Preparing your laboratory for an extended downtime: Best practices and strategies

Clinical laboratories are now confronted with the growing risk of cybersecurity attacks and are grappling with the task of sustaining operational functionality in the face of such incidents. Over the past decade, the sophistication of cyberattacks threatening the healthcare industry has increased dramatically, with no signs these threats will subside.1 This article will review cybersecurity pitfalls and highlight events that could lead to a delay in laboratory operations, which impacts the financial stability of the health system and ultimately patient care. It is crucial to understand the financial and operational stakes at risk during cybersecurity attacks, with the average cost of data breaches reaching $8 million per healthcare organization.2 The strategic response to such an event is multifaceted and requires immediate, well-coordinated actions. Figure 1 presents the structured approach to managing a cybersecurity incident within the laboratory, starting with detection and moving through the subsequent stages of systems going offline, the adoption of manual documentation, the restoration of systems, the recovery phase, and concluding with the essential post-event learning outcomes.

Day-to-day challenges during a cybersecurity event: The immediate aftermath of a cybersecurity attack presents numerous operational hurdles. Clinical laboratories face the task of activating downtime procedures to replace automated/electronic systems. Making the switch from electronic documentation to downtime or manual documentation processes can be difficult. The laboratory staff must have a procedure for downtime operations as a guide; this will ensure proper recovery of operations when the system is back up and running. Operational workarounds become a daily reality, as staff members must adapt to manual data entry and the use of alternative equipment, often leading to increased workload and potential for errors. However, during a downtime event, this practice is paramount. If your downtime documentation is out of date or does not include planning for extended downtimes (i.e., more than two weeks), you risk staff burnout and/or lost revenue due to documentation issues such as recording of patient information, specimen data, and test results. In 2017, laboratories generated an estimated $87.3 billion in revenue, totaling 2.6% of annual healthcare spending in North America.3 This revenue figure highlights the vital role that laboratorians play in the healthcare system, emphasizing the necessity of robust documentation practices as manual processes inevitably slow operations, reducing the potential for revenue collection. Most importantly, manual processes increase the potential for human error, posing a threat to the quality of patient care.

Effective communication and coordination become vital during a cybersecurity event. Communication barriers become prominent due to system outages and email disruptions, necessitating an alternative means of communication. It is crucial to set up communication channels with key stakeholders, like department or section heads, who play a critical role in downtime management and can efficiently spread information. Quickly implementing alternative communication methods at the onset of unexpected downtime is essential for keeping your team informed with up-to-date information. A unified response across various teams is crucial for managing the crisis effectively. Teamwork stands as the cornerstone of effective downtime management, playing a critical role in navigating your laboratory through unexpected downtimes.

Operational challenges and solutions: The transition to manual processes introduces specific operational issues such as the need for alphabetizing patient records manually, complexities in the patient readmission documentation in the laboratory, and the management of supplies, particularly the exhaustion of downtime labels. Laboratories should devise new systems for label printing and patient management, underscoring the importance of innovative solutions and efficient tactics in managing these challenges. Ensure your laboratory has a back-up system for generating downtime labels in the event you lose all middleware and laboratory information system functionality. Although it may seem unlikely, the possibility cannot be entirely dismissed. The crucial question remains: Are you prepared if it does happen?

Your lab should be prepared to run quality control, result specimens, and troubleshoot downtime accessions that are not generated by electronic means. You should have a system in place to manually review QC before performing patient results, in the event your QC management software system goes down as well. Ensuring the notification of critical results during system downtimes is essential. It is important to have mechanisms established both for identifying critical results and for alerting the relevant department or floor when regular communication channels like phone lines, fax machines, and email are unavailable. It is also important to implement systems of communication with the floors/units regarding timed blood draws and blood culture collections. How can the laboratory inform the floors about the collection of blood specimens or cultures when there isn't an electronic system available for confirmation?

Continuity and recovery planning: Preparing for such events through drills and training fairs is essential to ensure staff readiness. Some major healthcare organizations hold downtime drills hospital-wide monthly to ensure the hospital system is better prepared for downtime documentation methods. During a downtime event, manual processes such as charting or admissions can be notably time-consuming. It's important to recognize that most admissions and nursing floors may not engage in downtime practices as frequently as the laboratory. Therefore, it's vital to establish a system-wide downtime drill that includes the lab and other departments in the hospital, aiming to identify and address any miscommunications or ineffective practices that could lead to considerable delays during an actual downtime scenario. Post-event, the focus shifts to recovery strategies and learning from the incident to improve future preparedness. It's essential to keep your downtime requisitions updated, making sure they include the most current test codes, CPT codes, and order identification numbers. Determining which departments can be consolidated onto a single requisition form is essential. This involves assessing if the Emergency Department (ED), Operating Room (OR), and Radiology (XRAY) need individual forms or if their testing requirements can be efficiently met with one comprehensive requisition.

When facing extended periods of downtime, it is worth considering if your downtime requisitions should include fewer tests to streamline processes, while leaving space for physicians to write in testing not listed. Additionally, implementing a color-coded system for each test on the requisition form can greatly assist non-lab professionals in identifying the correct tubes for specimen collection. Including the requesting floor/unit/department and a reliable contact number at the top of the requisition could enhance the efficiency of recovery efforts. This addition ensures clear communication pathways and facilitates prompt responses to any queries or issues that arise. Given the volume of specimens and requisitions laboratories receive, such measures are crucial in managing the extensive recovery process effectively.

Establishing a designated recovery area within your lab right at the onset of a cybersecurity event can significantly reduce your lab's recovery time. This recovery room should be staffed by key personnel dedicated to leading the recovery efforts. It serves as a centralized location for organizing all results and original requisitions securely, facilitating a swift return to normal operations once systems are restored. This setup is also beneficial for rapid result readback to providers who request results from the period of downtime, which could span several weeks and are not yet available in the system for reference. 

Collaboration with your IT and laboratory information system (LIS) teams is critical to determine the most effective method for recapturing lab testing orders. Charge recovery can follow various pathways, and the optimal approach will depend on your laboratory's specific context, including the available personnel for recovery efforts and the capabilities of your IT and LIS infrastructure. For example, ABC Health System implemented a strategy for charge recovery using a bulk-charge sheet, enabling the laboratory to input multiple tests simultaneously into an Excel spreadsheet, provided the patient's name, medical record number, and admission dates are correctly matched with the registration team's inputs. This allows the laboratory information system (LIS) to upload the charge sheet and post lab charges, though it's important to note that lab results will not be recorded in the system for the duration of the downtime. 

It is important to note that during a recovery, manual entry of results is always the preferred method, because it ensures patients' lab results are accessible in the system. However, manually entering results following an extended downtime presents a significant challenge. Additionally, registration must create or modify patient stay accounts before the lab can post results, adding another layer of complexity to the recovery process.

Recovery from an extended cybersecurity event is a team effort, necessitating close coordination across the laboratory departments and the health system. Regular communication with hospital leadership is essential for addressing ongoing issues, such as unverified requisitions, illegible orders, and specimen transport issues between inpatient and outpatient clinics. This collective approach underscores the importance of unity and collaboration in overcoming the challenges posed by downtime and ensuring the continuity of laboratory services.

To enhance recovery processes in the clinical laboratory, the following recommendations are proposed:

1. Regularly update your laboratory requisitions at least once a year to ensure they reflect the latest tests, codes, and procedural changes.

2. Actively engage in or organize comprehensive downtime drills across the hospital. Follow up with meetings to address any issues encountered and discuss improvements.

3. Assess your laboratory's current downtime protocols and confirm the availability of non-electronic backup solutions for label printing and other critical functions that typically rely on the laboratory information system (LIS) or electronic medical records (EMR).

4. Maintain an updated list of key contacts for quick communication with various hospital units during extended downtimes, so as to ensure minimal disruption to laboratory services.

5. Develop a contingency plan for delivering test results when conventional methods (tube system, phone lines, fax machines) are unavailable, incorporating manual delivery methods, as necessary.

6. Recognize the importance of sustaining staff morale, especially during challenging periods. Offering meals, wellness breaks, and incentive pay can significantly contribute to a positive work environment during extended downtimes.

7. Allocate a specific area or room within your laboratory for recovery efforts. This space should be equipped with computer workstations and have the resources to handle the sorting and processing of results and requisitions during and after downtime events efficiently.

In conclusion, this study has shed light on the significant impact that cybersecurity events can have on laboratory operations, emphasizing the critical need for effective recovery and continuity strategies. By highlighting common pitfalls and offering insights to mitigate disruptions, this research underscores the importance of a strategic, well-coordinated response to safeguard laboratory services, alleviate financial burdens on health systems, and minimize adverse effects on patient care. The findings demonstrate that preparedness, resilience, and adaptability are key to navigating the complexities of cybersecurity events in the healthcare sector. Through the implementation of the recommended strategies, laboratories can enhance their defenses against such disruptions, ensuring the continuity of care.

Acknowledgements: I extend my deepest gratitude to Christina P. Nickel, MHA, MLS(ASCP)CM, CPHQ, for her invaluable contribution to this publication. As the Laboratory Director of Clinical and Anatomic Laboratory at Bryan Medical Center, her expertise and dedication were instrumental in the creation of a comprehensive PowerPoint presentation that significantly aided in the drafting of this paper. Her insights and guidance throughout the process have been a cornerstone of my research, enhancing the depth and accuracy of my findings. I am profoundly thankful for her support and collaboration, which have greatly enriched this work.


1. Chau JA. Cybersecurity in the healthcare industry. August 2021. Accessed February 12, 2024.
2. Department of Health and Human Services. A Cost Analysis of Healthcare Sector Data Breaches. Health Sector Cybersecurity Coordination Center (HC3). Published April 12, 2019. Accessed December 31, 2023.
3. Executive Summary. A cost analysis of healthcare sector data breaches health sector cybersecurity coordination center (HC3). Published April 12, 2019. Accessed May 21, 2024.