Lessons learned from a targeted ransomware attack

Emergency preparedness is a vital component of healthcare management. Unfortunately, preventing cyberattacks has now become as essential as planning for natural disasters, mass shootings, epidemics and a litany of other potential catastrophes.

Earlier this month, Hackensack Meridian Health was the victim of a targeted ransomware attack. Despite our growing awareness of the frequency of these attacks and preparation, it packed the punch of a hurricane.

Numerous computer applications were hobbled, including call bells in some locations so we provided patients with actual bells and increased staff. Clinical teams immediately went to backup procedures, including writing physician orders on paper. Prescriptions were filled manually in some of our pharmacies.

As a healthcare executive for 35 years, I have seen my share of jammed emergency rooms from all sorts of mayhem: multivehicle pileups, deadly fires and the fallout from chemical explosions. Those scenes are disturbing, but it's what we do: We snap into action and save lives. This was surreal and unsettling: a faceless criminal enterprise crept into our hospitals and physician offices, our labs and our pharmacies, to impact operations in pursuit of a payout.

Our network, which includes 17 hospitals and more than 500 patient-care locations, was saved by countless acts of heroism. Our IT teams worked around the clock to restore functionality; our clinical teams quickly converted to backup practices that include a lot of paper; our vice president of payroll worked 30 hours straight to ensure people got paid. Our physicians and team members really pulled together in this crisis.

Four days into the attack, our core clinical systems were fully restored. Our entire network reported fewer than 100 elective procedures rescheduled. Patient volumes remained the same or higher than is typical for this time.

As we continue to stabilize our network, there are lessons to share:

The number of ransomware attacks doubled in 2019 by some estimates and they can have a crippling impact.The city of New Orleans suffered a ransomware attack recently serious enough for the mayor to declare a state of emergency. In October, a network of Alabama hospitals had to stop accepting new patients because of a ransomware attack.

Healthcare providers are especially vulnerable for several reasons. We operate 24/7 and lives are at stake. Also, as our industry makes quantum leaps forward in technology, our systems are increasingly complex and connected. Cybercriminals know that they can target one vulnerability in a single device and impact the entire network.

Ensure that backups are reliable and well-tested. Make sure you still have old standbys on paper including phone lists, physician orders and they are easily accessible.Just as physicians place fragile patients into medically induced comas, our IT teams brought down systems to prevent further damage, including our electronic health record system. If we don't take these vital steps and remove malicious files, there will be a more lengthy and costly return to normalcy.

We've come to learn that 70% of victims make these payments. You may not have the luxury of time to consider rebuilding your network. We believe it's our duty to ensure patient safety and protect our communities' access to healthcare. And as a not-for-profit entity, we also understood the potentially crippling impact of interrupting business, which can cost five to 10 times the amount paid in ransom, national experts say.As a leading health network, we have comprehensive coverage to help cover costs associated with a cyberattack, including payment, remediation and recovery efforts. We worked closely with experts and our insurance company and reached the decision that a negotiated payment was the most prudent course for our network, New Jersey's largest.

Try to commit to going public with an attack as soon as you can. We alerted state and federal authorities immediately but going public is different. You don't want to jeopardize negotiations with the attackers. We waited two weeks on the advice of national experts to ensure the best outcome. The more candid we are about the workings of cyberpirates, the more insight we will gain about their operations.

Together, we can work to prevent more chaos and lost business. I, for one, would prefer to leave the harrowing world of ransom payments and Bitcoin where it belongs—in movies and spy novels.