During a featured session at Becker’s Hospital Review 15th Annual Meeting in April, Eli Tarlow, a healthcare strategist and director with the tech firm CDW, took the stage to confront a sobering reality: health systems must be prepared to deliver care without technology — for as long as a month.
Drawing on experience from CIO roles and recent health system outages, Mr. Tarlow outlined a no-nonsense roadmap for building “clinical care resiliency” in the face of cyberattacks, infrastructure failures and cascading IT disruptions.
Here are four key insights from the session:
Note: Quotes have been edited for length and clarity.
1. A month-long outage isn’t a hypothetical in healthcare
The Change Healthcare cyberattack in 2024, and other recent cyber incidents have shown that even well-funded systems with strong IT teams are not immune to extended downtimes.
Mr. Tarlow cited one hospital that survived a month-long outage with no significant clinical adverse outcomes because they had prepared and rehearsed downtime procedures. Other systems have seen staff stay on through severe outages but later demand security updates and downtime process changes to avoid the worst outcomes of another devastating attack.
2. Effective downtime planning requires clinical and business continuity
Mr. Tarlow challenged attendees to consider full outage scenarios — no EHR, no phones, no ordering systems, no pharmacy tech, no badge access. “You still have oxygen and power, but that’s it. No technology. No phones,” he said. “Start to think about what that looks like for you.”
CDW’s model breaks downtime into various duration phases (day, week, month) and recommends testing each department’s ability to operate manually. Every unit — from the operating room to the revenue cycle team — needs a specialty-specific continuity plan.
3. Real planning means simulation — not just documentation
Most hospitals have outdated, or vague downtime plans that would fail under pressure. Mr. Tarlow advocated for on-site assessments, live departmental simulations and an enterprise-wide downtime rotation model.
He described a multi-site project that uncovered outdated forms, misaligned staffing, and missing manual supplies like wristbands and prescription pads. Every gap was logged and tied to clinical and financial risk.
4. The biggest risk is doing nothing
“This is not just an IT problem, this is a business problem,” Mr. Tarlow said. “The CEO of one organization that engaged us [to work on downtime preparedness] told us the reason why he’s doing this is because if they’re down for a month, they lose a billion dollars. Guess what? He was wrong. It’s $1.8 billion.”
Learn more about CDW’s cybersecurity advisory services here.
