by Scott Stuewe, President and CEO
What’s the Worst that Could Happen?
With a bit of time to recover after the whirlwind and sensory overload of HIMSS 2025 in Las Vegas earlier this month, I am struck by the lasting impact the Preconference Healthcare Cybersecurity Forum had on my perceptions. For me, the innovation and success highlighted at the rest of the conference were somewhat overshadowed by what I learned in those first eight hours of sessions. What’s the worst that can happen? None of your innovations matter if the systems that enable them are down or inaccessible. Nothing matters if your public loses trust in your ability to maintain the confidentiality of the health data you hold. Ransomware can be an existential threat for organizations that can’t bear between 20 and 90 days of downtime for operations. Most can’t.
Behind every hopeful message with strategies that can help healthcare providers (and those that serve them) maintain regulatory compliance and resist cybersecurity attacks was the sense that inevitably, sooner or later, a system or a connected partner you depend upon to operate your business or care for your patients will become compromised or unavailable. While no one should underestimate the harm that a data breach or PHI theft can do to patients and to providers, it pales by comparison to the impact of an inability to operate critical systems. The least equipped to recover from a breach or extended downtime are the small and rural settings.
Is there hope? What can we do?
My takeaway from the day? The two key strategies to implement for the highest impact are:
- Think like a bad guy
- Assume the worst will happen and architect and practice for rapid recovery
This message that recovery should be our focus was both a through-line and the bookends of the day’s sessions, with Health Sector Coordinating Council (HSCC) Cybersecurity Working Group chairs past and present, Erik Decker from Intermountain Health and Chris Tyberg of Abbott, leading the discussion in front of a very large crowd of mostly security professionals to kick off the day. In his keynote, Chris asked for a show of hands to identify healthcare organizations, and about 10% of attendees raised their hands. Then he asked for those who represented a facility with fewer than 50 beds – and fewer than five hands went up from among roughly 400 in the room.
Erik and Shawn Anderson from Intermountain Health shared strategies for breaking the ransomware attack chain by adopting the mindset of the bad actor – think like an attacker. Erik shared that in the vast majority of ransomware attacks, the same approaches were used. Focusing almost exclusively on preventing phishing attacks and other common vectors will make the most difference. Training end users to recognize sophisticated attacks and implementing multi-factor authentication on all systems is a good start. Implementing the security tiering of the Bell-LaPadula model can prevent attackers from moving laterally. Using separate devices to access high-privilege accounts – so-called Privileged Access Workstations, or PAWs – can make this very difficult for adversaries (although cumbersome for your team).
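To make the tiering idea concrete, here is a small access-decision model written for this post (it is an added illustration, not code from the session, from Intermountain Health or from DirectTrust). It implements the two Bell-LaPadula rules as a check on a lattice of sensitivity levels and compartments: a subject may read an object only if its clearance dominates the object’s label (no read up), and may write only if the object’s label dominates its clearance (no write down). On top of that it adds a PAW rule of the kind the paragraph describes: anything at the administrative tier may only be touched from a dedicated privileged workstation. The level names, compartment names and the `device_is_paw` flag are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity tiers, ordered low to high (names are assumptions)."""
    PUBLIC = 0
    INTERNAL = 1
    PHI = 2       # protected health information
    ADMIN = 3     # directory, hypervisor and backup administration


@dataclass(frozen=True)
class Label:
    """A lattice point: a level plus a set of need-to-know compartments."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND a superset of the other's compartments.
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class Subject:
    name: str
    clearance: Label
    device_is_paw: bool = False   # assumed flag: session comes from a PAW


@dataclass
class Obj:
    name: str
    label: Label


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property: no read up."""
    return subject.clearance.dominates(obj.label)


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property: no write down."""
    return obj.label.dominates(subject.clearance)


def check_access(subject: Subject, obj: Obj, op: str):
    """Return (allowed, reason) for op in {"read", "write"}."""
    if op == "read":
        if not can_read(subject, obj):
            return False, "no read up: clearance does not dominate object label"
    elif op == "write":
        if not can_write(subject, obj):
            return False, "no write down: object label does not dominate clearance"
    else:
        raise ValueError(f"unknown operation {op!r}")
    # Tiering rule added for illustration (not part of Bell-LaPadula):
    # the ADMIN tier is reachable only from a Privileged Access Workstation,
    # so a stolen credential used from an ordinary endpoint still fails.
    if obj.label.level >= Level.ADMIN and not subject.device_is_paw:
        return False, "privileged tier requires a Privileged Access Workstation"
    return True, "allowed"


def demo() -> dict:
    """Constructed subjects and objects; returns the decisions for inspection."""
    cardio = frozenset({"cardiology"})
    nurse = Subject("nurse", Label(Level.PHI, cardio))
    helpdesk = Subject("helpdesk", Label(Level.INTERNAL))
    admin_laptop = Subject("admin-on-laptop", Label(Level.ADMIN, cardio))
    admin_paw = Subject("admin-on-paw", Label(Level.ADMIN, cardio), device_is_paw=True)

    cardio_chart = Obj("cardiology chart", Label(Level.PHI, cardio))
    onc_chart = Obj("oncology chart", Label(Level.PHI, frozenset({"oncology"})))
    backup_console = Obj("backup console", Label(Level.ADMIN))

    return {
        "nurse_reads_cardio": check_access(nurse, cardio_chart, "read")[0],
        "nurse_reads_onc": check_access(nurse, onc_chart, "read")[0],
        "nurse_reads_backup": check_access(nurse, backup_console, "read")[0],
        "helpdesk_writes_up": check_access(helpdesk, cardio_chart, "write")[0],
        "nurse_writes_down": check_access(nurse, Obj("wiki", Label(Level.INTERNAL)), "write")[0],
        "admin_laptop_reads_backup": check_access(admin_laptop, backup_console, "read")[0],
        "admin_paw_reads_backup": check_access(admin_paw, backup_console, "read")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The interesting decisions are the last two: the same administrative clearance is denied from an ordinary laptop and allowed from the PAW, which is exactly the friction the speakers described and the reason a phished password alone does not reach the highest tier.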
How fast should I be able to recover?
The next presenter focused explicitly on recovery – and sought to move audience expectations for recovery from 72 days to 72 hours. The Intermountain team shared that they were working to be able to demonstrate the restoration of all critical systems in 5 days or less. The industry average Mean Time to Recovery (MTTR) after identification is nearly 90 days, so most have a long way to go here. This speaker noted that the proposed updates to the HIPAA Security Rule required that organizations annually demonstrate the restoration of critical systems in less than 72 hours. We have heard from many that this seems unattainable. DirectTrust accreditation recommends that you test your restoration process for such critical systems annually and work toward a three hour recovery time. Our thought is that the risk that downtime poses to operations is what should drive behavior here. If your business is a data-only business, downtime means you are producing no revenue or value. On the other hand, healthcare organizations can continue to operate on paper for a relatively short time. Almost nobody can survive 90 days unscathed.
And what about the confidentiality of data? A panel discussion featuring Hannah Galvin, Elex Enriquez, and Erika Riethmiller brought the impact of interoperability activities together with the question of privacy and confidentiality. Erika shared that not having a privacy component for your incident response plan is an unacceptable gap.
Let’s Map the Ecosystem!
Greg Garcia shared the work that I have had the pleasure to participate in – the SMART initiative, or Sector Mapping and Risk Template. Greg is the Executive Director of the HSCC and has been leading this effort to map the healthcare sector, seeking to identify systemic consolidation risk – basically looking for the systems or vendors that are “too big to fail,” like the financial services firms identified after the 2008 fiscal crisis. Greg actually helped with the mapping exercise that followed 2008 and is doing the same task here. In the long term, these maps can be used by organizations that want to determine which systems have the most impact on their ongoing operations, with a goal of identifying those without which operations come to a halt, risking both adverse patient outcomes and catastrophic business impacts. Which infrastructure elements need backups? Which connections represent the most risk and should have redundant alternatives?
New Elements – Identity, AI, Post Quantum Cryptography
A major theme that resonated at the conference all week was the notion that digital identity and cybersecurity have an important relationship in healthcare. At the preconference event, John Riggi of the American Hospital Association discussed identity-first principles with David Bardan and Jon Schlegel from Clear. Artificial intelligence was highlighted both as a strategy and a risk. On the strategy side, Anahi Santiago of ChristianaCare offered that AI can help identify risks, but that false positives can cause security teams to go down rabbit holes, creating both extra work and anxiety. This panel also featured Mike Nelson from DirectTrust member DigiCert, offering thoughts about the importance of developing a readiness strategy for post-quantum cryptography in a near future when our current encryption algorithms will no longer protect our data.
Why we work on restoration and recovery
Revisiting the recovery messages that bookended the sessions: at the conclusion of the day, Nate Couture from the University of Vermont shared his story of a 2020 ransomware attack that didn’t ultimately result in the loss of any patient data to the dark web, but still caused weeks of downtime for all critical systems at the health system and an extended period of incredibly stressful activities for his team in the midst of the pandemic. The preparation his team had made allowed a full recovery of the data, but it required completely rebuilding the infrastructure from scratch. His emotional account of the experience noted that “ransomware attacks are human events.” He also shared that even after all systems were up, essential third-party systems would not reconnect with the university system until his incident response team could verify a 100% clean system. His recommendation for how to think about third-party connections was to “accept that partners will be hit and plan for that.” This very much supports the premise of the SMART initiative the HSCC task group is working on.
Nate’s story was in a way quite hopeful – he openly shared his insights from the experience, offering valuable lessons everyone in the room could apply. The preparations they had taken allowed them to recover, albeit more slowly than they would have liked, and they should be in a much better position if they are again the victim of an attack. Those who heard his story need not suffer the same fate – they can put the ideas they learned from Nate, Greg, Erik and others throughout the day to work to improve resilience. These outcomes are why we go to conferences. Kudos to the HSCC team for a powerfully impactful day!