Healthcare runs on digital systems. Hospitals rely on electronic health records (EHRs), connected medical devices, and online communication to provide safe, efficient care. But what happens when these systems go down?
Cyberattacks, hardware failures, and natural disasters disrupt healthcare operations. In 2024, ransomware attacks on Change Healthcare and Ascension Health exposed the industry’s vulnerabilities. The Change Healthcare attack alone affected 190 million people, making it the largest healthcare data breach at the time. The Ascension Health attack forced hospitals to shut down IT systems, impacting 5.6 million patients and employees.
Digital downtime isn’t just an IT problem. When systems fail, patient safety is at risk. Delayed test results, communication breakdowns, and inaccessible medical records can lead to serious consequences. Regulatory bodies, including HIPAA, the Joint Commission, and the Centers for Medicare and Medicaid Services (CMS), mandate contingency plans to safeguard patient care during outages.
Hospitals must prepare for digital downtimes before they happen. To that end, this article – part of OmniSure’s series on 25 Trends in Risk Management for 2025 – analyzes several ways to fortify against the possibility of a digital disruption. This information will be helpful to insurance brokers, hospital administrators, healthcare providers, and others concerned with securing their organization from a potential system failure.
The 5 Key Strategies Included in This Guide
- Create a multidisciplinary response team
- Conduct a business impact analysis (BIA)
- Assess the effects of downtime on patient care
- Implement regular drills and simulations
- Use Plan-Do-Study-Act (PDSA) cycles for continuous improvement
1. Create a Multi-Modal, Multidisciplinary Team to Prepare for a Digital Outage
A successful downtime preparedness plan requires collaboration across multiple departments. IT alone cannot manage digital failures. Clinical staff, administrators, and support services must work together to develop and implement response strategies. This ensures that hospital operations continue, and patient care remains uninterrupted when systems go down. Regulatory agencies such as the Joint Commission and HIPAA require healthcare organizations to establish contingency plans that include a multidisciplinary approach.
Key Stakeholders: Who Should Be Involved?
A strong response team includes representatives from the following departments. Each group has a critical role in developing and executing downtime protocols.
- IT – Ensures system restoration and cybersecurity.
- Clinical Staff – Doctors, nurses, and allied health professionals adapt workflows for patient care without electronic records.
- Executive Leadership and Administration – Guides policy enforcement and regulatory compliance.
- Support Services – Departments such as pharmacy, radiology, and laboratory services that rely on digital systems for operations.
Role Alignment – From Leadership to Frontline Caregivers
Every team member must understand their responsibilities. Hospital leadership should oversee strategy, while frontline workers need clear step-by-step guidance. Effective stratification ensures:
- Executives allocate resources and prioritize preparedness.
- Safety and Risk Management establish policies and procedures.
- IT professionals develop alternative digital solutions.
- Clinical staff implement manual processes seamlessly.
- Support services coordinate backup workflows to maintain patient care.
Defining Responsibilities and Communication Protocols
Clear communication is key to downtime management. The team should establish:
- Escalation Paths – Who reports what, and to whom?
- Alternative System Communication Methods – Walkie-talkies, landlines, command centers, or in-person briefings.
- Manual Process Guidelines – Paper charting, medication administration, patient communication, and lab result handling.
Cyberattacks such as the 2024 Change Healthcare and Ascension Health breaches have demonstrated the importance of clear communication during downtimes. Hospitals with predefined roles and protocols minimize confusion and patient risk during disruptions.
Case Study: A Successful Multidisciplinary Team Implementation
In 2024, a ransomware attack at Ardent Health Services, operating over 30 hospitals across six U.S. states, resulted in its electronic health records (EHR) being compromised. A multidisciplinary team, led by its chief digital & information officer and chief technology officer, carried out a structured response comprising containment, restoration, and recovery phases during the EHR downtime.
They quickly isolated affected systems, worked with operational leaders to restore critical functions, and repurposed clinical advisory committees to enhance communication. This comprehensive approach enabled the restoration of clinician access to EHR within 12 days.
Strengthening Team Preparedness for Digital Outage
Creating a multi-modal, multidisciplinary team ensures hospitals can handle digital downtimes efficiently. A well-structured team enhances response coordination, safeguards patient care, and ensures compliance with regulatory standards. Hospitals that invest in cross-functional collaboration will be better prepared for future disruptions.
2. Conduct a Business Impact Analysis (BIA) to Help Avoid a Digital Disruption
A business impact analysis (BIA) helps hospitals pinpoint their most critical digital systems and clinical workflows. It shows how interdependent these systems are and guides hospitals to focus on areas that matter most during a downtime. The BIA informs decision-makers about the potential impact of system failures on patient care and hospital operations. Regulatory agencies such as the Department of Homeland Security (DHS) and HHS ASPR TRACIE (the Technical Resources, Assistance Center, and Information Exchange) stress the importance of BIAs as part of business continuity planning. The Joint Commission also supports these practices to ensure that hospitals remain prepared.
Steps in Performing a BIA
Hospitals follow a structured process when performing a BIA. Using these workflows ensures hospitals know which areas need the most protection during a downtime. This process unfolds in three critical steps:
1. Identifying Essential Digital and Clinical Workflows
Hospitals must create a detailed inventory of systems and workflows that support patient care. Key items include:
- Electronic Health Records (EHRs) – The digital backbone for patient information.
- Imaging and Laboratory Systems – Tools that provide diagnostic data.
- Pharmacy Management Software – Automated dispensing cabinets and systems that track medication usage.
- Communication Networks – Channels like paging systems, VoIP, and secure messaging.
- Clinical Workflow Integration – Supports such as pneumatic tube systems and inventory management systems.
- Security Systems – RFID technology, infant security, and automated door security (badge scanners and digital access panels).
- Regulatory and Compliance Safeguards – Product recall tracking systems and temperature/humidity remote monitoring systems.
- Infrastructure Integration – Building management systems and plant operations.
2. Assessing Potential Losses and Downtime Risks
Hospitals calculate the risks associated with system failures. They measure potential revenue loss, delays in treatment, and other clinical impacts. Every minute of downtime can affect patient care, delay lab results, and disrupt communication. The Joint Commission mandates that hospitals evaluate these risks to maintain operational continuity. By assessing potential losses, hospitals gain a clear picture of the stakes involved.
3. Prioritizing Investments in Mitigation Strategies
After identifying risks, hospitals must decide where to invest. Three areas they can channel funds toward include:
- Backup Systems – To ensure data and operations continue during outages.
- Cybersecurity Enhancements – To protect against future attacks.
- Alternative Workflows – To maintain patient care when digital tools fail.
Past cyberattacks, like those on Change Healthcare and Ascension Health, reveal the high cost of inadequate planning. These events show that proactive investments in digital resilience save time, money, and lives.
Regulatory Guidance on Conducting BIA
Regulatory bodies offer clear frameworks for performing a BIA. DHS, ASPR TRACIE, and the Joint Commission recommend that hospitals update their BIAs regularly. They advise including every department in the analysis and using the findings to shape broader downtime response plans. These guidelines help hospitals align their practices with federal standards and prepare for emerging threats.
Lessons From Past Cyberattacks and Hospital Downtimes
Real-world incidents provide valuable lessons. The Change Healthcare ransomware attack disrupted billing and claims processing across the nation, while the Ascension Health breach forced hospitals to switch to manual workflows. Events such as these attacks show how well-executed BIAs can not only minimize financial losses but also safeguard patient care.
3. Assess the Effects of a Digital Outage on Patient Care
Digital systems drive daily hospital operations. When these systems fail, hospitals experience a direct impact on patient care. Clinical workflows break down, and staff struggle to access essential information. Doctors, nurses, and allied health professionals lose the digital tools they rely on every day. This disruption threatens patient safety and care quality. Regulatory bodies warn that downtime can lead to severe clinical consequences.
Potential Risks and Examples
Hospitals face immediate and long-term patient care challenges when systems go offline. Consider the following risks:
- Delayed Procedures and Lab Results: Without timely access to digital records, diagnostic tests and procedures are delayed. Critical lab values are missed. This lag postpones treatment and can worsen patient outcomes.
- Increased Mortality Due to Disrupted Monitoring: Continuous monitoring of vital signs and patient conditions can fail during downtimes. This lapse increases the risk of undetected critical events.
- Medication Errors From Lack of Digital Verification: Electronic systems help verify medication orders and dosages. Without these tools, staff rely on manual checks, which can lead to errors.
Strategies for Mitigating Patient Care Disruptions
Hospitals can take steps to reduce the impact on patient care during digital downtimes. They must plan and develop alternative workflows. In turn, these strategies promote quick recovery and help maintain a high standard of care even when digital systems fail. Some strategies include:
- Establishing Backup Communication Channels: Hospitals set up alternative methods such as landlines, two-way radios, command centers and in-person briefings to keep staff connected. These channels ensure that critical messages reach the right people during an outage.
- Implementing Manual Processes: Teams prepare for paper-based documentation, medication administration, and lab result recording. Training staff on these manual procedures builds confidence and readiness.
- Setting Clear Escalation Procedures: Hospitals define who should report issues and how to act when problems arise. This clarity minimizes delays and errors during downtime.
- Conducting Regular Training and Drills: Frequent practice helps staff understand their roles during an outage. Drills simulate real-life scenarios to reveal gaps in the response plan and improve readiness.
Real-World Scenario Illustrating Downstream Effects
Real incidents show the dangers of unplanned downtimes. In July 2024, a global IT outage caused by a faulty CrowdStrike update disrupted operations in at least 12 major U.S. hospitals, including Cleveland Clinic and Mass General Brigham. The outage led to delays in lab test results, canceled elective procedures, and reliance on manual processes.
This incident highlights the critical need for robust downtime protocols and staff training to maintain patient care during digital disruptions. Hospitals that train staff and implement manual processes recover faster and reduce the risk of errors during disruptions.
Understand and Identify Risks
Assessing the effects of digital downtimes on patient care remains crucial. Hospitals must understand how system failures impact clinical workflows and patient safety. By identifying risks, planning mitigation strategies, and learning from past incidents, healthcare providers can secure better outcomes for patients during outages. This proactive approach ensures that even in the absence of digital systems, quality care continues to flow.
4. Implement Regular Drills and Simulations to Prep for Hospital Downtime
Routine drills help hospitals ensure every team member understands their role during digital downtimes. Drills expose gaps in current protocols and sharpen response times. Regular testing builds confidence in manual processes and backup procedures. A downtime roadmap published by Nurse Leader, titled “Prepare for Downtime Now,” stresses the need for frequent drills to verify that contingency plans work effectively.
Designing Effective Multi-Modal Downtime Drills
Hospitals design drills that mimic various real-life downtime scenarios. They conduct both scheduled and surprise exercises to test readiness. Effective drills combine multiple approaches:
- Full-Scale Simulations: Engage all departments in a real-life scenario.
- Tabletop Exercises: Bring staff together to discuss and refine response plans.
- Role-Specific Drills: Focus on individual responsibilities to improve clarity.
These multi-modal drills ensure every facet of downtime response gets tested and improved.
Key Components to Test
Hospitals must focus on several critical elements during drills:
- Alternative Communication Channels: Test systems like landlines, walkie-talkies, and secure messaging apps.
- Manual Processes for Clinical Documentation: Ensure teams can quickly switch to paper-based recording.
- Access to Backup Records and Emergency Protocols: Confirm that backup systems and emergency plans are fully accessible.
Testing these components helps hospitals maintain operations and safeguard patient care when digital systems fail.
Case Study of Successful Downtime Drills
In 2023, Cedars-Sinai Medical Center in Los Angeles implemented regular downtime drills to prepare for potential cyberattacks. These drills included the use of downtime boxes containing paper charts for each patient, necessary forms, and clear instructions for using business continuity computers. This proactive approach ensured that, during actual digital downtimes, clinicians could seamlessly transition to manual workflows, maintaining patient safety and operational efficiency.
This example shows that regular drills can reduce risks and ensure a smooth transition when digital systems go down.
Lessons From Becker’s “Return-to-Paper” Playbook
Becker’s “Return-to-Paper” playbook offers proven guidance on managing downtimes. It provides step-by-step instructions for shifting from digital to manual systems. Key takeaways include:
- Clear protocols for manual documentation.
- Regular training and drills to reinforce procedures.
- Ongoing evaluation and updates to downtime plans.
Hospitals that adopt these lessons experience fewer disruptions and maintain a high level of patient care during emergencies. For example, in 2024, a Texas hospital reverted to paper records after its EHR contract lapsed, highlighting the importance of having a manual documentation plan. Similarly, a California hospital faced an IT outage and successfully continued operations by switching to paper records, underscoring the need for preparedness.
These real-world instances demonstrate the critical value of the playbook’s strategies.
Staying Proactive Can Lead to Greater Preparedness
Regular drills and simulations play a vital role in downtime preparedness. They help hospitals identify weaknesses and improve overall response. By designing multi-modal drills, testing key components, and learning from real-world examples, hospitals can better protect patient safety during digital outages. A proactive approach to drills builds team confidence and ensures care continues, even when technology fails.
5. Utilize Plan-Do-Study-Act (PDSA) Cycles Before a Digital Downtime Occurs
Plan-Do-Study-Act (PDSA) cycles drive continuous improvement in downtime preparedness. Hospitals use this approach to test changes and make data-driven decisions. PDSA cycles help teams learn from real-world experiences and drill outcomes.
Regulatory bodies, including the Joint Commission and DHS, encourage this method to maintain high standards of patient safety and operational readiness. With each cycle, hospitals refine their plans and adjust to emerging threats and evolving technology.
Steps in the PDSA Cycle
The PDSA cycle consists of four key steps. Each step builds on the previous one to create a loop of ongoing improvement:
- Plan: In this stage, hospitals identify weaknesses in current downtime plans. Leaders set clear objectives and design experiments to test new approaches. The planning phase requires input from all key departments to ensure that every angle is covered. Hospitals develop a detailed action plan with defined responsibilities. This stage lays the foundation for successful implementation.
- Do: Next, hospitals execute the planned changes on a small scale. They run drills and simulations to test the new strategies. Staff actively engage in these exercises to provide feedback on the processes. The goal is to see if the proposed changes work in a real-time setting. By starting small, hospitals reduce risks and learn valuable lessons without major disruptions.
- Study: After the drill, hospitals analyze the results. They review what worked well and what needs improvement. Teams gather data on response times, communication effectiveness, and workflow efficiency. This phase offers a clear picture of how changes impact patient care and operational continuity. Hospitals document lessons learned and compare them against regulatory benchmarks.
- Act: In the final step, hospitals implement successful changes on a larger scale. They update protocols, train staff further, and refine contingency plans. Hospitals integrate feedback to improve future cycles. This proactive step ensures that improvements become part of standard practice. By acting on study findings, hospitals build a culture of resilience and adaptability.
Adapting to Emerging Threats and Technological Changes
PDSA cycles enable hospitals to adapt quickly. Each cycle offers a chance to update strategies based on the latest challenges. Hospitals can adjust to changes in cybersecurity, software updates, or shifts in regulatory requirements. This flexibility ensures that downtime plans remain effective and up to date.
Integration With Regulatory Compliance Requirements
Regulatory bodies typically require continuous improvement in healthcare operations. Hospitals that use PDSA cycles meet these requirements and show a commitment to quality care. The structured approach helps hospitals align their practices with guidelines from the DHS, Joint Commission, and other regulatory agencies.
Using Best Practices to Lead the Way
PDSA cycles provide a systematic way to improve downtime preparedness. Hospitals actively plan, test, study and act on improvements. This method drives a culture of continuous learning and rapid adaptation. By using PDSA cycles, healthcare organizations build resilience, safeguard patient care, and meet regulatory standards. The cycle empowers teams to address emerging challenges and refine processes for a secure, reliable future.
The Five Strategies to Keep in Mind to Avoid a Digital Outage
Preparing your healthcare organization for digital downtimes is a continuous, proactive process. We have discussed five key strategies: creating a multidisciplinary team, conducting a Business Impact Analysis (BIA), assessing the effects of downtime on patient care, implementing regular drills and simulations, and utilizing Plan-Do-Study-Act (PDSA) cycles for continuous improvement. Each strategy plays a vital role in building resilience and ensuring patient care remains uninterrupted during digital outages.
Remember these four key takeaways:
- Proactive Planning Saves Lives: Hospitals must plan for system failures before they occur. Robust contingency plans help protect patient safety and maintain operations even during severe disruptions.
- Teamwork Is Essential: A multi-modal, multidisciplinary team that includes IT, clinical staff, administration, and support services strengthens your response to digital downtimes. Clear roles and communication protocols ensure quick, effective action.
- Analyze, Train, and Adapt: Conduct comprehensive BIAs to understand your digital dependencies and review them frequently as your enterprise digitally evolves. Regular drills and simulations, paired with continuous improvement cycles like PDSA, help you spot weaknesses and refine your protocols to address new challenges.
- Invest in Resilience: Allocate resources for backup systems, cybersecurity enhancements, and manual workflow processes. These investments reduce downtime risks, minimize losses, and ensure that patient care continues seamlessly even when technology fails.
By embracing these practices, hospitals can better navigate the challenges of digital downtimes, safeguard patient care, and maintain regulatory compliance. Building resilience today means protecting lives tomorrow.
OmniSure Is the Right Choice for Your Risk Management
With OmniSure, you get a risk management partner with solutions built to fit your needs and grow with you. OmniSure helps you stay on top of risks, stay informed, reduce risk, and control losses—so you can focus on what you do best. Our tailored solutions can help you navigate today’s most difficult risks.
