Repurposing DR Infrastructure for Cyber Recovery
Christian Lindmark, CTO of Stanford Healthcare, presents a pragmatic approach to building isolated recovery environments without requesting significant new capital. Rather than maintaining separate infrastructure for disaster recovery and cyber recovery, he proposes splitting existing DR environments into dual personalities. The concept involves maintaining the traditional DR environment for active-active replication and storage replication, while carving out a minimal pilot-light environment—a three-node cluster with modest storage—that serves as a cyber recovery zone. This approach acknowledges that in most cyber attacks involving domain-admin compromise, the DR environment is likely already untrusted because it shares IP space with production. The strategy prioritizes slow design thinking upfront, which doesn't require physical assets, followed by rapid capacity expansion when needed. During a physical disaster, the borrowed cyber recovery resources can be rolled back to DR with an acceptable delay in failover time. During a cyber event, infrastructure teams can use the 12-24 hour incident response window to factory-reset equipment and add capacity to the isolated environment.
Security Distance Over Geographic Distance
The discussion challenges traditional DR thinking by emphasizing that logical security distance matters more than geographic distance in cyber attacks. Lindmark notes that healthcare organizations have accumulated multiple copies of the same data—production storage, immutable backups, DR replication, DR backups, and air-gapped copies—all designed around historical physical disaster scenarios. This redundancy becomes less relevant when the threat is cyber compromise rather than physical destruction. The conversation addresses the complexity of different data types, particularly in healthcare where imaging data typically lacks backups due to file size, making DR the de facto backup. The key insight is that organizations don't need a full DR site for cyber recovery—only the minimum set of 20-40 critical applications required to maintain patient care. This reframing allows organizations to right-size their cyber recovery investments while maintaining appropriate protection for physical disaster scenarios.
Iterative Testing Over Exhaustive Planning
Both speakers advocate for moving away from lengthy business impact analyses (BIAs) and consulting projects toward practical, iterative testing. Lindmark emphasizes that most healthcare organizations already have application-tier data from existing DR planning, eliminating the need for comprehensive new BIAs. The focus should shift to actually testing recovery processes rather than documenting theoretical plans. A critical advantage of isolated recovery environments is the ability to run drills during business hours without impacting production, removing the traditional burden of nights-and-weekends testing that plagued earlier DR practices. The conversation highlights the fog-of-war problem in cyber events—it typically takes 1-2 days just to determine the full blast radius of an attack, making predetermined recovery timelines unrealistic. By running automated Monte Carlo scenarios in the isolated environment, organizations can test various attack vectors and discover hidden dependencies before a real incident occurs. The philosophy is that every DR test reveals unexpected issues, and cyber recovery should follow the same learning-by-doing approach rather than waiting for the first real attack to expose gaps.