

        Internal / External Communications: The Critical Function Plan should include a Communications Plan that includes key staff, departmental officials, On-Call officials, and external partners and contractors. The Communications Plan should include alternative methods of communication that would be available if VOIP phones are down.

        Identify Dependencies and Interoperability Concerns with Other Critical Functions: The Critical Function Plan should attempt to identify any dependencies with other critical functions within the institution.

        Technology Migration Plan: Advanced planning for Clinical Continuity should also include a Technology Migration plan that would help manage movement away from more vulnerable equipment to more secure equipment meeting the highest cybersecurity standards. Another factor for migrating to another technology would be design features that facilitate data transfer backup procedures e.g. via hard media or other methods.

        Train Staff and Test Critical Function Plans: Each Critical Function should develop training, plan tests and exercises to evaluate the effectiveness of the plan and identify opportunities for improvement. 

      • Develop Institutional Clinical Continuity Plan

        Once each of the Critical Functions identified on the Clinical Impact Analysis have drafted their plans, the project team will need to take an institutional view of the interoperability of those plans.  One technique would be to use several scenarios for moving patients through the system while all critical clinical functions are in downtime – and to assure that the workflows function without creating bottlenecks. Traditional process optimization techniques could be applied; and process flow diagrams for moving patients through the system could be useful.

        Institutional Exercises: Once each of the individual Critical Function Plans have been developed and exercised internally (e.g. Radiology/Imaging tests its plan; Lab tests its plan; Pharmacy tests its plan...), an institutional exercise that incorporates all of the Critical Clinical Functions listed in the Clinical Impact Analysis should be conducted. The exercise should be analyzed and opportunities for plan improvement should be identified. If plan changes are made, the changes should be retested to assure that there is in fact an improvement.

        Supply Chain Controls: Ideally procurement processes would not allow procurement of connected medical equipment or devices that are not tested for cyber vulnerabilities, that do not meet current standards for cybersecurity, and that are not approved for connection to the network by the institution’s Information Services and Information Security officials. Proliferation of devices should be limited to the extent that there is at least one knowledgeable official on staff that maintains knowledge on how to respond to an attack on each specific device.  

      Example and Templates

      Clinical Continuity Planning

      • Nursing Plan for Cyber Incidents:

        Strategies for ongoing monitoring of: Behavior, Activity, Mentation, Oxygenation, Vital Signs, Physical Assessments if cyber threats render documentation systems unavailable, such as:

        • Call in additional staff for acute care areas as appropriate (i.e., takes longer to assess a heart rhythm via stethoscope vs. monitor)
        • Prioritize the most essential aspects of physical assessment and secure equipment (battery or manual mode) appropriate
        • Consolidate patients to provide care needed to as few areas as possible
        • Only monitoring procedures for essential or life-threatening conditions to be provided
        • Consider transferring high-risk patients to alternate location for intense monitoring

        • Strategies for administering medication and blood products:

        • Postpone or reschedule medications or blood administration if possible
        • Utilize available resources on time essential administration
        • Obtain medications from pharmacy on as needed basis
        • Ordering and documentation will switch to paper
        • Use alternate equipment if necessary (i.e., gravity drips for blood instead of pumps)
        • Switch to available alternative medications or blood products
        • Limit to essential use only
        • For pump/syringe needle issues: [1]Change to oral form. [2]Use alternative pump or device. [3]Conserve pump use and battery for essential use only. [4]For lack of qualified staff to administer: Switch staff with another department, Use medication nurse role, Limit to essential medications only, and/or Reschedule for later times.

        • Strategies for administering treatments such as:

        • Physician prescribed (which includes wound care)
        • Respiratory Treatment
        • Suction
        • Range of motion
        • Thermoregulation
        • Postpone and/ or delay treatments, if possible, until services are restored
        • If patient needs are not being met, a decision would be made to transfer to another hospital


          Strategies for critical bedside testing such as:

        • Glucose
        • Activated Clotting Time (ACT)
        • Immediately upon loss of utility or equipment failure, nursing will need to prioritize critical bedside testing for each patient and secure equipment (manual or battery mode) necessary for testing.
        • Contact other department, if necessary, to assist (i.e., Respiratory Care Services or Department of Pathology)
        • Send to lab or ABG lab
        • Reschedule test if appropriate
        • Consult with physician if any difficulty arises whereby any critical test cannot be obtained for any reason
        • Consider transferring patients to alternate locations


          Strategies for internal hospital communications:

        • Loss of Computer System would require appropriate forms for orders, labs, documentation etc.
        • MAR will be printed centrally and delivered to each unit
        • Ordering and documentation will switch to paper
        • Instruct staff to utilize existing downtime processes for the systems impacted until normal operations resume
        • Loss of Telephones would require use of AMCOM SmartWeb (paging system) when possible
        • Give patients the telephone number of nurses station and patients can phone for assistance
        • Assign individual to make rounds consistently
        • For high-risk patients place staff at “pods” and visually determine if patient has any requirements or needs
        • Request patient and family to remain on unit until interruption is resolved
        • Start preparations if this short-term outage turns into a long duration
        • If interruptions are limited to one or a few areas, transfer patients to area not affected
        • May need to call in staff if long term or move from other areas


      • Clinical Impact Analysis (TEMPLATE)
        • Executive Sponsor:
        • Continuity Planner:
        • Planning Team Members:
        • Prioritized List of Critical Clinical Functions (Across the Institution)
        • List of Critical External Clinical Service Providers (e.g. radiology interpretation)
        • Back up Systems in Place for EMR access (e.g. Cloud Based) 
      • Clinical Function Plan (TEMPLATE)
        • Name of Critical Clinical Function (e.g. Radiology/Imaging)
        • Planner:
        • Team Members: (Including Physicians)
        • Prioritized List Critical Connected Equipment/Devices
        • Risk Assessment for each piece of equipment or device
        • Incident Response Plan for loss of connectivity
        • Incident Response Plan for attack on specific equipment
        • Communications Plan (Internal and External)
        • Dependencies or Interoperability Issues with other Critical Clinical Functions
        • Technology Migration Plans (appropriate to clinical continuity)
        • Initial Training Completed
        • Initial Exercise Completed / Plan Improvement 
      • Downtime Considerations (Samples)

        When an outage is identified, contact 2-4040 (Sodexo), 2-5200 (Information Technology Services), supervisors, managers, directors, COA and/or AOC as appropriate depending on the situation and type of outage. 

        Determine ability to access computers/Epic, pharmacy, supplies, doors, phones, and other technologies. If normal access is blocked, resort to manual or backup options (e.g., downtime computers; physical key instead of badge access for locks). 

        Identify downtime roles for staff, such as runners, forms, communications, documentations, and et cetera. Redeploy staff as needed.

        Assess patients to determine which visits cannot be completed without Epic (potentially procedure areas et c.). Contact patients as able. Move incoming phone lines to a voice mail announcement for instructions (work with I.S.). 

        Update signage as appropriate for patient communication.

        Make sure all downtime forms are available, up to date, and you have multiple copies on hand. Ensure you have a way to print more forms as needed (depending on the length of the outage). Ensure forms are stored appropriately so that they can be entered into Epic post-incident. 

        Examples of Downtime Forms include:

        • Lab Slips – Lab order form (obtain from lab)
        • Progress Note for providers 9035
        • Nurse Notes 5300
        • Med admin form 5681
        • Prescription pad – ordered through DEA
        • Assignment of Benefits 8100
        • Consent for Diagnosis & Treatment 5009
        • Acknowledgement Of Patient Financial Policy 8142
        • Consent for Immunizations 8113
        • Authorization for Third Party Payor
        • Paper receipts/ down time forms – Order via special purchaser
        • Notice of Billing Practices for Traditional Medicare Part B Patients 8106 & Letter to Patient
        • No-Show/Missed Appointment Policy 8141 & Letter to Patient
        • Privacy Practices 7079
        • Voluntary Research 8098
        • ImmTrac Adult F11
        • ImmTrac Pedi C-7

      Additional Resources

      The US Food and Drug Administration provides several planning and training resources regarding cybersecurity for healthcare providers. This page provides video training on “Tips for Healthcare Facilities: Cybersecurity Incident Preparedness and Response”; news and updates; guidance; and white papers.

      Good Sample/Guidelines from the Department of Clinical Research Informatics (DCRI) Clinical Center, NIH - Downtime Policy and Procedure for Unavailability of Electronic Clinical Systems.