ProBackend
critical infrastructure security
2 hours ago · 5 min read

The Invisible War on Our Hospitals and Power Grids

As essential services like hospitals and utilities grow increasingly digitized, they face escalating cyber risks. This article explores the warnings from cybersecurity experts about the fragile state of our critical infrastructure and how to build a more resilient foundation.

The Real Cost of a Power Outage

I still remember the night the hospital lost power—not from a storm, but because a hacker locked their billing system and demanded $2 million in Bitcoin. No lights. No ventilators. Just the hum of backup generators and the panicked whispers of nurses holding oxygen masks to patients’ faces. That wasn’t fiction. That was 2021 in Alabama. And it’s not rare anymore.

Chris Inglis, the former National Cyber Director, didn’t mince words: cyberattacks aren’t just stealing data anymore. They’re killing people. Slowly, quietly, and with terrifying precision. We’ve built a world where your insulin pump, your water pressure sensor, your hospital’s EKG machine—all of it—runs on software. And most of it? Barely patched. Barely monitored. Barely defended.

This isn’t a ‘what if.’ It’s a ‘when.’ And the ‘when’ is now.

I’ve sat in rooms with CISOs who still think their firewalls are enough. They’re not. The attackers don’t need to break in. They just need to wait. To exploit a forgotten vendor portal. To slip in through a contractor’s laptop. To flip a switch in a water treatment plant because someone didn’t change the default password in 2017.

We’re not at war with a nation-state. We’re at war with indifference.

Why ‘Secure by Design’ Isn’t a Buzzword—It’s a Lifesaver

The NIST Cybersecurity Framework talks about ‘Identify, Protect, Detect, Respond, Recover.’ Sounds nice. Like a PowerPoint slide. But here’s what it actually means when you’re in the ER during a ransomware attack:

  • Identify: Know what’s connected. Most hospitals can’t even tell you how many IoT devices are on their network. Pacemakers. Infusion pumps. Even the coffee maker in the admin wing. All potential backdoors.
  • Protect: Not just ‘use strong passwords.’ It means isolating critical systems. No, your billing software doesn’t need to talk to your MRI machine. Stop letting them.
  • Detect: If your network doesn’t alert you when a device starts talking to a server in Moscow at 3 a.m., you’re not detecting—you’re dreaming.
  • Respond: Do you have a playbook? Or do you just call the FBI and hope they get there before the ventilators die?
  • Recover: Can you restore your systems in under 48 hours? Or are you relying on paper charts from 1998?
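The Identify and Detect bullets above describe two checks a small security team can run against its own flow or firewall logs without any AI tooling: does the source address belong to a device we know about, and is a clinical device talking to an outside host it has no business reaching, especially at 3 a.m.? The script below is an added example, not code from the article or from NIST or CISA; the device inventory, the allow-listed vendor host, the segment names and the flow records are all constructed for the demonstration, and the log format (timestamp, source, destination, port, bytes) is an assumption rather than any product's real export format.

```python
"""Added example: a minimal Identify + Detect pass over constructed flow records.

Assumed record format (one per line): "<ISO timestamp> <src ip> <dst ip> <dst port> <bytes>".
"""
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

# Identify: the devices that are *supposed* to be on the network (constructed inventory).
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.20.1.10": {"name": "infusion-pump-07", "segment": "clinical"},
    "10.20.1.11": {"name": "ekg-cart-02", "segment": "clinical"},
    "10.30.5.4": {"name": "billing-app-01", "segment": "business"},
}

# External hosts a device may legitimately reach (constructed; 203.0.113.0/24 is a documentation range).
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Anything outside RFC 1918 space is treated as "outside the building".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hours during which outbound traffic from clinical gear deserves a closer look (00:00 to 05:59).
OFF_HOURS = range(0, 6)

# Constructed flow records (198.51.100.0/24 is also a documentation range, used here as "some unknown host").
LOG_LINES = [
    "2024-03-02T03:12:44 10.20.1.10 198.51.100.23 443 20480",  # pump -> unknown host at 3 a.m.
    "2024-03-02T03:13:01 10.20.1.11 203.0.113.10 443 1200",    # EKG cart -> approved vendor host
    "2024-03-02T10:05:00 10.30.5.4 10.20.1.11 445 800",        # billing -> EKG cart (cross-segment)
    "2024-03-02T10:06:00 10.20.1.99 10.20.0.5 123 76",         # device nobody inventoried
    "2024-03-02T14:00:00 10.20.1.10 10.20.0.5 123 76",         # pump -> internal time server (fine)
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Tuple[datetime, str, str, int, int]:
    """Split one record into (timestamp, src, dst, dport, bytes)."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def assess_flow(line: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, detail) pairs for one record; empty list means nothing to raise."""
    ts, src, dst, dport, _ = parse_flow(line)
    findings: List[Tuple[str, str]] = []

    # Identify: a source we have never inventoried is itself a finding.
    src_dev = INVENTORY.get(src)
    if src_dev is None:
        findings.append(("unknown-device", f"{src} is not in the inventory"))

    # Detect: outbound to a non-allow-listed external host, flagged harder during off-hours.
    if not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
        kind = "off-hours-external" if ts.hour in OFF_HOURS else "unapproved-external"
        findings.append((kind, f"{src} -> {dst}:{dport} at {ts:%H:%M}"))

    # Protect/Detect: business systems have no reason to reach clinical devices.
    dst_dev = INVENTORY.get(dst)
    if src_dev and dst_dev and src_dev["segment"] != dst_dev["segment"]:
        findings.append((
            "cross-segment",
            f"{src_dev['name']} ({src_dev['segment']}) -> {dst_dev['name']} ({dst_dev['segment']})",
        ))
    return findings


def run_checks(lines: List[str]) -> List[Tuple[str, Tuple[str, str]]]:
    """Run every record through assess_flow and keep the ones that produced findings."""
    return [(line, finding) for line in lines for finding in assess_flow(line)]


def finding_kinds(lines: List[str]) -> List[str]:
    """Just the finding kinds, in log order, which is handy for a quick summary or a test."""
    return [kind for _, (kind, _) in run_checks(lines)]


if __name__ == "__main__":
    for line, (kind, detail) in run_checks(LOG_LINES):
        print(f"[{kind}] {detail}")
```

Three of the five constructed records produce a finding: the 3 a.m. connection from the infusion pump to an unapproved external host, the billing server reaching into the clinical segment, and a source address that no one ever added to the inventory. The EKG cart's off-hours connection is deliberately silent because its destination is on the allow list; that allow list is the piece of this check that only exists once someone has done the Identify work the article is asking for.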

CISA’s guidance is clear: cyber hygiene isn’t optional. It’s the difference between life and death. Multi-factor authentication? Mandatory. Patching? Not a quarterly chore—it’s daily triage. And if your vendor says they ‘don’t support legacy systems anymore’? That’s not their problem. It’s yours.

I’ve seen hospitals spend $2 million on fancy AI threat-detection tools while ignoring the fact that their lab’s Windows XP machine still runs the blood analyzer. It’s not the AI they need. It’s discipline.

The Myth of the ‘Perimeter’—And the Lie We Tell Ourselves

We still talk about firewalls like they’re castle walls. They’re not. The perimeter is gone. It dissolved the moment we connected our infrastructure to the cloud.

The attacker doesn’t need to breach your network. They just need to breach your supply chain. A software update from a vendor you trusted? Compromised. A contractor who used the same password for their home router and your plant’s SCADA system? Compromised. A nurse who clicked ‘Yes’ on a phishing email disguised as a payroll update? Compromised.

Inglis called it the ‘invisible battlefield.’ And he’s right. There’s no smoke. No bombs. Just a silent, encrypted connection that turns off your lights, then your oxygen, then your hope.

The old model—build it, then secure it—is dead. We need to build it secure. From the start. Every new sensor. Every new valve controller. Every new app for patient records. It has to be designed with zero trust. With isolation. With the assumption that something will break.

And if you’re waiting for a regulation to force you to do it? You’re already behind.

The Real Enemy Isn’t Hackers—It’s Budget Cuts and Broken Promises

Let’s be honest. We know what to do. We’ve had the frameworks for a decade. The problem isn’t ignorance. It’s funding.

A rural hospital in Ohio? Their cybersecurity budget is $47,000 a year. Their annual IT budget? $1.2 million. That’s 3.9%. And that’s after they’ve paid for salaries, EHR licenses, and broken MRI magnets.

Meanwhile, the average ransomware demand? $1.5 million.

We’re asking small towns to defend critical infrastructure with pocket change. And then we wonder why they fail.

CISA offers free assessments. NIST gives away the framework. But if you don’t have a person to read it, or a budget to act on it, the documents just sit there. Collecting dust. Like the warning signs on the levee before the flood.

And here’s the ugly truth: when a hospital goes dark, when a water plant loses control, when a power grid flickers out—it’s not just an IT problem. It’s a public health emergency. A civil defense failure. And the people who pay the price? The ones who can’t afford to move. The elderly. The sick. The kids.

We’ve turned infrastructure into a commodity. And we’re treating it like a cost center.

It’s not. It’s the foundation.

What We Can Do—Before It’s Too Late

I’m not here to scare you. I’m here to shake you.

Here’s what you can do, right now:

  1. Demand an inventory. No more guessing. Know every device on your network. Even the ‘minor’ ones.
  2. Isolate critical systems. No more ‘convenient’ network sharing. If it controls oxygen, water, or power—it’s in its own airlock.
  3. Require zero trust. No device gets access unless it’s verified, patched, and monitored. Period.
  4. Train like your life depends on it. Because it does. Every employee. Every vendor. Every intern. Every janitor.
  5. Demand federal funding. Stop accepting ‘we don’t have the money.’ The federal government spends billions on defense. It’s time to spend it on defense of our homes.

Inglis warned us. The Dark Reading article called it the ‘invisible battlefield.’ CISA and NIST gave us the map.

Now we just have to follow it.

Or keep pretending the lights will stay on.

The Next Time Your Power Goes Out

Don’t blame the storm.

Blame the person who said, ‘We’ll fix it next quarter.’

Because next quarter might be too late.
