AHLA's Speaking of Health Law

Patient Cyber Harm: Strategies and Tips for Prevention, Preparation, Risk Management, and Transparency

January 17, 2023 AHLA Podcasts
AHLA's Speaking of Health Law
Patient Cyber Harm: Strategies and Tips for Prevention, Preparation, Risk Management, and Transparency
Show Notes Transcript

Cyber events put patients at risk and affect overall patient safety. Cathie Brown, Vice President, Consulting Services, Clearwater, speaks with Sean Sullivan, Partner, Alston & Bird LLP,  Gerard Nussbaum, Principal, Zarach Associates LLC, and Elizabeth Hodge, Partner, Akerman LLP, about the correlation between cyber events and patient safety. They discuss the Board’s fiduciary responsibility as it relates to cyber events, the need for contingency and disaster recovery plans, and the importance of communication during an event. Sean, Gerard, and Elizabeth co-authored an August 2022 Health Law Connections article on this subject. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for A H L A comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software as a service-based platform, I R M Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise. An advisory support from their deep team of information security experts. For more information, visit clearwater compliance.com.

Speaker 2:

My name is Kathy Brown, I'm vice president of Consulting Services for Clearwater. And we are here today to talk to you about an article that was published in Health Law Connections in August of 2022, volume three, issue eight. And the title of the article is Patient Cyber Harm Strategies and Tips for Prevention, preparation, risk Management, and Transparency. And I have a team with me today that was involved in writing the article, so I would turn it over to Sean and let him introduce himself.

Speaker 3:

Yeah, thank you Kathy. This is Sean Sullivan. So I'm a partner at Austin and Bird. I'm in the healthcare group in Atlanta, Georgia. And, um, I focus on healthcare regulatory matters, so things like fraud, waste and abuse, hipaa, privacy, security matters, licensure, scope of practice, all all of those sorts of things. But I do have a specific specialization, um, and focus of my practice on health IT and, and digital health matters, and actually lead our firm's digital health group. Um, I've been working in, in the healthcare space for about the last, uh, 10 or 12 years. Um, started my, my practice. Um, initially I actually after law school in the Army where I was in the JAG court and did a little bit of everything, but when I got out, I quickly moved into the healthcare space and I think it's a great industry to work in initially doing a lot of, um, a lot of litigation, medical malpractice, false claims act, that sort of stuff. And it has given me great, great perspective, but now over the last six or seven or eight years, I've really been focusing more on regulatory matters, um, and compliance advice for providers. And I think it's a great place to be in rather than, rather than talking to providers and helping them get out of trouble, and now mostly focus on preventing them getting in trouble in the first place. So I'm happy to be here and, and, um, thanks for the opportunity. Kathy. I don't know who's next. Gerard.

Speaker 4:

Thank you. Sean. Thank you very much. This Gerard, principal sir Rock and Associates, where we focus on the intersection of health, law and technology. And we work with a wide variety of healthcare concerns, um, from emerging and startup companies through large manufacturers, large health systems. And we really focus on the, you know, impact of how you actually accomplish things in healthcare with a clear understanding of legal ramifications. I, myself have been the interim c i o of a number of health organizations as well as having done strategic and governance work with many healthcare providers from large to small. And with that, I'll turn it over to Betsy.

Speaker 5:

Thank you Gerard. Hi everyone, I'm Betsy Hodge. I am a partner in the healthcare practice group at Akerman, L L P in our West Palm Beach, Florida office. And like Sean, I focus my practice on healthcare regulatory issues, um, primarily, uh, data privacy and data security. Um, although I have in the past, uh, done healthcare litigation, um, I currently work with healthcare providers, but also, uh, self-insured, uh, employer health, self-insured health plans, um, again with their, um, privacy compliance issues. And I would be remiss if I did not also mention that I am vice Chair of education for the A H L A health, uh, information and technology practice group, and also currently serve as the interim chair of the HI practice group. So I think with introductions outta the way, Kathy, we'll turn it back to you.

Speaker 2:

Excellent. Um, I'm really looking forward to your discussion. I have worked in healthcare for the last 30 plus years, um, a very long and fruitful career, but the last 15 plus years I have focused on privacy and security. So, um, Betsy very interested in, in hearing what you and Gerard and Sean have to have to say today. So to, to kind of start us off, let's jump in. Your article discusses how cyber events can put patients at risk and and truly affect patient safety. And you, you list a few examples, but I know in my own experience, for some this is kind of a, this concept is a stretch for them because what I hear is healthcare providers are already used to responding quickly, making decisions quickly and putting patient safety first. So can you talk a little bit about this correlation of cyber to patient safety?

Speaker 4:

Sure. This is Gerard. Um, first of all, healthcare workers excel at responding to the ever-changing and unexpected environment. So nothing about cyber patient harm in any way suggests that providers aren't continuing to do that excellent job. Unfortunately, cyber events happen quicker than you can blink an eye. And, uh, we talk a little bit in the article about, um, types of actions, but for example, if a, you know, a male actor takes over an infusion pump and delivers a deadly dose of a medication with knowledge of caregiver, there may be no time to react. You may not know there's a problem. And clearly one of the first things you need to do to respond to a problem is to know about it. Um, you know, we discuss, you know, in the article the unavailability of fetal trace display at the nursing station due to ransomware attack, which also took down the HR was alleged to have led to the death of an infant. There again, I mean the systems we rely on, in some cases you don't know, the system's not available once you become aware of it. Yes, a healthcare worker can implement the, um, downtime plans and contingency plans, but you may not know the problem exists. So that's part of the issue, the rapidity with which this can happen. And the fact that sometimes you can take out lots of systems all at once through these cyber events means that it stresses the caregiver's ability to respond in the way they normally would. And recognizing of course, that anytime you take out major systems, be it the E H R or access to lab results or fetal trace results, you're stressing the caregiver cuz they now have lots more to manage.

Speaker 3:

Yeah, and this is Sean, I'll go ahead and jump in. So, um, so Kathy, great question. I think you're, you know, you're absolutely right that healthcare workers need to be able to think quickly and think on their feet in order to provide medical services, high quality medical services to patients, right? Especially in emergency situations. But those decisions about medical care are not in a vacuum. And, and frankly, they don't come easily. I mean, they make those decisions based on years of education and training and experience. So, so really what we're encouraging providers to do, and what we talk about in our article is, is providers should put a similar level of thought and pre-planning into risk mitigation around data security and cybersecurity. Because just like, you know, years of medical school or years of nursing school in the, on-the-job training that's required before practitioner can actually put their hands on a patient and provide care to a live patient and of course, be adequately prepared to make those split second decisions. Um, pre-planning for the inevitable data security incident, whether from ransomware or powder out power outage or, you know, a mistake by a staff member. Um, that sort of thought is also key to putting patient safety first as well. So, so what we're talking about is things like developing an incident response and media outreach plan, you know, having a disaster recovery and e H r downtime, contingent contingencies, um, ensuring appropriate risk shifting mechanisms in contracts with vendors and organizational readiness by, by really understanding the rules and the fiduciary responsibilities of executives and board members in healthcare companies. Betsy, do you have any other thoughts? Um, yeah,

Speaker 5:

Thank you Sean. I, I, piggybacking on what Gerard and Sean have mentioned, um, I think it's important for organizations to take the time before something happens, to really think through what their downtime procedures are and how those procedures may affect patient, the delivery of patient care. Um, you know, frequently, you know, people say, well, we adopt our downtime procedures, we go to paper. Um, but really they should be, and I think we'll talk about it a little bit more, they should be thinking through what does that mean when you go to paper? How does that change how the caregivers deliver care to those, to patients? So then you can educate the caregivers, the physicians, the nurses, the other staff, how they may have to change or adapt their procedures in the event, um, that there is some kind of cyber event so they can continue to deliver high quality care to their patients and not put patients at greater risk.

Speaker 2:

Uh, I think this is perfect discussion. Um, I had a customer recently who talked about they suffered a cyber event and they had to go to paper and they were actually talking about, we went to paper, but our staff wasn't trained in how to capture the information on the paper. So, you know, there was somewhat of a false sense of security that even though they have paper forms, it was really how do we use them?

Speaker 4:

But, and I think that's a critical point because yeah, as I've observed outages, whether they're due to cyber events from, you know, ransomware or just, you know, systems fail, you observe a very clear generational divide where those more senior practitioners who started out their career on paper are much more comfortable with doing that. But also when you do a retrospective and try to catch up the data into the electronic health record system, you find that the notes taken on paper by the more senior caregivers who had experience, who knew what they were doing, for whom this was not a sort of, oh, what do I do now? Mm-hmm.<affirmative>, they were much more complete and much more clear in terms of the patient care delivered, which can have implications in terms of record accuracy for lots of things outside of the cyber event itself.

Speaker 3:

Yeah. But I think that really puts the emphasis or shows that there's needs to be an emphasis on training, you know, training and practice. It's not just having a plan that we'll switch to paper and we, we, we think we know how to switch to paper, but let's also practice and let's train our nurses on how to chart on paper, including, including those, uh, younger nurses that may not have ever done it in the past.

Speaker 2:

Right. And I think that, I mean, this is a fairly large effort and it has to be driven from the top. And what I see is that when an organization has already gone through a cyber event, um, the board and the executive team are much more tuned into the need for this. But there is a great number that, that don't really focus on this. So, Betsy, I'll put it on you. Can you kind of talk about how the board actually has a fu judiciary responsibility to the organization when it comes to the impacts of cyber events?

Speaker 5:

The, thank you, Kathy. That's a, uh, a great question. Um, because this is not ju, cyber events are not just an IT issue. Um, they affect the entire enterprise. And so, um, the board and its role as fiduciary, um, needs to take, uh, responsible steps, um, to see that the organization is positioned as well as it can be, um, to not only protect its information, which is how historically I think people have thought about the risk from cyber events, but also patient safety. The board has an obligation to keep its patients safe. Um, now having said that, that doesn't mean that the board needs to be perfect or that the board has to achieve perfection in doing that, but the board needs to take, um, reasonable steps and, and see that the organization is taking reasonable steps, uh, to be able to mitigate harms that may arise from cyber events and keep patients safe. Um, so again, the board is the, the group within the organization that sets the tone they need to communicate to the C-suite team. Um, that cybersecurity is a priority because it's a patient safety issue and it is an enterprise issue. Um, and from there, the board, um, you know, should educate itself. Um, I think if board members, those board members who understand what a target healthcare organizations are to bad actors, I think those board members, um, appreciate that this is something, uh, cybersecurity is something that should be on their radar. Uh, to the point you made earlier, Kathy, about those organizations that have, you know, had them, um, um, bad luck to experience a cyber event. They are much more tuned into this and understand, um, the ramifications throughout the entire organization from dealing with a cyber event. So, you know, the board needs to set the tone and say, communicate that this is a priority throughout the organization, and then empower, um, the management team to go out and develop plans, develop a business continuity plan, um, to conduct training, um, to bring in outside resources if necessary to help the organization be as prepared as it can possibly be in the event. Well, I shouldn't say in the event something happens, I should say, when something happens, because it's true, it's not if it's when,

Speaker 4:

And, and I think Betsy pointed out something really critical. This is not an IT problem or an IT challenge to be faced. This is part of the continuum of overall enterprise risk management. It's one of many things that could adversely impact the ability of the organization to deliver high quality, safe patient care. So you've gotta look at it in the continuum. I mean, as we move forward, um, you'd be hard pressed to find a system in the hospital or in a physician office or a clinic that A, is not connected to electricity and b is not connected to the network and communicating information. So this is not about an IT problem, this is an organizational challenge and how the entire organization from the transporter through the nurse, through the physician, through the administration, the billing, the medical records folks respond when something happens.

Speaker 3:

And, and I'll just, I'll just, you know, put it back to the dis the initial question about the board. You know, one of the, one of the board's main considerations they need to be thinking about is, is financial impact. Mm-hmm.<affirmative>, you know, obviously patient care is paramount and that's the most important thing, but the board also needs to be thinking about finances, um, and a cyber event can, can lead to significant cost, significant expenses, not just in responding to and addressing the, the particular, um, outage or cyber event at the moment. But there's also things like, you know, patients, media, government notification, um, potentially fines or penalties from the government defending against lawsuits from patients, maybe ransoms that need to be paid, and then ultimately lost revenue during the downtime and potentially, you know, ongoing lost reputation, which may or may not ever be able to be recovered if there was a significant downtime event. So these are the, these are the types of financial considerations important and senior leadership need to be thinking about. Um, and, and certainly it costs money to, to prevent and mitigate some of those, uh, issues in advance as well, such as hiring key IT personnel and vendors, you know, things like that, training staff, developing plans, conducting assessments and tabletop exercises, et cetera. So it's a balancing act, but the question for the board is, you know, whether, whether we wanna spend some money now to invest in a robust data security infrastructure and, um, appropriate emergency plans, or do we roll the dice down the line and hope that we don't experience an event, which could cost a lot more down the line if and when it hits. And as Betsy said, you know, getting, getting hit with a cyber event for a lot of healthcare providers is, is frankly is gonna be inevitable. So it's probably best to, uh, invest upfront and mitigate those risks and, and potential future costs.

Speaker 5:

I just wanted to pull a little harder on a thread that Sean mentioned about, um, lost revenue as a result of a cyber event because you have, yeah, you know, the board needs to think about not just procedures that may not be able to be performed because, um, certain systems are offline, but going back to our earlier conversation about having people, uh, having, having to use, uh, paper note, uh, paper charting, um, while the systems are down and depending on how well people are able to document the services that they provided while the systems were down, you may or may not be able to bill for services that you actually were able to provide to patients. Um, and again, you also have the issue of trying to, um, transfer all of the paper notes, documenting care into your E H R system, you know, so you can bill, and I think most of us know from just our own experience, um, if you are not documenting in real time and capturing those activities in real time, you're going, you're not going to bill be able to bill for everything, uh, that you did do. So again, that has an impact on the bottom line. And the board has responsibility, you know, for the financial position of the hospital. So as Sean said, you know, you can invest the resources upfront, including training your staff on how to do the best job possible, charting with paper if the systems are down, um, you know, you can spend the money upfront or you can spend it on the backend

Speaker 4:

And, and without extending this discussion through the rest of the next seven hours,<laugh>, um, I'll point out that oftentimes, you know, lots of companies, not just healthcare companies, rely on outside experts to help them with their cybersecurity, help them with their technology. And what I've observed in a couple cases where there was a critical vendor who, um, failed to, you know, operate their systems in a secure, safe, and privacy effective manner, um, you know, led to outages at the hospital. So you didn't make cost for the hospital, but when the hospital turned around and said, well, you failed under your, your contractual obligation vendor, they found out that there was no money in the till. In part because every other one of those that vendor's customers had a similar problem with suing the vendor, um, somewhat, you know, challenging also was maybe there wasn't sufficient insurance because they'd been cutting back at the vendor on expenses as the economy got worse. So this is a broad spectrum question of how do you effectively make sure that the financial position of the hospital, the health system, the provider, is not harmed by a cyber event. And it goes well beyond, as Betsy and Sean have suggested, just the mere cost of the breach or the breakdown or the break-in

Speaker 5:

When Gerard said ensure, um, the light bulb went off, um, org healthcare organizations, um, that are currently relying on their cyber insurance or other coverage, um, to help defray the cost of a cyber event, um, need to be prepared for the fact that, um, in the future, their insurance may not cover as much as they thought and they will probably be paying more for the coverage. It will probably cover less. Um, you know, we are seeing some insurance companies saying we are not going to cover ransom payments anymore. Um, you know, because the insurer thinks that may incentivize people to, um, rely on insurance rather than taking proactive steps to, um, try to prevent being the victim of a ransomware attack. So, um, you know, insurance is something that the organization and the board should be thinking about, but they also need to recognize that, um, going forward, they will not, they probably will not be able to rely on insurance to cover all of the costs they may incur.

Speaker 2:

Excellent point, Betsy, we, we see that as well. Um, I think all of you have talked about understanding the impact to the organization of a cyber event. I know in your article you also mentioned the business impact assessment. I think that the business impact assessment is so important and it's a foundational component to your risk management program. And of course the output also helps with building the contingency plans and the disaster recovery plans. But, um, to your point, Gerard, this is not an IT issue. So contingency and disaster recovery plans are a lot more than just bringing your systems back online, right? It's, it's having those plans to continue the critical processes while the systems are down. Um, Sean and Gerard, I'm kind of interested in in your thoughts on that.

Speaker 3:

Yeah, you sure. This is Sean. I'll jump in first here. Um, you know, my, my thoughts are that a lot of providers often prioritize when they're first thinking about this, they prioritize eh, r contingency plans. So what if, what if the electronic health records goes down? Um, but you know, ultimately to your question, they need to be thinking about the entire business impact and all of the systems Exactly. And, and all the processes that could potentially be vulnerable to some sort of cyber incident or, um, or systems, you know, that are otherwise based on technology so that these are not just EHRs and learning how to use paper. Um, but as Bessie referenced, you know, how are we gonna be, how are we gonna bill, how are we gonna keep track of what we need to bill and how are we gonna process payments, um, if those systems are down? Um, and then what about patient monitoring and other types of connected devices that, that may need power, may need, um, some sort of network, these types of devices may automatically record patient information, may automatically set up alerts, you know, how is that gonna be done manually? Do we need to have more, more employees on the floor? Do we potentially need runners for moving information manually on paper or moving supplies around a hospital campus or to, um, potentially to backup sites where systems may be up and running. And then, you know, also remember things about, um, just basic infrastructure and life support. You know, what about H P A C systems and refrigeration systems? So if these go down, if the refrigeration goes down and, um, there are supplies or drugs that need to be refrigerated, those may need to be wasted. Or if the HVAC system goes down, then the entire facility could potentially be unusable. So part of this, um, business and disaster recovery planning needs to include plans about what if those basic infrastructure systems like refrigeration and HVAC systems go down as well. Jordan, any other

Speaker 4:

Thoughts? Yeah, I, I, I think overall healthcare is geared toward intervening on what's in front of them. I mean, everywhere from the emergency department through the floor, the treatment of patients is about assessing the patient and making an immediate intervention or plans for further interventions. And one of the things that sets in with some of these cyber attacks, fatigue, the first 24 hours is great. Everyone does what they're supposed to do. They figure out how to document on paper, they put in compensating, um, measures you like runners as Sean mentioned, but at some point, fatigue sets in and it can take 20, 30, 40 days for some of these systems to be restored. And so as you look at your contingency planning, it's not just the initial burst of how do we do this? It's how do we sustain it? And you use, you know, example of runners, well, we, you know, draft in other people in the hospital, um, who may be administrative to be runners, but that can't continue for three, four weeks. Um, how do we make sure that we have backup people coming in because we may have to overstaff the floors to compensate for the lack of access to systems. Um, you know, how do you deal with diversion and, um, you know, when patients can't be diverted. I mean, we have an example in the article of someone who was a hospital when I'm diversion, the patient had travel an extra 25 minutes and died in transit because what they really needed was some immediate triage assessment and intervention that may have then stabilized the patient for transport. So you have to deal with some of those things, you know, how do you deal with relocating patients? It's one thing to sort of say, we're going on diversion, we're canceling all elective surgeries, but you still have people in house. Um, and then, you know, looking at your contingencies, the contingency may be that we're gonna divert patients to the hospital across town. Well, if the outage, the cyber event spans outside of your organization, what's your contingency plan if you can't divert those patients? If you can't transfer them? And how do you adjust your contingency plans if your fallback system fails? Um, how did does this interrelate with other agencies like e m s fire police? Um, in an example, um, you know, of electrical outage that leads to a cyber outage that was due to a hurricane in the area. Well, the area has a lot bigger problems. And so you, you can't do your contingency planning in a very heads down manner without looking at, its how its tentacles sprawl out into everything the organization does. Betsy comments?

Speaker 5:

No, I think you and Sean have, um, scared everybody.<laugh>, but also I think, yes, on one level this is a thought exercise. And you know, probably 10 years ago, some of the scenarios that Gerard and Sean mentioned would seem like, oh, that could never happen. But we know they can happen. And so I think, um, when conducting the business impact assessments, you, you need to try to imagine the unimaginable happening, you know, what would be the absolute worst case and, you know, start planning for that. Um, and I think considering at what point do you, does the organization decide we can't provide safe care? You know, if we get to point X, we are no longer able to provide safe care to our patients, so we need to look at diversion or canceling certain procedures. And obviously point X is different depending on different types of services, you know, but the org, I think in doing the impact assessments, um, there should be some assumption that there will be a point where you cannot safely provide care and you need to build that into your assessment.

Speaker 2:

That's a really good point. I know, um, when we do the business impact assessments, we take a good amount of time to identify the dependencies on the processes. So, um, Gerard, I think you or Sean one mentioned the interaction with E M S and outside entities like that. Um, I think naming those people and identifying those dependencies is so important when you go into making contingency plans. So I, I think an another piece of this though, it's not enough to just have those plans. You have really gotta test them. And of course that takes time and resources, but, um, I believe unless you take that time and do those tests, your plans are not gonna be very helpful. So I know that, um, a lot of customers that we work with have downtime systems in place. Um, but I've also talked to customers who when they need those downtimes and go to'em, they're not available or the data in'EM is not up to date. Um, could you talk a little bit about the need to test those plans and how that impacts the level of readiness to the organization?

Speaker 4:

Sure. I mean, at a very fundamental level, failure to test your plans is a lack of due diligence. And that's, you know, going back to fiduciary responsibility. Um, you know, it's like having a fire suppression system that you never test. It's not much good because you're not sure it works. And a plan that is not tested is not actionable, it's not reliable, and it's not viable. The other interesting thing about testing, in addition to the practice aspect, and just as if you were taking self-defense classes and never practice them, in the case of an emergency, you'd be sitting there going, okay, now what I learn in class, whereas practice makes it muscle memory, uh, nothing is static. A plan that may have worked when created needs to be updated, uh, testing by actually doing it can help identify where things have changed. For example, one, you know, hospital I worked with, the plan says the IT staff will come up from the basement to the floors to help show that downtime computers are accessible, working, et cetera. But last year we moved the IT office five miles away as part of a plan to convert the former IT offices in the basement to clinical space. Oops,<laugh>. Um, you know, while someone should have thought of the downtime plan and the fact we moved it, when we actually went through the testing of the downtime process of our contingency plans, someone said, well, okay, the IT people are gonna come up from the basement. And everyone looked around and sort of said, yeah, but they're five miles away<laugh>. So it testing not only helps build that muscle memory of practice, of how we can clearly execute when things change dramatically, it can also really help you make sure that your plan still works.

Speaker 3:

Yeah. And what, you know, one thing that I wanted to mention is that, is that, um, just like Gerard said, that's part of due diligence is, is doing the testing. And if you don't do that, then government organizations, enforcement agencies, and frankly plaintiff's lawyers are gonna take that and they're gonna consider that lack of testing and sufficient pre-planning to be a lack of reasonable diligence. And it's gonna be an aggravating factor to any lawsuit or penalties or any, you know, data breach incident, um, ramifications or patient harm that results from that cyber issue.

Speaker 2:

Yeah,

Speaker 3:

Betsy,

Speaker 5:

No, I think you all have summed it up pretty well.

Speaker 3:

Great.

Speaker 2:

So one of the things, um, Betsy, I'd like to hear you weigh in on, you know, communication around a cyber event is critical. Um, and I know that there's a lot of talk about you need to be transparent, you need to share information. Um, how transparent is transparent, you know, what does that communication look like to be effective thoughts?

Speaker 5:

It's, well, that's a great question, Kathy and I would start by saying, first, um, following on the discussion, we just have, you need to have a plan, a communication plan, um, before an event happens. Um, you know, understanding, I mean, obviously you can't, uh, script everything, um, before an event occurs, but, um, generally unders having brought ideas about what you wanna communicate and to whom you need to communicate, because the organization has multiple constituencies. You've got, um, you know, your incident response team, obviously the communication to them is going to be more detailed. Um, so they can actually implement your incident response plan. Um, there needs to be communication to the board. Um, and then you've gotta communicate to your employees, you know, your physicians, your nurses, your uh, staff, your billing department, all of those folks about what is happening and what the new expectations will be for them. Um, you know, communicating to patients, um, you know, and you may communicate with patients already in the facility differently than patients who are scheduled to come for a procedure, you know, later that day or, um, you know, a week from then. And then communicating with the public. Also, in certain, depending on the circumstances, you may be wanna communicate with law enforcement. Um, if there is what you perceive to be an ongoing, uh, malicious attack, there may be benefit in communicating with law enforcement. At some point you may need to communicate with other government agencies. I'm thinking perhaps office for Civil Rights or, um, right, HC three, and then going back to our prior discussion, communicating with other, um, hospitals or, um, e m s systems in the community. So, and what the communication looks like to each of those constituencies will vary a little bit. Um, but again, yes, you want to try to be as transparent as possible, but recognizing a lot of times you don't, you know, in the early hours, you may not know what's going on. Um, you know, so it's, you know, admittedly you're walking a fine line. Um, um, you know, which is why it's helpful to think these things through beforehand and ha you know, perhaps engage an outside, uh, media consultant to assist with the messaging. Excellent point.

Speaker 4:

I, I, I think all those things are really important. And wanna pick up on one thing you mentioned, which is disclosure to patients. This could be a part of informed consent. If the organization has a, you know, reduction in capacity, a patient may choose to go elsewhere. In fact, that was mentioned one of the cases we discussed in our article, which is, was there a lack of informed consent on the part of the patient? Um, I think, you know, there's some really huge ground rules in terms of, you know, being transparent. You've gotta be truthful, you can't get beyond your skis. Don't speculate, don't assume, be confident, be clear, be consistent, have an authoritative voice that's as besty suggested one representative. And your plan shouldn't say, well, the CEO's gonna do this because he may be out of town. So what's, who's the backup? Um, don't overcommit. I mean, people always wanna promise, we're gonna solve this problem soon. You don't know what the problem is that Betsy points out. This is a social media era. If you tell internal people something and external people something else, it will come out. And the news media's gonna rake you over the coals because you're telling them something different that you're telling, you know, internal people schedule, right? Regular updates for the press. Control the message. Don't be the voice of doom. Own the situation it happened. Don't try to make excuses for it. Don't discuss why it happened, who caused it. What are you doing to address the situation? We can, we have enough time two weeks later figure out who's at fault or what happened. We've gotta care for the patients in our community now. And to sort of throw Miranda warnings on its head, you do not have the right to remain silent. Everything you say will be held against you, whether in the court of public opinion or the court of law. Sean, I know it's a

Speaker 3:

Yeah, no, it's a, just like you guys highlighted, it really is a balancing, you know, balancing act. You know, you don't, you wanna be as transparent as possible, as transparent as necessary, but you also don't want to cause alarm or panic in the community. You don't wanna harm the health system if you're, if you're a health system or a hospital. You don't wanna harm your reputation in community. But I think the importance of transparency is, is really highlighted by one of the, one of the things we talk about in the article, and I think Gerardi may have mentioned it at the beginning of our conversation, was this ransomware in a hospital in Alabama, I think it was just in 2019, where, where you, you briefly described it, but a pregnant mother was admitted and delivered a newborn while this hospital's systems were down as a result of a ransomware attack. And they had, they had no access to their ehr, they're using paper charting as you reference. Their fetal tracing and fetal monitoring, um, capabilities were either down or very, very limited. And tragically the baby had fetal distress and, and ended up, ended up dying. But throughout that entire period, the hospital was, was, um, issuing press releases and media outreach that emphasized over and over that they were continuing to provide the high quality of service that their patients deserve, and that they were able to continue the, um, continue the services uninterrupted and that their downtime procedures were working, when ultimately, as we know from that event, maybe they weren't able to provide the same level of care that, that the patient would've gotten elsewhere. So, so going back to Gerard's point, I mean, this is a, this is a matter of patient, um, patient informed consent and really about, about meeting the standard of care. So at that, you know, in that scenario, either the patient should have been really informed about what the potential risks were or the practitioner responsible, the physician or other licensed clinician responsible for the patient may have had a duty to, to make a call that we need to do something else or transfer the patient elsewhere because we don't have the capability to treat them. We don't have the capability to treat this patient, or really to meet the standard of care that is necessary for me to do my job, um, without, without facing potential malpractice risks.

Speaker 4:

And, and that very active making the determination is an interesting challenge because you have physicians who have their own medical license, who must make their own judgments about their ability to provide care, which may differ from that of the administration. Mm-hmm.<affirmative> either overconfidence on the part of the physician and saying, yeah, no, no, I can handle this despite the fact the building's burning down around me, or the more risk averse sense of, well, the hospital has taken out most of the things I rely on to provide good patient care. I can't provide care, therefore I'm going to refuse to provide care. And you have to sort out in advance how you're gonna make those decisions and you know, where representatives of the medical staff are gonna be involved in helping administration and the organization decide when is the time to limit the services you're providing and seek ways to alternatively care for or have care provided to those patients.

Speaker 5:

And Gerard, I think that highlights the need to do all the preparation beforehand that we've been discussing, because if you don't understand how care delivery may be affected, if your systems are down, it's pretty, it's difficult to make that determination when you can no longer, you as a healthcare provider can no longer meet the standard of care. Um, so it's important. And again, you also have to test those procedures, um, with your staff. So your providers and your nurses know how things are going to change so they can make those assessments about when it no longer is, they're no longer able to safely provide care to patients. Um, you know, just to drive home, again, the point of doing your preparation beforehand and understanding how your processes may change, um, because then un having that understanding allows you to be, to have a more realistic understanding of what the organization may and may not be able to do, you know, in the throes of this crisis, you know, and in the days following. And then that allows you to, I think, provide more transparent messaging to your different constituencies.

Speaker 3:

Yeah. And I think part of that training and pre-planning, you know, involves determining who's gonna be calling the shots for certain types of scenarios mm-hmm.<affirmative>, and that's, you know, testing that and making sure everyone understands that and knows, knows that is really important. And I, you know, some to, to, to talk about something that just happened recently, the d DeMar Hamlin incident for the N F L fans out there, um, where the player had cardiac arrests on the field and there was a, there was an immediate response, and something that was covered a lot in the media that I remember hearing about was that they had, they practiced this every single game and they had identified, depending on the issue, they had identified which clinician they had, athletic trainers, they had multiple different types of physicians out there, physical train, physical therapists, a lot of different types of clinicians, but they had already identified in advance who was gonna be the, um, the incident commander, so to speak, and who was gonna be the one in charge in calling the shots. And just in the same way, you know, hospitals and health systems that are, that are potentially subject to these types of risks, they need to know, you know, what types of decisions need to be made by the attending physician that's caring for that specific patient and what types of decisions should be made by the hospital administration or maybe set in advance through policies and, and contingency plans and things like that. So, you know, I think it's, it's really important to, to think about who's gonna be making those decisions when we are in a, in a potential time of crisis. And to practice those.

Speaker 4:

And, and I think Sean, you know, through that example, emphasizes the importance of, well, what are the metrics we're gonna use to assess our ability to respond? In the case of, um, the football player, it was, okay, what type of scenario is it? Who's gonna be the incident commander? But all throughout this, what are the metrics we use to determine whether we're providing adequate care, whether they're providing adequate information support. And if you look at a, you know, graph of response during the first couple hours, there's chaos and our efficiency and effectiveness is not great, but we're overwhelming it by just simply flooding the zone. At some point we get our act together, everyone knows where the paper forms are, the older nurses have taught the younger nurses how to document. Uh, we figured out how to, you know, share information. And so the efficiency goes up and then we end up with this drop-off due to fatigue, due to resources getting temporarily burned out. And so looking at that ebb and flow, what are the metrics we're measuring so we can intelligently determine not only are we able to care for patients, but how do we have to then continue the compensation and mitigating efforts to assure that we are providing the appropriate level of care and are safeguarding the financial and fiduciary resources of the organization.

Speaker 2:

This has been a wonderful discussion. Thank you all.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to a H L A, speaking of health law wherever you get your podcasts. To learn more about a H L A and the educational resources available to the health law community, visit American health law.org.