Rae Woods (00:16):
From Advisory Board, we are bringing you a Radio Advisory, your weekly download on how to untangle healthcare's most pressing challenges. My name is Rachel Woods. You can call me Rae.

(00:27):
Today's episode is special because we recorded it at the kickoff to Advisory Board's 2025 Summit Series. In this episode, you're going to hear the story of the 2023 ransomware attack on Ardent Health Services. Ardent is a 30-hospital health system with locations across six states. What happened to them feels like something that should be out of a movie. But there's no movie magic here. In fact, I learned that events like these are not particularly uncommon. Cyber attacks are happening more frequently. They're getting bigger and they're getting more sophisticated. For Ardent, it all started with a threatening message that showed up on a medical device, of all things. It led to the system going completely dark, disconnecting everything from the internet, effectively taking their system back to the analog days. The story ends with what I have to describe as a miraculous recovery.

(01:22):
The conversation you're about to hear reminds me of a different conversation that we could have been having, one about the early days of the patient safety movement. 30 years ago, one of the early messages we said in regards to patient safety was all about resisting the urge to bury the negative stories. Which is hard. Nobody wants to voluntarily spotlight a failure. But being transparent when things go wrong is the only way that we learn. It's the way that we improve. Resist the urge to think, "But, Rae, this could never happen to me."

(01:57):
You're going to hear what it's really like to face a worse case scenario, what it takes to move quickly to minimize damage and build a more resilient system. Here's my conversation with Ardent's President and CEO Marty Bonick and their Chief Digital and Transformation Officer Anika Gardenhire.

(02:15):
Hey, Marty. Hey, Anika. Welcome to Radio Advisory.

Marty Bonick (02:20):
Great to be here with you.

Anika Gardenhire (02:20):
Thanks, Rae.

Rae Woods (02:22):
Now, I want to start this story at the very beginning and I want to start with you, Anika. How long had you been working for Ardent when this cyber event happened?

Anika Gardenhire (02:31):
A little less than two months, less than 60 days.

Rae Woods (02:34):
A little less than 60 days. I have to ask, had you ever experienced anything like this before? Would you have called yourself prepared for this moment?

Anika Gardenhire (02:42):
Absolutely not. No. I don't think there is any preparation.

Rae Woods (02:46):
But you were still doing things like tabletop exercises, doing all the best practices that go into cyber defense, but nothing really compares to dealing with it in the moment.

Anika Gardenhire (02:54):
Absolutely. I think in every organization, you prepare for possible disaster as best you can. You work through business continuity, you do your tabletop exercises. You absolutely give it the best possible muscle memory that you can. And in the thick of the moment, I think the reality is you rely on those muscles and it is completely novel-

Rae Woods (03:17):
Yes.

Anika Gardenhire (03:17):
... all at the same time.

Rae Woods (03:18):
Yes. I have learned that there is an entire language around cyber defense that I did not know before preparing for this conversation. Marty, you actually have a really helpful analogy that will help ground us. Because when this story started to unfold, it started in late October 2023. But at that point, you didn't yet know that your systems had been breached. What's the analogy that can help ground us in the timeline of what happened?

Marty Bonick (03:45):
When these things happen, often times the perpetrators are getting into your systems before they manifest themselves or there's any physical signs of it. We had a little bit of a clue. Think about, you're in a big office building. It's nighttime, it's dark. Nobody has the master schematic to see this three-dimensional building with multiple stories and multiple entries and exit points. We got an alarm that said a door had been opened and it quickly shut. We had people digitally go and check this doorway hypothetically and say, "Okay, everything seems to be okay. False alarm." We did some follow-up checks on that just to audit and it's like, "Okay, false alarm."

(04:24):
When these people get into the system, they don't necessarily know where they're going. They have a key that got them into one door, and they're going and clicking on others doors to see, "What else can I get into?" You're trying to chase them down through that. You're trying to figure out where they might have gotten into your rooms, and where do they leave a footprint, and what's been contaminated.

Rae Woods (04:42):
Anika, you and your team are responding to an alert that is normal, maybe I'll even call it generic, right? You're doing all of the best practices of cyber defense. You're communicating with the FBI, you're working with your third party managed detection response team, you're working with your team. At what point did you realize this is not a drill, this is not normal, there is actually an attack happening?

Anika Gardenhire (05:05):
It's really when your systems start to be impacted that you realize, "Oh, something really untoward is happening." You get the message on a medical device, and then you start to realize that your systems are not behaving as you expect. You might be expecting data to move in a certain way across your systems, or you may be expecting certain things to happen on your screen, or you might see something be gushy. You have some monitoring. The reality is this is healthcare, nobody monitors every system down to the nth degree. You don't necessarily have teams that can monitor every application all the time, 24/7. That's just how life works.

(05:48):
But as soon as something happens, you start to try and have teams that are more targeted, that are looking more closely. Then you have teams that are doing things like extract detection responses. There are all these specialties that come into place that begin to help you understand what might be happening across your systems. Then you have the message.

Rae Woods (06:06):
The message came up on what day?

Anika Gardenhire (06:10):
November 23rd?

Marty Bonick (06:13):
Thanksgiving morning.

Anika Gardenhire (06:14):
Thanksgiving morning.

Rae Woods (06:14):
Thanksgiving morning.

Marty Bonick (06:14):
For better context, yes.

Anika Gardenhire (06:15):
November 23rd?

Marty Bonick (06:16):
Yeah. When your nurses start to get messages on screens that says, "Your system has been compromised by XYZ hacker group and pay this ransom," that's when you really know you have it. We can detect some activity, but then when it starts popping up on screens, then you know it's real.

Rae Woods (06:31):
There's this nefarious message that shows up. It says, "I own your system," or whatever it says. It happening on Thanksgiving morning. I want to channel how you must be feeling at this moment, Anika, because you've been on the job for two months. This message shows up on a medical device. You've got to make a phone call to your boss on Thanksgiving morning while he's on vacation. What is that call like?

Anika Gardenhire (06:53):
First, you're just grateful that he answers.

Marty Bonick (06:58):
That's gets a laugh and it's true, because I was actually ... I love to go on a run and I did my own little turkey trot. My watch starts to buzz. You're going through this split-second, "Well, maybe she's just calling to say happy Thanksgiving, Marty." I've known her for two months.

Anika Gardenhire (07:16):
7:00 in the morning.

Marty Bonick (07:17):
Yeah. I'm like, "No, I should probably take this," so I did.

Anika Gardenhire (07:23):
There are a couple things that happened. First, I receive a call. I receive a call from our information security team. We are having a full-on conversation, I'm having conversations with our MDR team, and I'm gathering enough information to be able to call Marty.

(07:39):
There a couple things that go through your head. One is what exactly do you need to share? Two is does Marty have enough information to make the next call that he needs to make? Then it's making the call to say, "This is not a drill." We are going into the office. We are instituting our incident command structure, and we are going to gather the situation room.

Marty Bonick (08:02):
Yeah. To Anika's credit, when she came into the organization, she really highlighted and brought more visibility to some of the things that happen every day in your IT shops. There are constantly alarms going off and you can get alarm fatigue, just like our nurses get alarm fatigue. But it always wasn't trickling up into the C-suite. When Anika came, I think this was probably the third time that we've heard this, and that the first two really just false alarms. Then this one becomes real.

Rae Woods (08:31):
I want to come back to the origin of realizing that this is not a drill, this is a true attack. It strikes me, and frankly surprised me, that this message first appeared on a medical device. I'm not sure I or we appreciated just how connected your average hospital or health system is to the internet. Anika, how connected are we actually talking about here?

Anika Gardenhire (08:56):
Astronomically connected. The way that I try to describe it to people is to think about your home, think about your house. Often times, when people think about the things that might be connected in their houses, they think about, "Oh, my cellphone. Oh, my laptop. Oh, my TV." Then they go, "Oh, wait. My refrigerator."

(09:16):
The hospitals are exactly like that. Refrigeration systems and air conditioning systems. The systems that deliver your food trays, or help you make recipes, or help you calculate dosages. The systems that help you gather medication are all connected to the internet. We have the internet of things, you might be familiar with. We have the internet of medical things. IOMT, the internet of medical things. It is an extensive number of device that sit on networks that are connected to the internet.

Rae Woods (09:48):
The other thing I'm not sure I appreciate is just how sophisticated these attackers are. I think we can all conjure up an image in our mind of an attacker. I bet we're all imagining a teenager in a hoodie in the basement of their parent's house. But these are real sophisticated actors. Knowing that, what in your mind are the worse case scenarios that you are trying to avoid?

Anika Gardenhire (10:16):
The first and far most biggest scenario you're trying to avoid is mal-impact to human life.

Rae Woods (10:22):
Yes, yes.

Anika Gardenhire (10:22):
First and foremost, our job is to keep people safe and it's to make people better. I started my career as a registered nurse. I think the hardest part about this for me, and I've shared this with Marty, is I felt like I knew exactly what I was doing to people when we were making the calls that we needed to take through this process.

(10:39):
When you think about those medical devices, how do you ensure that dosing calculators were good? How do you ensure that people can still have what they need in order to be able to care for patients? How do you ensure that ratios are good? How do you get people back into the hospital? How do your get your incident command structure stood up? How do you communicate? All of those things are the things that are most and foremost running through your mind.

(11:01):
To your analogy about the person in the hoodie. I think I said to Marty one night we were white boarding. You do have that image in your mind. You think about the movie and you have the person who is sitting in their hoodie, and they click a couple times and they go, "I'm in." I said to Marty, "That's really not it." Think Oceans 11. Think contractors and subcontractors. Thinks selling of information. Think deep-casing. Really understanding the rhythm of your business. That is the sophistication that we are really trying to guard against every day. Part of the reason that we're having this conversation is realistically, we have to figure out how to do this together more. Because individually, as any individual organization, it's really, really hard to combat that.

Rae Woods (11:46):
Worse case scenario number one is an impact to patient care. Particularly important because this message was also showing up on a medical device. What's your second worse case scenario?

Anika Gardenhire (11:56):
Transparently, you think about the business. You're thinking about patients, first and foremost. Then you're thinking about clinicians and the people who are working to care for patients. And I also needed to call my chief legal officer and my chief financial officer, so you start to think about things like how many days of cash do you have. All of these things come together in very short order.

(12:17):
How are we keeping people safe? How are we keeping our clinicians safe, and notifying them, and making sure they have the tools they need? How do we keep our business running?

Rae Woods (12:24):
There's no shortage of problems that you're having to deal and you're having to deal with as quickly as possible. You, and another player who's actually not with us today, but I think he's important enough that we should introduce him from afar, and that is the Chief Counsel at Ardent Health Services Stephen Petrovich. I think you lovingly call him Petro. Do you think he will call me call him Petro as well?

Anika Gardenhire (12:45):
I think he would.

Rae Woods (12:47):
Between Petro and Anika, you set up a framework for how you were going to divide and conquer because so much is happening so quickly. What was that framework?

Anika Gardenhire (12:56):
We divided ourselves into what we called cures and consequences. I give Petro full kudos because this was his brain child. I think we were in the thick of it and we were running through. In fairness to Marty, we were working to keep him updated, who's trying to get home. We're in the situation room, I think it's really late Thanksgiving night. Petro says, "You just run. Just go and handle the cure, just get us to a place of recovery, and I'll handle the consequences." Because as you can imagine, you can get stuck trying to figure out how to make the right moves and you can easily become paralyzed in how you need to make decisions. What should you knock over, what should you not knock over? How much is that going to cost you? I mean that in terms of time, and impact to people, and all of those things as you're thinking about recovery. It was awesome.

Rae Woods (13:50):
An example of that is you have to turn off payroll, he's going to figure out how to get people paid.

Anika Gardenhire (13:54):
100%.

Rae Woods (13:54):
Yeah. I don't mean to be flippant here, but you're running at the cure. Petro is fixing the consequences that come up as you're running towards the cure. Marty, what are you doing? But I'm serious. What is the role of the CEO when this is happening?

Marty Bonick (14:16):
Yeah. It was probably a blessing that I wasn't there because you think most executives, you have this control, "I want to be involved and I want to do something." But they had had this so laid out. I'm telephonically dialing in from a few states away and I'm being updated, but you're really helpless. My role became chief communications officer in a lot of ways, and helping the organization to understand what's going on, and staying out of their way. You can't manage this by committee. I think it was brilliance, the cures and consequences. You just get it fixed, spare no expense, and do what needs to be done.

(14:48):
There are consequences, like you said. People still needed to get paid, but when you put the whole company in airplane mode. It wasn't just the clinicians at the bedside, it was connecting to your suppliers. Once your vendors understand what's happening, they're going to disconnect from you because they don't want to get contaminated. You set your organization back 20 years ago when we used to do everything on paper and interoffice memo envelopes, and stuff. You go back to that world in a hurry. Explaining to people what's going on is really important.

(15:14):
We're working with a generation that didn't get trained on paper.

Rae Woods (15:18):
Yes.

Marty Bonick (15:19):
We've got physicians and nurses that never worked on paper. When you can look back and smile at some of the fun moments of this, in talking to some of our veteran nurses, talking to a medical student who is used to having a computer help them prescribe which medication. They're trying to figure it out and they're like, "Well, give the patient Tylenol." They're like, "Okay. What route? What dose? How much? How often?"

Rae Woods (15:40):
Pull out your calculator, let's figure this out.

Marty Bonick (15:42):
Have you signed and dated that order? We really put the organization back 20 years.

(15:47):
From my position, what seemed natural but isn't always natural as we learn talking to others, just getting that communication protocol set up as quickly as possible. And just being vulnerable and transparent with your team, and then having the external communications as best as you can.

Rae Woods (16:02):
Yes.

Marty Bonick (16:02):
People knew what we could do, what we could answer, what we couldn't answer. By being as open and communicative as possible was really where my role came in.

Rae Woods (16:10):
I appreciate that you're saying that the role of the CEO is actually to step back. The role of Petro was to step back and say, "Anika, you are going to run at this cure." I think you even had a three-part way of thinking about what does it actually mean to solve this problem. What were those steps?

Anika Gardenhire (16:27):
It was to contain, and then extract, and then recover.

Rae Woods (16:30):
Contain the problem, extract the bad actor, and then recover from the all the damage-

Anika Gardenhire (16:34):
Absolutely.

Rae Woods (16:35):
... that actually happened. Let's just talk about containing because your first instinct is not to shut the entire system down, and take it back 20 years, and put it in airplane mode. Your first steps are to try to contain it as it's moving. But my understanding is these things move very quickly. I have to imagine this is where you're clinical training actually jumps in and you're thinking, "I'm running this like I'm running a code."

Anika Gardenhire (16:55):
For sure. You have massive numbers of teams coming in. Everybody, every application person, every DBA, everybody in your infrastructure, every network engineer. You have massive numbers of people coming in. If you think about a situation room, you are setting up chats. All the things that you can imagine that a bunch of technologists who are coming together to try and figure out a problem are doing. There are 16,000 chatrooms happening and people are trying to communicate from home. You have all hands on deck.

(17:24):
You're asking people, "Take a look at your applications, take a look at your environments, take a look at the infrastructure," really try and package that together. You're trying to understand where the problem is, how the problem is moving, and you're trying to understand what's been touched. Because it's not just what's moving now, it's also what might have been touched in the time since you were initially contaminated, for lack of a better term.

Rae Woods (17:49):
At what point do you realize, "All right, the only way that we are going to contain this problem is to shut everything down?"

Anika Gardenhire (17:58):
Interestingly, there was a moment when we realized that there was still ongoing movement. You have a situation where you have humans, and then you have effectively maybe a payload that they've dropped off. You think the pinball machine, that thing's just knocking around into stuff. There's a point at which maybe the door was left open a crack and somebody is controlling it.

(18:23):
In order to completely ensure that you have closed every door and window ... You think that moment on a movie where somebody hits a button, and the metal shutters come down, and the metal bars come down. That moment is turning off the internet. You hit a place where you realize in order to effectively know that I have contained us completely, I have to hit the button that lets down the metal bars and the metal shutters, and that is our way forward. That actually wasn't very long. I think about it now and it feels like a very long time. But in actual numbers of hours, it wasn't all that long. You think about being in that cures mode, this is just the fastest path. I tell Marty all the time, I still don't necessarily know that that was exactly the right decision, but in the moment.

Marty Bonick (19:12):
I'd say the decision was probably in the first six hours. It's not as easy as going, "Okay, pull the plug or hit the switch."

Rae Woods (19:19):
There's no red button like you see in the movies.

Marty Bonick (19:20):
No.

Anika Gardenhire (19:20):
No.

Marty Bonick (19:20):
It's not.

Anika Gardenhire (19:20):
There's no actual button.

Marty Bonick (19:22):
It actually takes time to sever from the internet as we learned.

Anika Gardenhire (19:25):
Yes.

Marty Bonick (19:26):
I'm like, "Wait, we said we were going to shut this off." Again, CEO is like, "Hey, we made this decision three hours ago. Why aren't we down?" It's not that easy to sever everything from the internet.

Anika Gardenhire (19:34):
It's really not.

Marty Bonick (19:34):
Because you're connected through so many redundant ways externally, it's not just a main power plug that you can pull.

Rae Woods (19:39):
I can't stress how big of a deal this is. That you are disconnecting, again, 200 sites of care, six states, at least two time zones, and you're disconnecting everything from the internet. You said it yourself, "taking us back willingly 20 years in time." Talk about consequences to have to deal with. How are you actually communicating with the staff at Ardent? How are you keeping patient care going? How are you keeping the business running?

Marty Bonick (20:07):
If you're doing tabletop drills, and if you're listening and you're a CEO, participate in those because you'll learn a lot. But have you really scenario planned for turning the internet off? Which means you're turning your email off. We didn't know what we didn't know. This person was in the building, we didn't know if they were in the email servers. If I started emailing Anika, "We think that we've found it," and they're watching our emails, we couldn't communicate through email.

Rae Woods (20:29):
There's a very practical question of how do we even communicate?

Marty Bonick (20:30):
Right.

Anika Gardenhire (20:30):
Right.

Marty Bonick (20:30):
We discovered Signal before it became a Washington term of art.

Rae Woods (20:38):
Signal meaning the encrypted communication platform that is more secure than text message, but perhaps less secure than we all realize because of news lately?

Marty Bonick (20:50):
We did not inadvertently attach any reporters to that.

Rae Woods (20:53):
Got it, got it.

Marty Bonick (20:56):
But it turned out to be a great platform because we could set up a CMO group, and a CEO group, and a CNO group. I was part of all of them, Anika was part of all of them. It was great to watch our chief medical officers become little MacGyvers and going, "I've got this problem here. What have you done?" Somebody would figure out it and they would send it, so we were learning from each other. That's the benefit of being a large system is learning from each other and having that.

(21:20):
But it was also interesting to watch their trial-and-error. It was like, "Well, let's go buy fax machines." It's like, "We'll go raid the local Staples store and buy all these fax machines." Great. What are you going to plug them into, because everything is VOIP? Voice over internet. We don't even have traditional phone lines. You really had to be ingenuitive. We went back to running paper results around. Every lab test, every X-ray that you had to do. It turns out the radiologists really like working from home in their pajamas. They're like, "Wait, you want me to come in and read an X-ray now?" It's like, "Yes, because we cannot get it to you anymore." Everything that you know in terms of how you operate today had to change and go backwards.

(21:58):
Those are the things that, because we had the communication protocols rapidly set up and we were communicating to each other, we had twice a day conversations, a morning and an evening call, all hands on deck. We'd go through and everybody went around the table, and we were running this from my iPad. I would pass the iPad around the table, and Anika would give her report, and our chief medical officer would give her report, and our chief legal officer would give his report. We just had to keep doing that and passing the phone around, and then people would raise up questions through that chat.

Rae Woods (22:27):
As difficult as that must have been to continue to run your business and to continue to provide patient care ... And I really appreciate that, Anika, you said, "I'm not even sure it was the right decision." But it ultimately was the thing that allowed you to contain the problem. But then you've got to get them out. What does that step mean?

Anika Gardenhire (22:48):
You have a whole host of people who are going through your systems and looking for trails. There are these digital trails, as Marty mentioned. You have worked with your chief legal officer and others, and transparently, you have brought in SWAT teams. You have hired them temporarily and invited them in, and they are going through with a sandblaster, and they are ensuring that everything is out. As you can imagine, in the process of going through with a sandblaster, it means that recovery looks different. Now we have gone through and we have sandblasted everything, we have to paint things over, we have to put the house back together. That's what recovery looks like.

(23:27):
But really, it is about having a team of people who are going through and they are looking for every possible digital trail. You are looking for any type of encryption. You are looking at any communication that you might have had with anybody that has given you any insight. I would tell you, if there's a piece of advice that I could give to anyone whose sitting in the type of seat that I occupy, it's call your friends. We are part of groups like the Advisory Board or CHIME. I got such good advice from other leaders who had had this situation before. They told me things like, "Get your clean bill of health letter early, it will make your recovery faster." They gave me insights into the things that they wished that they had known in the moment and I was taking notes. And saying, "Oh, by the way, we should do this even though this hasn't happened because somebody told me that it would really help us." I highly recommend, if you have that personal board of directors, that group of people that you would call, call them.

Rae Woods (24:25):
I have to even say the lack of ego that you have to have in this moment of dealing with a worse case scenario.

Anika Gardenhire (24:30):
For sure.

Rae Woods (24:31):
Dealing with a crisis and saying, "I need help, this thing happened to me." That is a characteristic that we think we all have as leaders until you're actually hit with the hard moment. I have to imagine, Marty, you had to put incredible trust in a person who, again, you had known for two months.

Marty Bonick (24:52):
Yeah.

Rae Woods (24:53):
Were there ever moments of doubt, ever squabbles that you had to deal with as a leadership team?

Marty Bonick (24:58):
No. Again, the team had come together. Anika jumped right into action. Petro jumped in and they had this system organized. I'll say one thing. This team is competitive, Anika is extremely competitive, and we all want to win. She had a plan, she had the mind mapping and the white boarding that we did in the wee hours of the night. Really just convinced me, "Okay, this is yours. You tell me where you need help." It's always fun to call an emergency board meeting on Thanksgiving afternoon, which we had to do. You've got lots of people wanting to help, and then you've got to actually just stay focused on the problem at hand. Take care of our patients, take care of our caregivers, get the system back up, damn the consequences, and then we'll deal with the consequences.

(25:39):
Just having the confidence that she had the experience, she understood what needed to be done to contain the extraction, the recovery. The whole thing made sense and I couldn't argue with any of it. It was just stay out of the way.

Rae Woods (26:45):
Containing the problem was immensely difficult. Extracting this bad actor, not easy. I actually think the hardest step is the recovery. Or at least, the longest step is recovery. If I think about other organizations who have been through something like this, Ascension was offline for months. CommonSpirit I think was on paper charts for eight weeks. How long was Ardent Health Services down and disconnected from the internet?

Anika Gardenhire (27:12):
12 days.

Rae Woods (27:13):
12 days. Prior to that, what was the fastest recovery time in the market?

Marty Bonick (27:21):
We heard somewhere between 14 and 21 days. That's when Anika said, "Well, we've got a new goal. We're going to beat that." If something bad happened, we were at least going to set a new record and we did. Now, that's getting the systems back online. That does not mean you're recovered. People just assume life moves on, unless you're dealing with that. That's really key.

(27:41):
For us, and what Anika quickly learned and helped me understand, like I said, I have analogies for everything. This came up to me like a library. If you had a tornado go through a library, or something less than a tornado go through a library that just threw all the books off the shelves and skewed the shelves, and you had to build the library again. Ideally, you've got a system. There's the Dewey Decimal System. You've got a card catalog, you know where every book is supposed to go on every shelf. Well, in the IT world, you've got servers, you've got applications, you've got domain controllers that tell you which applications should be on which shelves.

(28:13):
Well, in an ideal system, you'd have a Dewey Decimal System, an information technology system. The reality is with budget constraints, ideally you'd want a server for this application and a server for that application. But when capital gets tight and everybody's got to squeeze, "Well, we're just going to put this extra book on this other shelf." It's sort of related, but not really. Knowing the map to rebuild all those systems is key. We lost essentially our Dewey Decimal System in this.

(28:38):
Now, they did not get to your backup systems so we were able to recover, but we still had to know where to recover and where to rebuild these. Every one of the 4000 servers, and domain controllers, and applications had to be rebuilt, reinstalled, and that's not quick.

Anika Gardenhire (28:53):
I just want to say you always feel validated when your CEO knows what a domain controller is. Feel good about it, feel good about it.

Marty Bonick (28:59):
Yeah, yeah. Well, then you've got your partners. One more torch to the analogies. I love movies. The Apollo 13. Epic is a great partner. We've got one instance of Epic across the entire system, which is great. We didn't have to boot multiple systems up. But Epic's got a protocol that says, "We're not going to come up for seven days validation to go through this."

Rae Woods (29:21):
Seven days? That's more than half the time it took for you.

Marty Bonick (29:22):
Right.

Anika Gardenhire (29:22):
Yes.

Marty Bonick (29:25):
That's where, again, you have to step in and knowing folks up the chain. This is like Apollo 13. We don't have enough oxygen. Our nurses and doctors don't have enough oxygen, you're going to have to cut your protocol. We got them to reduce it to 72 hours, which still feels insanely long in the moment. If you look back, it's extremely quick just knowing all that has to be done. Those are the things that, divide and conquer, know who has what role and what buttons to push.

Anika Gardenhire (29:53):
There are a couple of things that I think are really, really important for your CEO and those who are surrounding you. One is that they will knock down doors. Marty helped knock down several doors.

(30:04):
Then the other piece that we haven't talked about that I think is really important that Marty did, because it's super easy to lose sight of this. You also need a chief human officer. Who's actually checking on the people? Not only the people who are being cared for in your facilities and the people who are caring for those people, but the people who are trying to get you recovered. Who is looking out at the people who are in the situation room and going, "Hey, you've been here for 72 hours. I think you need a nap?" Who's doing that?

(30:38):
I will say having someone who has enough space and enough authority to help support and make sure that, because this does have a long tail, because 72 hours in 12 days is not the end, you do need someone who's checking on people. I think that became a really important part of what Marty did to help the organization.

Rae Woods (31:02):
I can't say enough how impressed I am in your approach to recovery and your speed here, how quickly you were able to act. There's a couple things that I'm hearing from this. First of all, the trust that you had in each other. The frameworks you set up on how to divide and conquer. The fact that you had a very different role, Marty, than you had, Anika. The fact that you were knocking down doors and making phone calls to try to speed up processes. The fact that you had the tabletop exercises and the muscle memory. What else went into you being able to recover as quickly and effectively as possible?

Anika Gardenhire (31:36):
I would say culture and team, no question about it. This is 1000-person recovery. This is a 24,000-person recovery. Every single person in the organization is moving with speed, and alacrity, and in critical decisioning skills. We talk about things like the ability to make payroll. But you have analysts who would see things happen and make choices to do things, like download the payroll file so that you could do that. Those things come with an individual contributor who works in a culture that says, "I can exercise my independent free-thinking skills and I think this will benefit the organization." It's literally a lifesaver.

(32:18):
I think as people think about culture and talking about things culture eats strategy for lunch, this is one of those instances where absolutely, no question about it. Having a team that will literally give up their Thanksgiving Day, give up their next Thanksgiving Day, give up their weekend. And transparently, give up the next five months of their lives in order to dedicate getting the organization back to what we would consider some type of norm is the thing that you need. You have to build that over time. It's trust that you implemented people, that's people being able to bring their whole selves to work, those are the things that show up for you in this type of moment.

Rae Woods (32:55):
Part of recovery is also figuring out what's next for your organization. Something that has been in the back of my mind as we've had this conversation just comes back to how connected the healthcare system, how connected a hospital system is. I have to ask has living and leading through this made you question our interconnectedness as a system? Is there even any going back?

Anika Gardenhire (33:22):
I don't know that there's any going back. Transparently, when we think about the pace of life and the convenience that these types of things bring, transparently, the reliance that we have on them to be able to improve life, I don't think that there's any going back.

(33:36):
I will tell you that as you're thinking about your broader organization's strategy which is driving your broader technology strategy, and we say things like, "We want platform plays. I want one system of this, I want one system of that." Think about the other ways that you can create redundancy becomes really important.

Rae Woods (33:54):
Yes.

Anika Gardenhire (33:55):
It's really mission-critical.

Rae Woods (33:57):
Yes.

Anika Gardenhire (33:57):
Those are things that, to Marty's point, when capital gets squeezed and the organization is in a tight spot, they are the things that can be the quickest to go. Having your architecture team, your team that creates the Dewey Decimal System, is one of those easy teams to think about how do they create value? But it's in these moments that you actually more deeply understand. How you actually strategically think about creating redundancy I just think becomes even more important as you think about your broader technology strategies you're looking for.

Marty Bonick (34:30):
I'll add in segments.

Anika Gardenhire (34:33):
Yes, and segmentation.

Marty Bonick (34:33):
Segmentation between the networks. We're a big system, lots of big systems here in the audience listening. If this building was just contained and we could have kept that person there, it would be one thing. But when we have multiple buildings, and digitally they're connected without clear paths to cut those off and wall it off. Think of Titanic. You want the bulkheads to come down.

Rae Woods (34:53):
You really do love movies.

Marty Bonick (34:55):
I do. It's my hobby. If the bulkheads could have protected that, the ship wouldn't have gone done. For us, they got in through a higher level and we didn't have the segmentation in place at the time, so it gave them bigger reign. That's why we had to put the whole company in airplane mode, instead of just one hospital or one clinic, or what have you.

Anika Gardenhire (35:14):
It's a really important call out though. For those of you who stood in boardrooms, and ELTs, and others, and your CISO, and your CIO, and people who have titles like mine are coming in and they're saying, "We need micro-segmentation. I need zero trust." I need all these things that you guys go, "Well, that's IT stuff and I don't understand it."

Marty Bonick (35:31):
Yeah, the me.

Anika Gardenhire (35:32):
Trying to understand.

Marty Bonick (35:34):
My eyes glaze over, it's all the acronyms. It's like, "No, pay attention."

Rae Woods (35:38):
I think there's a broader theme that you all are getting to and it's actually one that we've been talking about at Advisory Board. At Advisory Board, we have been saying that there is actually no way to completely bubble wrap yourself from risk. This story is really emblematic of that. It's one of the reasons why we're pushing healthcare organizations of all kinds to move from a world of cyber defense to a system of cyber resilience. Again, if I think about patient safety, moving from dealing with the aftermath of one adverse event to having a culture of safety and a culture of resiliency. What does it take for healthcare leaders to make the jump between one-off defense to truly moving towards cyber resiliency?

Anika Gardenhire (36:22):
I think planning and testing are the most important thing. Making sure that you're working very closely with your business continuity team. That you're thinking about redundancy. That when your team is talking to you about DR and all these other types of things, you're really thinking about that. That you understand the state of your backups.

(36:39):
But then it's practice as much as possible, because at the end of the day this is about the ability to care for patients in any given situation. The more that you can practice the situation, the more the muscle memory works. The more you understand that it's not necessarily going to be running out of people to take things it places, it's going to be running out paper. It's going to be getting people to go to Staples, and realizing that Staples is not open on Thanksgiving Day.

Rae Woods (37:03):
Wow.

Anika Gardenhire (37:03):
And you don't have nearly enough paper to print everything for four days in a row. It's those types of things. It's making sure that you really understand how people are going to show up in your business when something untoward is happening. I think as much as you can practice that, the better off you will be. I will say, I do agree with you. I don't think it's a matter of if, it's a matter of when. You should simply be preparing for your when.

Rae Woods (37:30):
This story doesn't actually end here. You took Ardent Health Services public eight months after this. Marty, did this event, this attack end up affecting the IPO?

Marty Bonick (37:42):
It did not affect the IPO. Now, in the moment ... If you go through an IPO process, it's multi-months, six to nine months. We had already started in the background, preparing and having bank meetings, and organization meetings before this event had happened. The first thought is "well, the IPO is off." Because again, to your point, many great systems before us have gone through this with months of recovery. The fact that we were able to get the system back up and running in 12 days, but by the end of the first quarter, we were essentially fully recovered.

Rae Woods (38:13):
Wow.

Marty Bonick (38:13):
As if it didn't happen. Cashflow has received ... Now, think about this. There's no electronic charts capture, so people are writing notes on note pre-printed forms that you used to have. Freeform, handwriting notes. Our revenue cycle partners ensemble brought in an army of people to help translate all those notes, scan them. Bring in semi trucks to scan them, get them back in to Epic system, code them manually. Do manual chart entry. Bill those things out and then get the cash back in the door.

Rae Woods (38:42):
Remarkable.

Marty Bonick (38:42):
It was not just the 12-day recovery, but really getting up within a quarter. Which many businesses that have gone through this are dealing with this for multiple quarters after the event happens. If it wasn't for, again, the resiliency of our team and our partners, we probably wouldn't be a public company today. I can safely say that.

Rae Woods (39:01):
Did you eventually get to eat Thanksgiving dinner?

Anika Gardenhire (39:04):
My husband brought Thanksgiving dinner to the office Thanksgiving night. I think myself, and Petro, and several other team members at our turkey and our sides. Yeah, we did.

Rae Woods (39:17):
Talk about a moment of culture building and bonding. Well, Marty, Anika, thank you so much for coming on Radio Advisory.

(39:30):
As I re-listen to and reflected on my conversation with Marty and Anika, there's something new that I learned. It's how important every single person was to minimizing the damage and accelerating the recovery at Ardent. That's frankly hard for any organization, let alone one as big as Ardent Health Services. It speaks to why you, our listeners, are so important. Both when it comes to dealing with a disaster, or any of the twists and turns that we're always facing in healthcare. And remember, as always, we're here to help.

(40:30):
If you like Radio Advisory, please share it with your networks. Subscribe wherever you get your podcasts, and leave a rating and a review.

(40:36):
Radio Advisory is a production of Advisory Board. This episode was produced by me, Rae Woods. As well as Abby Burns, Chloe Bakst, and Atticus Raasch. The episode was edited by Katie Anderson, with technical support provided by Dan Tayag, Chris Phelps, and Joe Schramm. Additional support was provided by LeAnn Austin and Erin Collins. Special thanks to Stephen Petro, Ardent Health's executive vice president and general counsel. We'll see you next week.