Zachary Lewis, CIO and CISO at University of Health Sciences and Pharmacy in St. Louis, Missouri, delivers a keynote address at HIMSS26 in Las Vegas.
LAS VEGAS – In the face of an overwhelming threat environment, cybersecurity is a collective responsibility for all healthcare stakeholders, not just IT departments, according to Zachary Lewis, chief information officer and chief information security officer at University of Health Sciences and Pharmacy in St. Louis, Missouri.
"Healthcare does remain the most expensive industry for breaches," he said as he opened the HIMSS26 Healthcare Cybersecurity Forum here on Monday.
The event is focused on building stronger cybersecurity workforces and leadership and deeper partnerships that will shape the future of healthcare's response to security threats.
"We are not getting any better at stopping the attacks," Lewis said. "But we are getting better at recovering from attacks."
While the costs of recovery have softened to an average of about $7 million per breach in 2025, attacks continue to increase.
With patient care hanging in the balance, expedience often influences decision-making.
"Typically, we'll pay that ransom to make sure operations continue," he said. "I don't think a lot of us thought about when we got into cybersecurity that we would have life-altering decisions ... where if we didn't act and respond, someone could die from that."
Lewis, who published the book "Locked Up: Cybersecurity Threat Mitigation Lessons from a Real-World LockBit Ransomware Response" in January, knows all too well how quickly costs can get out of control.
Most of the time in healthcare, business leaders will say that paying ransomware is justified, said Lewis. But there is likely a threshold.
"Know what you're comfortable with and what your business is not comfortable with," he said.
When the University of Health Sciences and Pharmacy experienced a LockBit ransomware attack in April 2023, the ransom started at $1.25 million.
Two years prior, the Department of Health and Human Services warned the healthcare sector about the group's ransomware-as-a-service affiliate program and its preference for using unpatched systems for intrusion.
The organization's vulnerability stemmed from a hardware flaw in a new firewall, discovered out of the box when it arrived during the COVID-19 pandemic.
Lewis said they were told they would have to wait several months for a new one due to COVID-19-related supply chain delays.
They turned to a local ISP that offered a co-managed firewall to get their network operational. However, the ISP could not provide multi-factor authentication on the virtual private network.
"It was in that period of time that the threat actors were able to come in through the VPN on an account that we are pretty sure was compromised from a personal computer," he said.
They were able to scrape cached passwords to get other credentials – the LockBit threat actors provided a list during the negotiations – and got into a hypervisor to take control and drop the ransomware payload.
While the organization was 95% operational by day four after the incident, three days later, its network crashed again.
That's when Lewis said his team found the ransom note.
At first, the LockBit threat actors claimed to have 75GB of data, but that number rose during negotiations to 175GB and then to 380GB of sensitive data.
While LockBit threat actors provided partial filepath lists, the organization was unsure of what the threat actors really had.
Meanwhile, Lewis' database team revealed that some protected information may have been stored on compromised servers, but they were unsure to what extent.
What he was sure of was that the threat actors found and deleted the organization's immutable backup.
Salvation, however, came in the form of a lapse in standard protocol and a third off-site backup.
One system user kept their login to the University of Health Sciences and Pharmacy's third offsite storage system, which was not tied to the network, in their own password manager on a local server.
"Definitely against policy, but I was OK with that breach that day because it saved us," Lewis said. "Without that, we wouldn't have gotten on, we wouldn't have been able to restore."
Lewis has since modified procedures: he now prints passwords on paper and locks them in a safe, he said.
"That's our control."
The IT team was then able to restore Active Directory using a gaming system it had.
Meanwhile, the LockBit threat actors negotiated their ransom down to $700,000. But the health system never paid the ransom, Lewis said.
When the deadline passed in mid-June that year, it turned out that the threat actors had actually stolen only 2.56GB of data, which included four Social Security numbers and one immunization record.
Lewis estimates the total cost of recovery at $300,000, including insurance deductibles, legal fees and time lost on other projects.
The following takeaways can help organizations recover faster from a breach:
- Conduct tabletop exercises with leadership and IT teams.
- Complete incident response plans.
- Check configurations.
- Ensure passwords are available.
- "Backups, backups, backups."
- Establish alternate forms of communication not tied to network environments.
- Keep cyber insurance up to date.
- Be vigilant about MFA.
"Anything that you can do to take off the decision-making process in the heat of a ransomware incident is going to be key," Lewis said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.