Sign In
Search Icon
Menu Icon

ASPR TRACIE: Cybersecurity and Healthcare Facilities

Alternative Text for Time-Based Media

The following is a text alternative description for Cybersecurity and Healthcare Facilities

[The video begins with music and a title slide that includes the ASPR and TRACIE logos.]


​Narrator: Welcome to “Cybersecurity and Healthcare Facilities,” brought to you by the Office of the Assistant Secretary for Preparedness and Response, or ASPR. ASPR recently developed the Technical Resources, Assistance Center, and Information Exchange (or TRACIE) to meet the information and technical assistance needs of healthcare professionals, emergency managers, and others working in disaster medicine, healthcare system preparedness, and public health emergency preparedness.  Cybersecurity is a critical issue facing the ASPR TRACIE audience. In this program, a distinguished panel of experts describe lessons learned from recent experiences, planning considerations, and steps the federal government is taking to address cybersecurity and cyber hygiene.

Descriptive Text:  
John Hick, M.D., ASPR TRACIE Lead Editor (Detailed to the HHS ASPR), Emergency Physician and Deputy Chief EMS Medical Director at the Hennepin County Medical Center introduces himself and welcomes viewers to the ASPR TRACIE session on cyberterrorism and healthcare while clippings of news article headlines on cyber attacks in healthcare are shown:

  •  Hollywood Hospital "Victim of Cyber Attack"
  • Multiple Hospitals Hit In Ransomware Attack Wave
  • FBI Investigating Cyber Attack at MedStar Health.

Dr. Hick continues with an introduction of today's panelists, who are:

  •  Beth Musumeci, Senior Vice President for Commercial Cybersecurity, ICF International
  • Craig DeAtlye, Director, Institute for Public Health Emergency Readiness, MedStar Washington Hospital Center
  • Steve Curren, Director, HHS ASPR, Office of Emergency Management

John:  I'm John Hick, and welcome to this ASPR TRACIE session on cyberterrorism and healthcare.  Recently, cyberattacks on healthcare facilities have caused facilities such as the Hollywood, California, hospital to pay many thousands of dollars in ransom to allow their electronic health records and other systems to be accessed.  Many other hospitals have experienced attempted attacks.

So with that in mind, I want to introduce today's panel to you.  We have Beth Musumeci, Senior Vice President for Commercial Cybersecurity with ICF International.  Craig DeAtley joins us from MedStar Washington Hospital Center, where he is the director of the Institute of Public Health Emergency Readiness, and Steve Curren is our Director of the Division of Resilience for the Office of Emergency Management at HHS ASPR.

So, a very distinguished panel, and we're looking forward to hearing some thoughts.  We'll actually start with you, Craig since, unfortunately, MedStar was a recent victim of a cyberattack, and I think a lot of hospitals, you know, tend to think that IT has pretty much got, you know, those areas covered, but in reality when an electronic health record or other systems go down, it can have pretty catastrophic consequences for the hospital.

Can you walk us through a little bit in the aftermath?  You know, what were the effects on your hospital system, and, you know, what did you as an emergency manager need to do and think about?

Craig:  Sure.  Well, as you can imagine, it was quite the education.  It was a Sunday night into a Monday morning when one of our three offsite locations which host our more than 370 software programs that service all of MedStar Health began to show signs of a problem.

Per protocol that is annually refreshed – annually rehearsed, I should say, and updated as needed – there was a MedStar Health mid-level director who was notified, and the preliminary report was given to him.  He provided some initial direction to try this.  That was followed up on.  The situation was assessed to be getting worse.  And so he made the brave but per-the-protocol decision to shut every aspect of MedStar Health's electronic medical record systems off.

So we found ourselves as a healthcare system now without the daily computer-based program software that drives everything from patient care to our biomedical surveillance to our ordering equipment and supplies, just to name some of the systems that were impacted.  To say that this was a dynamic lesson learned is an understatement.  Unlike the traditional plane crash or train wreck or even pan flu, the implications of this were far different than what we've typically experienced.

Some of the takeaways – and I stress some, not all – of the takeaways are something as simple as, every healthcare system or hospital, depending upon where you are, needs to understand it will happen sooner or later to them.  Take it for granted and plan accordingly.  But one of the things that we learned was that there's a difference in what you need to do and what you need to understand is happening.

When it's simply someone shutting you out of getting into your own record system as opposed to someone who has somehow managed to find their way into the system and get access to such things as patient record or personnel records – both are equally serious.  Both need to be planned for on an equally important basis as well.

Another lesson that was reinforced to us was what we had suspected but certainly reinforced still further is that this is, in many ways, like a train wreck or a plane crash in that you need to have an incident command system.  You need to have dynamic leadership, and you need to get it going early and in a sustained fashion.

But it can't simply be the individuals in charge saying, well, let's pull out this downtime procedure for this and that downtime procedure for that, that – yeah, we had downtime procedures for every one of those software programs, but this situation highlighted that you need to have a comprehensive approach to make sure that those other issues besides what do I do to solve this particular software issue, is being addressed.

Things like ordering equipment and supplies, things like the messaging that we give to the staff, messaging that we give to our patients, and not to be lost for brand protection, the message that we give to the public at large as well.  Other information or other lessons that we learned included such things as, while we practiced the plan from an ITIS perspective rigorously, once if not two times across the system annually.

Not to be lost is the importance of practicing it within each of the facilities themselves.  Whether you do it on a unit-by-unit walk-through facilitated basis or you take the system down notionally across the whole of the house and everybody practices it once, you need to practice to be successful in doing this like you do at any other disaster type of scenario.

It definitely is one of the top five in our threat assessment or reassessment now, and so we need to plan and drill accordingly and drill with a certain robustness and realism that will reinforce the realities that will be faced because one of the things that was interesting to me as an individual that's been in medicine now 40 plus years – is that we had the millennials, if you will, whether it was the physicians, the residents, the fellows, the nurses – any of that new generation who are so accustomed to using computers – somewhat lost when it came to the computers being shut off, and now what am I supposed to do becomes their new work reality.

And so within that rehearsing moving forward as we did in reality during our outage, we had the old-timers who were – careers started on pen and paper going and showing the new generation that, yeah, you can provide quality patient care.  You can take what needs to be done just doing it in a pen-and-pencil fashion or a pen-and-paper fashion, I should say.

But not to be lost in this, multiple times did we have leaders and followers alike come at, you know, this really does promote more and more communication.  Maybe we should be texting less and talking more.  And I say that in all seriousness because that was one of the key takeaways.  Yeah, we exchange messages in a longhand fashion, but we had more face-to-face meetings over a patient's bedside or in a department impromptu conversation than we're accustomed to.

And that's a practice that we intend to carry forward across all of our healthcare facilities, and I mean healthcare facilities because we weren't just 10 hospitals that were impacted.  We were over 300 off-patient business entities, many of which provide patient care, but not all of them do.

They saw some of the same problems.  They also saw some of those same overcoming strategies being successfully employed as well.  I think also not to be lost – I said the importance of leadership.  What was a little bit different for the leaders this time is, you know, when it's the plane crash or the train wreck or even in the pan flu outbreak, you have a certain sense of comfort in that those in charge really do know something about it.

But when it comes to that ITIS phenomenon, there's a select few who really know as much as needs to be known, so the rest of us find ourselves having to really trust more than what we might be used to and find ourselves asking questions that we wouldn't have thought about asking until now because the impact that outage has on us isn't simply on paper.

It's at the bedside.  It's in the lab.  It's in the radiology suite.  And so we definitely learned that there is a great importance to having that subject matter expertise being able to not just assimilate the information but explain the information in a – in a somewhat simplistic fashion sometimes in order for those decision-makers to properly prioritize, well, this is the first set of programs we want brought up.

Here's the second, the third, etc.  And I think also related to that information sharing is, well, what do you tell your staff?  We took early and often across the whole of the system as well as within each of the facilities the approach of being as transparent as we could.  There was nothing to be gained by hiding something.  But when is the right time to be clear with your information can be as important as, well, what is that transparent need-to-know information really going to include?

And who best is the one that should deliver the message?  That's both a system issue on the one hand but a facility issue on the other.  And then I think my last point for the time being centers around – in our particular case, we chose, by design, not to pay the ransom, where – it wasn't a ridiculous price, but we weren't trusting in more ways than one.

So we found ourselves involved now in a marathon, a marathon that had stages, a marathon that had prioritization and a marathon that required that we look at the physical and behavioral health of our staff, not simply the ITIS health of our system itself.  Those are some of our key takeaways.

John:  Now, that's excellent.  I think, you know, one of the key things that you brought up is that this is not just an IT response.  It's an incident management response with IT providing a lot of that subject matter expertise.  So making sure leadership is still setting the objectives, you know, setting the overall tone and bringing the SMEs together with the clinical staff and others to say, here's the priorities.

And let's work on these together.  What was the duration of the total outage time, or were you able to bring different programs up sequentially?  How did that time frame work?

Craig:  Three hundred and some programs didn't come on all at once.  They were prioritized.  Within 72 hours we had some of our mainframe programs begin to come back up.

But, truthfully, John, it was three weeks before we got most of everything that is important to us on a daily basis back and operational.

John:   Wow.  And during that time, did you have templated, you know, charts for the ED and clinics and other places that they used on paper and practiced with?

Craig:   Mm-hmm, we did.  We had the downtime procedures that – attached to that were some various forms.  One of the benefits of the prolonged outage was, even though we had used those forms in drills, it's one thing to drill with that form for two hours as opposed for two to three weeks, so we're in the process now of looking at, based on that extended usage, here's some of the modifications we will make to our patient care records.

Here are some of the records we didn't have.  Now we need – we know what we need to have as well.  The other thing that's important that I didn't throw in here is that, of course, patient safety was first and foremost in everybody's mind, and so while we were all committed to doing that within our respective lanes, we also had teams of individuals whose sole job it was to serve, in essence, as a joint commission reviewer to go out and do tracers of various situations – even while we were in the midst of this particular crisis.  That was particularly important and gave us some additional insight that, had we not done that, we wouldn't have necessarily obtained.

John:   I think the clinical systems – everyone kind of, you know, has some of a  backup plan for, although most haven't really practiced with a lot of downtime.  We regard it as a nuisance.

But we don't go out of our way to find opportunities to go back to paper.  But was there another system?  Were there any surprises as far as, you know, communication system or web presence or other things that you were surprised at the amount of impact that it had that maybe you couldn't have forecast in advance?

Craig:  I'm going to give you two answers.  One is, unfortunately, the experience reinforced the need to have your emergency communications system, such as a paging system, on a different platform than what everything else is on.

Because if everything else has gone down, then you've lost – in our case, we lost our two critical paging systems and our primary Internet-based information-sharing system, so going forward they will be separate from everything else.  I think another element of lessons learned centers around, how do I use my manpower because, as an example, with the lab going down, we could still run the tests.

But the printing out of the results took more time, and now how am I getting those results back in a timely fashion?  We had to establish a battle rhythm and, candidly, that took a while.  That wasn't just an hour or two.  That was each shift kind of got into their own battle rhythm.  And while we got critical values to the patient's bedside quickly, the rest of the laboratory information-sharing, the radiologic interpretation reading – they took more time than we might have imagined, again, from just the exercising that we had done to date.

John:  Well, there's a loop closure that you can achieve with electronic health records on results –

Craig: Absolutely.

John:   – that you just can't do unless –

Craig:  Otherwise.

John:    – it ends up being a person-to-person, and that's a tremendously time-consuming and heavy investment of resources, so [inaudible] to keep in mind –

Craig: And I think the other thing speaking to that is related to recovery.  We all are – you know, it's reinforced to us we all need to have a business continuity and a business recovery and a demobilization plan.  In the exercises that we had done, again, it's one thing to look at, how am I going to reenter information for two hours or maybe 24 to 48 hours?

Going back and looking at three weeks' worth of data, you may find yourselves staggered by the time that's going to be committed to doing just that.  System is up and running.  Now how do I catch it up with what I've done so well or not so well in between?

John:  Yeah.  And are you scanning those paper charts into the electronic health record?

Craig:  A variety of strategies are being employed.

John:  A variety of strategies, yes.

Craig:    And including some things, not patient care necessarily, but some things just will not be reentered.  We'll keep them in the paper file.

John:  Great.  Well, thanks, Craig.  So Beth, with 300 different software systems and a host of different platforms and server and VPN and other issues, you know, what comments do you have as far as mitigating some of these issues and some things that healthcare facilities and healthcare systems need to think about?

Beth:  Sure.  So as Craig outlined, the environment that he was working with is not uncommon in healthcare, so healthcare really faces unprecedented challenges today with dealing with Internet of Things, our endpoints, having the push for electronic health records as well as the surge in cybercrime just continuing to escalate.

So just some stats –

  • 94 percent of medical institutions are victims of a cyberattack. 
  • A hundred and thirteen million patient records have been, within the last couple of years, impacted. 
  • At least 12 months – in this – the last 12 months, 75 percent of healthcare entities have either been or believe they have been the victims of ransomware attacks.

So the fact is, healthcare is lagging currently in their protection and their defenses for cyberattacks.  And so there are some very practical approaches to addressing the risk at hand, but it takes a comprehensive plan and defense in depth, as Craig has outlined.  So unfortunately, the trend or the past healthcare focus has been focusing on the perimeter.

And protection at the perimeter.  But today, with Internet of Things and the reliance on a myriad of electronic devices, that perimeter is becoming near impossible to define.  And healthcare is heavenly – heavily reliant on those devices by design to enhance the patient standard of care.

So that means that personal health information is:

  • PHI is on devices that the providers have, are utilizing. 
  • PII, personal identifiable information by billing departments and payment departments – that information is at risk as well as intellectual property even, in case of pharmaceuticals,etc.

They're all highly susceptible to data theft and fraud because of the ill-protected endpoints.  So this makes healthcare organizations prime targets for ransomware.  So as you know, ransomware is a malware that locks files, and with demanding ransom, generally via Bitcoin, that typically then they'll provide the key when the ransom is paid to unlock the files.

And with hospitals and other healthcare providers needed real-time information to provide their clients, their patients with their high standard of care needing access to prescription information, healthcare records, it's very important for them to have that real-time information.  It makes them tend to pay the ransom to be able to retrieve that information.

John:   And when you talk about perimeter of protection, that's really more about firewalls, you know, VPN, other things.  Is that right?  Am I understanding the terminology correctly?

Beth:  Yeah, absolutely.  So it's – when you're looking at firewalls and VPN – but – so when you're protecting your endpoints because you have a myriad of endpoint devices, you need to have antivirus, you need to have whitelisting, firewall of course, intrusion detection, intrusion prevention capabilities.

And the goal is also to partition your network so you don't have a flat network and make the target difficult for attackers.  Attackers are looking for an easy target, and if it's not an easy target and it's more difficult, they'll move on to another target.

John: And how often do we see vulnerabilities exploited where software isn't kept up to date? How important is that within the general scheme of things?

Beth:  It is very important.  And I can't under-elaborate on the importance of patching and continuing to keep that typical hygiene in place.  But also, even with ransomware of today, we're finding that it's a very – in recent months, our team has identified that the ransomware is becoming quite nation-state.

It's almost as sophisticated as a government-sponsored even that you tend to see in more sophisticated environments.  So there tends to be a surge in ransomware that's much more difficult.  So having a team of experts or access to a trusted partner to help in these events is very, very important as well.

John:  And to what degree – if they prevent you from accessing the files – do most of these programs – are they able to access those same files and actually pull data, or is it more of a prevention of access to that program?  Or is it a variety?

Beth:  There's a variety, and there are some common ransomware-type that are more standard.

And there's a lot of tips.  There's sites.  A lot of the AV companies,etc., are helping with tips to – so that you can circumvent and not have to pay ransom.  But some of the more complicated and more sophisticated threats that we're seeing of recent months typically are – you need to rely on your backups.  You need to, you know, bring that data back.  In some cases, you may be able to salvage data.

As we saw in the case at LA Hospital, it took a number of weeks, and as Craig has outlined, you know, to get that – to get information back online in a way that it's usable.

John:  Okay.  Anytime, that protected health information gets released, obviously there's a burden on the healthcare system to do the appropriate notifications to that patient, as well as liability for fines. Which, as I understand it, are in the excess of thousands of dollars per record release, so if you're talking about –

Beth:  Absolutely.

John:   – you know, hundreds of thousands of records at risk, you can understand why sometimes the calculus weighs in favor of paying the ransom.  But, you know, suffice it to say that, as we increasingly rely on electronics and computers, whether it's in IV pumps, MRI machines, ventilators, etc., there's going to be many vulnerabilities. Are denial-of-service attacks being reported by healthcare entities?  Has that been an issue, switchboards and other jamming situations?

Beth:    Absolutely.  And sometimes it's a multifactor, multifaceted approach to the – to launching the attack.  And what – you know, what we're seeing at ICF is, you know, that the – the sophisticated attacks come in with a multifactor advanced persistent threat mechanism as a way to traverse the network, lock out network files – as opposed to user files and launch denial-of-service as well.

John:  Excellent.  Well, thanks, Beth.  Steve, we've, you know, visited a lot over the last several years about critical infrastructure issues, and a lot of times that comes down to, you know, power and potable water and structural reinforcement and things, and yet at the same time most of those things are all dependent on computers.

And they're all dependent on the web.  So vulnerabilities of the grid to cyberterrorism, the way we saw the attacks unfold in the Ukraine, you know, in addition to just the vulnerabilities that healthcare systems face, are pretty daunting.  Does ASPR have any tools or are there any projects or things that are in motion to, you know, try to look at this threat specific to, you know, healthcare or across the breadth of health and human services that you can bring us up to date on?

Steve:  Yes, thanks, John.  Appreciate that.  And yeah, as you said, we've been working on infrastructure protection issues across the healthcare/public health sector for more than a decade, especially triggered by the attacks of 9/11 and all of the disasters that the federal government and the nation as a whole have had to respond to since then, so that can range from hurricanes, floods, tornadoes, looking at infectious disease events like pandemic influenza or Zika virus.

But increasingly, as our society becomes more dependent upon electronic systems and certainly as our healthcare system becomes more dependent upon electronic systems, which all benefit the way we live our lives, the way we do our business, the way we pay – we care for patients – so those are all benefits.  But they also provide us these vulnerabilities.  And those are the things that increasingly we want to work with our private sector partners, those organizations that run hospitals, that manufacture pharmaceuticals, that provide insurance.

All the private sector partners in the healthcare industry – we want to work with them to find out what threats they're facing, what information we have across the federal government that may be able to help them, help them understand the threats, help them understand best practices, and then work together to try to resolve some of those issues.  One of the key programs we have just very recently is the establishment of a healthcare industry cybersecurity task force.

And that's a task force established under legislation that was passed in December – actually, it was the Omnibus Appropriations Act in December of 2015 – that had as part of it the Cybersecurity Information Sharing Act.  And that act required HHS to establish this task force of government but specifically and especially industry leaders, subject matter experts in cybersecurity.

They're going to meet over the course of the year and really focus on providing us guidance on what are the best practices that we can be implementing across healthcare for cybersecurity?  What are some of the practices that other industries are using?  What's working well for them?  What can we borrow from them?  And then also, how do we share information in an effective way so that we're all working off the same script and we're preparing and responding to cybersecurity incidents?

John:  And is there much integration of efforts between FBI, ASPR, other agencies that are dealing with these issues?

Steve:  Yes, we work very closely with our federal partners.  As Health and Human Services, we're responsible for coordinating this critical infrastructure protection mission for the healthcare and public health sector.  In fact, there are 16 identified critical infrastructure sectors across the nation and the federal government with different federal agencies supporting each one.

The Department of Homeland Security coordinates that entire enterprise, so a lot of the work we do, we tie in with Homeland Security.  They have the National Cybersecurity and Communications Integration Center, which is a national hub for reporting on cybersecurity incidents and knowing what's going on.  And the Federal Bureau of Investigation is also a very key partner in this.

Cyber incidents at a healthcare organization or anyone else – they are law enforcement incidents.  They are – they are breaches of the law.  And so to start with, we want to make sure that our partners, anyone in the healthcare industry, are reporting to the FBI when something happens.  We also want to work with them on the non-law-enforcement piece, that which might be the response to the actual incident.

So we always want to make sure that we're tied in with those who are enforcing the law, with those who are helping to respond, and also the – some that may have regulations, like the Office for Civil Rights with breach reporting or Food and Drug Administration, that we're coordinating all of those efforts so it's a listed [ph.] response to these types of incidents.

John:  Are there any quick-reference or other materials that ASPR offers for tips on cyberterrorism preparedness?

Steve:    Yes.  We have a number of materials that are on our website right now, and that's at, and probably if people are watching this they are – they're familiar with that site.  Under our critical infrastructure protection site, or – one can type in cybersecurity and find links to a number of those.  Some of the work we do in cybersecurity – some of the information that we have – is information we can't just put out publicly.

Because it might talk about different threat actors and what to look for, specific URLs that are malicious.  And that's something that we want to keep separately.  But we want to make that available to private sector partners that have a need to know that, so we do have a – we do maintain a portal on a site called the Homeland Security Information Network, and that's a secure, password-protected portal.  The Department of Homeland Security runs it.

And we have a portion of that where our partners, if we know what organizations they represent and they have a need to know, they can go there and find a lot of information about all the activities we do, as well as all those threat indicators that we update on a daily basis, along with our partners within the department who are monitoring those feeds that put that information right in there.  And that's a great source.

But also, we want to make sure that we're a resource for whatever someone needs, and there's so many resources across the federal government, within HHS, FBI, DHS, other agency partners, other non-government partners.  So we always encourage people to write us. We're – our email address is  Write us there.  Let us know what you need.  We'll probably be able to point you at least in a direction to get that information that's helpful to you.

John:    Great.  Thanks, Steve.  Well, I just want to give my panel my thanks for joining us today.  I think this has been an excellent discussion.  I'm a little bit boggled, you know, by the statistics of, you know, how many healthcare organizations have, you know, suffered ransomware or other cyberattacks over the course of the past year.  I think given the number of the systems, the number of software programs we have in play and the sort of unlimited number of hackers and, you know, other folks that would like to coax a little money of their – the other way out of the healthcare system.

I think we can unfortunately expect more of these.  Craig, is there a feeling at MedStar, just as a wrap-up – is there a feeling that, you know, sort of, okay, phew, we made it through, that's it for us, type of thing?  Hopefully they'll move on to somebody else?  Or do you regard this as sort of, you know, something that is just going to be a recurring, you know, issue for you guys and a recurring theme?

Craig:  I think clearly the approach that we're taking is, if it happened once, what's to say it's not going to happen again?  The difference will be, having gone through it once, we'll be a whole lot smarter in how we approach the myriad of issues that can be associated when you lose one program or, in our case, hundreds of programs in a simultaneous fashion.

John:  Thanks, Craig.  Steve, this really seems to be a growing emergency management problem, as well as a problem for individual health systems and facilities.  Are the partnerships within emergency management we should be seeking or working on?

Steve:  Yes, I think that's very important.  It's very important that emergency management is engaged in every phase of preparing for and responding to a cyber incident.  These are incidents that we should treat like any other emergency, to some extent.

They're incidents for which we may need external resources.  They are incidents which we need – may need to have collaboration across the organization or even different organizational structures will need to use to respond to the emergency.  Those are all things emergency management is good at.  That's what emergency management does.  So our message, really, is that all staff within a healthcare facility should be looking at cybersecurity as something important to them.

From clinicians to IT staff to emergency managers, it's going to be team effort and a team fight when we get into this and really need to respond to a cyber incident.

John:  Great.  Thanks, Steve.  Beth, are there any final tips that you can give healthcare systems and facilities on preparing for potential cyberattacks?

Beth:  Sure.  So it's important to know that compliance is important, but it isn't being secure.

So compliance is – really serve as a guideline to align your policies and your practices.  However, security is much different.  It's, you know – it's absolutely understanding your vulnerabilities and solving and mitigating those vulnerabilities with a plan.  Also, understand that cyber criminals will take the time to learn your network well.

And so you must know your network well, and that includes your extended network, so don't take the shortsighted approach to what you define as your network.  That's your suppliers, your accountants, your lawyers – everyone that touches your environment.  So when you're enforcing your security policy, make sure that your suppliers and their suppliers are actually adopting that policy and controls.

Also, have – I think you've heard from Steve and from Craig all about your emergency plan, so making sure that you have an incident response management plan that absolutely ties to your emergency response plan, because it – just taking an IT view of those events, as we've seen in a number of events that have happened in industry to date, it impacts the entire enterprise, and so having a critical communications plan in place and being able to respond and train on that plan over and over, so it is really secondary in nature – just to actually provide the response and do the scenario-based training – that includes red teaming and blue teaming, so red teaming – have a scenario that impersonates an attack, just like an attack would come into your environment.  But blue team – making sure that you have the right incident response plan so that they're known and honed regularly.

So having that planning process regularly.  And then also, don't give up.  The problem seems insurmountable, but it's not.  It's a matter of putting the right practices in place, of taking it down to a control level, but also educating your teams so that they understand not to click on that email.

I mean, phishing is probably the number one access vector for ransomware, so, you know, continuing to train and make sure your employees understand the risks involved absolutely provide a better result.

John:  Well, a full spectrum of mitigation, preparedness, response, and recovery issues to be addressed on cyberterrorism and cyberattacks on healthcare.

Lots of work to do, but lots of work to be – lots of work that has been done and some lessons that we've learned.  Thanks for joining us today.

Narrator:  Thank you for joining this ASPR TRACIE webinar on Cybersecurity and Healthcare Facilities.
We encourage you to visit us at for more information on a variety of healthcare emergency preparedness and response topics, including a Topic Collection on Cybersecurity in Healthcare and Issue 2 of our newsletter, The Exchange, focused entirely on Cybersecurity. You can also submit resources to be considered for inclusion in our resource library and Topic Collections, participate in a password-protected discussion board, or submit requests for technical assistance.

Descriptive Text:   
Contact ASPR TRACIE by phone at 844-5-TRACIE or by email at


[The video ends.]