A group admin explains what business interruption really means
If your practice cannot access its EMR — because of a cyber attack, a failed back-up, or even bad weather — the resulting downtime could be costly due to lost productivity and extra expenses to replace corrupted data or computer systems.
Data can be damaged as a result of hacking attacks, accidents, destruction, corruption, or misuse of digital assets. Administrative or operational errors by an employee or a third-party service provider can also damage crucial electronic data.
To help you better understand how system downtime can affect your practice, we asked one of our group administrators to describe her experience after a system failure affected her group’s four practice locations. What follows are her notes from the incident.
April 2
Staff at the practice try to log in to their EMR/practice server and receive an error message. They are unable to access the network folders and EMR. The administrator calls the contracted IT vendor, who tells them their critical data was being backed up.
April 3
The contracted IT vendor reports a hard drive failure requiring the installation of a replacement drive. The vendor re-establishes access to the EMR.
April 4
The EMR is unavailable again. The server loses connection to the drive array during attempts to restore data from the back up. All efforts to reinstall and configure the new hard drive fail.
April 5
Access to the EMR is re-established.
April 6
The network and EMR are down again due to a second hard drive failure. “This is now our fifth day to be down . . . and physicians felt this should not be happening.”
The contracted IT vendor recommends that the practice pay another IT vendor to recover the data from the damaged hard drives. Estimated cost is between $2,000 and $5,000.
April 9
The data restoration vendor states the drive failures were likely due to corruption of the controller within the drives.
April 10
“Still not able to work on the network for anything” due to multiple physical disk failure. The data restoration vendor quotes emergency repair at $995. The emergency data restoration (with a 48-hour turnaround) and two replacement backup drives is quoted at $27,188.24.” The administrator transfers the funds.
April 13
The administrator remarks to their contracted IT vendor, “I expressed my frustration with everything and that our business was on the line. But [it] seemed they could care less.”
April 16
“This is now three weeks of both our network and EMR being completely down. Expressed how much being down three weeks has hurt our business, not just with patient care, but also from a billing standpoint.”
The contracted IT vendor admits that one of its employees failed to ensure back-ups were occurring. “He should have been making sure that employee was doing was supposed to be done, as we are not IT people and this is what we were paying them for. All measures that they promised were in place have failed. The physicians want to know why they had to pay for data recovery.”
The practice hired a new IT vendor to install a new server and EMR application.
April 17
The new IT vendor visits the office and is shown where the back-up server was located. “In showing him what we were told was our back-up server, he discovered it was not a back-up server, but rather a terminal server for our remote access. The vendor finds no back-ups were being saved to the server and no procedures were established to have a back-up of the EMR outside the damaged server.
April 18
The new vendor finds portions of three back-ups to recover data; but can only recover 65 percent of the data in a spreadsheet format (not in an EMR format). The practice was running again after the new EMR installation and data was loaded.
May 1
About the contracted IT vendor, “I didn’t think he understood what a disaster this was for us, not just regarding patient record loss, but also patient balances, insurance balances, loss of income, and the time and effort now being utilized to re-create everything from scratch. Also informed him that it is very frustrating to learn what we were told was the back-up server and we had spent money to create a locked cabinet for this, was never used for this purpose.”
The administrator also learned that their original IT vendor was doing a back-up on their main server using Windows Server Backup. “This would not have protected us from this type of event or something similar such as a fire or flood.”
Resolution
The practice fired their contracted IT provider, and began using new data back-up protocols. They took out a loan for $30,000 to pay the data restoration fees, and filed business interruption claims under both their businessowners policy and TMLT cyber liability policy. A HIPAA risk assessment determined the incident did not constitute a reportable breach. A forensic accountant is currently determining the practice’s actual business interruption loss.
Risk management considerations
Ensuring business continuity requires protecting your practice’s electronic data interchange against loss or damage. Data security is a shared responsibility between the practice and contracted service providers. Make sure your third-party IT service provider has put appropriate measures in place to ensure your data is secure throughout its life cycle.
At a minimum, maintain off-site or online real-time data back-ups that are regularly tested. The back-up record must be tested to ensure that all appropriate data are being copied, and that data restoration is possible.
It is also a good idea to check with your MPL carrier or with your insurance broker to determine if your existing cyber liability policy or business insurance includes coverage for business interruption. This financial protection may make the difference in keeping your practice doors open if your systems fail.
John Southrey can be reached at john-southrey@tmlt.org.