Handrails
Hospitals & health systems

Prove you can keep treating patients. Even when the EHR can't.

Run cyber, surge and emergency scenarios in live conditions.

What if the entire exercise, from scenario to accreditation-ready report, took less than 60 minutes? You could run it this week.

Mapped to CMS · HIPAA · Joint Commission · NSQHS · and more

[Video: Holly, the Handrails AI agent, facilitating a live virtual multi-site drill (47:32) with Dr. Nnenna (CMIO) and Sam (Privacy); transcript and facilitator view]
What's changed

Why now

01

Patient care breaks down faster than escalation trees

Hospitals often discover communication gaps, unclear clinical ownership and manual-workaround failures during the first realistic downtime simulation.

02

Clinical continuity now depends on operational resilience

Cyber incidents, EHR outages and emergency surges increasingly impact frontline care delivery. Health systems are under pressure to prove they can continue operating safely during disruption.

03

Critical vendors now sit directly in the patient-care pathway

EHR platforms, connected devices, pathology systems and third-party providers have become operational dependencies. A single outage can rapidly cascade into a patient-safety event.

Says who

The frameworks behind every accreditation visit, OCR audit and board question

Every exercise maps to a real clause your regulators, accreditors and patients are asking about.
CMS / Joint Commission
Emergency Exercise · CMS + Joint Commission + NSQHS
Two annually; one community-wide

Mass-casualty and community-wide emergency exercise. CMS requires an annual full-scale exercise plus an additional exercise; the Joint Commission requires two, at least one of them community-wide. In Australia, the ACSQHC NSQHS Standards (Std 1 Clinical Governance, Std 8 Recognising and Responding to Acute Deterioration) carry equivalent emergency-readiness expectations for accredited services.

If skipped: CMS Condition-level finding; loss of CMS reimbursement eligibility; loss of accreditation; ACSQHC accreditation actions.
HIPAA
Cyber & Contingency · HHS HIPAA + Privacy Act
Periodic testing and revision

HIPAA requires periodic testing and revision of contingency plan components. In Australia, the Privacy Act 1988 and the OAIC Notifiable Data Breaches scheme require timely assessment and notification of eligible data breaches; the upcoming Privacy Act reforms tighten security obligations further. EU and UK frameworks expect annual exercising of business continuity plans.

If skipped: OCR enforcement (settlements historically USD 50K to multi-million). State AG action. OAIC determinations and civil penalties under the Privacy Act.
Also available

Don't see your framework?

Handrails covers more than CMS and HIPAA. If your obligation is listed here, or you don't see it at all, let us know.

  • Sentinel Events
    On-occurrence rehearsal expected under the Joint Commission Sentinel Event Policy and NSQHS Standard 1. 45-business-day root-cause window. Open-disclosure obligations under the Australian Open Disclosure Framework and UK CQC Regulation 20.
  • Infection Prevention
    Annual coordination with emergency-preparedness under CMS §482.42, JC IC.02.01.01 and NSQHS Standard 3. ECDC and member-state public-health frameworks apply in the EU.
How it works

From scenario to accreditation-ready report, in under 60 minutes.

Weeks of planning. Hours of facilitation. Days more for the report. Handrails compresses the whole thing into under 60 minutes.
1. Context in
Context
Org: Multi-site health system
Frameworks: CMS · HIPAA · JC · NSQHS
Patients: 340k served annually
Systems: EHR · lab · radiology
BAAs: 127 business associates
Breach notice: 60 days · OCR
Scenario: EHR ransomware
Downtime tolerance: ED: 0 · OR: 2h
Room: CMIO · IT · CMO · Privacy · Legal
Fallback: Paper downtime procedures
Notifications: Patients · media · OCR · HHS
Output: Accreditation-ready packet

Built around your context

Answer a few questions about your setup, including your facility type, accreditation framework, jurisdiction, integrated-network status and IT / cyber maturity. The scenario is tuned to the obligations actually in scope, not a generic template. Hours of consultant prep, designed in minutes.

2. Virtual session

Run it live, virtually

Your team joins a video call. EM, CISO, Infection Prevention, CMO / Patient Safety, Facilities and senior management observers in the same call; each function makes the decisions they'd actually make. The recording is the evidence stream. Scheduling is the only setup.

3. Report out
Tabletop · CMS §482.15(d) · HIPAA §164.308(a)(7): Ready
Downtime fallback: ED on paper within 7 min
BAA dual-notification: Template stale; 17 contacts dead
OCR clock start: Logged with evidence
Patient call centre: Staffing plan not triggered
Decision log: Ready for accreditation review

The report is ready before you close the call

Results generated in minutes, logged against your internal policies and what accreditors and regulators demand. See areas for improvement and re-run quarterly to show the improvement curve accreditors and boards now want to see.

Example scenarios

Tailored, not templated

Every scenario is generated from your context, not chosen from a library: it is built from your frameworks, facility type, vendor dependencies and even the plans and policies you upload. Three lightweight examples below.
01 · Scenario

Ransomware on the EHR

EHR encryption stops clinical workflow. Downtime procedures, surgery diversion, OCR breach-notification timing, OAIC Notifiable Data Breaches assessment for AU operations, public statement, regional mutual-aid coordination.

02 · Scenario

Mass-casualty surge

Multi-vehicle incident plus active-shooter overflow. Triage, OR / ED / ICU surge, regional mutual-aid coordination, family-liaison comms. Joint Commission community-wide drill scope; NSQHS Standard 8 acute-deterioration alignment.

03 · Scenario

Sentinel event

Wrong-site surgery surfaces. Open-disclosure timing under the Australian Open Disclosure Framework, RCA charter under JC's 45-business-day clock, family liaison, state-reporting obligation, JC notification.

Partner with Handrails

Be the partner that makes accreditation prep feel lighter for your clients.

For most hospital advisors, accreditation-prep firms and healthcare-cyber consultancies, tabletop exercises are the most time-consuming deliverable in any engagement. Days of scenario prep, hours of facilitation, more hours producing an accreditation-ready report. Handrails can now carry that load for you. Stay in the advisory role your clients need you in, run more engagements, and earn on every session.
Revenue share, every cycle
Get paid on every session your clients run.
Accreditation-ready evidence
Reports pre-map to CMS Conditions of Participation, Joint Commission, HIPAA Security Rule, NSQHS, CQC and NHS EPRR. One scenario set, jurisdiction-specific evidence packs.
Reports written for you
Don't spend hours writing up accreditation-ready and executive-ready evidence. Handrails delivers it in minutes, straight from the session.
Already working with: hospital advisors & accreditation-prep firms · healthcare-cyber consultancies · hospital groups & integrated networks

Run your first healthcare exercise this week.

Sign up, pick a scenario, invite the team. The report is ready before the session ends.