Boston CIOs Share Lessons Learned
Bombings Highlight Need for Business Continuity Plan Scrutiny
Last week's Boston Marathon bombings and the subsequent city lock-down during the manhunt for a suspect have Boston area hospital CIOs John Halamka and Jim Noga scrutinizing their business continuity planning.
The tragedy offers a clear reminder that risk assessment and mitigation are ever-evolving, and that the ability to communicate with staff during times of crisis is vital, the CIOs say. In addition, patient privacy protection efforts need to be amped up in the wake of a disaster, they note.
"Risk planning is forever altered," writes Halamka, CIO of Beth Israel Deaconess Medical Center, in his Life as a Healthcare CIO blog.
The medical center was one of several Boston area hospitals that cared for dozens of bombing victims. It also treated the two suspects accused of setting off the bombs.
Noga, CIO at Partners Healthcare, notes in an e-mail interview with HealthcareInfoSecurity: "Most important is that communications channels stay open, whether that be telephone, e-mail or pager. Keeping communications channels open is most important during a crisis."
Noga explains Partners monitored the performance of its communications channels the day of the bombings. "We were grateful that our code teams' pagers and patient care critical pagers are traditional pagers, as the cellular networks in the Boston area were overwhelmed. Seconds save lives," he says.
Partners Healthcare operates several Boston area hospitals, including Massachusetts General and Brigham and Women's, which both treated patients wounded in the bombings.
"From a tactical perspective, the tragedy that occurred at the Boston Marathon and its aftermath reinforced the importance of having a planned approach to emergency preparedness and business continuity planning," Noga says. "Going into a major event of this type, it is necessary to ensure the stability and availability of systems and focus on steady state, rather than change, to make sure the necessary IT resources are available to the clinical and operational teams."
The marathon bombings also highlight the importance of paying attention to IT staffing levels at all times.
At the time of the blast, seven of Beth Israel Deaconess' IT staff members were volunteering in or near the medical tent at the marathon finish line, a few feet from the explosions, Halamka says. They were among the first responders assisting the injured. "All my staff was safe and unharmed, but given their proximity to the bombs, the outcome could have been devastating," he says.
With this in mind, the medical center's disaster planning will take more into account the expertise of individual staff members who are available on any given day, Halamka says. That means, for example, reconsidering whether multiple members of a database administration team would be allowed to volunteer at the marathon or another event.
HIPAA Under Stress
The older brother accused of the bombing was brought to Beth Israel Deaconess after a shootout with police, but was quickly pronounced dead. Later, the younger brother was captured and also brought to the medical center, where he continues to be treated for serious gunshot wounds.
With intense international media attention focused on the injured suspect, along with curiosity about the bombing victims, Halamka says the organization refreshed its privacy reminders to staff. Plus, it's relying on technology to keep tabs on unauthorized record snooping.
"We capture every lookup in real time and perform many analytics to ensure patient privacy preferences are respected," Halamka says. Nonetheless, the events show that, moving ahead, there may be a need for "novel audit workflows," he adds.
"Might there be new workflows required in the future, such that appropriate individuals are paged/notified within seconds after an [unauthorized record] lookup occurs?" asks Halamka about the possibility of tweaking auditing. "In an emergency/mass casualty disaster, how can we balance the need for increased security/privacy and appropriate access with real-time auditing alerts?"
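The real-time lookup audit and within-seconds paging that Halamka describes above can be sketched as a small stream processor. The following is an added example, not BIDMC's or Partners' tooling: it assumes a constructed JSON-lines access log, hypothetical care-team assignments, a hypothetical "elevated scrutiny" patient list, and an illustrative burst threshold. Emergency (break-glass) access is not blocked, which is the balance Halamka asks about; it is allowed and queued for retrospective review, while lookups of patients under elevated scrutiny and repeated lookups with no treatment relationship are escalated to an immediate page.

```python
"""Near-real-time audit of medical-record lookups (constructed example).

Assumed log format: one JSON object per line with fields
ts, user, role, patient, action and an optional reason. Nothing here is
a hospital's actual tooling; rule names and thresholds are illustrative.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed care-team assignments: patient -> users treating that patient.
CARE_TEAMS = {
    "P1001": {"dr_ahmed", "rn_lopez"},
    "P1002": {"dr_chen"},
}

# Hypothetical list of patients under elevated scrutiny (e.g. intense media
# interest). Any lookup, authorized or not, is paged to the privacy officer.
ELEVATED_SCRUTINY = {"P1001"}

# Hypothetical roles allowed to use the break-glass (emergency override) workflow.
BREAK_GLASS_ROLES = {"physician", "nurse"}

# Illustrative threshold: a user opening this many charts with no care
# relationship is paged immediately instead of queued for daily review.
SNOOP_BURST_THRESHOLD = 3


@dataclass
class Alert:
    severity: str   # "page" (notify within seconds) or "review" (audit queue)
    user: str
    patient: str
    rule: str


class LookupAuditor:
    def __init__(self, care_teams, elevated, break_glass_roles, burst=SNOOP_BURST_THRESHOLD):
        self.care_teams = care_teams
        self.elevated = elevated
        self.break_glass_roles = break_glass_roles
        self.burst = burst
        self.unrelated_counts = defaultdict(int)   # per-user count of unrelated lookups

    def evaluate(self, event):
        """Apply the rule set to one lookup event and return the alerts it raises."""
        alerts = []
        user, patient, role = event["user"], event["patient"], event.get("role", "")
        has_relationship = user in self.care_teams.get(patient, set())
        break_glass = event.get("reason") == "break_glass"

        if patient in self.elevated:
            # Increased attention, not blocking: the lookup proceeds, but the
            # privacy officer hears about it right away.
            alerts.append(Alert("page", user, patient, "elevated_scrutiny_lookup"))

        if not has_relationship:
            if break_glass and role in self.break_glass_roles:
                # Emergency access is allowed and queued for retrospective review.
                alerts.append(Alert("review", user, patient, "break_glass_access"))
            else:
                self.unrelated_counts[user] += 1
                sev = "page" if self.unrelated_counts[user] >= self.burst else "review"
                alerts.append(Alert(sev, user, patient, "no_treatment_relationship"))
        return alerts

    def process(self, lines):
        """Consume log lines in order; malformed lines are skipped, never fatal."""
        alerts = []
        for line in lines:
            line = line.strip()
            if not line:
                continue
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                continue
            alerts.extend(self.evaluate(event))
        return alerts


# Constructed sample log lines (not real access records).
SAMPLE_LOG = """
{"ts": "2013-04-19T10:00:01", "user": "dr_ahmed", "role": "physician", "patient": "P1001", "action": "view"}
{"ts": "2013-04-19T10:00:05", "user": "clerk_b", "role": "clerk", "patient": "P1001", "action": "view"}
{"ts": "2013-04-19T10:01:00", "user": "dr_chen", "role": "physician", "patient": "P1001", "action": "view", "reason": "break_glass"}
{"ts": "2013-04-19T10:02:00", "user": "clerk_b", "role": "clerk", "patient": "P1002", "action": "view"}
{"ts": "2013-04-19T10:03:00", "user": "clerk_b", "role": "clerk", "patient": "P1003", "action": "view"}
not json
"""


def run_sample():
    """Run the auditor over the constructed log and return the alerts raised."""
    auditor = LookupAuditor(CARE_TEAMS, ELEVATED_SCRUTINY, BREAK_GLASS_ROLES)
    return auditor.process(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.user} -> {a.patient}: {a.rule}")
```

On the sample log, the treating physician's lookup of the elevated-scrutiny patient still pages the privacy officer, the break-glass access by a physician is logged for review rather than paged, and the clerk's third unrelated chart open crosses the burst threshold and is escalated to a page. The design point is that the detection layer never blocks access during a mass-casualty event; it changes how quickly a human sees it.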
The medical center placed the following message at the top of its intranet for every staff member to see on every page:
"Urgent Reminder for All BIDMC Staff About Patient Privacy. Staff must completely protect patient privacy according to federal HIPAA regulations and BIDMC's own privacy policies. That means:
- No sharing of any patient information through e-mail, Twitter, Facebook, Flickr or other photo sites, any other social media, phone calls or conversations - or any other way.
- Do not look at, or access by computer, medical records or other protected health information (PHI) or personal information (PI) unless you are authorized to access that information and you need that information to care for the patient.
- Send all media calls to the communications department or page the media relations staff on call."
The final warning on the message: "Violation of these regulations and policies will lead to disciplinary action up to and including termination of employment."
As Beth Israel Deaconess has enhanced the security of its applications and networks in recent months, the medical center has limited remote access to those "with a true need to use systems from off campus," Halamka says. But the medical center will reassess "a plan for future events which shut down the city ... and require many people to work from home ..." as was the case in the Boston-area lockdown on April 19.
"The restrictions on travel to and from communities, plus restrictions on entering and leaving the medical center were imposed with an unknown duration," Halamka says. "Our disaster recovery planning needs to include scenarios such as no staff able to enter the data center and no staff able to leave the data center."
Noga of Partners also notes: "We also understand that it may be likely that the number of remote users may increase significantly due to inability to gain physical access to the workplace." As a result, having a plan in place to use under those circumstances is vital, he stresses.
"While we have our job to do, we are subordinate to the overall emergency preparedness response team and its leadership," Noga says. "Specific to supporting the response team, the monthly testing of equipment in our incident command centers is crucial to activating the incident command center when needed. It is also important to make sure key 24/7 operations are appropriately staffed, and that there is a formal process to track staffing of these activities."
Health Information Exchange in Action
The tragedy in Boston that led to the need for emergency treatment of dozens of patients also demonstrates the importance of health information exchange, Halamka says.
"The need for healthcare information exchange in a mass casualty disaster is very clear," he says. "When patients have a choice of caregiver - a patient-centered medical home or accountable care organization - a lifetime medical record is likely to be available, supporting safe, quality, efficient care." But that's not necessarily the case in an emergency, especially a disaster.
"The events of last week required patient routing based on acuity, urgency and availability of resources," he says. Area hospitals "did a remarkable job treating every patient even with incomplete medical information."
Last week's tragedy, however, illustrates the importance of the second phase of the statewide HIE, Halamka says. That phase will offer secure retrieval of information based on a record locator service and a patient consent registry. The Massachusetts Healthcare Information Exchange now can only accommodate "pushing" summaries from organization to organization, he says. But advanced services are coming soon.
"By the second quarter of 2014, we should have the infrastructure in place to support the kind of data exchanges that would have been helpful last week."
CIOs and CISOs must recognize that IT staff members "are experiencing the emotions" of a tragedy just like others in the community, Noga stresses. "They are our most important resource in responding appropriately and making sure that information systems resources are there to support clinical staff," he says. "Take care of your people."