How have hospitals prepared for the possible loss of ICT systems?

During the winter 2019/2020, the Norwegian Board of Health Supervision conducted a survey of five enterprises and their overview of critical systems, risk assessments and emergency procedures regarding ICT systems. The survey was limited to a number of enterprises within the specialist health service. No legality checks were carried out on the responses that were received. In this report, we present the key overall findings.

The enterprises have mostly identified the ICT systems that are critical, and largely developed emergency procedures for key functions, such as the ordering of tests/investigations and the distribution of medicines. However, few enterprises would be able to maintain an overview of admitted and scheduled patients in the event of a loss of ICT. The risk of failure of proper healthcare also increases the longer period of ICT failure lasts. Patients arriving at an A&E department while the medical record system is unavailable would largely have to be treated without any information concerning previous treatment.

Several enterprises have unclear decision-making structures concerning the establishment of read-only copies of EMR (electronic access to read back-up electronic patient records). There was some unresolved delegation of responsibilities between some health enterprises and ICT providers regarding the preparation and approval of risk assessments.

The enterprises stated that emergency procedures are stored in separate emergency folders in clinical departments. There is some variable practising of emergency routines, but in practice emergency routines will be tested in the event of real operational problems. The report forms the basis for a wider survey. Information security is investigated as regards accessibility, but not as regards confidentiality or integrity.