In an era of increasing cyber threats, healthcare organizations are particularly vulnerable due to the sensitivity of patient data and the critical nature of their services. Ardent Health Services, a large health system with over 30 hospitals and 200 care sites across six states, faced this reality head-on when a ransomware attack hit its infrastructure. In a joint presentation, Anika Gardenhire, RN, Chief Digital & Information Officer, and Lonnie Garrison, Chief Technology Officer, shared their experience and lessons learned from navigating this cybersecurity crisis.
Building a Crisis-Ready Culture
Gardenhire described the immediate challenge of stepping into her role just before the incident. She emphasized the importance of a supportive network, stating, “I am deeply grateful for all the folks who answered my call… many of whom were walking the halls during this event.” Her ability to quickly rally support underscored a critical aspect of cybersecurity response: establishing a resilient, team-oriented culture capable of withstanding high-stress situations.
The early days of the crisis were intense, with rapid-fire decision-making and an urgent need for structure. Gardenhire highlighted the need for executive alignment on decision-making responsibilities, sharing that “one of the things that…can slow things down” is ambiguity in who holds the authority to make decisions under pressure. She and Ardent’s Chief Legal Officer adopted a “cure and consequences” model, dividing responsibilities to allow swift action on both the technical response and the organizational impact.
Tactical Phases of Incident Response
In an organized response, Ardent’s strategy was divided into three main phases: containment, restoration, and recovery. Garrison emphasized the decision to “shut off the entire internet” as the initial containment measure. This decisive action freed up the team to focus on assessing the extent of the attack without the distraction of ongoing breaches, thus stabilizing the situation. “What did it allow us to do?” Garrison asked rhetorically. “It allowed us to get our teams less focused on ‘Are they still attacking us?’ and then pivot to other containment activities.”
Containment efforts were executed on multiple fronts, including perimeter defenses, device controls, and identity verification. In the course of setting up stringent password resets for every account, the team quickly uncovered an unanticipated challenge: they had approximately 520 applications in their environment, far more than the anticipated 390. This discrepancy highlighted the importance of maintaining an accurate application inventory for an efficient response. According to Garrison, “You don’t have an application inventory? No better time to start than now.” This realization led the team to immediately prioritize asset management tools to prepare for future incidents.
Recovery and the Path to Operational Stability
As the team moved into the recovery phase, Gardenhire and Garrison underscored the need for collaboration with operational leaders to reestablish essential functions. Gardenhire stressed the importance of thinking beyond the immediate technology needs to consider logistical challenges: “Think about the things that you’re likely to run out of,” she advised, citing items as basic as paper and ink cartridges. In a prolonged outage, simple resources like these can quickly become critical.
Garrison discussed their decision to repurpose clinical advisory committees and work groups to facilitate communication between technical teams and operational staff. This collaboration ensured that the healthcare organization could maintain its essential operations, even with limited access to digital resources. “We took those existing work groups and quickly repurposed them,” he explained, reflecting the agility necessary for maintaining continuity of care. Daily 24/7 calls kept the entire team coordinated, and IT project managers were assigned to oversee specific work groups to track documentation and progress.
This structured communication enabled Ardent to accomplish an impressive recovery milestone: restoring clinician access to Epic within just 12 days. Gardenhire attributed this success to a dedicated and cohesive team: “We were incredibly fortunate…our team members and our partners made this possible without question.” This level of teamwork not only restored the organization’s operations but also reinforced the culture of resilience and partnership necessary to manage such crises.
Long-Term Lessons and Strategic Planning
Reflecting on the extended recovery process, Gardenhire and Garrison emphasized the importance of post-crisis planning. Establishing a clear application inventory became a priority, as did formalizing partnerships with vendors and identifying which would provide critical support in future crises. Garrison succinctly categorized their external relationships: “There are vendors, and then there are partners. We quickly came to find out who were vendors and who were partners.” This distinction proved crucial in identifying reliable support channels during high-stakes situations.
Both executives highlighted the need for health systems to invest in readiness by practicing “dark days” where systems go offline to test contingency plans. Garrison noted that Ardent plans to “go dark in the middle of the week during the height of patient care,” a proactive move to enhance preparedness. Such exercises allow organizations to fine-tune their responses, ensuring that both technology and human resources are ready to respond when needed.
Gardenhire also shared a unique piece of advice for executive IT leaders: cultivate a network of trusted contacts who can provide counsel in the midst of a crisis. “You just need a council of people who can think straight… who can take five minutes to reorient you.” This approach underscores the emotional and psychological dimensions of leadership during crises, where having a grounded perspective can prevent decision fatigue and improve clarity.
Insights for Healthcare IT Leaders
The experiences of Ardent Health Services illustrate that managing a cybersecurity crisis in healthcare requires a multifaceted approach involving technology, process, and people. Health systems must develop rapid containment strategies, maintain detailed asset inventories, and foster a collaborative culture that aligns IT and operational teams. By understanding these lessons, other health system executives can better prepare for potential incidents and reduce recovery times.
In her closing remarks, Gardenhire reminded healthcare leaders of the resilience and dedication required in such moments: “For me, I was so incredibly grateful because it was the fast thinking of every individual team member that created this as a possibility.”