For the past 5 years, John Riggi, the American Hospital Association’s first National Counselor for Cybersecurity and Risk, has tracked cyber threats to more than 5,000 AHA members, many of whom are engaged in mission-critical tasks such as ransomware recovery and response, and has helped them cope.
Prior to that, he spent nearly 30 years at the FBI and CIA investigating and thwarting other crimes and national security threats.
Riggi, who is scheduled to deliver the opening keynote address at the HIMSS Healthcare Cybersecurity Forum on September 7, said he is concerned about the recent “exponential increase” in attacks on hospitals and health care systems.
“They come in two main forms,” Riggi said. First, healthcare organizations face increased risk from “massive data theft attacks by foreign-based criminal gangs and spies from hostile nations seeking to steal patient information and medical research for their own purposes.”
But the attacks he is most concerned about, and in which “we’re seeing a very dramatic increase,” he said, are those that shut down hospital computer networks and prevent clinicians from accessing much-needed patient information: high-impact ransomware attacks.
“Unfortunately, we have seen time and time again that these attacks disrupt and delay healthcare delivery and ultimately pose very serious risks to patient safety, particularly in stroke, trauma and cardiac Especially if there are emergency cases, such as seizures, and the ambulances transporting those patients are in an emergency situation.”
Cyber investment catches up
Good news? After years of underfunding and back-and-forth, hospital boards appear to have finally recognized the financial, reputational and, importantly, patient safety risks of such attacks. And they’re starting to spend on security at a level commensurate with the threat.
“It’s become very clear to hospital board leaders, at least those I’ve been listening to, that cyber risk is truly a corporate risk issue,” Riggi said. “It impacts every function within an organization, but most importantly the risk to patient safety.
“The threat vector has increased significantly.”
John Riggi, American Hospital Association
“Every CEO I talk to ranks cyber risk as the number one or two risk issue,” he said. “And they are looking to strengthen their defenses by adding cyber budgets, adding technology, and maturing their overall cybersecurity programs.”
Labor shortage, AI threat
But there’s also some bad news. There are several challenging workforce factors that are hampering the ability of hospitals to adequately staff to manage cyber risk. And attacks are becoming more sophisticated by the day, especially with the help of rapidly evolving artificial intelligence.
“There is a dramatic shortage of trained cybersecurity professionals, and unfortunately, we are competing for the same limited talent across all private sectors within government,” Riggi said. “The AHA is working with all of our partners, including HIMSS and the federal government, to try to come up with some very unique and creative solutions to fill that gap, that shortage of cyber professionals.”
Hospitals are thinking creatively about this challenge.
“Among the things we discussed was increased training for internal personnel,” he said. “Can we train people who are already in the company to be cybersecurity experts? Maybe it’s an IT guy or someone who’s interested in technology.”
More programmatically, national programs include “for example, educational incentives for universities to retrain veterans, develop cybersecurity, and in some cases loan repayment programs for cybersecurity students. There is a possibility that it may be useful for
One idea that Riggi said he would like us to consider is, “For those who serve as volunteers in rural hospitals, we might waive student loans after serving at least three years. The idea is to launch a program that says, “It’s the same as what we do.” People in important roles and professions and others.” Because the stakes are high and the current threat environment requires hospitals to pull together.
AI can be a very useful tool for incident detection and response and other cyber imperatives, but bad actors are also getting better at using it.
“I believe that artificial intelligence is the beginning of an AI-powered cyber arms race,” Riggi said. “That is why bad guys are using AI to quickly identify vulnerabilities and develop highly complex malware that can infiltrate networks. We are developing highly convincing phishing emails that may include deepfake audio and may be accompanied by a video of someone you can trust.
“But at the same time, the good guys, cyber defenders, network defenders, and allied governments are using AI to detect these advanced threats and put controls in place to stop them,” he added. “That is why there is now a massive investment and focus on the offensive and defensive use of AI by the good guys and the bad guys.”
“There is no question that the threat vectors have increased significantly,” Riggi said, adding that the AHA is working diligently to help boards and senior executives understand the impact of cyber threats.
“Frankly, we on the technology side need to understand how digital risk translates into strategic risk and enterprise risk for the organization, and ultimately how that vulnerability translates into patient safety risk, financial risks and how they translate into legal regulations are often poorly understood, as well as risks and reputational damage.”
The AHA is also working with agencies across government to build and strengthen response capabilities to address a range of threats.
“We are taking action across the federal government with a policy that views cyber threats as threats to national security, threats to public health and safety,” said Riggi. “From my experience working with leaders at the FBI, CISA, HHS, and the White House, I can tell you that everyone is committed to sharing information across government and the private sector.”
He said the government is now treating cyberattacks that “broadly threaten public health and safety” as terrorist attacks. “We at the AHA have been publicly advocating for that policy for many years. Based on my background, a good portion of it was counter-terrorism. I think there are many similarities between the current cyber threat environment and the terrorism issues we have addressed.”
High-impact ransomware attacks are “not just economic crimes, white-collar crimes, or victimless crimes, but truly life-threatening crimes,” Riggi said.
“These attacks are life-threatening as they disrupt and delay health care delivery, especially in emergencies. They threaten not only patients in hospitals, but public health and safety, endanger entire communities that depend on society. Whether emergency departments and hospitals can accommodate them.”
Riggi’s opening keynote, “The Global Cyber Threat Landscape: Healthcare Risks, Impact, and Response,” will be held on Thursday, September 7, at 8:40 a.m. at the HIMSS Healthcare Cybersecurity Forum in Boston.
Mike Miliard is Editor in Chief of Healthcare IT News
Email the author: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.