How to survive a cyberattack
By Tom Jensen
There are certain days that are branded in your memory, that shape you as a leader and a person. For me, June 15, 2019—the day the hospital I serve as CEO was hit with a cyberattack—is one of those unforgettable days.
Unfortunately, the threat of a cyberattack and the steep costs associated with them have only skyrocketed since my organization was impacted. Today, in light of the intensifying conflict between Russia and Ukraine, businesses are facing “perhaps the most acute cyber risk U.S. and western corporations have ever faced,” according to a Harvard Business Review analysis.
In these volatile times, evaluating your current cybersecurity measures should be a priority of every organization, no matter its size. My organization had some measures in place prior to the ransomware attack, but it still created a major crisis within our organization. I share our story and the lessons we learned from the cyberattack in hopes that it will create a sense of urgency among my fellow leaders take steps now to protect their organizations.
Our story.
We were first alerted to the attack on a Friday at midnight. At that time, we thought it was maybe just a few servers that had been tampered with by ransomware, a software that encrypts a victim’s digital files. By Sunday night, we realized the full extent of the attack. The hackers demanded the bitcoin equivalent of $1 million to decrypt the files.
With the guidance of the FBI, we refused to pay the ransomware demand. We slowly started to pull things offline and onto paper to keep the hospital and clinics going in the days following the attack. We did not miss a beat providing quality care to our community, and I am tremendously proud of that.
Going through a cyberattack and the process of rebuilding a database doesn’t make you an expert, but it does make you someone who can reflect on what you did right and what you got wrong.
Here are a few words of wisdom to help you avoid a cyberattack or come through one as a stronger organization:
Plan ahead.
When you’re in a rural environment like our hospital is, you don’t have the bells and whistles or the money to put toward cybersecurity that larger systems do. However, we frequently conducted risk assessments, and we purchased cyber-insurance when it was fairly new and inexpensive. These measures helped us come through our cyberattack financially intact.
Several months before our cyberattack, I met John Riggi, the National Advisor for Cybersecurity and Risk for the American Hospital Association. We had many conversations about how most cyberattacks occur and the best avenues to protect our hospital. As a result, our hospital leadership did some crisis planning and had an understanding of areas we needed to improve to prevent and be ready for a cyberattack.
Another important piece of making a cyberattack plan is having a shortlist of who to call. You need to know who to call first, and it’s not always the FBI. On the Monday after the attack, we went into internal disaster mode to determine our risk. We weren’t sure who to call for advice or help us slow the attack. We spoke with our insurer, John Riggi (who was on vacation in Italy at the time), the FBI, and Homeland Security. They gave us the sound advice to refuse to pay the ransomware, but having a list prepared before we were in crisis mode would have saved us time and stress.
Educate staff.
It is essential to educate hospital staff and clinicians on malware threats. I understand the unique challenges to keeping staff of rural hospitals up-to-date on best practices and potential security issues, but every hospital must take some steps to keep their digital files and patient information safe from ransomware. Ensure that your staff knows how to spot suspicious or dangerous emails and the proper avenues to share patient info.
Create a culture.
While planning ahead was a critical component of staying afloat during the cyberattack, at the end of the day, having people who were willing to work through the process and not just say, “We can’t do this,” or “This won’t work,” was the key to being able to continue providing care for our community. In my experience, people in rural environments don’t give up easily, and our staff was persistent, determined, and flexible throughout the entire crisis.
As a leader, make sure you are building a culture where agility and grit are the expectation and the norm, and outside-the-box thinking is encouraged and rewarded. When disaster hits, your team will be ready to overcome the difficult circumstances together.