Issue link: https://beckershealthcare.uberflip.com/i/944376
28 Executive Briefing Sponsored by: C yberattacks targeted hospitals and health systems at an alarming rate in 2017 — nearly exceeding the rate of one breach per day. Increasingly for healthcare organizations, preparing for a cyberattack is a question of when, not if. Although cyberattacks are primarily financially motivated, they can have serious repercussions enterprisewide if a healthcare organization doesn't act quickly. Becker's Hospital Review caught up with Hector Rodriguez, Worldwide Health Chief Security Information for Microsoft, about the effect of cyberthreats on clinical services and patient safety, and what healthcare leaders can do now to mitigate consequences to clinical operations. Note: Responses have been lightly edited for style and clarity. Question: Cyberattacks clearly have a significant impact on hospital and healthcare operations. What are some of the greatest effects on patient safety and clinical services? Hector Rodriguez: When a hospital's line of business and clinical systems are locked down by a ransomware attack, the worst-case scenario is that patients' lives are put at risk and the quality of care and services they receive immediately begins to deteriorate. As one of my customers stated, "Patients begin to die." Simultaneously, additional costs are incurred, caregivers are overworked, and returning to paper-based processes is challenging because a number of younger caregivers have only worked with electronic medical information systems — they are not used to working with paper — so everything drastically slows down or even grinds to a halt. Chief information officers at hospitals have elevated the concern of cyberattacks and framed it as a patient safety situation. By framing it this way, the issue gets the level of clinical and operational attention it needs. Q: A cyberattack occurs — what can healthcare organizations do immediately to mitigate the impact on clinical operations? HR: The best thing organizations can do is plan for the attack and practice that plan. The real answer is that organizations must be proactively prepared for when they get attacked — "if" is not an option. A reactive response increases the risk of getting it wrong. The organization should have a well-defined cybersecurity solution in place, accompanied by a detailed recovery plan that they have practiced as part of their disaster recovery and business continuity planning. When they get attacked, they must quickly identify and isolate the attack to reduce and eliminate the Microsoft WW Health CISO: Cyberattacks Should Be Framed as a Patient Safety Situation & 5 More Thoughts "The real answer is that organizations must be proactively prepared for when they get attacked — 'if' is not an option." — Hector Rodriguez, Worldwide Health Chief Security Information for Microsoft