In this episode, John Riggi, AHA’s national advisor for cybersecurity and risk, is joined by Carter Groome, chief executive officer at First Health Advisory, an AHA Preferred Cybersecurity and Risk Provider. Their discussion will focus on the growing cyberthreats facing health care and why trusted partnerships matter. They discuss aligning cybersecurity with business priorities, building resilience through cross-functional strategies, and moving from risk identification to sustainable security while keeping patient care at the center.
Where Cyber Strategy Meets Execution: From Problems to Progress
First Health Advisory
Carter Groome is the CEO of First Health Advisory.
John Riggi (Host): Hello, everyone, and thanks for joining today. I'm John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association.
Today's topic is "Where Cyber Strategy Meets Execution: From Problems to Progress." Before we get into that with my good friend Carter Groome from First Health Advisory, I'd like to chat a little bit about the current cybersecurity threat landscape, first from the tactical side and tactical impact, up to the strategic side, which is impacting cyber risk for hospitals and health systems across the country.
At this point, and according to the HHS Office for Civil Rights, we as a healthcare sector have experienced approximately 350 reportable breaches of protected health information impacting about 34 million Americans. That's a significant drop from last year's record-breaking 258 million Americans, who were impacted primarily by the Change Healthcare breach. Now, I know the year's not over yet, and I'm quite frankly shocked that we are somewhat relieved to say that only 34 million Americans have had their protected health information compromised this year. We'll see what happens.
Also, at this time, we're watching very closely a significant vulnerability in Oracle enterprise software, which apparently, according to published reports, is being actively exploited by Russian ransomware groups. If that is the case, fortunately, what we are seeing at this point is only data extortion, not encryption-type ransomware attacks. Speaking of Russian ransomware groups, they continue to be the primary perpetrators of the most significant encryption ransomware attacks targeting hospitals and health systems.
We've also seen this year that social engineering attacks continue to be one of the primary methodologies used to get into our systems. Unpatched known vulnerabilities, very significant as well. Third party risk continues to be a major source of risk for hospitals and health systems.
And folks, that's not just my opinion. When we look at the data from OCR, the vast majority of reported breaches of protected health information originate from third parties, business associates, and non-hospital healthcare providers. On the strategic side, we face many, many strategic risks in terms of financial risk to hospitals and health systems. For instance, the One Big Beautiful Bill will reportedly cut Medicaid funding by close to one trillion dollars over 10 years, straining hospital and health system budgets.
We face continued regulatory and legislative threats as well. Again, hospitals are under tremendous pressure, which ultimately will affect cybersecurity budgets. Geopolitics continues to play a role in the cyber risk we are facing in the healthcare sector. Increasing tensions with Russia, China, and Iran are contributing to the significant cyber risk that we are facing, as the vast majority of our cyber adversaries originate from those countries.
So, let's get right into it. Again, I'm joined by my good friend and colleague, Carter Groome. He's the Chief Executive Officer at First Health Advisory. First Health Advisory is recognized as an American Hospital Association Preferred Cybersecurity and Risk provider. Carter, thanks for joining us today.
Carter Groome: John, thank you so much. Good to be here.
Host: Carter, let's start and perhaps add to the big picture that I've talked about here a bit. Cyber attacks, especially ransomware, are no longer just an IT issue. They're being called threat-to-life crimes, and we've been advocating that position for years here at the AHA, because they disrupt care and ripple across entire communities. Can you help us understand how today's cyber attacks, especially ransomware, are impacting patient safety, hospital operations, and even posing a risk to entire communities?
Carter Groome: Yeah, sure. And just listening to your opening, John, it's just staggering, the numbers that we see here and the pressure that just continues to be put upon the ecosystem of health and care. I tell you, it's hard to be optimistic with all the things that you just opened with. And yes, unfortunately, I absolutely agree that these are threat-to-life crimes that we're talking about. There's real impact here; it's been studied, it's been documented, it's just awful. Yet bad actors keep coming back to healthcare for quick financial gain or to harvest information for future extortion, and the really sickening side effect that our adversaries just don't care about is the collateral damage: that's the harm to the patient, the harm to the health consumer, the impact on the communities that may not have any other place to go for, let's say, an urgent cardiac cath or a critical scan if you're a stroke victim. Operations being disrupted due to these cyber attacks, these are the obvious things that create patient safety issues, but there's so much more, John, to be concerned about here when hospitals have what we call a bad day. And believe me, it's happening every day in the health system.
And when ransomware hits an organization, regardless of how well they've planned, how many drills they've done, the mock downtimes that they've been through, it's still a scramble to find out what your exposure is or how pervasive the attacker's foothold is. And really, in those times, out of caution, you want to take down a lot of functions. That might be your network. It might be your electronic health record, it might be your PACS system, your wireless access, even things like label printers, you name it. And so the risk is just massive when you take out lab, imaging, blood bank, even your ability to compound in the pharmacy. When that doesn't exist, the environment of care becomes extremely risky, and it even becomes more crowded. You've got runners running around doing things. You've got extra caregivers trying to take care of your patients. And fatigue even becomes a factor too.
So, this is where health leaders have to start to then consider diversion and that just ratchets up the risk even more, John. So absolutely, in healthcare, when the business stops, lives might be lost. And the communities that are served there by those health systems, they're paying the price. We've got to do more, John.
Host: Couldn't agree with you more, Carter. And you raised a couple of good points. Part of the increasing risk and impact to hospitals and health systems as a result of a ransomware attack really is because of our increasing dependency on network- and internet-connected technology. So if we have to shut down our network to prevent that encryption ransomware from spreading, and disconnect from the internet, that's massive impact, really in a way that most hospitals and health systems still don't understand: their dependency on network- and internet-connected technology and data, and the cascading effects, until it happens. It's like when the electricity goes out, you don't realize, "Oh my goodness, I'm depending on this for so much." You never give it a second thought until it's not there.
So, before we dive into some additional commentary and thoughts on the threat landscape and your perspective on the solutions, let's roll back just a little bit here and start with your journey. Carter, what inspired you to found First Health Advisory? And how has your experience shaped the way you support hospitals and health systems today? For our AHA members, can you briefly introduce First Health Advisory, its mission, and how it evolved to meet the cybersecurity needs of healthcare organizations?
Carter Groome: First off, my parents, John, were clinicians. It was kind of in my DNA. And I didn't really feel pressure to center a career around healthcare, but serendipity brought me to the IT side of healthcare very early on, and I became an electronic health record guy. This was pre-Meaningful Use days. I was with Shared Medical Systems. That was the dominant player in the '80s and the '90s, and I spent time in large health systems. I went into consulting. And in those days in IT, your role wasn't so specialized. And so you got exposure to every department, acute, ancillary, you name it. And you started to understand how technology supported operations and clinical workflows throughout, how it ultimately supported care.
And so, those were the roots of First Health Advisory, now over 20 years ago, where we were optimizing electronic health records in those acute settings, those ambulatory settings. We understood revenue cycle. And through that time, long before we were talking about ransomware, I was consuming as much on cyber as I could. And I understood healthcare was vulnerable. And we got involved in one project for a client around medical device security, and that was back in the days when you just walked around and inspected them physically and did inventories physically. And that became a practice, that then became a business unit, that became what First Health is today, our complete focus.
First Health retained those personnel from back when we were doing electronic health record work, who understood operational, clinical, and financial areas. And we could couple that with cyber and privacy risk management expertise to offer kind of a different partnership and understanding of our clients' business risk. So today, that cross-disciplinary expertise makes a real difference when we talk about impact to patient safety, continuity of operations, and just understanding how cybersecurity aligns with the business priorities of the health entities that we partner with. And that's really from strategy to execution. Our goal is to support our partners to reveal risk. That's the strategy, in how you do that. But maybe even more importantly, how you actually reduce risk and become more resilient. That's the execution part. We're the doers that come in and build, support, and expand the programs to cover the gaps that maybe you know you have, but you just don't have the resources to do it.
And I would say that's really the other unique attribute of First Health, John. There was a lot of investment on our part to build a cyber-focused services firm with the talent to augment these teams in North America, not just a virtual CISO, which we have really talented ones of, but the experienced boots-on-the-ground personnel that don't cost $500 an hour for someone that just got off the school bus. That's the difference at First Health Advisory.
Host: And it's really an important distinction. Carter, I've had the pleasure and privilege to know you for a number of years, where you and I were volunteering in our very, very limited time to help develop best practices and standards, voluntary standards, for the healthcare sector, trying to help improve the cybersecurity posture of the whole sector. Because you and I are aligned. This is a mission. It's a business, but it's a mission as well.
And I think the other aspect to First Health, and what we look for in our firms, is that focus on healthcare, and hospitals specifically. You're not working for a retailer one day and then coming in and working for a hospital the next day. You and your team are dedicated. First, there are very few firms, cyber firms, that have been around for 20 years, and even far fewer that are devoted strictly to healthcare and hospitals and health systems.
So when we talk about our partnership, obviously we're very pleased and proud to have recently named First Health Advisory as an AHA Preferred Cybersecurity and Risk Provider. What does this recognition mean to you and your team, and why is it really especially important for hospitals and health systems right now?
Carter Groome: Number one, John, I want to thank you. I want to thank the AHA team, I mean, Scott Gee... you've been fantastic to work with, even in getting to the starting line of this partnership. The level of vetting that AHA puts into our team to validate industry trust and our services capability, it's quite comprehensive, as it should be.
And that alignment, it just feels natural to us at First Health with AHA. And we're proud to be seen as an organization that has a level of dedication to healthcare and deep cybersecurity expertise to really warrant that recognition from AHA. And it goes without saying, but AHA's voice matters. John, your guidance makes a difference in this industry. And so, that alignment that we have together ultimately provides AHA members with better counsel, better support, again, from strategy to execution.
And I'll say that 10 years ago, there was really little in the amount of education, awareness, and overall advocacy for cyber health matters: how risk is revealed, how risk is mitigated, how movement on the regulatory and policy side that you talked about earlier influences decisions, et cetera, et cetera, by and large. That's changed within the technical community for good. That level of cyber fluency has improved. Yet together, First Health and AHA, I believe we can continue that uptick in fluency beyond the technical crowd to the executive suite, even the board level.
For me, and you know this as well, John, you've been out there, that is absolutely critical. It sets the tone for the organization. And I can tell you that more broad understanding and proficiency at those levels makes a difference in the security, privacy, and resilience posture of any healthcare organization.
Host: I totally agree, Carter, and thank you for the kind words. And that's true on the vetting. Yes, it's a bit difficult, but challenging. Again, we like to say that our preferred providers are part of an elite team. And as well as I have known you, when we started this journey, I still handed you a very lengthy application, and that went through the vetting. And for folks who don't know me, I spent almost 30 years at the FBI. So it was thorough vetting, and Scott was 23 years at the Secret Service. So we are taking a very objective, investigative view of the qualifications of our firms.
I really like the phrase you used in terms of cyber fluency and elevating the conversation beyond the technical and tactical level, so that the non-technical leadership can understand the risk, understand their own organization's cyber posture, and then really make those hard leadership decisions to allocate resources, human, financial, and technical, to try to help mitigate the risk. Because ultimately, it is a patient care and safety issue.
So, Carter, how does First Health Advisory's partnership and approach, through programs like CORE, C-O-R-E, and data privacy governance, equip hospitals and health systems with the right expertise and support needed to move beyond risk identification, build that long-term resilience, and stay focused on safe patient care?
Carter Groome: For me, the big takeaway is that this partnership, John, is designed to help solve cybersecurity problems. And the major challenge in the healthcare sector is expertise: expertise that's flexible and understands those budget constraints that you talked about earlier, that all health systems are facing right now.
First Health is built for action. Yes, we assist many entities that need strategic guidance. They want to know where their gaps are. They want to know how to build or advance their program. Yet, on the other hand, we have the resources to take action where an organization may know what they need to do, they just don't have the talent to do it.
And so, our CORE program, the privacy work, the rigor we put into risk assessment, medical device program building, management, and security, third-party risk, continuity work, all things that we do really well, all those things may be at any stage in our clients' lifecycle. We can assist or jump in at any point. And so, getting beyond the strategy and revealing or understanding the risk is much different than actually knocking out or reducing cyber risk. And that includes maintaining safe patient care and just becoming more resilient as an enterprise. We do all of that.
Host: Thanks, Carter. And totally agreed. Again, a very, very unique capability that you bring to the fight, as I always say. So, looking ahead, what impact do you hope that this partnership-- and I've got to say this is not just a partnership; this is a partnership that, as I would say in my old days, is a force multiplier. Combined, I think we're going to have a tremendous effect. So, what impact do you hope this partnership between AHA and First Health Advisory will have on hospitals, clinicians, and patients, especially as these cyber threats continue to evolve in complexity, severity, and frequency?
Carter Groome: Both of us have spent time speaking all over the world on this topic, educating policymakers here in DC, bringing awareness to really anyone that will listen-- boards, clinicians, other cyber practitioners in government and commercial domains. That mission, it never fades.
And I'm confident that this partnership gives us increased power to amplify and advocate for those that may not have as strong of a collective voice. Now, that's impact to me. And if we're able to do that, that collective impact on patient safety, operational resilience, and even national security will be felt and that influence will carry others and give them confidence to share the message that we're bringing to the sector. That's my hope for this partnership.
Host: It's my hope as well, Carter. I mean, our collective combined expertise, our collective knowledge, our collective voices will add to the collective defense of hospitals, patients, communities, and the nation. We're all facing the same adversary. So Carter, thank you for joining the podcast and sharing your takeaways with the AHA members.
For our listeners, if you would like to learn more about AHA cybersecurity and risk programs, please visit aha.org/cybersecurity-risk. Also, special thanks to our frontline healthcare heroes for what you do every day to defend our networks, care for our patients, and serve our communities. This has been an AHA Preferred Cybersecurity and Risk Providers Bringing Value podcast, brought to you by the American Hospital Association. Stay safe, everyone.