Lessons From a Ransomware Attack: The Importance of Partnership & Collaboration

The following is a guest article by John Gaede, Director of Information Systems at Sky Lakes Medical Center.

Imagine a rural business is the victim of a cyberattack. A nefarious person or group convinces an unsuspecting employee to open an email promising a bonus. Within 12 hours, every piece of technology connected to that network, and every process needed to conduct daily operations, is paralyzed. 

Now imagine that business is a hospital. It serves 80,000 people and it’s the only one within 10,000 square miles. Add to the scenario a global pandemic that is steadily ravaging the nation’s healthcare system. On October 27, 2020, Sky Lakes Medical Center went dark. 

In a matter of hours, Sky Lakes became a healthcare facility without email, financial and clinical systems, or electronic medical records. Imagine that. How does a clinician administer quality care without knowing any of their patient’s medical history or allergies? How does a clinical laboratory run tests without its high-tech equipment? How does a physician provide real-time diagnoses and treatment with no picture archiving and communication system (PACS) or radiology information system (RIS)? And how does a healthcare facility continue operating with no revenue coming in and no way to communicate with patients, vendors or supply chain personnel?  

Each of the hospital’s 2,000 PCs, 650 servers and 150 applications went down simultaneously. The systems we relied on to keep the hospital running and ensure patient safety were reduced to handwritten notes and overworked fax machines. 

The ransomware attack that befell Sky Lakes in 2020 was brutal, but it could have been devastating and deadly. However, we got to work. We found partners who helped us squelch the intrusion and keep every one of our patients safe.    

A year prior to the attack, we had purchased Cohesity to maximize efficiency. Little did we know this backup would become our lifeboat in a raging sea of chaos and confusion. We prioritized restoring clinical systems, including the PACS and RIS. We learned that fixing our old, outdated PACS system would take too long so, amid everything else, we scrapped that system and launched Sectra’s fully integrated Electromek Diagnostic System.  

We immediately mobilized 3M and Sectra and began developing solutions. Weekends and wee hours became our normal work week, but our efforts paid off. A typical implementation of this magnitude takes around nine months to roll out. Alongside 3M, Sectra, and Abbadox, we designed, built, tested, documented and validated a fully functional Diagnostic Imaging network (RIS, PACS, Reporting) in 20 days. 

We wouldn’t wish a ransomware attack on anyone, but the experience demonstrated what can happen when strong partnerships commit to collective problem solving. Here are three takeaways from our experience:

  1. Plan Past Day 2

Every organization has a plan in place for when their IT network fails unexpectedly. Most network failures last 24-48 hours, so most plans only cover that amount of time. Our ransomware attack quickly demonstrated how short-sighted our plan was and how easily it would crumble if the outage lasted longer than two days. Any company that relies heavily on its IT infrastructure would do well to have a mayday plan in place, i.e., a list of policies and procedures that will guide them when the inconceivable happens. 

In the wake of our attack, we interviewed every department in the hospital to listen to their pain points, understand their vulnerabilities and build a playbook to help combat future attacks. 

  2. Make the Necessary Investments

In October 2020, we were running an older operating system that needed an upgrade. We realized it was vulnerable, but we didn’t make the investment. And because we didn’t prioritize IT infrastructure, the hackers gained elevated access to our system and were able to move unimpeded around our network for 12 hours.

Fortunately, we’d purchased backup software to gain efficiencies. It turned out that the backup was untouched by the cyberattack and stored a significant amount of our data. This played a huge role in getting us back up and running. We got lucky. We inadvertently purchased ransomware insurance. What we should have done was make the necessary investment to ensure our older PACS system was up to date. Being proactive may not have prevented our cyberattack, but it certainly would have given us peace of mind that we had done everything we could have done to keep the organization and its patients safe.   

  3. Find Great Partners

Once we realized the size and scope of our problem, we reached out to our partners. Following a 3 a.m. phone call, 3M Health Information Systems (HIS) immediately made a team of engineers available to us. The following day we began twice-a-day whiteboard sessions with our partners at 3M and Sectra. We also brought in Cisco TALOS to help us understand how the breach happened, and the team at Kivu Consulting; both were instrumental in getting us to slow down and maintain perspective. 

Put simply, we could not have had better partnerships in place when we needed them most. Other healthcare facilities around the country that were targeted by the same group weren’t as fortunate in their partnerships. In an emergency, the team around you, whether they’re internal or external, is invaluable. 

The Bottom Line

In 2019, the FBI’s Internet Crime Complaint Center (IC3) reported 467,361 complaints at a cost of $3.5 billion. In 2020, the number of complaints rose to 791,790 and cost $4.1 billion. In 2021, those numbers rose to 847,376 and $6.9 billion, respectively. You get the picture.

If this cyberattack trend continues, what chance do organizations have to protect themselves and the reams of personally identifiable information (PII) they handle? To borrow a phrase from the Scout Movement, “be prepared.” Organizations must commit to state-of-the-art IT infrastructure and ensure it is patched and updated regularly. They must operate with agility, transparency and nimbleness in the face of adversity. And they must find partners who are willing to do whatever it takes to identify threats and recover from breaches.

About John Gaede 

John Gaede is the Director of Information Services at Sky Lakes Medical Center (SLMC) providing strategic leadership, management, and ongoing vision to SLMC’s Information Services team – saving lives and innovating. Sky Lakes Medical Center is an Oregon not-for-profit community hospital committed to providing the highest quality care for their community while serving as the pre-eminent healthcare center in South Central Oregon.

   
