Come listen to John Riggi and Scott Gee, the American Hospital Association’s National Advisor and Deputy National Advisor for Cybersecurity and Risk, give their thoughts on what risk professionals need to know about cybersecurity and how risk professionals can help protect their organization before a cyber-attack occurs.
Cyber Risk: What Risk Professionals Need to Know

John Riggi | Scott Gee
John Riggi, having spent nearly 30 years as a highly decorated veteran of the FBI, serves as the first national advisor for cybersecurity and risk for the American Hospital Association and their 5000+ member hospitals. John leverages his distinctive experience at the FBI and CIA in the investigation and disruption of cyber threats, international organized crime and terrorist organizations to assist on related policy and advocacy issues. His trusted access to hospital leadership and government agencies enhances John’s national perspective and ability to provide uniquely informed risk advisory services.
John’s national perspective is further informed by his direct role in assisting ransomware victim hospitals and health systems. On behalf of the AHA, John was a leading cybersecurity voice representing the Nation’s hospitals and health systems during the 2024 Change Healthcare cyber-attack, including testimony before Congress in April 2024. In 2023, John helped initiate and lead the joint HHS, healthcare sector hospital cyber resiliency report which led to the development of the voluntary healthcare cybersecurity performance goals. John represented the nation's hospitals in testimony before the Senate Homeland Security Committee hearing on cyber threats to hospitals in Dec. 2020. This assisted in the passage of PL 116-321, providing regulatory relief for HIPAA covered victims of cyber-attacks. In 2021, John’s prominent advocacy encouraged the government to raise the investigative priority level of ransomware attacks to equal that of terrorist attacks. John initiated and co-led a national healthcare sector task group to develop resources to assist the field in managing cyber risk as an enterprise risk issue. John launched a national campaign with the AHA and government agencies to help members protect medical research against foreign threats. In various leadership roles at the FBI, John served as a representative to the White House Cyber Response Group, a senior representative to the CIA and was the national operations manager for terrorist financing investigations. John also led counterintelligence field surveillance programs in Washington DC and financial crimes and terrorist financing squads in New York City. John ultimately rose to the ranks of the Senior Executive Service and in that capacity led the FBI Cyber Division national program to develop mission critical partnerships with the healthcare and other critical infrastructure sectors. John held a national strategic role in the investigation of the largest cyber-attacks targeting healthcare and other sectors.
He also served on the NY FBI SWAT Team for eight years. John is the recipient of the FBI Director’s Award for Special Achievement in Counterterrorism and the CIA’s George H.W. Bush Award for Excellence in Counterterrorism, the CIA’s highest award in this category. John presents extensively on cybersecurity and risk topics and is frequently interviewed by the media.
Scott Gee is a seasoned cybersecurity professional with extensive senior leadership experience in both the public and private sectors. Prior to joining the American Hospital Association, Scott worked at Microsoft as a Cyber Incident Response Manager with responsibility for overseeing critical elements of the security infrastructure and cybersecurity capabilities that protected one of the world’s largest and most technologically advanced companies. His role involved threat prevention, detection, response, and mitigation, ensuring the safety and security of sensitive government customer networks and billions of dollars in assets and intellectual property. Before joining Microsoft, Scott had a distinguished 22-year career with the U.S. Secret Service (USSS), where he played a pivotal role in elevating and improving technical cyber and investigative operations across multiple directorates. He was instrumental in building the USSS Counter Drone Unit, and his leadership in digital forensics and mobile wireless investigations set new standards for training and performance. While serving as a USSS Attaché in London, he established and led the United Kingdom Electronic Crimes Task Force, working with international agencies and private sector security partners to disrupt cyber-criminal organizations, including ransomware gangs. Scott has provided training, briefings and presentations on cyber and other topics, representing the Secret Service in high-profile speaking engagements around the world. Scott provided protection for the President and Vice President of the United States as well as other world leaders in high-risk settings. Scott developed initial policies for the Cyber Security Advisory Board of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Scott is a Certified Information Systems Security Professional and the recipient of the USSS Director’s Award.
Bill Klaproth (Host): Welcome to the ASHRM Podcast, made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ashrm.org/membership to learn more and to become an ASHRM member. I'm Bill Klaproth. With me today is John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association, and Scott Gee, Deputy National Advisor for Cybersecurity and Risk at the American Hospital Association. As we talk about cyber risk, this is a big topic and what you need to know.
John and Scott, welcome.
John Riggi: Thanks, Bill. Great to be here. Thanks for having us. Always great to chat as usual.
Scott Gee: Absolutely Bill, thanks for having us. It's nice to meet you.
Host: You bet. Thank you John and Scott. Looking forward to this. John, let me start with you. From your national perspective, what is one thing that you would like every risk management professional to take away from this podcast conversation today?
John Riggi: Thanks for that Bill. I think first and foremost, really fundamentally, I think risk professionals should understand that cyber risk isn't just a technology risk, it's an enterprise risk that really impacts every function in the organization and truly may be the source, or at least a contributing factor for other types of risk, such as operational risk, business continuity, financial risk, legal and regulatory risk, reputational risk, very important, but most importantly, cyber risk is a risk to patient care and patient safety. I also, besides being an enterprise risk issue, I think risk professionals, many are thinking this way, but should think of cyber risk not only as enterprise risk, but as a strategic risk. So the way I define the difference between enterprise risk and strategic risk is that strategic risk is something which originates from outside the enterprise boundaries and is most likely beyond the control of the enterprise, in this case, hospitals and health systems such as geopolitics, insecure technology, and third party risk. Scott?
Scott Gee: And the thing I like to emphasize about technology is that the entire operation is dependent on technology. It's not only email and phones and things like that. It's building access, building management, all of the systems that are tied to cyber networks, and if cybersecurity fails, if there's a network outage, all of those things are going to be impacted and you have to be prepared for those impacts.
Host: Yeah, absolutely. So preparedness obviously is job one. So John, let me ask you this. How might risk management professionals best talk to their colleagues about the need to prepare for cyber events?
John Riggi: Well, just following on what Scott said, I think first and fundamentally very important to educate the staff about their dependency on the availability of technology. As Scott said, on building automation systems, but really for everything. Our staff, hospitals, and health systems depend on technology, network, and internet connected technology and data on their internal networks, in the cloud, and with third parties to provide care for patients from the moment they are admitted, to the moment they check the electronic medical record, they send the patient for imaging, radiology, labs, pharmacy, telemetry, treatment, surgeries, discharge, post-hospital, rehabilitation. All of these things are dependent on the availability of technology. And then we want the staff to think about the leadership actually and the staff to think about how would all of those functions be impacted if suddenly, all that technology went dark, and as we say, enter the stage of digital darkness. Think about the impact, and then think about how would we provide care, step by step for patients for every function, without the availability of technology? And not just for a few hours or 24 hours, but for 30 days or longer.
That's the length of outages that we have seen in high impact attacks. How would we provide care, safe and quality care for patients for 30 days or longer? Every step of the process.
Host: Yeah. John, when you say that as Scott said earlier, it's not just email and phone when you mentioned all those things, admission, EMR, imaging, pharmacy, treatment, surgeries, discharge. Oh my goodness. It encompasses all of that. And then be ready to be without that for 30 days, what are you going to do?
Oh my gosh. So that really does put it into perspective. Then John, how have you seen cyber events evolve in the past 12 to 24 months?
John Riggi: Well, unfortunately, Bill, we have seen a dramatic increase, so in the turn, in the sense of the frequency, sophistication and severity of the attacks have increased dramatically, and, especially with an increase in not only data theft cyber attacks, but most significantly, these ransomware attacks, which disrupt and delay healthcare delivery, ultimately posing a risk to patient and community safety.
The other phenomena that we have seen is that the bad guys, primarily, Russian based or Russian speaking ransomware groups have been targeting the healthcare sector's mission critical third party providers in supply chain. For instance, last year we had a ransomware attack by the Black Cat ransomware group, Russian speaking group, which attacked Change Healthcare, systemically important for revenue cycle, insurance verification, pharmacy prescriptions.
It touched and disrupted almost every hospital in the country. So the bad guys have figured out which nodes in healthcare provide the broadest access and impact if they're attacked. So that has been a very disturbing phenomena that we've actually seen increased pretty significantly over the past couple years.
Scott Gee: Bill, as John mentioned, the attackers focusing on third parties and supply chain. Another area we've seen that is we've actually seen a couple of attacks on the blood supply by cybercriminals. And that is a particularly disturbing attack because it will immediately put healthcare delivery in jeopardy for everyone in the community where the blood supply is attacked. One of them was an organization called OneBlood in Florida.
And when they went down, they were the primary blood supplier for the entire state of Florida. They also had operations in Georgia and the Carolinas. So huge impact from an attack on OneBlood. So yeah, those third party risks, or third party attacks are particularly dangerous.
Host: Yeah. Wow. It's just, it's evil, quite frankly. Terrible.
So John, if you could look into your crystal ball, what do you foresee for the next 12 to 24 months looking like, and what new challenges will emerge?
John Riggi: Yeah, great question Bill. I wish I did have that cyber forecast crystal ball. Sometimes we try to anticipate just what's going to happen next month, but looking long range here as best as we can, I think quite frankly, a lot of cyber risk is actually sourced or originates from broader geopolitical risk.
And what do I mean by that? For example, the majority of ransomware groups, as I mentioned earlier, are Russian speaking or based in Russia or the aligned states with Russia. If Russia fully cooperated with US law enforcement to go after these bad guys, to disrupt them, to extradite them, we could make a big dent in ransomware attacks against US critical infrastructure. So there are potentially signs of hope there, as in relations seem to be improving with Russia. Geopolitical risk also includes the nation of China, which is a primary source of cyber risk, targeting our critical infrastructure, and not just for the theft of intellectual property like the old days. China has been directly implicated in a variety of destructive malware campaigns, malware placed on our critical infrastructure.
Like the electric grid, like water and wastewater treatment facilities, even internet and telecommunications, poised to detonate if and when they invade Taiwan. So if, depending on our improving or degrading relations with China, this risk may actually escalate or deescalate. There's been a pretty significant increase in the sophistication of social engineering schemes and perhaps Scott could talk a little bit about that.
Scott Gee: Sure. The adversaries are using AI to vastly improve their social engineering attacks. The giveaways to phishing emails before were, it was obvious that the person wasn't, English wasn't their first language. AI really bridges that gap for them. It sounds like a person in the US wrote the email and that's a tremendous advantage for the adversaries. They're also using AI for research, quite frankly. They're using AI to determine who critical individuals are in an organization so they can target them for phishing or, even target the help desk of the organization so that, they can appear to be the CEO of the hospital, for instance.
And they, you know, I need you to reset my password right now. Right. It's a very, well-crafted attack that is quite frankly, enabled by AI, enabled and improved.
Bill Klaproth (Host): It seems like we're taking incoming fire from all directions here and on many different fronts. Oh my goodness. So what are common errors or omissions, John, that you see health systems routinely make, which end up costing them when it comes to experiencing a cyber event?
John Riggi: I think fundamentally, the most common issue is it's a mindset issue. One. Often there may be organizations, I won't say often, but let's say there's some organizations who believe that a massive ransomware attack would not happen to them. It's quite frankly, a psychological defense that we all have. We never want to believe that we are at risk in thinking only that would happen to the other person.
That not understanding that a ransomware attack or a cyber attack can and will happen to anybody and everybody regardless of the quality of their cyber defenses. So that's one, not understanding, the old question used to be, it's not a matter of if, but when. What we say now is the question is not if you will be attacked. The question is how well prepared are you?
And it's that preparedness point where I think many organizations, may not fully understand and comprehend. They need to be prepared to carry on their functions to carry on lifesaving, life sustaining critical care for patients for 30 days or longer without the availability of technology.
And even if they're not attacked, they may not understand the strategic cyber risk we face as a nation. From China, in particular, our number one cyber adversary that if they in fact take down the internet, the electrical grid, or telecommunications they need, hospitals and health systems need to understand that this is a clear and present danger and that we must be prepared for that possibility as well.
Scott.
Scott Gee: Bill, what I would add here is there are, John mentioned that not thinking it would happen to you is a common problem, not understanding that if it happens to your neighbor, it's also happening to you is something I would say is another common problem. Right? Because if the hospital down the street from you gets hit and they go down, all of their patients are coming to your hospital, right?
And that's a huge impact. That's what we often refer to as the ransomware blast radius. It's not just the hospital that's attacked, it's all the hospitals around them that are now overwhelmed with patients with additional workload. From a technical side, one of the common things I see, well, hopefully not common, but one of the things I have seen is just a lack of asset management in terms of cybersecurity, right?
This happened to Change Healthcare. Change Healthcare had one server on their system that didn't have multifactor authentication and had a weak password. That's, that was the point of compromise for Change Healthcare. Took down, pretty much, took down healthcare in the United States for a few weeks, and it was that asset management, asset inventory and asset management was that's where that failed, right.
You have to have robust security, but you have to have it everywhere and if you leave one door unlocked, the adversary's going to find that and they're going to use it. The other thing I see from a technical, a more technical side is the issue of patch management, right? We're getting overwhelmed with critical vulnerabilities and things like that.
And, there's a lot of work to do to maintain cyber systems. And quite frankly, sometimes folks get behind. They just don't have the people or the resources or maybe the know-how to update things and keep computers up to standard. And that's a huge vulnerability because as soon as a vulnerability is made public, bad guys are using AI again to search for machines that are vulnerable to that particular issue, and they're able to exploit those machines and cause chaos.
So that's the more technical side of the sort of common errors we see.
Host: Yeah. So let me ask you this. And Scott brings up a really good point there. A lot of these hospitals or health systems just don't have the resources or know-how and how to prepare for these cyber attacks. John, what would you say to somebody that doesn't have the resources or know-how, and it's already got a thousand things to do.
How can they start being prepared? What should they do first or how can they try to get ahead of this?
John Riggi: Great point by Scott and great question. So one of the things we would always point them to is at least implement the most basic recognized cybersecurity standards, which have been proven to reduce the greatest amount of cyber risk. So the AHA has worked with the healthcare sector coordinating council across government agencies to get up the, lemme say that again.
To develop a series of best practices that are known to help reduce cyber risk, and these are known as the voluntary cybersecurity performance goals. There's a set of 10 essential practices, like Scott said, patching, vulnerability management, email security, encryption, social, making sure defenses are prepared against other types of social engineering, attacks and a whole series.
So spells it out very clearly. 10 essential and then 10 enhanced cybersecurity performance goals. Such as network segmentation. But if an organization is looking where to start, that's a great guide. There's also a series of practices in a whole body of work known as the healthcare industry cybersecurity practices, really developed for the small or medium healthcare providers. Gives step by step, tech guide on technical implementation of basic cybersecurity controls. Then, so again, all free resources. Then the government offers a whole variety of threat intelligence resources. CISA, also the Cybersecurity and Infrastructure Security Agency, can provide free penetration testing and once in a while, free exercises.
And of course, we here at the American Hospital Association provide a whole range of services to help prepare hospitals, whether it's leadership briefings, tabletop exercises, clinical continuity programs and implementation, so take advantage. Our guidance would be to what's out there and available to you at free or very low cost.
Host: That is great, John, thank you for saying all of that, and very good that the AHA provides these materials as well as you said the government does too. So a series of best practices you can follow. And as you said, there's a voluntary cybersecurity goals, kind of a checklist it sounds like, that you can certainly put in action at your hospital or health systems.
That's really great information, John. Thank you for that. So say someone does get hit with a cyber attack, John, how can risk management professionals best work with their cyber insurance carriers, because that's another aspect of this when it comes to protecting the hospital in the event of an incident.
John Riggi: Well, hopefully those conversations start long before there's ever an attack, and of course, just as we encourage hospitals and health systems to have ongoing dialogue and relationship with the government, and obviously third parties, but certainly with their insurance carrier, they should understand from their insurance carrier, especially when they're writing that policy, what resources are available from the insurance carrier? As I mentioned, there are a lot of free resources out there, including from the carriers. The carrier may provide a tabletop exercise, then understanding exactly what the terms and conditions are and the carrier would provide during a cyber attack.
Will they provide the forensics teams and so forth? Will they provide crisis communications folks, negotiators, all of these? What is the limitation of the liability? How much will they pay towards a ransom? And then I think very importantly, they must also understand what the insurance carrier expects of the hospital health system in terms of their cybersecurity posture for defensive capabilities and then also what is the posture of the hospital or health system, the preparedness posture, should they be attacked? So all of these things should occur long before any event. Then of course, those are the questions to ask if you don't know the answer in the event of an attack.
Host: Yeah, that makes sense. Conversation should definitely happen before an attack. And as you said earlier, John, it's not if you will be attacked, but how prepared are you? So you're right, those conversations need to be happening long before that. This has been a great conversation, John and Scott, thank you so much.
Before we wrap up, I'd love to get some final thoughts from each of you. John, can I start with you? Is there anything else you would like to share with us as we conclude this podcast?
John Riggi: I always like to conclude with a positive message, despite all of the risk and negativity and the dark and evil world that's out there trying to attack us through all that. Folks, we want everybody to understand there is hope. And the reason why there is hope is because all of us in the healthcare community across critical infrastructure and work with the government, have banded together to understand the nature of the threat and really have been applying resources and knowledge exchange for what I call the collective defense.
So there is hope there. And then also I have seen in the C-suites across the country, CEOs, chairs of boards really understand the nature of cyber risk as an enterprise risk issue and as a risk to patient care and safety and right down on the front line, care providers, we have seen that they now understand cyber risk is really a patient safety risk, and ultimately cyber hygiene is as important as medical hygiene, to protect the patient, there is hope folks.
Host: Yeah, I like that phrase, cyber hygiene. You also mentioned collective defense. I love that phrasing, and good to hear that the C-suite is starting to recognize the threat that's out there and taking action to be prepared in case of a cyber attack. Scott, how about you? Any final thoughts or anything you want to add?
Scott Gee: Bill, the thing I like to remind people is that cybersecurity is not an end state. Cybersecurity is an ongoing process and it takes everyone to support that process from not only the CIO and the CISO and the technical folks, but everybody that uses that system is responsible for cybersecurity and it's the teamwork that makes this successful.
Host: Great thought on that, Scott as well. Not an end state, and it really takes an all hands on deck approach, it sounds like, really to be fully prepared in the event of an attack for sure and to help prevent as well. John and Scott, thank you so much. This has really been a thoughtful discussion, really important discussion as well.
It sounds like, the message still needs to get out there that we need to be prepared for cyber attacks. So podcasts like this hopefully can help spread that message. And John, I love the ending on an optimistic note. I love that. Thank you for that. Because it was sounding like, oh my God, what are we going to do here?
So, I'm so glad you said that, but John and Scott, thank you again for your time. We really appreciate it.
John Riggi: Thank you, Bill. Always a pleasure.
Scott Gee: Thanks Bill. It was great to meet you and look forward to speaking with you again.
Host: That sounds great, and once again, that is John Riggi and Scott Gee. To hear other great podcasts on important healthcare risk management topics, just visit ashrm.org/podcast. And the ASHRM podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through Enterprise Risk Management. You can visit ASHRM.org/membership to learn more and to become a member.
And if you found this podcast helpful, please share it on your social channels and check out the full podcast library for topics of interest to you.
Thanks for listening.