In this episode, John Riggi, national advisor for cybersecurity and risk with the AHA, is joined by Laura Kreofsky, program director, rural health resiliency at Microsoft. Join us as we discuss a year of collaboration and transformation uncovering the invaluable lessons that are revolutionizing rural health care, and learn more on how cutting-edge AI is not only streamlining operations and enhancing patient outcomes but also tackling the critical cybersecurity challenges that uniquely impact rural providers.
Cyber Strong, AI Ready: One Year of Progress in Rural Hospital Resilience
Microsoft
Laura Kreofsky is a recognized leader in healthcare strategy and technology to accelerate digital transformation and social impact.
John Riggi (Host): Hello, everyone, and thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association. Today's topic is Cyber Strong, AI-Ready: One Year of Progress in Rural Hospitals.
Today, the healthcare threat landscape continues at a very accelerated pace, targeting hospitals and health systems and other components of the US critical infrastructure. Although we don't have the Change Healthcare Breach to deal with this year, ransomware attacks against hospitals and health systems continue at a very sustained pace, often resulting in the disruption and delay to healthcare delivery, risking patient safety and community safety, especially in our rural areas where the increase in distances also results in increased risk as patients in ambulances are diverted to alternate care sites, which might be much further away in rural areas.
So today, I'm really pleased to be joined by Laura Kreofsky from Microsoft, one of our best, most impactful partners in helping reduce cyber risk in US healthcare, but particularly in our rural areas. Today, we'll discuss how we will prioritize strengthening security programs to reduce risk, to help protect patient trust and ensure operational resilience in the face of all these increased threats.
Today, we'll also discuss how AI is being deployed to streamline operations and improve patient outcomes, while also addressing the persistent cybersecurity vulnerabilities that disproportionately affect rural providers, from outdated infrastructure to limited IT staffing. Again, I'm joined today by Laura Kreofsky. She's the Program Director for Rural Health Resiliency at Microsoft. And Microsoft is recognized as an American Hospital Association-preferred cybersecurity and risk provider. Laura, welcome to the podcast. Always a pleasure.
Laura Kreofsky, MBA: Yes. Thank you, John.
Host: So, let's just get right into this, Laura, if we could here. Let's start off the conversation today by learning more about your professional background, your expertise, and what experiences brought you to Microsoft.
Laura Kreofsky, MBA: Yeah. And thanks again for having me. It's always a delight to be at the AHA Leadership Event and any of your events, particularly this one, and Nashville's always a fun city. So, I've been in healthcare and healthcare IT my entire career, spanning 30 years, right? And it's been fascinating. Every time you turn the corner, there's a new challenge or a new opportunity. And I think we're seeing both right now in the landscape. We have the cybersecurity challenges, we have new opportunity and innovation.
Really, and as I look back at my career, there's been a through line of working in what I would consider the safety net or with lower resourced organizations. After I got my MHA and MBA, I did my first project at an FQHC in downtown Minneapolis. And then, I've worked all over the industry. I've worked in public health at State Department of Health and with critical access hospitals and back to FQHCs and have learned so much and have such a tremendous appreciation for hospitals and healthcare providers.
And about a year, a year and a half ago, really at the request of the AHA or the wisdom of the AHA and the White House, Microsoft came together with you and with the National Rural Health Association to launch this program around cybersecurity for rural hospitals. And I happen to have the great fortune of being asked to lead this initiative at the national level. And it's been fabulous. And I think we're just getting started.
Host: Thank you, Laura. You and Microsoft have been fantastic partners. And I often speak about how Microsoft answered the bell. We rang the bell, but you all came forward very quickly and developed really the perfect public-private solution to a very, very significant issue. Obviously, there was lots of discussions across government about the challenges being faced by rural hospitals on cybersecurity. Of course, our response is the lack of resources, what's the government doing? And the discussion turned to how Microsoft can help. And you all did come forward in a very, very big way, especially through your philanthropic services. And I just can't thank you all enough for helping secure our hospitals. But as I always say, it's not just about the hospitals as an organization, it's about the patients in the hospitals, but also these communities that depend on the availability of their nearest hospital in an emergency.
So given all that, Laura, as we've talked about, hospitals and health systems face many challenges. Among them are the cyber attacks and the physical threats, unfortunately, that our AHA members take very seriously. Can you give us an overview of what progress has been made in the past year to strengthen cybersecurity across rural hospitals?
Laura Kreofsky, MBA: Yeah. And I think starting from the big picture and sort of honing in and what Microsoft and Microsoft and AHA have done together, I think, will help give sort of the sense of breadth and depth. I think the last couple of years, we've just seen an increased awareness across all sectors around the importance of cybersecurity, and particularly in healthcare. I also hear it a lot in the education sectors. But I think that's helped a lot and the work that the AHA does and other leading organizations do to bring visibility that I think has been sort of critically important.
And you touched upon this earlier in your opening comments around just the disproportionate risk of rural hospitals being hacked, and the numbers, like 70% of cybersecurity attacks happen to rural or smaller organizations just because they don't have the resources. So, I think the awareness is there. And certainly as you said, Microsoft, Microsoft philanthropies have really stepped up.
Now, I remember sitting here a year ago with you. We just launched the program. And we didn't know what to expect. We had some lofty targets. And now, looking back one year later, it's been an incredible journey. We have over 700 rural hospitals participating in the cybersecurity program.
Host: That's amazing. Now, there are 754 critical access hospitals, over about 2000 rural hospitals. What amazing progress in a year for a brand new program.
Laura Kreofsky, MBA: Yeah.
Host: Really congratulations to you and Microsoft for helping bring this to fruition.
Laura Kreofsky, MBA: Yeah. Well, thank you. And we've approached it from a couple of angles. One are the pro bono cybersecurity risk assessments that we've been doing. And really, talk a little bit more about the findings of that. But those were to really help organizations understand where they are and sort of meeting essential goals towards cybersecurity best practices, resiliency.
The other really important thing that we've done from a Microsoft philanthropy standpoint is made independent critical access hospitals and rural emergency hospitals eligible for Microsoft non-profit pricing for a wide swath of products. What that allows them to do is, one, save money, but two, very often, scale up the core cyber and security capabilities of their business product platform. In a way, that allows more built in security features, keeps the whole organization safer.
Host: Right. So folks, our listeners, if you're not aware of this non-profit pricing that's being offered for our rural hospitals folks, this isn't some fly-by-night, 10%, 20% up. This is up to approximately 75% off regular published rates. Real savings year after year. No expiration date. Folks in this environment, I would say our financial threat environment, especially passage with the latest One Big Beautiful Bill that will place really tremendous financial strain as AHA has publicly said, we need to find creative ways to reduce cost. And again, Microsoft with this program certainly will result in significant cost savings for those that qualify.
So, it's interesting also that you're doing these risk assessments. So, we are gathering a bit of intelligence, not only the business intelligence, but real threat intelligence, understanding where the vulnerabilities are that rural hospitals have. So based upon the data that you're collecting, can you share with our listeners what you found so far on the most common cybersecurity vulnerabilities that affect rural hospitals?
Laura Kreofsky, MBA: Yeah. Thank you. And the data has been fascinating, right? So as I said, we've done upwards of 400—I think 430 last time I looked—cyber risk assessments. And these are done by outside cybersecurity firms, right? So, this isn't Microsoft doing it. We've actually hired firms to do these assessments.
Host: And great firms, I've met them personally.
Laura Kreofsky, MBA: Yep. And they provide the results and sort of high level findings and recommendations and a roadmap to each of the organizations doing the assessment.
So as I mentioned, we actually anchored these assessments in the health and human services, essential cyber performance goals, right? And we did that because they are like future forward-looking, right? And kind of take a broad perspective on best practices. So, there's 10 of those essential goals. And what we found and how we frame this up is we actually said, "What's a passing score?" Right? So, roughly around for each of the 10 essential goals, there was four or five questions we got to. So, we talk about like email security example. That's one of the essential goals. There was three, four, maybe five questions around the organization's capabilities around email security. So, each of those subset of questions helped inform a goal. We said, "Okay, well, if you're around 80%, you're probably pretty solid in your security practices."
Host: Knowing nobody will ever achieve a hundred percent, no matter what, not even the federal government.
Laura Kreofsky, MBA: Right. So, somewhere 75-80% was a "passing score." Now, for those 10 essential cyber goals, in six of those 10 goal areas, less than 50% of rural hospitals had what we qualified as a passing score. And I think they've looked across all 10 of those goals. In only one scenario, which was multi-factor authentication, did we even get to the 70% of hospital threshold.
Host: Wow. Really significant. And folks that are listening, I'm not sure, you may or may not be aware, but the cybersecurity performance goals were actually developed by the AHA with the government, but with the field. We have experts from hospitals and health systems help us write those cybersecurity performance goals. Our mandate, and as we promulgated through the group, is, "Hey, how are we getting beat? There's great frameworks out there, but let's look at the threats. Let's look at the attacks. How are they succeeding? And what are the best mitigation practices?" And that's how we came up collectively with the cybersecurity performance goals is the anchor foundational, best cybersecurity practices. So, really valuable threat intelligence that you've been able to identify.
Laura Kreofsky, MBA: Yeah. And just one more thing on the goals. I think you nailed it when you said they were practical. They're pragmatic. Practitioners in the field can get their hands around it. So, again, we've done 430 of these assessments. And the areas that the collective respondents were the weakest in were strong encryption, separation of privileged and user accounts. And then, not surprisingly, vendor supplier cybersecurity requirements.
Host: Third party risk.
Laura Kreofsky, MBA: Third party risk. So, I put this in the context of rural health, right? So, the strong encryption, I was surprised to see that as low, but the technology is complex. The regulatory landscape and what's a recommendation versus a requirement. And that's a lot for a small organization with one or two IT people and somebody's probably wearing the compliance hat at the same time to work through. So when I put it through that lens, it's not as surprising. Separate user and privileged accounts, again, this is an environment where people wear a lot of hats, right? So as important that is, it's not surprising to see so many organizations score sort of below the watermark on that.
Host: And, you know, it's interesting. People think, "Well, encryption, isn't that required?" Well, it is required for the electronic health record. What happens, unfortunately, in any hospital is health information is scattered or dispersed throughout the network. It's on shared drive, it's on medical devices, it's on desktops and laptops. And ultimately, it's not that hospitals are negligent. It's the data is where it's needed to provide patient care, and that's job one for hospitals. Cybersecurity is very important. But we've got to make the data available to provide care, protected as best as we can as well. Network segmentation privileges sounds great. We can give great tools, Microsoft tools. But if they don't have the human resources, the technical capability to implement them, then it's not going to be effective.
Laura Kreofsky, MBA: Yeah. I think that we'll talk a little bit more about this. It's one of the biggest challenges we face, and just the resource and the talent shortage. And the last part the organization scored a lot below the watermark on is just that third party risk, right?
Host: Yeah, exactly.
Laura Kreofsky, MBA: And it's such a challenge across the industry. Again, I think more pronounced in lower resourced organizations and just--
Host: It is perhaps more reliant on third parties, because they don't have the internal resources.
Laura Kreofsky, MBA: Exactly.
Host: So, it's interesting. Again, third party risk, just this morning, I checked my favorite website, the Health and Human Services Office of Civil Rights Breach Portal. And I monitor it closely, and I'm always tallying figures. Often, I get the chance to provide it right back to the government and saying, "No, this is based on your data that we've come to this conclusion."
But once again, I think this is about the fourth year in a row, the vast majority of breaches affecting healthcare, 75% originate from third parties, business associate and non-hospital providers. Huge issue we're still struggling with.
So, let's get back to the rural health issues directly here. So, Microsoft, the AHA, and the National Rural Health Association, as we've been discussing, are working in partnership to combat cyber criminals, targeting rural hospitals. What have we learned about building digital resiliency in resource-constrained environments?
Laura Kreofsky, MBA: Well, I'll tell you, in the last year, year plus, we've learned a lot. And one of the things that I sort of knew intuitively, but really became more pronounced, is the importance of trust in these relationships. Working in partnership with the AHA and with the NRHA has been a tremendous benefit to Microsoft, because you bring those trusted relationships and that credibility. Because when anybody comes to you and says, "Hey, we're big tech and we wanna give you something for 75% off," you're like, "Yeah."
Host: With no strings attached.
Laura Kreofsky, MBA: With no strings attached. You're like, "Yeah." In fact, I had some CIOs and some executives said, "We're good." But this is legitimately a philanthropic motion, because Microsoft appreciates the vital role of critical infrastructure in communities. So, working in collaboration with your team has been really important. I mean, we've had all sorts of support from HRSA. We've had support from the State Offices of Rural Health. Everybody's helping get the word out, and I think that's really important. There's other good tech firm partners that are stepping up to see how else they can support rural health. So, those are all the good things.
I think the other thing—and John, we talk about this all the time—is that we're in this talent conundrum.
Host: Yes.
Laura Kreofsky, MBA: Right? And we are starting now to see a sort of a groundswell of education and certification opportunities for people moving into cyber roles, which is great. But we're in this last mile problem where it's, "No, you can't get experience until you have a job and you can't get a job until you have experience." So, I think that's been a real aha moment the last year, and I think something we're going to work to tackle as we move forward.
Host: I totally agree. It is a tremendous challenge. As I talked to my son's friends and so forth, they're very interested in cybersecurity, have studied it. But as you said, without the experience, they can't get the positions. So, we've got to figure this out from internally as well and to the sector. How do we provide opportunities for folks to gain experience, maybe under the supervision of some more experienced folks? Or do we start providing opportunities while they're in college, these co-op experiences or filling in as internships to gain some experience? So, they're able to help us as soon as they come out.
But it is a problem across all sectors, and we've suggested even retraining veterans and so forth, or folks that are existing within the rural hospitals that might have an interest and capability to be trained up in a sense for cybersecurity. And again, thank you again so much for the partnership.
When you said it was part of the philanthropic divisions of Microsoft and others are starting to come in, that's because of your leadership, you and Microsoft stepping forward. Demonstrating to the rest of the cybersecurity community how to be good corporate citizens, because it's ultimately within all our interests to help protect rural hospitals.
So Laura, before we wrap up, can you close our discussion by sharing some proactive steps rural hospital leaders should be doing right now to prepare for the next wave of cyber and AI challenges?
Laura Kreofsky, MBA: Yeah. I think there's a lot we can be doing and we are doing, right? So, you mentioned AI. And I'm glad you did that because no conversation is complete without AI. But seriously, there is such an interconnectedness between cyber and AI, right? And really, organizations need to start looking at that holistically.
I also think it's a great way to continue to make cyber attractive to the next generation workforce, is to build the skilling on the cyber as well as on the AI side, and it makes them even more valuable in those healthcare organizations. So, I think that's a big part of that.
I think what we talk about is kind of working in collaboration with the industry to bridge that last mile of experience is really important. More internships, apprenticeships, and just more collective getting those students into practical roles.
I'm excited about the Rural Health Transformation Fund. It's all pretty broad and it's still pretty nebulous, but they did specifically call out cybersecurity in that as an area of focus and opportunity. So, there's more we can do there. So, I do feel like this is always going to be a challenge. Cybersecurity is always, always going to be a challenge. But collectively, we're coming together. Microsoft has, as you said, been a catalyst in this. The AHA certainly is. I think we're now in a place, we're better positioned than we ever have been with a better and richer toolkit to support the work that hospitals and healthcare organizations need to do around cybersecurity.
Host: Absolutely agreed, really, Laura, on all points. AI is here. It will be absolutely integrated into every technology we use, all services we use, creating new areas to understand and protect. So, AI already has led to the improvement of patient outcomes for many, many patients, but has created additional risks. AI can also be used to defend against these new cyber risks. AI is being used by the bad guys to conduct more sophisticated and accelerated attacks.
So, we are at the very early stages of—I say in cyber terms—of an AI-fueled cyber arms race. But again, collectively, we can't just say, "This is a government's problem," it's our problem collectively. It's a whole of nation issue. Again, partnership with private sector and government to come together to develop solutions, like the more Microsoft Rural Hospital Program.
So Laura, thank you again for joining our podcast today. Always a pleasure and a privilege to be with you. And thank you again for sharing your takeaways with our AHA members. For our listeners, if you would like to learn more about Microsoft and AHA Cybersecurity programs, please visit aha.org/cybersecurity.
Also, special thanks to our frontline healthcare heroes for what you do every day to defend our networks, to care for our patients, and serve our communities. This has been an AHA Associates Bringing Value Podcast, brought to you by the American Hospital Association. Stay safe, everyone.
Laura Kreofsky, MBA: Thank you, John.