John Riggi, the first national advisor for cybersecurity and risk for the American Hospital Association, has been tracking cyber threats to the AHA’s more than 5,000 members, and helping many of them deal with mission-critical tasks such as ransomware recovery and response, for the past five years.
Before that, he spent nearly 30 years investigating and disrupting other criminal and national security threats at the FBI and CIA.
Riggi – who’s scheduled to deliver the opening keynote on September 7 at the HIMSS Healthcare Cybersecurity Forum – says he’s been concerned recently about a “dramatic increase” in attacks on hospitals and health systems.
“They’re primarily taking two forms,” said Riggi. First, healthcare organizations are facing intensifying risk from “large data theft attacks from foreign-based criminal organizations and adversarial nation state spies that want to steal patient information and medical research for their own purposes.”
But the attacks that have him most concerned, which “seen a very dramatic increase,” he said, are those high-impact ransomware attacks which shut down hospital computer networks and deny clinicians access to very much needed patient information,” said Riggi.
“We have seen, unfortunately, over and over again that these attacks disrupt and delay healthcare delivery, ultimately posing a very serious risk to patient safety, especially when we have these urgent cases of stroke and trauma and heart attack and ambulances carrying those patients have to be diverted.”
Cyber investments catching up
The good news? After years of underfunding and foot-dragging, hospital boards have finally seemed to recognize the risks – financial, reputational and, critically, to patient safety – of these attacks. And they’ve begun to spend on security at a level commensurate with the threat.
“It’s become crystal clear to hospital leaders in the boards, at least the ones that I speak to, that cyber risk is truly an enterprise risk issue,” said Riggi. “It impacts every function in the organization. But most importantly, it is a risk to patient safety.
“The threat vector has increased pretty significantly.”
John Riggi, American Hospital Association
“Every CEO I speak to ranks cyber risk as their number one or two risk issues,” he said. “And they are absolutely trying to bolster their defenses by adding more cyber budget, trying to add more technology, and really trying to mature their cybersecurity programs overall.”
Workforce shortages, AI threats
But there’s some bad news, too. There are some challenging workforce factors that are hamstringing hospitals’ ability to properly staff up to manage cyber risk. And the attacks are getting more sophisticated by the day – especially with the help of fast-evolving artificial intelligence.
“There is a dramatic shortage of trained cybersecurity professionals and unfortunately, we’re all competing for that same limited pool across all private sectors in the government,” said Riggi “The AHA is working with all our partners, including HIMSS and the federal government, to try to come up with some very unique creative solutions to try to fill that gap, that shortage of cyber professionals.”
Hospitals are thinking creatively about the challenge.
“Some of the things we’ve talked about include increased training for in-house personnel,” he said. “Can we train folks that we already have on board to be cybersecurity professionals? Maybe it’s an IT person or somebody who has a technology interest.”
More programmatically, there’s potential in national programs that “could help retrain veterans, for example, or education incentives for universities to develop cybersecurity and then possibly loan repayment programs for those who study in cybersecurity.”
One idea Riggi said he’d like to see explored is to set up a program where “those who volunteer to serve out in a rural hospital, maybe we forgive their student loans after serving for at least three years, somewhat like we do with military folks and others in critical roles and occupations.” Because stakes are high, and in the current threat environment hospitals need all hands on deck.
AI can be a very useful tool for incident detection and response and other cyber imperatives – but the bad guys are getting pretty good at using it too.
“Artificial intelligence has created what I believe is the beginning of an AI-fueled cyber arms race,” said Riggi. “So we have the bad guys using AI to develop highly complex malware which can quickly identify vulnerabilities and penetrate networks. They’re using malware to develop highly convincing phishing emails that may contain malicious links or attachments and may be accompanied by a deep fake audio or video of somebody they trust.
“But at the same time, the good guys, the cyber defenders, the network defenders, and the governments of our allied nations are using AI to detect these advanced threats and to put in place controls to help try to block those threats,” he added. “So there’s massive investment and focus on offensive and defensive use of AI right now – by the good guys and the bad guys.”
No question, “the threat vector has increased pretty significantly,” said Riggi, who said the AHA is working intently to help boards and the senior leadership understand the impact of cyber threats.
“Quite frankly, we on the technical side often don’t do a very good job translating how digital risk translates into strategic risk and enterprise risk for the organization – and ultimately how that vulnerability translates into patient safety risk, financial risk, legal and regulatory risk and reputational harm as well.”
It’s also working with agencies across the government to build out and strengthen the response capabilities to meet the scope of the threat.
“We have policy commitments and action across the federal government to view cyber threats as threats to national security, as threats to public health and safety,” said Riggi. “And I can tell you personally, from my experience in dealing with the leadership of the FBI, CISA, HHS, the White House, everyone is committed to sharing information across the government and with the private sector.”
The government now treats cyberattacks, “which broadly threaten public health and safety,” as a terrorist attack, he said. We at the AHA have publicly advocated for that policy for a number of years. Based on my background – quite a bit of it was counterterrorism – I see lots of parallels here between the current cyber threat environment and the terrorism problem that we dealt with.”
High-impact ransomware attacks are not just “economic crimes or white collar crimes or victimless crimes, they are truly threat-to-life crimes,” said Riggi.
“When these attacks disrupt and delay healthcare delivery, especially in urgent cases, lives are threatened – not just the patients in the hospital, but public health and safety is also threatened. These attacks also place at risk the entire community, which depends upon the availability of the emergency department and the hospital to be there for them.”
Riggi’s opening keynote, “The Global Cyber Threat Landscape: Healthcare Risk, Impact and Response,” is scheduled for 8:40 a.m. on Thursday Sept. 7, at the HIMSS Healthcare Cybersecurity Forum in Boston.
Mike Miliard is executive editor of Healthcare IT News
Email the writer: [email protected]
Healthcare IT News is a HIMSS publication.
