Microsoft WW Health CISO: Cyberattacks should be framed as a patient safety situation — & 5 more thoughts

Cyberattacks targeted hospitals and health systems at an alarming rate in 2017, approaching one breach per day. For healthcare organizations, preparing for a cyberattack is increasingly a question of when, not if.

This content is sponsored by Microsoft.

Although cyberattacks are primarily financially motivated, they can have serious repercussions enterprisewide if a healthcare organization doesn't act quickly. Becker's Hospital Review caught up with Hector Rodriguez, Worldwide Health Chief Information Security Officer for Microsoft, about the effect of cyberthreats on clinical services and patient safety, and what healthcare leaders can do now to limit the consequences for clinical operations.

Note: Responses have been lightly edited for style and clarity.

Question: Cyberattacks clearly have a significant impact on hospital and healthcare operations. What are some of the greatest effects on patient safety and clinical services?

Hector Rodriguez: When a hospital's line of business and clinical systems are locked down by a ransomware attack, the worst-case scenario is that patients' lives are put at risk and the quality of care and services they receive immediately begins to deteriorate. As one of my customers stated, "Patients begin to die." Simultaneously, additional costs are incurred, caregivers are overworked, and returning to paper-based processes is challenging because a number of younger caregivers have only worked with electronic medical information systems — they are not used to working with paper — so everything drastically slows down or even grinds to a halt.

Chief information officers at hospitals have elevated the concern of cyberattacks and framed it as a patient safety situation. By framing it this way, the issue gets the level of clinical and operational attention it needs.

Q: A cyberattack occurs — what can healthcare organizations do immediately to mitigate the impact on clinical operations?

HR: The best thing organizations can do is plan for the attack and practice that plan. The real answer is that organizations must be proactively prepared for when they get attacked — "if" is not an option. A reactive response increases the risk of getting it wrong. The organization should have a well-defined cybersecurity solution in place, accompanied by a detailed recovery plan that they have practiced as part of their disaster recovery and business continuity planning.

When they get attacked, they must quickly identify and isolate the attack to reduce and eliminate the risk of the virus moving laterally and propagating throughout the enterprise. They should also work directly with their cyber-insurer and security vendors to assess the damage and begin recovery.

Q: Do you see healthcare organizations beginning to engage staff in discussions about what to do in the event of a cybersecurity breach? What do/should these conversations look like?

HR: Yes, we are seeing more organizations define their cyberattack recovery plans and educate their users about what a possible attack looks like and the possible damage it could cause. We're seeing more robust communication plans that include employee awareness programs, electronic communications, mandatory online courses and training integrated into clinicians' workdays. We also see simulated phishing attack exercises being performed, along with the hiring of external security organizations to take on the role of the hacker. Practicing response to an attack and recovery from an attack is critical to being prepared.

Q: Besides meeting a ransom demand, a cyberattack can affect other aspects of a hospital's business, including patients' trust in the organization and patient volumes. In the wake of an attack, what can hospital leaders do to combat negative press and get their business back on track?

HR: Hospital leaders must immediately accept responsibility and be part of the solution. They must take ownership and demonstrate a focused approach to recovering from the attack with plans to implement programs and solutions to minimize and avoid future attacks. They must clearly communicate with their community of patients, partners, employees, affiliates and business associates — stakeholders across the board. Although tempting, hospital leaders need to be careful not to assign ownership or blame to third parties such as their cyber-insurance provider or other technology providers. Ownership must be taken by the hospital's executive leadership.

Q: Despite cybersecurity concerns, the benefits of moving data to the cloud clearly outweigh the risks. What do organizations risk by not making this transition?

HR: The reality is that our healthcare data, just like our financial data, is already in the cloud. More importantly, we've moved way beyond the era of bring-your-own-device thinking to the point where patients, employees and caregivers are bringing their own apps to work. Those apps are being used in care settings and even to share patient information. Organizations must get ahead of that and implement programs that enable them to holistically embrace the cloud and hybrid-cloud to work for them without impeding care and care innovation or the ability to meet their "Quadruple Aim" objectives overall. 


© Copyright ASC COMMUNICATIONS 2019.
