Media

Resources

Politics
Diversity, equity and inclusion
Financial Decision Making
Telehealth
Patient Experience
Leadership
Point of Care Tools
Product Solutions
Management
Technology
Healthcare Transformation
Data + Technology
Safer Hospitals
Business
Providers in Practice
Mergers and Acquisitions
AI & Data Analytics
Cybersecurity
Interoperability & EHRs
Medical Devices
Pop Health Tech
Precision Medicine
Virtual Care
Health equity

A health system's lessons from a major ransomware attack | HIMSS 2024

March 13, 2024

Ron Southwick

News

Article

Conference|HIMSS

Hackensack Meridian Health revamped its cybersecurity program after a breach in 2019. Leaders from the New Jersey system shared steps for other hospitals at the HIMSS Conference.

Orlando, Florida – New Jersey’s largest health system suffered a serious ransomware attack nearly five years ago, and the breach led to a whole new approach to cybersecurity.

Image: Ron Southwick, Chief Healthcare Executive

Christopher Jurs, director of identity governance and cybersecurity planning, Hackensack Meridian Health, and Mark Johnson, chief information security officer, Hackensack Meridian Health, talk about cybersecurity at the HIMSS Conference.

Leaders from Hackensack Meridian Health discussed how they revamped and expanded their cybersecurity team during a session at the HIMSS Global Health Conference & Exhibition.

“Hackensack has made incredible strides from a cybersecurity perspective,” said Christopher Jurs, director of identity governance and cybersecurity planning, Hackensack Meridian Health.

Over the past three years, Hackensack Meridian reduced vulnerabilities by more than 90%, said Mark Johnson, the system’s chief information security officer.

“That's a massive undertaking,” Johnson said.

Hackensack Meridian’s cybersecurity team is constantly learning and striving to keep up with the latest technology, and the latest threats.

“The bad guys are constantly changing their approach,” Jurs said. “We have to constantly react with our vendors to prepare for that and react to anything.”

Johnson offered a sober warning about the risks of complacency in cybersecurity for health systems.

“If you're standing still in cyber, you’re getting left behind,” Johnson said. “There's no such thing as standing still. And so, you have to continue to monitor and move forward.”

Read more: Change Healthcare cyberattack shows ‘no one is immune’

Building the team

In 2019, hackers breached Hackensack Meridian’s systems, leading to a costly and lengthy disruption.

“The restoration took a while,” Johnson said. “It took several weeks to get back to where we needed to be.”

Hackensack Meridian leaders recognized that they needed to take a much different approach to cybersecurity.

“We're recognizing we can't live like this,” Johnson said. “We have to change.”

To that end, Hackensack Meridian formed partnerships to help fortify their defenses.

The company also expanded its cybersecurity team. In 2020, Hackensack Meridian employed a team of seven staffers on its cybersecurity team, along with the chief information security officer (CISO). By the end of 2023, the cybersecurity had grown to 35 members, along with the CISO.

Hackensack Meridian is indeed investing much more in cybersecurity. Johnson said the system’s cybersecurity spending rose to 6.4% of Hackensack Meridian’s budget in 2023, up from 0.5% in 2020. That’s approaching the average cybersecurity spending of hospitals (7% of budgets), according to the 2023 HIMSS Healthcare Cybersecurity Survey Report.

Cybersecurity “costs a lot of money,” Johnson said. But he said the system’s leaders recognized the need to spend more after living through a serious breach.

“Literally everyone goes, ‘I don't want to live through that again.’”

Read more:Understanding the ‘blast radius’ of cyberattacks of hospitals

Training the team

The health system has become more capable of reacting to threats, but has also taken “a much more proactive approach to what could go wrong and address those concerns,” Jurs said.

Hackensack Meridian continues to focus on improving the skills of its cybersecurity team.

That includes training opportunities and the ability to move upwards in the organization, Jurs said. Employees then become more invested in their career and in the health system.

“There’s no shortage of opportunity at Hackensack,” Jurs said.

When building or revamping a cybersecurity team, organizations should also understand that they may need to replace some staffers. While too much turnover can be a bad thing, Johnson stressed the importance of having clear expectations for cybersecurity staff and holding them accountable.

“When I started, I told the team, ‘I want to build a team of athletes,’” Johnson said. “And an athlete is someone who is always willing to learn was always got their teammates back.”

Move to improve

Health systems should recognize there’s no such thing as perfection in cybersecurity. Mistakes will be made, but systems need to learn from their mistake.

Hospitals need to have partners that can help them with cybersecurity, Johnson said.

“I really, really mean this,” Johnson said. “You can't do this by yourself. You have to find partners.”

Health systems should work with vendors who treat them as partners, not just as customers to buy new products, he said.

The Hackensack Meridian leaders also stressed the importance of support of top leadership, and cited the strong backing of Robert Garrett, the system’s CEO.

They also touted the importance of tabletop training exercises to test responses to a cyberattack.

“I think it's one of the best things you could possibly do to prep the team from an awareness perspective, and then obviously, to be prepared for that day when it comes,” Jurs said.