Inside a Healthcare Ransomware Battle: How Preparation Saved Patients

With 25 years in cybersecurity, including experience at the Department of Defense and National Security Agency, Phil Alexander has seen the full spectrum of cyber threats. Since founding his consultancy and working extensively with healthcare organizations, he’s gained unique insights into the industry’s specific vulnerabilities and the most effective strategies to address them.

His experience building security programs from the ground up has reinforced a critical insight: in healthcare, cybersecurity isn’t just about IT—it’s about patient care.

The Incident: From Early Warning Signs to a Measured Response

Alexander’s team detected what initially appeared to be minor disruptions—denial of service incidents affecting various sites. However, he recognized these seemingly small events as potential indicators of a larger threat. “You don’t see the mushroom cloud in the beginning,” he says.

His instincts proved correct. Further investigation revealed that a Russian terrorist organization was attempting to infiltrate the healthcare system. What could have been a catastrophic breach was contained thanks to proactive planning and established relationships.

Rather than implementing a complete shutdown, Alexander’s team made a calculated decision to disconnect half the equipment. This approach served two critical purposes: it mitigated potential permanent losses and enabled providers to continue treating patients. This decision was particularly crucial for patients with chronic conditions like cancer, where a disruption during treatment or loss of medical histories could be disastrous.

What Worked: The Foundation of Success

An Established Internal Leadership Structure

Alexander had previously created an internal cybersecurity council comprising senior leaders from across the organization. This council met every two weeks to discuss challenges and recommendations.

When the incident occurred, leaders were already familiar with the cybersecurity landscape and risks, and they trusted Alexander. “If you do a good job explaining the risk and opportunities, they will make the right decisions,” Alexander notes. “And when you have an event, they’re intimately aware of the environment and will back you completely.”

An External Support Network

Alexander’s response included immediate outreach to key vendors for additional resources, contacts at the FBI for assistance and guidance, and peers at healthcare systems that had experienced similar attacks.

These established relationships provided his team with immediate access to expertise, resources, and proven strategies from organizations that had faced similar threats.

Business Impact Analysis

Alexander’s team had conducted a comprehensive business impact analysis early in their security program development. As a result, the team understood how ongoing disruptions would affect different departments, enabling them to prioritize response efforts effectively and maintain critical patient care functions.

What Could Have Gone Wrong: Critical Vulnerabilities

  • Workforce Burnout: During crisis situations, individuals often work 20-hour days with no clear end in sight. Alexander emphasizes the importance of rotating workloads and managing team schedules, even if it extends the resolution timeline: “You can lose really good people because you burn them out.” It’s better to take the time to work out a schedule to ensure teams remain productive and can work at their peak ability.
  • Organizational Fear and Blame Culture: High-stress incidents can create fear at every organizational level. “People from Vice President down to Help Desk felt like they were going to lose their job,” Alexander observed. When people fear for their jobs, they may hide problems rather than report them honestly. This undermines both immediate response effectiveness and future prevention efforts. “If you’re not honest about what’s going on, you can’t solve it for the future.”

Three Tips and Takeaways for Healthcare Leaders

1. Focus on people, not just the event. Crisis leadership means managing people’s expectations and maintaining transparent communication.

2. Build relationships before you need them. Alexander’s time spent on developing and maintaining connections generated significant returns in a crunch.

3. Prioritize cybersecurity fundamentals over flash. “Today in the industry, all we care about is the next shiny object,” Alexander observes. “It’s the basic hygiene we continue to struggle with.” He notes that many successful cyberattacks exploit vulnerabilities for which patches are available. Taking steps like implementing a patch management program, multi-factor authentication, and network segregation will help protect most healthcare systems more effectively than splashing funds on expensive new tools.

Protecting Patients with Careful Preparation

Effective cybersecurity in healthcare requires more than technical solutions—it demands organizational alignment, transparent communication, strong relationships, and a clear understanding that security serves patient care. As Alexander’s experience demonstrates, the difference between a contained incident and a catastrophic breach often lies not in the sophistication of the attack, but in the preparation and relationships established long before the first alert appears on a screen.

In the end, the most advanced threat detection tools are only as effective as the human systems supporting them. And in healthcare cybersecurity, success is measured not just in systems protected and data preserved, but in patients served without interruption.

Hear Phil Alexander’s full discussion with Dan L. Dodson on his podcast, Cyber Survivor.
