Skip to main content

All Access Subscription

Get unlimited access to our full publication and article library.

Get Access Now

Interested in Group Sales? Learn more

Response Plan Crucial for Cyberattack Recovery

A recent cyberattack against an Illinois hospital is a strong reminder a robust and well-tested incident response plan is a critical component of cybersecurity, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson in Baton Rouge, LA. The hospital partly blamed a cyberattack for its decision to temporarily close.

In 2022, the average cost of a cyber incident in the healthcare industry was more than $10 million, Rush says. The cost of the legal and regulatory response is exacerbated by the cost of business interruption. The average downtime after a ransomware attack is three weeks, so a quick recovery can help minimize the loss of revenue.

Hold Tabletop Exercises

Rush recommends tabletop exercises during which key stakeholders walk through the worst-case scenarios and adjust their response plan accordingly. Those exercises can mean the difference between an outage lasting a few days or several weeks.

“Tabletop exercises are a great way to consider some of the novel things that might happen with an attack and think about how you would handle them,” Rush says. “We look at situations that have hit similar types of entities, some things that they may not think of but have happened to others. That helps people just look at the potential risks from a different viewpoint.”

Unusual Scenarios

Rush encourages hospitals to consider unusual scenarios. One example is an incident that hits only the hospital’s billing software and the effect on revenue. In another, she encourages facilities with good data backups they could use after an attack to consider what they would do if the attack takes out the servers and they cannot run the processes.

Because the prevalence of cyberattacks has increased in the last five years, premiums for cyber insurance have increased dramatically and coverage has decreased, Rush says. Carriers are imposing significant deductibles and policy limits, so hospitals could find themselves shouldering much of the financial responsibility for a cyberattack.

“We had clients experience an incident, they had good coverage, and insurance covered everything. But at their next renewal, they got a 40% premium increase and a reduction in coverage,” Rush says. “We’re seeing that across the board, premiums are increasing, and coverage is eroding. There may be a million-dollar deductible on a ransomware payment that you didn’t see a few years ago, so you really have to look closely at your coverage.”


  • Layna Cook Rush, CIPP/US, CIPP/C, Shareholder, Baker Donelson, Baton Rouge, LA. Phone: (225) 381-7043. Email: [email protected].