In this first in a new series of blogs on cybersecurity, Steve Matheson, Product Manager for BridgeHead’s RAPid™ Data Protection solutions, discusses planned and unplanned outages and their repercussions for healthcare organizations with a focus on what makes cyberattacks different. Steve also introduces a three-point plan to arm healthcare enterprises to mitigate the impact of a successful cyber intrusion.

Planned and unplanned outages in healthcare

If you have worked in a healthcare provider environment for any length of time, you will be used to outages of your digital information systems. Many are planned, with advance notification given so that the appropriate preparation can take place. In these cases, no one is thrilled about the planned downtime – it is inconvenient and usually disruptive to workflows, but adapting is part of the job, so it’s a generally accepted nuisance.

But then there are the unplanned outages. Staff are less forgiving about these. One minute clinicians are working in an application; the next they are either ‘locked out’ of the system or the screen freezes. There is rarely any advance warning, and the immediate reaction is one of “did what I just entered get lost?” or “what information did I just input?”.

As disruptive as these are, and as angry as staff might be at the time, in the back of their minds they know that the IT department will be working to try and resolve the issue. Often, the technology vendor/s are also involved, partnering with the provider to do their part in solving the problem. And, for the most part, the root cause of the issue is well-understood, certainly enough that the fix or repair is carried out in hours or, at worst, days. But, it’s recognized by staff that the situation is in hand and will get sorted.

Why are cyberattacks different?

However, in the case of a cyberattack, it’s different. Yes, a cyberattack results in unplanned downtime. But the root cause and, more importantly, how to resolve it, are anybody’s guess – certainly in the first instance. According to IBM Security, in their Cost of a Data Breach Report 2023, “organizations required an average of 73 days to contain breaches in 2023”. 73 days, on average, is a long time to be without digital information systems – especially for a healthcare organization.

A common characteristic of a cyberattack is that often the symptom (e.g., suddenly an application or data being unavailable) isn’t localized to one digital information system, but cuts across many. Furthermore, the cyberattack is designed to create chaos. Often a cyber intrusion deliberately targets information systems one at a time (not all at once), over days, weeks or even months – continuing to propagate the attack across the remaining, unaffected applications. The worst case results in the malicious destruction of data, making it permanently unusable – not necessarily because it was deleted but, even more nefarious, because it was manipulated.

The first reaction to a cyberattack… isolate!

Once a cyberattack is detected, the immediate reaction is to limit the digital attack surface so the attack doesn’t spread. The attack surface encompasses all of the hardware and software that connects to a healthcare organization’s network. This includes applications, source code, network ports, servers, storage, and websites. As a result, the first course of action in response to the cyberattack is to ‘isolate’ – taking everything off the network and stopping both external and internal access and communication. This is widely accepted as the safe thing to do. However, given healthcare’s complete dependency on digital information systems and their inter-communication, a major problem is that clinical and business departments have to revert to non-digital workflows and processes (largely paper-based) with almost immediate effect in order to continue operations. This process change in itself creates a series of risks beyond that of the cyberattack itself.

The two problem domains of a cyberattack response

With the network shutdown, each application has become a digital island; and both business and clinical staff now have to quickly pivot to non-digital workflows. Consequently, the cyberattack has created two distinct problem domains:

  • the first is how to safely operate during the potential extended period that healthcare applications are unavailable;
  • the second is how to assess which digital information systems have been compromised and, once assessed, the options available for recovery.

The challenge with safely operating during a cyberattack

Transitioning to non-digital workflows, whether delivering patient care on the ground, gaining pre-approval from the insurance provider, or processing inventory routines, is hugely disruptive and creates many ‘time wasters’. It’s an established good practice that each department keeps manual binders containing downtime processes and current order sets, but it creates a lot of new work. For extended outages, such as cyberattacks, this documentation helps during the reconciliation process. However, a critical and immediate challenge when you invoke your first manual workload is ensuring every department has the same starting point for their specific data. For example, if one department starts its workflow based on PDFs that were generated and printed 5 days before the cyberattack, but another is using PDFs that were created the day before, what process is in place to reconcile these across departments? And how is this managed for departments that are geographically distributed? From my experience, the answer is that no such process generally exists.

The challenge of assessing compromised healthcare applications

Assessing which digital information systems have been compromised, and to what extent, is more of an art form than a science. Currently, the best first step after you determine your systems or network components have been attacked is to isolate them in turn. Once isolated, the expansion of the threat is contained. Now comes the art of determining the digital information system component/s that have been compromised and, once identified, establishing the options available for removing the threat. All of those decisions, at some point, lead to the need to recover the constituent parts that make up your digital information systems. Having a consistent and time-tested process for creating regular recovery points for those systems is key.

A three-point plan to mitigate the impact of a cyberattack

Healthcare organizations face two significant challenges after a successful cyberattack: keeping the business of healthcare delivery running while rebuilding the digital information systems infrastructure.

As a long-standing leader in the healthcare data management and protection space, BridgeHead Software has amassed its knowledge, expertise, and experience to develop a new three-point plan to help provider organizations mitigate the impact of a cyberattack:

#1 – Attack Surface Reduction

Reducing the cybersecurity attack surface by retiring vulnerable, legacy applications

#2 – Clinical Continuity

Reducing the need to invoke manual clinical and operational workloads

#3 – Application Recovery

Ensuring comprehensive backup and disaster recovery of mission critical healthcare applications.

In the next three blogs in this series (starting next week), we will delve deeper into each of the areas of this three-point plan, discussing why they are important, the benefits of addressing them, and solutions to consider – all in a bid to help healthcare organizations develop greater resilience and ensure that clinical, operational, and financial risks are mitigated alongside a rapid ‘bounceback’ following a successful cyberattack.

Steve Matheson is BridgeHead Software’s Product Manager for its RAPid™ Data Protection solutions.
Steve has previously held leadership roles in high profile organizations focused on data management and data protection, with global experience covering both hardware and software. These include Vice President of Channel Sales for CommVault, Vice President of Sales at Cambridge Computer Systems, and Senior Director of Channel Sales at EMC.

To learn more about BridgeHead’s three-point plan to help healthcare organizations mitigate the impact of a successful cyberattack…