How would Johns Hopkins Medicine respond to a cyber incident?

In an industry that relies heavily on information technology—including electronic medical records—cyber outages and breaches, such as the cyberattack at MedStar Health last March that led to the shutdown of its IT system, have brought to light an interesting question: How can health care organizations and hospitals operate during an IT outage?

A tabletop exercise was conducted Jan. 24 to determine how Johns Hopkins Medicine would handle a prolonged information technology, telecommunications, or cyber outage. The exercise included representatives from various departments from all Johns Hopkins Health System hospitals, the Johns Hopkins University School of Medicine, Johns Hopkins Community Physicians, and Johns Hopkins Home Care Group. The exercise was facilitated by Dianne Whyne, director of operations for the Johns Hopkins Office of Critical Event Preparedness and Response, also known as CEPAR.

"With electronic systems used to manage virtually all aspects of daily operations at many hospitals and health care organizations, the health care sector is finding itself uniquely vulnerable to system breaches, failures, and unplanned downtimes," Whyne says. "This exercise was a critical test to determine how we would react in such a situation."

The scenario began with the detection of smoke in one of the data centers on the Mount Washington campus, which led to a series of events that caused power to shut down at both data centers for about 48 hours. In the exercise, various software applications and computer-related aspects were not functioning, including Epic and email. The scenario allowed each organization to determine its strengths, areas of improvements, and enhancements on how to communicate, respond to, and recover during this major information technology and telecommunications exercise.

"It is essential for every employee to be knowledgeable with what, when, and how to activate, implement, and maintain downtime and backup procedures to continue patient care responsibilities and services," says Howard Gwon, senior director of the Johns Hopkins Medicine Office of Emergency Management. "It is also essential for Johns Hopkins Medicine and each of its organizations' departments and groups—such as information technology, clinical informatics, and the incident command center—to know how to coordinate response and recovery procedures during major IT outages, especially extended ones."

This was the first in a planned series of exercises designed to inform, define, and revise IT outage policies and procedures.

Go to the CEPAR website for more stories from the Hopkins on Alert newsletter, where this article first appeared.