Code Dark: Children’s Hospital Strives to Minimize Impact of Hacks

In healthcare, code blue signifies an emergency with an adult patient. Code red warns of fire. At Children’s National Hospital in Washington, D.C., staff have added another: code dark, for a cyberattack.

A nurse, doctor, or any staff member who sees something suspicious on a technology device, such as a screen displaying a ransom note or a system failing, must report it to hospital security staff, who then call the code.

At that point, technology specialists work to secure the network and all other hospital employees shut down machines near them, said Nathan Lesser, chief information security officer at the hospital.

“If we call a code dark, the entire hospital knows to disconnect devices anywhere they can,” he said. “And then suddenly, we have this additional perimeter. We can reduce the blast radius of malicious code running rampant across our network.”

Staff at Children’s National Hospital carry cards with code dark steps on lanyards.

Photo: Children’s National Hospital

Healthcare organizations are prime targets of hackers keen to get their hands on the personal and financial information they hold, or extort them for ransom, the logic being that they are likely to pay rather than risk patient care when digital systems go down.

Mr. Lesser said staff at Children’s National have learned about cyber threats and what they could do to counter hackers. They now have detailed instructions on how to power down devices, even pulling a power or network cord as a final resort. Training documents show photos of what different cables look like. The cyber team affixed reminder labels on machines such as monitors and network-connected devices, and hospital staff carry cards with code dark steps on lanyards.

“Someone who is an ER nurse or someone working in the operating room, they don’t necessarily know what a network cable is. You have to really make this accessible for everybody across the organization,” Mr. Lesser said.

The distributed nature of healthcare technology, growing use of internet-connected devices such as bedside terminals and strict regulations governing fines and public reporting for breaches not only leave hospitals vulnerable to cyberattacks, but also make them particularly damaging when they succeed.

Research from International Business Machines Corp. published last week found that the medical sector had the highest average cost per breach than any other for the 12th year in a row, at over $10 million.

Criminal hacking groups aren’t the only ones that see hospitals as a juicy target. In July, the U.S. government said it had disrupted a North Korean state-sponsored hacking campaign that targeted hospitals and other medical facilities in the U.S. for financial gain. Pyongyang has routinely denied involvement in cyberattacks.

Cybersecurity should be considered a critical risk for all medical facilities, said Phil Englert, director of medical device security at the Health Information Sharing and Analysis Center, a nonprofit that coordinates security among healthcare organizations. Hospitals should also develop comprehensive plans for dealing with individual medical devices, as their proliferation gives hackers more places to break into networks, he said.

Mr. Lesser, who joined the hospital in 2020, said he was asked by top executives and the hospital’s board to find ways to mitigate the long-term effects of cyberattacks, which have often taken healthcare systems around the world weeks or months to recover from. They wanted recovery time to be a week or less, he said.

Being able to do that requires the hospital to, among other things, cut the time it takes to spot that an attack is happening, he said, with detection speed critical to blunting its force. Hackers often dwell in systems for days or weeks before an attack, to learn how to move quickly across the network’s architecture once they detonate malware.

After an attack, technology teams can spend weeks restoring computers from backups where possible, formatting them where it isn’t, and generally rooting out the infection, often resulting in significant disruption to a business. Reducing the number of compromised systems, Mr. Lesser said, can mean less downtime.

To put code dark into practice, he harnessed the backbone of a hospital’s operations: its emergency operations plan. This plan covers hurricanes, active shooters, emergencies in clinical units and other crises, all of which are assigned a code so staff know how to react in specific situations.

Cybersecurity emergencies should be no different, Mr. Lesser said. The thousands of workers at Children’s National—clinicians, administrative and financial staff, security personnel and others—can be cyber first responders, he said.

Mr. Lesser’s efforts align with a growing consensus among medical experts that cybersecurity needs to form a core part of staff training. In the same way that staff learn how to operate medical technology correctly, Mr. Englert said, they must also learn about how to operate it safely when it comes to cybersecurity. Both are now essential to patient care, he said.

More From WSJ Pro Cybersecurity

Write to James Rundle at

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8