First Hand Accounts of a Healthcare Ransomware Event

Today in health, it reflections on the ransomware webinar we did yesterday. My name is bill Russell. I'm a former CIO for a 16 hospital system and creator of this week and health it a channel dedicated to keeping health it staff current. And engaged. No message for today. Just going to go through the webinar,

we had John Gatey effectively, the CIO for sky lakes medical center. This is a health system that was ransomed. In the fall of last year, we had Dr. Lee Milligan CIO for a Santi health, who was their community connect host. We had Alfonzo powers, director of security for a Santi health. And they're CSO.

And Matt Sickles, a serious healthcare cybersecurity first responder. It was a phenomenal. I quite frankly, I'm not just saying this cause I was a part of it. It really was a phenomenal webinar. So, if you want to view that video, go ahead and you can still go out there and register.

We're going to send the link out on Monday. You can watch the whole thing in its entirety, as well as get some additional content. Let me walk you through a couple of the highlights from it. We started, we had a framework and we have four movements we looked at. We had pre event.

The actual event, the actual ransomware event. Post event and then lessons learned, like, what are the things that happen post event, and then the lessons learned for each of the individuals. And so obviously we started with John Gatey. And sky lakes, medical center is. It is in that category that a lot of hospitals are it's it's sub 200 bed.

But it's over 150 bed. They serve a massive area. He starts off by telling us that, if you want care outside of sky lakes, medical center, You essentially have to drive a hundred miles in any direction in order to get care. Anywhere else other than sky lakes, medical center. , Dr. Milligan is a part of a Santee health. They have three hospitals, they're roughly a billion dollar health system.

And they are a community connect host for sky lakes, medical center. And we talked about a lot of things,

we talked about their backups. We talked about their intrusion detection system. We talked about their. , virtual setup. They're a virtual desktops and where they were using them, where they weren't. We talked about. Their state of their cyber security. Uh, let's just call it preparedness. And, you know, patching situation.

Age of desktops and, you know, it's all the things that you would expect. They had phishing campaigns, they had tools in place. Some of them were configured well, so of them were not configured. Well,

they had windows seven machines. So obviously, you know, it's, it's a typical 200 bed hospital.

It's not like they have an unlimited budget and they do not have a massive staff. So they are doing the best that they can with the resources that they have. So we started talking about the event and this is where it was really eyeopening for me. It starts off just like you would think it would.

The system's running slow things actually, as they're starting to get encrypted. Fire off these processes that just start sucking up the compute resources. So things start to look slow. The entry point was an email. And he goes through the psychology of why that email was clicked and what it actually did.

On the system from the time the email was collect till the time The triple X, E X E executed. It was A little less than 12 hours. And then they were off to the races from that moment until the time they decided to shut every system down in the hospital, that could be shut down.

It was probably an additional six or seven hours. And then, obviously they are completely in the dark and that's not an exaggeration. I think that was one of the takeaways for me. Is to rethink. Disaster recovery business continuity plans. A lot of them are well-designed for. The four hours, eight hours, 24, even 72 hours.

But once you get past that they really break down. We literally are going back to a time where we need runners. We need, , different ways of communicating. , one of the things that John talked about was the Vocera badges. It was one of the systems they decided to bring back as quickly as possible

So that they could have communication with the clinicians. , , during this time. They did bring it back online and it was immediately reinfected. And so they lost communication. Not only the Vocera badges, but, the phones, the phones had to go down. And so the only communication they really had was through, , the mobile phones that they had an overhead.

Paging and those kinds of things.

So you get this picture. I mean, you really do go back into a state of pre EHR. Pre-technology how did we practice medicine? You're taking samples and you're actually writing everything out. By hand you're giving it to a runner. Who's running it. To the lab, who's doing the work. They're running it back.

. So. That was a, that was pretty interesting for his first 24 hours. The first 24 hours for Dr. Milligan at Assate was interesting as well. So they are a community connect host. They're connected through a VPN. He gets the phone call and has to make the decision.

To shut down that VPN. And think about this, you are shutting down. Uh, access to the EHR for an entire hospital. But you also have to think about your three hospitals and what is going to be the impact if somehow that infection comes across that VPN. And so they do make that decision. They do shut off that access, that access doesn't come back up, I think for about three and a half, four weeks.

Roughly, to get that all back online and functioning once again. And the other part of the story that John shares is it took them almost seven months to get all the information that was collected during that downtime back into the EHR.

So that they could have the information they need for delivering care. Moving forward. Dr. Milligan talks about in that first 24 hours, and I found this interesting

Reading the cybersecurity insurance contract. And really understanding what that enables you to do and not do. And I think one of the things that was interesting also to me was that John talked about the fact that you lose control.

So the initial attack happens. And your S your team starts running around trying to fix things as quickly as possible.

And then what happens is you have to check in with your insurance carrier. You have to check in with the authorities, the FBI, and others about the attack. And quite frankly, They want you to take your hands off the keyboard. They have to determine what happened to what extent it's happened. The, cyber insurance policy and a lot of cases dictates who you can use and who you can bring in to help you once they come in.

They also will be very directive as to what you can do. So you actually lose about 24 to 48 hours. Where you cannot be making progress towards restoration. At all. And that's just, part of the process. Th I found that interesting, Dr. Milligan, after going through his cyber insurance policy.

, recognize that the cyber insurance company actually. Has their set of companies that they're going to recommend. And he's in the process now of talking to them about utilizing companies that are familiar with their environment. Today who provide those services.

That was one of the things I found. Very interesting. We then go into a lot of detail of coming back online. A lot of great stories there, and , again,

highly recommend that you register for the webinar. We'll send you the link on Monday. You could watch the webinar in its entirety.

So at one point, Dr. Milligan starts to talk about what it's going to take for them to reconnect to sky lakes. What is going to take to allow sky lakes to connect into the EHR. As the community connect host. And. They actually created a memorandum of understanding, which he shares in detail. In the webinar. And we actually will also share a redacted. And generalized version of that to

anyone who registers for the webinar? And it's really interesting. They had to ensure that sky lakes wasn't currently infected. So that, that line, if they open up that VPN line, that it didn't present any risk of infecting a Santee. So that's the first aspect. The second is they wanted to make sure they had the right controls. And I'm going to let you go ahead and download the.

The webinar because Dr. Milligan goes into it in detail. It's really well thought out. The MOU is well thought out in anyone who is a community connect, host or partner. Should probably take a look at that document to ensure that you have the right relationship. , the last thing I'll probably leave you with.

And again, there's a ton more in the actual webinar. But they talked a lot about their relationship. And how important it was that they had a very strong relationship prior to the event and how the relationship has evolved since the event. Their cybersecurity teams really didn't meet.

They met for the connection, connecting up the community connect host,

and then they really haven't met much since that event. And so now as a result of the ransomware event, they now have quarterly updates with each other to discuss their security posture, what they're doing, what they're seeing, and they're sharing their learnings across both organizations.

Again, one of the best webinars I've been a part of, and I'm really proud to have been a part of it.

, and we got feedback from people saying just that, that it was one of the best webinars that they've attended.

And I have to give our guests kudos on that

because this is a topic that you can easily try to hide behind and not want the world to know what really happened. And John is really out there. And he's being transparent about what happened in hopes that the industry can learn from this. And I really appreciate the back and forth from him and Dr. Milligan and how they share the, the journey. And it wasn't easy, as you would imagine, there was a lot of times where there's a fog that exists as this is happening. There's a lot of chances for the relationship to get strained.

And for our emotions to take center stage, but the two of them. Give a great model for how leaders work together in those kinds of times. So again, highly recommend register. We'll send you the link this week. health.com/register. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website this week, health.com or wherever you listen to podcasts, apple, Google, overcast, Spotify, Stitcher.

You get the picture. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. VM-ware Hill-Rom Starbridge advisors, McAfee and Aruba networks. Thanks for listening. That's all for now.