Commence Project: High-level executive sponsorship and continued oversight is an essential success factor for the project. The planner should understand the executive’s purpose and goals for the project as well as the requirements
for reporting back on project status. A formal project charter may be useful in efficient project completion.
Convene Project Team: Form a multi-disciplinary planning team that includes physicians, nurses, information services, information security, hospital operations, contingency planning, clinical equipment, and supply chain specialists. Complete Risk Assessment:
Ultimately the Clinical Continuity plan should address all the institution’s priority risks. For now, the focus will be on cyber attack risks. Attacks can:
- Cut network and communications access.
- Cause the institution to shut down access to the Internet and network in order to:
- Mitigate further damage.
- Prevent data exfiltration.
- Damage or prevent connected medical equipment/devices from transferring data and therefore interfere with data storage and documentation. This includes wearable/implantable devices.
- Affect data confidentiality, integrity, and/or availability.
Complete the Clinical Impact Analysis: The main purpose of the
Clinical Impact Analysis is to identify the most important clinical functions that are heavily dependent on connected medical devices that would be disrupted by a loss of network or a direct attack on the equipment in a cyber-attack.
Typically, the critical clinical functions would include: Radiology/Imaging, Laboratory, Cardiology, Clinical Equipment, Intensive Care, Nuclear Medicine, Neurology, et cetera.
The list of critical clinical functions will vary
by institution, so the main purpose of the clinical impact analysis is to determine the prioritized list of critical functions for that particular institution. Prioritization can be based on an assessment of what loss of that function would have on
the ability to continue to provide clinical healthcare services. Each of the critical functions (or departments) identified through the Clinical Impact Analysis will need to develop a Clinical Continuity Plan for their function or department.
With the guidance and assistance of the planning team, the department will continue the impact analysis by identifying and listing the networked equipment/devices that each function uses. Equipment should be listed in priority order based on criticality,
vulnerability, availability of manual backup processes for data transfer and storage, or other criteria set by the planning team. A risk assessment for each piece of critical equipment should be completed. This risk assessment could consider e.g.,
the age of the equipment, compliance with FDA standards for cyber security, availability of manual processes for data communication and storage, etc.
External Healthcare Service Contractors/Other External Dependencies: The Clinical Impact Analysis must include any external contractors that provide a critical service (e.g. radiology interpretation).
Disaster Recovery Tier List: Information Technology Services maintains a tier list of software and applications used at UTMB. They use this list to prioritize recovery efforts (e.g., Epic EMR will be brought back online before most other software). Some software/applications will have a higher time/resource cost to bring back online than e.g., cloud-based services managed by the vendor.
- Ensure Information Technology Services and Information Security departments know what applications you are using. They can't help you diagnose or fix a problem if they don't know what software you are using. If they don't know about your application, it won't be on their Tier List, therefore you'll be waiting weeks at the back of the line in terms of restoration.
- Know the disaster recovery tier of the software you use. There may be a discrepancy between how important you think the software is and what ITS deems it. Don't be caught thinking your applications will be restored earlier than they actually are.