A healthcare CISO faced an unusual situation in an already challenging time.
Louis Wright, CISO and Director of IT Security for USA Health in Mobile, Alabama, oversees cybersecurity for a healthcare network that includes major hospitals and more than 70 clinics spread across Mississippi and Alabama, including some that were part of the recently acquired Providence Hospital system.
Healthcare acquisitions are always challenging, but when an attack struck the Providence network as his team was in the middle of integrating it into the USA Health infrastructure, it was a crisis that tested nearly every aspect of their cybersecurity preparedness and threatened the success of the merger.
In the midst of the integration, Wright received the call every CISO dreads: “I think we just got hit.”
The Incident: A Call for Help
The reality was more complex than a typical attack. Providence remained under a Transition Services Agreement (TSA) with the seller, Ascension Health. While USA Health had taken control of Providence’s staff and facilities, the critical technology infrastructure—including the EMR system, network, and essential applications—still resided on and was managed by Ascension’s network.
Employees who were still on the Ascension infrastructure were suddenly unable to access the systems they needed to provide patient care. “They lost everything,” Wright recalls. “Not only did they lose access to their EMR and ancillary systems, but their network, printing, and phones went down… I heard they even had to use cowbells for the nurse call system.”
The Response Strategy: Innovation Under Pressure
Faced with this unique challenge—wanting to help their new colleagues while protecting their own infrastructure—Wright’s team focused on three creative solutions.
1. Strategic Service Restoration
USA Health had already begun installing a completely separate network infrastructure within Providence Hospital as part of the planned transition. This foresight paid off. With USA Health switches already installed in every closet but operating on an entirely separate network from Providence’s compromised systems, the team could provide limited but crucial services: essential communications and documentation capabilities. These included installing fax machines and printers running on USA Health’s infrastructure, establishing phone lines through their network, and providing “boots on the ground” support to help verify systems as Ascension worked to restore services.
2. Data Migration
Rather than risk bringing potentially compromised hardware onto their network, Wright’s team developed a comprehensive data-only migration approach. Working with vendors and Ascension, they built entirely new systems on USA Health’s network, then migrated only the data—after thorough scrubbing and validation—from the legacy systems. “We were able to move all those systems over by just moving the data itself and having clean systems that were being monitored and controlled by USA Health,” Wright explained.
3. Application Inventory Management
Maintaining detailed documentation of more than 100 applications and their interdependencies, each in some state of transition, replacement, or decommissioning, allowed the team to track recovery progress and prioritize restoration efforts effectively.
What Could Have Gone Wrong: Avoiding Disaster
New Networks Compromised
As the attack was going on, the team feared inadvertently introducing malware into USA Health’s systems through compromised hardware or transfers of tainted data. The team’s approach of building new systems and transferring only scrubbed data mitigated this critical risk.
Integration Chaos
The cyberattack occurred at the worst possible time—during a complex acquisition. The incident could have derailed the entire integration, leading to operational confusion, low employee morale, and financial disaster. Quick intervention from the CIO and other leaders to adjust and condense the timeline prevented this outcome. “We lost a few months, but not a lot compared to what it could have been,” says Wright.
Tips and Takeaways for Healthcare Leaders
- Strengthen cyber-resiliency ahead of time. The incident served as a test of USA Health’s own preparedness and best practices, including maintaining and testing offsite backups for essential systems and reviewing and testing business continuity and disaster recovery plans. The team used what they learned to fine-tune response plans for future attacks.
- Protect against third-party attacks. “It’s not just the systems that you have in-house that you’re trying to protect,” Wright says. “It’s who you partner with, and what is their resiliency plan?” Healthcare cybersecurity teams must collaborate with departments across the organization to assess vendor security and review business relationships based on their findings.
- A crisis can instill confidence. Perhaps most importantly, the crisis served as an organization-wide education opportunity. “I think it really opened up a lot of eyes to realize that the cyber team is not trying to hinder us. They’re literally trying to help you,” Wright noted. The incident helped clinicians and staff see that robust security measures aren’t obstacles but essential to protect their ability to serve patients.
Preparation Over Perfection
This event highlights the evolving complexity of healthcare cybersecurity in an era of increasing consolidation. While USA Health’s network remained secure, the attack on their acquisition target created unprecedented challenges that required innovative solutions and decisive leadership.
Wright’s experience offers a sobering reminder of the realities facing cybersecurity professionals: “When you look at what cyber has to do in your organization, so many people expect them to be right 100% of the time, and that’s not possible.” But the goal isn’t perfection—it’s preparation. Organizations must implement proper security measures, be diligent about maintaining them, and ensure they can recover quickly when incidents inevitably occur.
You can hear Louis Wright’s full discussion with me on Cyber Survivor.