rAVe [PUBS]

What a Hospital Cyber Incident Taught Me About AV Security


In late May, I did something to my neck and shoulder that caused significant pain. After a few visits to the doctor, they ordered an MRI. The MRI is a fascinating tool in modern medicine that continues to amaze me. However, four weeks later, I’m still in pain and have no answer as to what the MRI showed — or what might be wrong.

Why?

Because the day after my MRI, my local hospital shut down its computing systems due to a “cyber incident.” Four weeks later, the hospital is still shut down. No phones, no email, no test results.

Let that sink in for a moment: A large hospital and its satellite offices — serving almost all of central Maine — have been essentially out of operation for more than a month. There are no public details about the incident and, to date, no word on when they may be fully recovered.

While I feel some discomfort in my neck, I can’t help but think about the people with life-threatening diseases or medical emergencies who are being severely affected by this outage.

The point of this column is not to pick on anyone or claim I know more than the hospital’s IT staff — I don’t. The point is to encourage you to constantly think about security and to be ready when an incident occurs, because sooner or later, you’ll experience one yourself.

The first thing you need to do is make sure every password in every system is unique and secure. Yes, that will slow you down a bit, but it will also slow down anyone trying to access your network. A good password manager can help ensure your passwords are both secure and easily accessible. Protect yourself and your systems — don’t be the weak link that opens the door to a breach.

Second, consider where vulnerabilities might exist in your system — and what you can do to address them. The No. 1 way threat actors infiltrate networks is by stealing user credentials. As more organizations adopt single sign-on (SSO) experiences, the access a threat actor gains with just one set of credentials becomes exponentially greater.

Are there systems you’ve implemented that may expose users’ credentials?

One area I think about often is shared computers — those built into spaces like classrooms or meeting rooms. These devices are accessible to many people and are potential vectors for keyloggers or other malware. Moving toward a design that encourages — or even requires — people to bring their work laptops eliminates that risk.

Do any of your systems use PINs? If so, chances are high they’re being reused across systems. Is there a more secure way to grant access?

As the AV industry moves toward AV-over-IP as the standard, we continue to expose ourselves to additional vulnerabilities. I’ve spoken with people who say, “I have my AV system segregated from the regular data network.” My follow-up question is, “How do you manage those systems centrally?”

That’s usually when their expression changes. As they describe the management tools they use, they begin to realize their systems aren’t as “segregated” as they believed.

Here’s the lesson: If you can access a device from a remote computer, so can a hacker — no matter how isolated you think that system is.

The other takeaway from my local hospital’s cyber incident is the importance of planning ahead. Ask yourself: What would happen if our systems were shut down by a breach?

“We couldn’t use them” may seem like a sufficient answer, but I challenge you to think more deeply with your team and leadership. Is that truly acceptable? Would you need designated “command center” locations? Are there operations that could continue if you were prepared in advance?

Maybe this means keeping a few laptops with network capabilities that have never connected to your company’s network and are reserved for emergencies. Maybe it means having cellular hotspots on hand for internet access. Do you know of spaces where you could disconnect from the local network but still use AV systems with those laptops?

I’m writing this column because what struck me most about the hospital breach is that it likely began with a single person’s compromised credentials. I don’t know how it happened, but someone probably fell for something — and they may now know they were responsible.

I feel for that person. They likely had no idea they were being tricked. If they do know now, they probably feel awful.

I don’t want to be the person who made that mistake. I also don’t want to be the person who enabled others to make that mistake.

If I can be the person who helped my organization continue operating as best as possible because I planned ahead — that’s the person I want to be.
