Clinicians have a love-hate relationship with electronic health records (EHRs). For how much they seem to be the bane of their existence, the practicality of having records accessible to all care team members at the same time promotes healthier outcomes, improves patient safety, and ultimately generates increased revenue due to timely billing, workflow efficiencies, and reduced staff burden.
Historically paper charts moved step by step with the patient, so if the patient was not with you, nor were their records. If another care team member had the chart when you needed it, all momentum would stop until the last person holding that chart was ready to pass it along. This highly manual and inefficient process had a negative impact on patient engagement. Patients had no real- or near-time access to their health information and their input was not highly promoted, reducing their involvement in making informed medical decisions.
Like EHRs or not, their advantage over paper charts has made them a cornerstone of healthcare today. When all members of a care team can simultaneously access a patient record care coordination moves faster and the chance for duplication of efforts and orders is decreased. Further enhancing these benefits are the integration and interoperability capabilities offered by EHRs that connect patients and their data with extended care teams and the patients themselves.
Though EHRs have significantly transformed aspects of healthcare, they are not flawless. The implementation of an EHR is one of the largest investments a healthcare organization will encounter, and EHRs carry security risks that far exceed the loss of a single paper chart in a basement break room. Cyberattacks, data breaches, and staff vulnerabilities are operational realities that must be protected against at all times and, on average, occur two times per day in the U.S.
Patient data is highly sensitive and incredibly valuable, making it a prime target for cyber criminals. But what happens when your patient data becomes the target and your organization is suddenly dealing with a data breach?
First, there is organization-wide confusion, like when the power suddenly goes out, yet all the lights are still on. Rapid waves of disbelief follow as staff struggle to comprehend that the critical information they need to care for the patient in front of them is suddenly inaccessible. For organizations fortunate enough not to have their phone systems simultaneously compromised, countless frantic calls to managers, IT support, the EHR vendor, ancillary vendors, other local healthcare organizations, and key decision-makers take place. And this is only the first hour.
As IT becomes more involved, systems are intentionally taken offline to protect what has not yet been compromised and to salvage what can be recovered. Decisions about how to manage patients already in the building, and how to communicate with those who have not yet arrived, are made in real time, while teams of now-emotional staff hold in-person and remote conversations with patients whose care is immediately disrupted. They are told that because the system is down, providers cannot safely conduct a proper visit, and appointments must be rescheduled. And this is only a few hours into what could last days or even weeks.
Depending on patient volume and system resilience, the estimated cost of downtime from a cybersecurity event for small- to medium-sized healthcare organizations can range from hundreds of dollars per hour to tens of thousands of dollars per minute. Beyond immediate patient safety concerns, lost revenue from canceled appointments, disrupted staff productivity, billing delays, and potential fines quickly demand leadership attention. These financial consequences alone can be devastating, before even considering the time and cost required for recovery.
When IT teams and staff are unprepared for system downtime, critical operations may be unnecessarily halted and essential business functions severely compromised. Healthcare leadership must recognize that experiencing a security incident capable of disrupting systems is not a matter of if, but when, and prioritize measures that lessen the impact of such events.
Beyond effective defensive security tactics, healthcare organizations must establish downtime procedures and recovery mechanisms, and practice them, to keep patient care flowing. Having strong tools and capable teams does little good if the scope of downtime is not understood, responsibilities are undefined, and efforts are uncoordinated. Planning and rehearsal build awareness, reduce staff anxiety, and sometimes, even if only briefly, bring back paper charting.
Danielle Morrison
Danielle Morrison is the National Practice Manager for Healthcare IT Services atAll Covered, bringing over 30 years of expertise in healthcare and information technology. As a registered nurse with informatics and IT experience Danielle has played a pivotal role in implementing and integrating technology solutions that optimize clinical and financial outcomes for healthcare organizations. Her extensive background fuels her commitment to advancing healthcare delivery through innovative technology solutions and strategies.
