Yearb Med Inform 2016; 25(01): 130-137
DOI: 10.15265/IY-2016-038
IMIA and Schattauer GmbH
Georg Thieme Verlag KG Stuttgart

The Rising Frequency of IT Blackouts Indicates the Increasing Relevance of IT Emergency Concepts to Ensure Patient Safety

U. Sax* (1), M. Lipprandt (2), R. Röhrig (2)

1   Department of Medical Informatics, University Medical Center Göttingen, Göttingen, Germany
2   Institute of Medical Informatics, Carl von Ossietzky University, Oldenburg, Germany

Publication History: 10 November 2016

Publication Date: 06 March 2018 (online)

Summary

Introduction: As many medical workflows depend heavily on IT support, great demands are placed on the availability and accuracy of the applications involved. The cases of IT failure through ransomware at the beginning of 2016 are impressive examples of the dependence of clinical processes on IT. Although IT risk management attempts to reduce the risk of IT blackouts, the probability of partial/total data loss, or even worse, data falsification, is not zero. The objective of this paper is to present the state of the art with respect to strategies, processes, and governance to deal with the failure of IT systems.

Methods: This article is a narrative review.

Results: Worst-case scenarios are needed that address how to survive the downtime of clinical systems, for example through alternative workflows. These workflows have to be trained regularly. We categorize the most important types of IT system failure, assess the usefulness of classic countermeasures, and state that most risk management approaches fall short on exactly this matter.

Conclusion: To ensure that continuous, evidence-based improvements to the recommendations for IT emergency concepts are made, it is essential that IT blackouts and IT disasters are reported, analyzed, and critically discussed. This requires changing from a culture of shame and blame to one of error and safety in healthcare IT. This change is finding its way into other disciplines in medicine. In addition, systematically planned and analyzed simulations of IT disaster may assist in IT emergency concept development.

* both authors contributed equally


 