Investigating Electronic Health Record Downtimes: A Scoping Review of Literature and News Media (Preprint) Institutional Repository Document

Electronic Health Record Systems have become ubiquitous in the delivery of patient care. While the implementation has brought safety and efficiency boosts to the industry, it has also exposed patients and their data to new risks in the form of downtime. Downtimes are any period where the computer systems are unavailable and these periods occur for updates or upgrades, but can also be triggered by deliberate cyber-attack. During an unexpected downtime, healthcare workers are forced to fall back to rarely practiced paper-based methods for healthcare delivery, while at the same time, patient data is potentially exposed to parties seeking to profit from its sale.

We sought to provide a foundational perspective of the current state of downtime readiness in light of the growing cyber-attack threat on healthcare data and hospital networks.

A search of technical news media related to healthcare informatics and a scoping review of research literature were conducted. Following the ENTEREQ framework, 1,651 records were retrieved, of which 16 were included in the final review.

164 US-based hospitals experienced a total of 670 days of downtime in 41 events between 2012 and 2018. Almost half (48.8%) of the published downtime events involved some form of cyber-attack. 1,651 studies matching downtime search strings were found, 16 of which were found to meet inclusion criteria. Few research studies have a downtime emphasis; those that do are predominantly focused on a top-down approach. They were found to have a range of focus from the theoretical exploration of downtime to direct empirical comparison of downtime versus normal operation.

Downtime contingency planning is still predominantly considered in abstract or top-down organizational focus. It is proposed that a bottom-up approach to comprehending and addressing downtime will be beneficial due to the complicated nature of patient care and computer downtime events. A bottom-up approach would involve the front-line clinical staff responsible for executing the downtime procedure and directly caring for the patients. EHR downtime events will continue to be a complication to hospital and healthcare operations. Significant new research support for the development of contingency plans will be needed as the cyber-attack threat continues to grow.