A savvy CEO leads a rural hospital through a cybersecurity crisis
Cybersecurity attacks on rural hospitals are no longer a question of “if,” but “when.” For Mount Desert Island Hospital in Bar Harbor, Maine, that moment came during Chrissi Maguire’s tenure as CEO. A longtime financial and operational leader turned hospital chief, Maguire had to guide her team through a crisis that tested every investment, partnership, and procedure the hospital had made.
How a Vendor Oversight Opened the Door to Attack
When a vendor failed to properly terminate system access for former employees, it left exposed entry points into the hospital network. A bad actor exploited these vulnerabilities to gain access to the hospital network and began lateral movement through the file folder systems.
Fortunately, someone on the hospital’s cybersecurity team noticed the intrusion and was able to take action. This triggered the hospital’s incident response plan, requiring temporary system shutdowns and a transition to downtime procedures.
The Playbook: Triage, Quarantine, Communicate
The cybersecurity team sprang into action, reducing the exposure to data by making a copy of the entire system structure and placing it into what Maguire calls the “sandbox” to quarantine files, check them for infiltration, and reopen access to high-priority folders as soon as possible. “We triaged them to see if that one was clear, if anyone had been in that folder, then opened those back up,” she says. “I was truly keeping two resources propped up and working for, I’m going to say, 100 hours without sleep.”
Maguire also ensured that her fellow executives stayed informed. “Every single leader in this organization was at the table, either virtually or in person,” she says. “Our communications team was doing a daily briefing every single day.”
In the end, the disruption to operations was minimal: “There may have been a little bit of inconvenience, but there was no significant delay in care for our patients.”
3 Ways Preparation Paid Off
1. Prior Investment in Security Infrastructure and Personnel
The hospital had made significant investments in cybersecurity that paid off during the crisis. They hired an electronic security officer who provided a detailed report on the organization’s vulnerabilities and gave guidance on future investments in both the short and long term. “Having a trusted individual has been incredibly impactful in helping us continue to secure our systems,” says Maguire.
With his help, she has also significantly increased the percentage of the capital budget and projects going to cybersecurity. “Maybe 5 to 10 percent would be IT-related,” she says of the previous allocation. Now, she says, it’s 70%.
Finally, the hospital increased its cyber insurance coverage from $75,000 to $5 million. “The American Hospital Association was starting to make this a real initiative,” says Maguire, who adds that the coverage comes with requirements. “You’re going to have to do this, you’re going to have to do that. And it just continued to help us unpack what we needed to do to be much more acutely aware of what our exposure risk could be.”
2. Working with Partners
Because the cybersecurity team at MDI Hospital was small, they brought in partners for support, including Fortified. “You couldn’t do this with a small team,” she says. “Everything we had invested with our partners like Fortified—the bells, the whistles, the stop gaps—started to work, and we were able to quarantine and stop that advanced attack into our system and begin a mitigation strategy.”
3. Communication with Clinicians and Patients
Beyond briefing leaders, Maguire made sure physicians and nurses knew what was happening. “We convened the medical executive committee to talk about this process, how we’re going to handle it, what the next steps will be,” she says.
When the local media learned of the attack, the hospital also set up a phone bank for calls from patients concerned about their data being exposed.
What Could Have Gone Wrong
Disinterest in Cybersecurity Investment
Maguire really pushed to make cybersecurity a top priority. “At first, my opinion is that our board just never thought about it,” she said. But upgrades to networks and systems that allowed for improved continuity of care provided an opportunity to introduce the topic. She set up a steering committee that included community members as well as hospital staff and identified individuals who could champion cybersecurity efforts and serve as internal advocates.
Regulatory Penalties
Two years after the breach, the Office of Civil Rights accepted the hospital’s detailed report on the incident. Without the proper incident response and reporting, the hospital could have faced significant penalties and potentially class action litigation.
Lessons for Rural Healthcare Leaders
- Conduct cybersecurity training at all levels. The hospital even conducts training at the board level, which they have embraced, says Maguire.
- Educate yourself on the threats to healthcare and current trends. Maguire says it’s critical to “immerse yourself” in the environment, including growing threats and understanding why healthcare data is so sought after. This can help leaders understand the obstacles they face, and the responsibility boards and leaders have in ensuring patient data and healthcare systems are protected.
- Prepare for the inevitable. Attacks are all but guaranteed. Maguire says conducting tabletop exercises, penetration tests, and using white hat hackers is essential to maintain strong defenses.
Cybersecurity as a Core of Patient Care
For staff at Mount Desert Island Hospital, the key to their defense and recovery was not the size of their budget but the strategic nature of their investments and an organizational culture that prioritized cybersecurity as essential to patient care.
Maguire focused on hiring expert individuals to guide her planning and identifying key employees who could advocate for the value of cybersecurity investment, helping her gain buy-in from the board. She also took it upon herself to understand the nature and scope of the threats the hospital faces and to educate and inform leaders and staff about cybersecurity preparedness. Her experience shows that healthcare organizations of all sizes can build resilience and survive attacks even as threats become more sophisticated.
Hear Chrissi Maguire’s full discussion with Dan L. Dodson on his podcast, Cyber Survivor.
