On August 15, 2023, the Joint Commission issued a Sentinel Event Alert entitled “Preserving patient safety after a cyberattack,” which provides “tips on what organizations can do to prepare to deliver safe patient care in the event of a cyberattack.”

The Alert outlines the growth of cyber-attacks and information system breaches in the health care industry and how they have increased over the past several years. Some cyber-attacks, including ransomware attacks, have been reported to the Joint Commission, which noted that “[s]ome of these events were associated with harm to patients (e.g., delays in care).”

The Alert notes that “all staff – not only IT – must be prepared” for a cyber-attack so the organization can operate during a cyber emergency. In addition to implementing continuity of operations plans and disaster recovery plans, hospitals “must annually evaluate their emergency management program.” The actions suggested by The Joint Commission include:

  1. Prioritize hospital services that must be kept operational and safe for an extended downtime.
  2. Form a downtime planning committee.
  3. Develop downtime plans, procedures, and resources.
  4. Designate response teams.
  5. Train team leaders, teams, and all staff on how to operate during downtimes.
  6. Establish situational awareness with effective communication throughout the organization with patients and families.
  7. After an attack, regroup, evaluate, and make necessary improvements.

Many of the items suggested by The Joint Commission may be included in an organization’s Incident Response Plan, but specifically planning for downtime and lack of access to systems during an emergency is not always included. Planning for downtime and pivoting during an attack is critical to being able to respond to a cyber emergency and continue to operate and provide patient care. Reviewing existing plans and procedures to specifically address downtime and prioritizing the operational areas that involve critical patient care is necessary to avert delays in patient care in the event of a cyber-attack.


Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.