Lessons from the Front Lines: Learning from the SolarWinds Attack

Two security engineers take us into the trenches—and talk about what happened afterward.

James Edgell and Dan Colon work in IT security for Lawrence General Hospital in Lawrence, MA. Normally they spend their days scanning systems, working on cybersecurity awareness newsletters, coordinating with Fortified on business impact analyses, and other routine tasks.

However, it wasn’t business as usual when the hospital was hit with a ransomware attack as part of the SolarWinds breach in 2020. It took a lot of work, but thanks to preparation and vigilance, the team was able to mitigate the damage and protect patients. Dan, who experienced the incident, talks about what it was like on the ground, and James discusses what the team did in the aftermath to shore up the hospital’s cybersecurity defenses.

The Incident and Response

The attack was discovered in the early morning, when staff arrived to find ransom notes appearing on computer screens and even being printed on printers throughout the hospital. In response, the IT team began shutting down systems to contain the breach and started the recovery process.

The entire hospital reverted to established shutdown procedures, operating on paper backups while digital systems were down to continue providing care.

Meanwhile, the security team followed protocols, prioritizing critical applications first. Those were back up and running within two days, while the rest were restored within two weeks. Most importantly, there was no direct impact on patient safety or loss of life.
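The restore sequence described above (critical applications first, the rest afterwards) is the part of an incident that a business impact analysis is meant to make mechanical. The following is an added example, not code from the post or from Lawrence General Hospital: it takes a small, constructed BIA-style inventory (system name, criticality tier, recovery time objective, dependencies; all values hypothetical) and produces a dependency-aware restore order and parallel restore waves, refusing to plan if the inventory contains a dependency cycle or an unknown dependency.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    tier: int                # 1 = clinical-critical, 2 = important, 3 = deferrable
    rto_hours: int           # recovery time objective from the BIA
    depends_on: list = field(default_factory=list)


# Constructed sample inventory (hypothetical systems and values, not LGH's).
INVENTORY = [
    System("active_directory", 1, 4),
    System("network_core", 1, 2),
    System("ehr", 1, 12, ["active_directory", "network_core", "database_cluster"]),
    System("database_cluster", 1, 8, ["network_core"]),
    System("lab_information_system", 1, 24, ["ehr"]),
    System("pacs_imaging", 2, 48, ["ehr"]),
    System("email", 2, 72, ["active_directory"]),
    System("payroll", 3, 168, ["active_directory", "database_cluster"]),
    System("intranet_wiki", 3, 336, ["active_directory"]),
]


def _validate(inventory):
    """Reject an inventory that references a system it does not define."""
    known = {s.name for s in inventory}
    for s in inventory:
        for d in s.depends_on:
            if d not in known:
                raise ValueError(f"{s.name} depends on unknown system {d}")


def _priority(by_name):
    # Lowest tier first, then shortest RTO, then name for a stable order.
    return lambda n: (by_name[n].tier, by_name[n].rto_hours, n)


def restore_order(inventory):
    """Sequential restore order: every system appears after its dependencies,
    and among the systems whose dependencies are restored, the most critical
    (lowest tier, shortest RTO) goes first. Kahn's algorithm with a priority pick."""
    _validate(inventory)
    by_name = {s.name: s for s in inventory}
    indegree = {s.name: len(s.depends_on) for s in inventory}
    dependents = defaultdict(list)
    for s in inventory:
        for d in s.depends_on:
            dependents[d].append(s.name)
    ready = [n for n, k in indegree.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=_priority(by_name))
        current = ready.pop(0)
        order.append(current)
        for m in dependents[current]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(inventory):
        raise ValueError("dependency cycle in inventory")
    return order


def restore_waves(inventory):
    """Parallel view: each wave holds systems whose dependencies all sit in
    earlier waves, so separate engineers can rebuild a wave's members at once."""
    _validate(inventory)
    by_name = {s.name: s for s in inventory}
    remaining = {s.name: set(s.depends_on) for s in inventory}
    waves = []
    while remaining:
        wave = sorted((n for n, deps in remaining.items() if not deps),
                      key=_priority(by_name))
        if not wave:
            raise ValueError("dependency cycle in inventory")
        waves.append(wave)
        for n in wave:
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(wave)
    return waves


if __name__ == "__main__":
    for i, name in enumerate(restore_order(INVENTORY), 1):
        print(f"{i:2d}. {name}")
    for i, wave in enumerate(restore_waves(INVENTORY), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

The two views answer different questions a recovery lead gets asked: `restore_order` is the one-at-a-time plan for a thin team, while `restore_waves` shows what can be worked in parallel once more hands arrive. Both refuse to produce a plan from an inconsistent inventory, which is the kind of defect a periodic review (rather than the morning of an incident) should surface.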

What Worked: Teams Working Together According to Plan

Rapid and Dedicated Response

The security team demonstrated incredible dedication, “camping out” at the hospital and working 16-hour days to restore systems. The hospital even set aside rooms for security engineers to get some rest and sleep over if they had to. “The team really came together,” says James.

Hospital Staff Trained to Handle Downtime

The hospital’s ability to switch to and closely follow disaster response protocols for care delivery when digital systems were offline was key in preventing chaos and ensuring patient safety. “It wasn’t easy, but they never stopped, and they just followed the shutdown procedure for the whole period,” Dan recalls. Ensuring hospital staff are trained and up-to-date on paper-based processes and other analog workarounds is critical.

Clear and Empathetic Communication

During the crisis, the security team actively communicated with clinicians, outlining the recovery plan step-by-step, explaining the necessity of prioritizing certain systems, and clarifying processes that might make the recovery seem slow, such as the fact that patient data collected on paper during the outage would have to be entered into digital systems once they were restored. “We were talking to the doctors and nurses just to let them know, we’re on top of this. We’re doing the best we can and trying to get everything back and running,” says Dan.

This helped manage expectations and reassure them that the situation was being handled, fostering cooperation and even camaraderie during a high-stress period.

Learning From the Incident: Two Big Lessons

When James joined the hospital in 2022, he spearheaded a review of the incident to identify learnings that the team could use moving forward. That review and a business impact analysis conducted with Fortified highlighted some valuable lessons. As a result, “we are a lot more prepared,” says Dan.

  1. Regularly review tools and technologies. The security team at LGH periodically reviews the tools and platforms they use to ensure they are getting full use of each tool's capabilities and capacity, to explore new functions and features that could apply to their needs, to confirm that tools are working together effectively, and to identify redundancies in their tech stack.
  2. Foster a strong cybersecurity culture and investment for the long term. A security crisis like this one can be a wake-up call. But in the months and years after a major incident, it’s all too easy for leaders to forget the urgency of investing in security, especially if there is turnover in the C-suite.

To maintain momentum, provide consistent reports with clear metrics to communicate risk and progress. Frame cybersecurity in a business context by showing how investments can reduce costs, such as by lowering cybersecurity insurance premiums, and by highlighting the liability healthcare organizations may face for failing to keep up with the industry's changing cybersecurity regulations. “You’ve got to paint a financial picture as well on the impact,” says James.

There’s Always a Next Time

While the SolarWinds incident was undeniably disruptive for LGH, the hospital handled it far better than some of their peer systems. The security team’s rapid response and effective communication, plus clinicians’ commitment to patient safety, prevented what could have been a catastrophic outcome.

Perhaps most importantly, the incident served as a catalyst for organizational transformation, leading to increased board engagement, enhanced cybersecurity investments, and stronger defensive capabilities. Because even when a healthcare organization capably handles an attack, there is always room for improvement when patient health and safety is on the line.

To hear the full story, listen to my podcast, Cyber Survivor, here
