In healthcare organizations, it seems there’s a code for everything. Code Red means fire. Code pink often means a possible abduction. Code gray is usually a combative patient.
One major category, however, was missing. When Nate Lesser joined Children’s National Hospital as CISO in 2020, no code existed for an information security emergency that necessitated taking down the network. There were also no established procedures for which devices to disconnect, and when. But rather than viewing it as a red flag, Lesser saw it as an enormous opportunity to transform cybersecurity practices.
“It’s not just about identify, protect, and detect — it’s about how we can put more energy into responding and recovering,” he said during a recent presentation, entitled, ‘Code Dark: Finding Force Multipliers in Hospital Cybersecurity.’
The identification and detection part, however, is extremely important. As Lesser pointed out, data breaches happen more often in healthcare than in any other U.S. sector, and at a higher cost. When hospitals are hit with ransomware attacks — which happened 289 times in 2022 — “it doesn’t just knock out back-office IT systems,” he noted. “We’re talking about the hospital’s ability to operate. It’s extraordinarily challenging.”
Compounding that challenge is the fact that security budgets are getting squeezed, particularly for smaller and rural organizations, and the IT security talent pool is becoming increasingly shallow. “We have this expansive set of attacks, we have dwindling resources, and even if we had all the money in the world, we don’t have enough people to hire,” Lesser said. “It’s time for a paradigm shift.”
For Children’s National, the shift entailed created an “integrated incident response” strategy that emphasized training and collaboration, planning for extended downtimes, and empowering frontline providers to act as “cyber first responders.”
While there wasn’t a specific code for IS emergencies when he arrived at Children’s, there was a hospital-wide emergency operations plan, complete with an “outstanding team” that conducted regular check-ins across units and departments. “They already had a tremendous amount of stuff in place — there was no need for me to recreate any of that,” said Lesser. “When we decided to build a new incident response plan, we were able to plug it the existing structure and leverage the way the hospital already communicated.”
Not only did his team not have to reinvent the wheel, but they were able to push out information in the most effective manner. That, he said, “allowed us to hit the ground running and make cultural changes quickly.”
One of those changes was to challenge the thinking around downtime and encourage staff to think about what happens to the business continuity plan if the network is down for a matter of days or even weeks. “If we have no IT services of any kind for the next two weeks, what does that look like? How do we continue to receive patients in the operating room,” Lesser asked.
That’s where Code Dark comes into play. Put simply, “it’s a centrally called code that instructs staff to disconnect devices from the network. “If those devices haven’t been compromised, we’re able to bring them back on when we have a new clean network,” he said, adding that the most important piece is to “await instructions. Don’t bring something back on the network that you’ve taken off.”
Following these procedures is extremely important, particularly considering the fact that disconnecting devices isn’t quite as straightforward as it might seem. For example, in one scenario it could entail turning off WiFi on a laptop. But in the case of a hardwired medical device that communicates patient data, it’s critical to “communicate with your biomed team and make sure you can take these devices off the network without compromising patient care,” he said.
And getting further into the weeds, it also means ensuring staff know the difference between network and power cables. “At its core, Code Dark is a communications tool,” Lesser noted. “We need to ensure we’re empowering staff by giving them the information they need to take action.”
The way to do that is through regular education on everything from moving to paper charts, which requires an “amazing level of detail,” to how to log dispensed medications manually, to how to proceed if the network is down and pharmacists aren’t able to send out commands centrally. “Having that continual communication and planning is essential to make sure we can live through the type of sustained attacks we’ve seen,” he said.
Sharing the burden
And it’s not just training the staff, but ensuring they understand and are willing to share in the responsibility of securing information. “The key is to empower our staff” and to treat them as cyber first responders. “That’s the only way this works.”
And, unlike with phishing exercises that can go in one ear and out the other, Code Dark training needs to be robust enough to maintain engagement. “There’s some work we need to do,” he said, admitting that it is “an iterative process.”
However, although challenges remain, Lesser strongly believes Code Dark provides a foundation and a structure that can better protect hospitals against not just the incident itself, but the aftermath. “The problem isn’t always the upfront attack; it’s the inordinate amount of time it can take an organization to recover because they had to re-image every device in their environment before declaring it clean,” he said. “That can take weeks.”
By taking the steps outlined above, he believes his staff is “better prepared and much more confident than they were before we put it into place,” Lesser added. “It’s been a fantastic communication, awareness and training tool, and there’s great value in that.”
To view the archive of this webinar — Code Dark: Finding Force Multipliers in Hospital Cybersecurity — please click here.