Three Ways the SAFER Guides Can Help Protect Against Cyber Attacks

For health care leaders across the country, enhancing security and ensuring the safe use of digital systems remain top of mind. To promote the safe adoption and use of certified electronic health records (“EHR”) and health information technology, the Centers for Medicare & Medicaid Services (“CMS”) announced that health care systems attest annually to their completion of the SAFER Guides.  

The SAFER Guides break down recommended practices into three domains: Safe Health IT, Using Health IT Safely, and Monitoring Safety. The recommended practices within these domains include guidelines for maintaining system security and recommendations for business continuity during downtimes. 

A recent cyberattack caused an electronic medical record (“EMR”) system outage for Prospect Medical Holdings, a large health care network, which impacted 16 hospitals and 165 other clinics and disrupted patient care for weeks. Hospitals and clinics had to resort to using paper records and couldn’t provide patients with certain services such as diagnostic imaging and laboratory testing. 

With cases like this, it’s imperative that health care organizations have processes and measures in place to prepare for, quickly recognize and immediately respond to a cyber-security crisis that may result in a prolonged system downtime. Taking a proactive security approach is critical to preventing data breaches that can impact patient care. Consider using the SAFER Guides as a layered security framework based on industry-leading practices to improve and maintain a strong security posture.  

Here are three ways the SAFER Guides can help hospitals proactively mitigate and respond to cyberattacks and other downtime events.   

Reduce Susceptibility to Being Hacked 

To prevent cyberattacks, or any sort of unplanned downtime, proactive implementation and testing of security measures are the first line of defense. 

Throughout four of the SAFER Guides, health care leaders will find more than 15 recommended practices with multiple corresponding controls focused on the right processes and optimizations to recognize cyberattacks or even prevent them from happening. Here are a few specific controls within the CMS’s guides that help improve security against cyberattacks.  

The System Configuration SAFER Guide outlines practices for setting up an EHR system to support digital safety. Health care leaders can leverage these checkpoints during the setup of their systems to proactively reduce their risk of becoming cyber-attack victims. Additionally, these practices can help hospitals and different systems speak and connect with each other to reduce the risk of cyberattacks.  

• For example, Recommended Practice 1.2: Established and up-to-date versions of operating systems, virus and malware protection software, application software, and interface protocols are used. 

Furthermore, the Contingency Planning SAFER Guide recommends safety practices that can aid organizations in preventing and preparing for “EHR unavailability.” Some examples of how the guide can help health care leaders include: 

• Recommended Practice 1.1: Hardware that runs applications critical to the organization’s operation is duplicated.
• Recommended Practice 2.5: Users are trained on ransomware prevention strategies including how to identify malicious emails.  
• Recommended Practice 3.1: There is a comprehensive testing and monitoring strategy in place to prevent and manage EHR downtime events. 

Minimize Disruption of Ongoing Operations 

In health care, where time is of the essence, seconds can affect the delivery of safe care to a patient. If an organization does experience a downtime due to a cyberattack, it is critical that the organization quickly address the cause of the issue and begin measures to fix it, all while simultaneously continuing the delivery of health services across the continuum of care. 

The Contingency Planning SAFER Guide provides checks for ensuring that when disaster does strike, health care organizations can be properly prepared for any sort of downtime, whether it’s due to a natural disaster or cyberattack.  

For example, Recommended Practice 1.4 states that all mission-critical patient data and software application configurations are routinely backed up.  

Here are additional recommended practices from each domain area of the Contingency Planning SAFER Guide that health leaders can use to ensure critical care is still delivered if/when a system is compromised.  

• Recommended Practice 1.3: Paper forms are available to replace key EHR functions during downtimes.  
• Recommended Practice 1.5: Policies and procedures are in place to ensure accurate patient identification when preparing for, during and after downtimes.  
• Recommended Practice 2.1: Staff are trained and tested on downtime and recovery procedures.  
• Recommended Practice 2.2: A communication strategy that does not rely on the computing infrastructure exists for downtime and recovery periods.
• Recommended Practice 3.1: There is a comprehensive testing and monitoring strategy in place to prevent and manage EHR downtime events.  
• Recommended Practice 3.3: Review unexpected extended system downtimes greater than 24 hours using root-cause analysis or similar approaches.

Recover Stronger for the Future

In addition to helping organizations implement measures to ensure a safe and secure EHR, and offering guidance on what procedures should be maintained, the SAFER Guides provide organizations with various recommended practices that advise on actions organizations can take in the recovery after downtime. 

For example, the Patient Identification Guide, which outlines processes and systems related to patient identification, offers unique recommendations to recoup after experiencing a system outage or compromise. 

• Recommended Practice 2.3: The organization has a process to assign a “temporary” unique patient ID (which is later merged into a permanent ID) if either the patient registration system is unavailable, or the patient is not able to provide the required information.  

Preventing costly cyberattacks and the subsequent patient safety risks due to system downtime starts with having a robust and reliable plan. The SAFER Guides self-assessment, when done correctly, provides health care leaders with the building blocks to protect their health systems and, most importantly, their patients.