Time to Evaluate and Learn from our COVID Responses

As states and cities throughout the United States begin to lift stay at home restrictions, it is important to remember that the COVID crisis is not yet behind us and that the potential for a resurgence still exists.  The reprieve that healthcare systems are beginning to see from the huge patient surges that occurred in previous weeks, however, does provide a bit of breathing room for hospitals to take a moment and reflect on what changes COVID brought to their organization and to take stock of how the implementation of all of those changes compare to the normal IT and information security standards that the hospital upholds.  Moreover, hospitals should take a page from any incident response playbook and take the time to evaluate what worked well, what didn’t work, and what can be improved upon.  Hospitals around the US rushed to expand remote access to their workforce, rapidly deployed telehealth technologies, rapidly added and brought live medical devices, and made numerous other changes in an effort to maintain appropriate levels of patient care and protect the populations they serve as well as their workforce.  In cases such as telehealth, certain HIPAA restrictions were even waived to allow for the rapid deployment of the technology to ensure that patients maintained the ability to seek out medical care during the stay at home orders.  All of this means that no hospital’s technological response to COVID was perfect and that there is room for improvement.  The time to begin to think about those needed improvements is now. 

While in an ideal world, all of the technologies deployed for COVID should still have been properly vetted prior to purchasing and IT and information security best practices followed for the expansion of existing technologies and the deployment of new technologies, the reality is that short COVID preparation windows did not allow for this to occur in all healthcare settings and across all projects within a given healthcare setting.  It is the time for us to begin to catalog all of the changes that were made and begin to evaluate them with the following considerations in mind. 

• What solutions will need to be eliminated? Whether it met a short term need or not, not all changes will prove to be beneficial or sustainable for hospitals over the long term. These problematic or unsustainable changes will need to be identified and plans made for replacement with a suitable solution or doing away with the solution. For example, with HIPAA restrictions, temporarily lifted a video conferencing platform may have been acceptable for use with telehealth, but those restrictions are not going to remain lifted in perpetuity. Any hospital that deployed such a solution will need to come up with a way of migrating users to a HIPAA compliant solution, if economically feasible, or will need a way to phase the solution out.  Hospitals should begin to identify solutions that were found to pose little benefit for the organization and begin identifying methods to safely phase out any such solutions.  For solutions that were found to be beneficial, but are long term unsustainable for other reasons, the hospital should begin to develop processes for conducting cost benefit analyses and risk analyses of possible replacement solutions so that consideration can be given towards eliminating the problematic solution via a possible replacement with a more long-term sustainable one.
• What solutions worked well and are deployed using industry standards? Just as there may be some solutions that were discovered to be of little value to the organization’s COVID response needs, there will be some solutions that will have been found to be highly beneficial to the organization’s COVID response. For these cases the organization needs to consider if the successful solution was deployed according to industry standard best practices or if a rushed deployment led to some corners being cut.  It’s critical to audit the implementation of even successful solutions to ensure that they do not place the organization at risk.  For example, that new remote access technology may have worked out great, but are the in-place permissions restrictive enough to minimize organizational risk or are they too permissive?  For any successful solution that is found to be on par with industry standards, organizations need to take the time to evaluate the scale of the solution that they have in place.  Does the solution need to be scaled up to facilitate an even greater organizational benefit or should the solution be scaled down for economic reasons?  Successful solutions are great, but to ensure the long-term viability of the solution, organizations need to ensure that even highly successful solutions are deployed at an appropriate scale.  It’s a good time to use the lessons learned from the initial COVID peak and to begin to identify any adjustments to scale that may need to be made and to begin to make plans to scale up or down accordingly. 
• What solutions worked well but are not deployed to industry standards? As suggested in the above section, even solutions that were highly successful towards addressing an organization’s COVID needs should be audited to ensure they do not increase the risk profile of the organization to an unacceptable level. For any solution that is found to be deployed in a manner that is not on par with industry standards or found to place the organization at risk, measures need to be taken to correct the deployment. For example, maybe network enabled ventilators were rushed into production to meet an urgent clinical need, but because of the urgency were deployed without following recommended network segmentation guidelines.  Such deployments should be revisited to ensure they are brought in line with industry standards to help reduce organizational risk.  Given that in a modern hospital, cybersecurity can be readily equated with patient safety, not letting such risks linger in your environment is critical.  Once these deployment deficiencies are addressed, it then becomes critical to consider the scale of the solution as detailed above.
• What deficiencies were found to be present despite deployed solutions? While some solutions will have proved highly valuable and other solutions may have provided minimal value, no organization’s pandemic response plan will have been 100% perfect. Now is the time for organizations to reevaluate their pandemic response plans and see what areas were not covered adequately by their deployed solutions.   In what areas was the organization’s technical planning deficient and, more importantly, what are possible additions or adaptations that the organization can make to meet these deficiencies? Perhaps, for instance, your organization had implemented a telehealth solution that worked well for conducting patient visits, but your organization did not anticipate the need for remote monitoring as a part of your telehealth program.  Does the currently deployed telehealth solution allow for the addition or remote monitoring or is another solution needed?  While there is at least a temporary COVID lull, now is the time identify to address those deficiencies with properly vetted and deployed solutions. 

While the first COVID peak is behind us the potential for continued COVID outbreaks still exists.  Take the time to assess your organization’s COVID responses to date and use the lessons learned to ensure that tomorrow your organization is even better prepared.