Most hospital cyber response plans are written for a 72-hour window. Real incidents last weeks. Lake Ridge Health's CISO explains why closing that gap starts not with better technology, but with better leadership.

When a cyber incident hits a hospital, it does not behave like a software outage. Systems that clinical teams depend on go offline. Paper-based workflows activate. Dialysis schedules, oncology treatments, and diagnostic imaging all become manual processes. And the decisions that determine whether patient care is protected or compromised are not made by IT staff. They are made by executives, clinical directors, and board members.

Michael Cole, Chief Information Security Officer at Lake Ridge Health, has spent the last several years designing simulations that force that reality into the room before an incident does. Ahead of the Healthcare Innovation Showcase 2026, he spoke with PSN about what those exercises reveal, what most organizations are still getting wrong, and why the most dangerous assumption in healthcare cybersecurity is that a 72-hour response plan is enough.

Building Leadership Muscle Memory, Not Just Technical Plans

Most organizations treat cyber simulations as a validation exercise: run the scenario, confirm the playbook works, move on. Cole takes a different view.

"We're not really just testing our IT systems. We're testing leadership behaviour when systems are unavailable and information is incomplete."

At Lake Ridge Health, simulations are designed around the leadership behaviours that determine whether recovery accelerates or stalls: clear escalation paths, structured communication, and disciplined decision-making across clinical, administrative, and executive teams. Recent tabletop exercises have focused on domains including communications, staffing, patient care, finance, supply chain, and legal, with clinical areas such as emergency dialysis, laboratory diagnostics, and oncology receiving dedicated attention.

The objective, Cole says, is to reinforce the full life cycle of a cyber response: protect, detect, identify, respond, and recover. And to make those behaviours automatic before a real event demands them.

Where Incident Response Plans Break Down

When asked where response plans most often fail under pressure, Cole is direct. The breakdowns are not primarily technical.

"Earliest breakdowns occur in authority, clarity, communication, decision coordination. When leadership response structure is clear and aligned, recovery accelerates significantly. When it's not, operational and clinical disruptions extend and recovery slows down."

To address this, Lake Ridge runs three separate tabletop exercises targeting three distinct groups: one focused on the IT team and technical response, a second for clinical and administrative directors, and a third for health system executives. Each exercise generates different insights and surfaces different gaps, allowing the organization to build on its strengths while addressing weaknesses at every level of the leadership structure.

Cyber Events Are Clinical Events

The reframe that runs through Cole's approach is a straightforward but consequential one: a cyber incident at a hospital is not an IT disruption. It is a patient care event.

Decisions about whether to divert patients, delay treatments, or revert to paper-based workflows in areas like dialysis and oncology directly affect clinical outcomes. Lake Ridge has responded to that reality by repositioning cybersecurity as a clinical continuity and organizational continuity responsibility, not a technology function.

"Our organization has reframed cybersecurity from an IT issue to a clinical continuity and organizational continuity responsibility. Decisions are grounded in patient safety, not just system recovery."

This reframe also shapes how simulations are run. Lake Ridge deliberately creates uncertainty within exercises, including, in some cases, running them without advance notice so that participants arrive to find their email and digital systems already unavailable. If downtime procedures were stored in a SharePoint file, they are no longer accessible. The scenario forces leaders to operate in conditions that mirror a real incident, not a rehearsed one.

The Most Underestimated Risk: Endurance

Asked what lesson most healthcare organizations still underestimate when preparing for a cyber incident, Cole's answer is immediate.

"Endurance. So many hospital response plans are based on 24 to 72 hours, maybe a week. These take weeks. The ancillary areas you need to focus on from financial and legal can well go into the six to eight-week window."

The human dimension of that timeline is significant. After the first 24 hours, intensity peaks. After several days, fatigue sets in. After weeks, it is not just leadership that is being tested, but the resilience of frontline clinical staff who are sustaining manual workflows across an entire organization.

Cole is clear that this is not a reason for alarm, but for preparation. Simulation builds that endurance before the event occurs. The goal is not to rehearse worst-case scenarios, but to develop the institutional capacity to sustain leadership, protect patient care, and maintain operations across a prolonged disruption.

From Tabletop to Boardroom

Once a simulation ends, the findings need to travel upward. Cole describes translating tabletop insights into enterprise risk language that boards and executives can govern alongside clinical quality and financial stewardship. Clinical impact, financial exposure, legal implications, reputational risk, staff communication: all of it maps to a risk mitigation framework that makes cybersecurity legible at the governance level.

"It really shifts cyber internally at Lake Ridge from being viewed as a tech issue to being understood as a core organizational risk."

As healthcare systems become more digitally integrated and AI-enabled, that shift from reactive defence to proactive preparedness is not optional. The attack surface is expanding. The incidents are lasting longer. And the decisions that matter most are being made by leaders who may never have been trained to make them under pressure.

Michael Cole will be speaking at the Healthcare Innovation Showcase 2026, taking place April 28-29 in Toronto as part of Health Innovation Week. His session sits within the AI Cybersecurity, Strategy, Risk and Governance track, which brings together CISOs, CROs, risk executives, and healthcare leaders to examine how organizations can build resilience and governance into every layer of digital transformation.

Health Innovation Week 2026 takes place April 28-29 in Toronto. Learn more at https://publicsectornetwork.com/events/healthcare-innovation-week/