As part of a well-prepared drill, Johns Hopkins’ Enterprise IT Department reports that its staff is observing suspicious activity on the organization’s computer systems. To protect the network from being further compromised, IT shuts off all connections to the internet.
Johns Hopkins Medicine Office of Emergency Management officials rolled out this exercise to test how effectively the organization would continue day-to-day operations in the event of a cyberattack that might disrupt everything from performing patient surgeries and processing payroll to accessing patient medical record systems and research databases.
A detailed report on strengths, areas of opportunity and feedback from lessons learned from the exercise will be incorporated into an after-action report that will be released in July. An initial assessment of enterprise performance was presented to senior leadership.
“Data breaches and attacks on information technology systems are becoming more common and aggressive, and the level of an organization’s readiness and response can make the difference between effective business continuity and harmful and prolonged disruption. We need to ensure we are prepared to deliver safe and high-quality care in the absence of information technology,” says Stephanie Reel, senior vice president and chief information officer for Johns Hopkins Medicine.
To test Johns Hopkins’ preparedness, the Office of Emergency Management led a full-scale systemwide drill that activated more than 40 incident command centers at the six hospitals and other member organizations, pulling in 600 active participants and 30 evaluators and controllers.
With more than four months to prepare, participants had to think through their business continuity backup and “downtime” plans. This involved processes such as printing hard copies of phone and fax numbers, backing up copies of patient records and determining how and when to use the various notification systems, including overhead paging, CORUS, RAVE and Assurance Notification Manager.
“The intense and committed exercise participation and game play of Team Hopkins was evident,” says Bob Maloney, senior director of emergency management for Johns Hopkins Medicine, who directed the drill from a central command center at The Johns Hopkins Hospital. “Our staff took the exercise and the resiliency building to a higher level. Our leaders told us the exercise felt real.”
Command center staff at the member organizations found value in the drill, especially with the preplanning.
Johns Hopkins Home Care Group
“Having a controller and evaluator from MEMA was an added benefit for learning,” says Penny Carey, executive director of home medical equipment and respiratory services at Johns Hopkins Home Care Group. “The work to build resilience at JHHCG will continue, not only for IT interruption, but other scenarios that have the potential to cause disruption to our mission.”
Johns Hopkins Medicine International
Representatives from across Johns Hopkins Medicine International (JHI) also participated in Operation Unplugged, including staff from communications, human resources, information technology, patient services, compliance, risk management and support services. “Lessons learned that we’d like to explore include having a phone tree, customized binders for each role and online FEMA training,” says Renata Matsson, JHI’s chief compliance officer. “We also recognize that our diverse stakeholders—including JHI staff, international patients, global affiliates and embassy representatives—require communications across a variety of channels.”
Howard County General Hospital
According to Gene Mellin, director of emergency management for Howard County General Hospital, unexpected scenarios were added and kept the team on their toes, requiring quick thinking and efficient teamwork to solve the complex problems. “The real-world play helped the command center team identify some communication gaps that must be addressed, as well as operational and financial processes,” he says.
Sibley Memorial Hospital
At Sibley Memorial Hospital, “working and coordinating with our IT colleagues, we were able to manage the IT ‘outage,’ identify our vulnerabilities and address these in a timely fashion that allowed us to continue normal operations,” says Ed Grogan, senior director of information technology. “Some of the issues we encountered and addressed included nurse staffing, surgical scheduling and reaching physicians.” Participants recommended that Sibley Memorial develop a list of cellphone numbers of all physicians so they could be alerted in real time.
Johns Hopkins Community Physicians
Melissa Feld Helicke, vice president of operations and chief operating officer of Johns Hopkins Community Physicians, says an extended IT outage pushed the team to think more creatively to address the safety risk of seeing patients without Epic on Day 3. “We had to determine whether it was safe to see patients or if we should cancel patients if Epic remained down for a third day. The growing tangle of test results and other important information our providers could not access might pose an increased risk. We also looked at how to manage extra work once the system is back up and running, such as whether to hire Intrastaff or to require staff overtime hours.”
Johns Hopkins Bayview Medical Center
Todd Dousa, emergency management and safety coordinator for Johns Hopkins Bayview Medical Center, felt each department left the drill with ideas on how to improve their readiness for an extended technology outage. “Some initial opportunities we identified included developing a plan for the additional staffing and long-term recovery that such an outage would require,” Dousa says. “A continued emphasis on business continuity access training across the medical center is also a priority.”
Moving forward, debriefings found that staff members desire resources to improve their ability to communicate, such as standardized messages, more training on using walkie-talkies, and contingencies for staffing and communications.
In the end, Maloney says, “The drill was a tremendous success. It really moved the needle on preparedness.”