In the aftermath of a ransomware attack several years ago, Hackensack Meridian Health embarked on transforming its cybersecurity program with the support of top leadership, increased funding and staff, and the implementation of critical security tools and best practices, said CISO Mark Johnson.
Johnson, who joined Hackensack Meridian Health two years ago after the transformation was already in motion, said the endeavor took a lot of hard work and commitment from all parts of the organization and extended from the immediate response to the incident through the months and years that followed.
“When they were going through the event, they said, ‘We have to fix this. I don’t have a tool,’ so they put some things in right away – they slammed them in,” he said.
“But then, to the leadership’s credit and the people on the ground’s credit, they said, ‘It does us no good to throw it in and walk away from this. We have to have the care and feeding for this,’” Johnson said, adding that the institution’s top leadership agreed.
The transformation effort included boosting Hackensack Meridian Health’s cyber budget from about 0.5% of overall IT spend in 2020 to 6.4% in 2023, expanding its security team from seven to 35 people and tackling a long list of important tasks.
In this interview with Information Security Media Group at the Healthcare Information and Management Systems Society 2024 conference in Orlando, Florida, Johnson also discussed:
- How Hackensack Meridian Health remediated more than 90% of critical vulnerabilities in its network over a short period of time;
- The importance of communicating with internal staff and leadership, business partners, patients, external counsel, cyber insurers, regulators and others in the aftermath of a cyber incident;
- Responses to different types of security incidents;
- Considerations for conducting tabletop exercises with key stakeholders on a regular basis to prepare for potential cyber incidents;
- How AI affects the threat landscape.
Johnson was previously a shareholder at LBMC, where he led the firm’s cybersecurity consulting practice. Before that, he was managing director at consulting firm KPMG, where he led all cybersecurity services for the healthcare industry nationally. Earlier, Johnson was CISO of Vanderbilt University Medical Center.