Cybersecurity and physical threats are unfortunately significant enterprise risks for health care, regardless of size or location. Every hospital, physician group and medical center is at risk — and this risk puts the people we serve at risk, which is why we must take these threats seriously.

I welcomed John Riggi, AHA’s National Advisor for Cybersecurity and Risk, to our Leadership Dialogue to have a conversation about planning for and navigating cyber and physical threats. John spent nearly 30 years with the FBI before joining the AHA in 2018.

John shared three major themes we all must lean into regarding cyber and physical threats. The first is leadership. We must recognize that cyber and physical threats are an enterprise risk issue and put the necessary resources in place to be proactive and prevent these threats from occurring. Second, third parties pose a major risk. It is important to evaluate our third-party risk and put plans in place to minimize the risk as much as possible. Third, prepare, prepare, prepare! Part of preparation is educating leaders and staff and creating partnerships within the organization and in the community to be able to respond and act if and when something happens.

I hope you find our conversation insightful and strategic. Look for future conversations with health care, business and community leaders on making health better as part of the Chair File in 2025.

00:00:01:01 - 00:00:26:02
Tom Haederle
Welcome to Advancing Health. Cybersecurity is a risk. And because of that, a priority for all hospitals and health systems. In this Leadership Dialogue, Tina Freese Decker, chair of the American Hospital Association, and John Riggi, AHA's national advisor for Cybersecurity and Risk, discuss planning for cyber attacks, putting protections in place, navigating cyber threats, and rebuilding trust and confidence in the system

00:00:26:04 - 00:00:31:01
Tom Haederle
when cyber attacks do occur.

00:00:31:04 - 00:01:00:23
Tina Freese Decker
Hello, and thank you so much for joining us today. I'm Tina Freese Decker, president and CEO of Corewell Health and the board chair for the American Hospital Association. From data breaches to ransomware attacks to outages, cybersecurity affects patient safety and enterprise risk and is increasingly a strategic priority for hospitals and health systems. Planning for cyber attacks and putting the proper protections in place is key to ensuring sustainability, patient privacy and clinical outcomes.

00:01:00:26 - 00:01:34:22
Tina Freese Decker
So I am so pleased to have the American Hospital Association's John Riggi joining me for today's conversation. John is an expert in this field, and he serves as the AHA's first national advisor for cybersecurity and risk. He joined AHA in 2018 after a long, distinguished 30-year career with the FBI. He brings with him tremendous experience in the investigation and disruption of cyber threats, as well as the unique ability to provide informed risk advisory services to hospitals and health systems.

00:01:34:24 - 00:01:41:26
Tina Freese Decker
So before we jump into the conversation, John, can you just tell me a bit about yourself so that our audience can get to know you a little bit better?

00:01:41:29 - 00:02:08:13
John Riggi
Thank you, Tina, so much for inviting me here today to discuss these topics, which unfortunately, as you said, are top of mind for everyone. So when I ended my 30-year career at the FBI, I still wanted to be in a position to serve. I spent a lifetime doing that, and in my last role at the FBI, my job was to establish mission critical relationships with the private sector, with critical infrastructure, and in the health care sector in particular.

00:02:08:15 - 00:02:29:22
John Riggi
That's when I had the privilege and honor to be introduced to AHA and Rick Pollack in talking about cyber threats. And that's when I really learned how critical a role the American Hospital Association served for the entire health care sector. I could send over, you know, an immediate urgent alert to the AHA, and with a single press of a button

00:02:29:29 - 00:02:56:16
John Riggi
5,000 plus hospitals received that alert. 50,000 executives received it. So I understood at that point we needed to engage in that continuing relationship. And when I retired, fortunately for me, Rick Pollack and the team said, John, you know, we've been listening to you and we think cyber will be an emerging threat going forward. Unfortunately, none of us realized how significant a threat it would be.

00:02:56:19 - 00:03:00:12
John Riggi
And so, again, my privilege and honor to be here with you today.

00:03:00:14 - 00:03:22:21
Tina Freese Decker
Well, we are privileged and blessed that you are part of the American Hospital Association team, and you're helping us navigate so many of these issues that come forward. Let's start with kind of one of the underlying questions that I have. We've seen all these cyber and physical threats that have targeted hospitals and health systems. How have they evolved over the last, let's say, 7 to 8 years?

00:03:22:24 - 00:03:58:21
John Riggi
Yeah, unfortunately they've increased pretty dramatically. So not only have they increased in frequency, but also in complexity and severity of impact. So on the cyber front, we have seen it, for instance, in hacking of patient health information. In 2020, it was about 450 hacks impacting 27 million individuals, not inconsequential. Last year, with the Change Healthcare attack, we had 259 million Americans have their health care records stolen or compromised by foreign bad guys.

00:03:58:27 - 00:04:24:17
John Riggi
If we add up the numbers, just since 2020, over 500 million Americans have had their health care records compromised or stolen. So, John, wait a minute. There's only 330 million Americans. That's the population. Meaning that every American in this country has had their health care records compromised more than once. But what really concerns us are the dramatic increase in ransomware attacks, which are often accompanied by data theft attacks.

00:04:24:19 - 00:04:51:12
John Riggi
So these bad guys, primarily Russian speaking, believed to be provided safe harbor by the Russian government, primarily but not exclusively Russian, have increased these attacks so that the impact really is not only disablement of technology. Internal networks get shut down, data gets encrypted, organizations are forced to disconnect from the internet. That has a very, very dramatic impact on care delivery.

00:04:51:15 - 00:05:18:21
John Riggi
So this results in disruption and delay to care delivery, ultimately posing a serious risk to patient care and safety, not only for the patients in the hospital, but for the entire communities that depend on the availability of their nearest emergency department for life saving care, radiation oncology, and so forth. So we've seen that evolve again very significantly, and one of the reasons I think it's evolved so dramatically:

00:05:18:23 - 00:05:30:21
John Riggi
Geopolitics is part of that. But I think on a very base level, we as a sector depend more and more on network and internet connected technology and data.

00:05:30:24 - 00:05:56:13
Tina Freese Decker
Very true. You know, I did a podcast earlier this year about trust and rebuilding confidence and trust and having that public trust in health care systems and hospitals. And when you have a cyber attack or an act of violence that targets hospitals, health systems, it impacts patients, like you said, it impacts staff and our communities. How can we go about building that trust and regaining that confidence when we have these instances occur?

00:05:56:15 - 00:06:06:23
Tina Freese Decker
And do you have some examples of stories or insights organizations have used that have helped them navigate those cyber threats and build that public trust?

00:06:06:26 - 00:06:32:07
John Riggi
Great question, Tina. And also on the violence side, unfortunately, as I wanted to mention as well, that's increased pretty dramatically, to set the stage there. I was shocked, as a former law enforcement officer, to find out nurses are the second most assaulted profession outside of law enforcement. And, you know, we expect it as law enforcement officers to be engaged in confrontational engagements.

00:06:32:07 - 00:06:37:09
John Riggi
You're making arrests, but nurses who just want to deliver care to help people? Shocking.

00:06:37:09 - 00:06:38:19
Tina Freese Decker
It's sad and unacceptable.

00:06:38:23 - 00:06:58:27
John Riggi
Agree, totally. So I think, how do we get that trust in the community? I think one - and I think we've done a fantastic job with your leadership and the AHA - acknowledge the risk, acknowledge the threat. Let's not hide it. Let's not pretend it's not there. But then to take real steps to prepare and help mitigate the impact of these threats.

00:06:59:00 - 00:07:25:01
John Riggi
So now we see, on the cyber side, hospitals are actively working to develop better downtime procedures, better backup systems to help shorten the length of the impact and help recover more quickly. And work with the federal government. Exchange threat information across the sector with our partners in other sectors. And really understand if we're attacked, this isn't a stigma.

00:07:25:02 - 00:07:51:18
John Riggi
This isn't something that an organization failed to do. We're all in this together. And on the physical side, we're working very closely with the FBI to help develop resources to help identify and mitigate targeted acts of violence directed toward health care organizations. But most importantly, our frontline health care heroes, our frontline health care workers. And again, working with the community, this is all partnership with the community as well.

00:07:51:20 - 00:08:08:05
Tina Freese Decker
So I'm sure you have a top ten list of things that we could do to prevent these attacks. But could you share the top three things that we should do to prevent these attacks and how we can be resilient? And when I say attacks, I'm talking cyber and physical. We have limited time, we have limited resources.

00:08:08:05 - 00:08:10:19
Tina Freese Decker
But what are the most important things that we should be doing?

00:08:10:22 - 00:08:36:21
John Riggi
I think the overarching umbrella that all the others fall under is leadership. And really looking at these risks, acknowledging them and ensuring that both cyber and physical risks are treated as an enterprise risk issue. And then within that, on the cyber side, making sure on the defensive side that you're following well known, well-established, recognized cyber frameworks, making sure you start there.

00:08:36:24 - 00:09:03:08
John Riggi
Second, really thinking about third party risk. What we have seen is that a majority, the vast majority of cyber risk, cyber attacks we face come to us through insecure third party service providers, insecure third party technology and insecure supply chain. That doesn't negate us from our responsibility to do what we can, but we have to understand that. And then the third thing is ultimately prepare.

00:09:03:10 - 00:09:24:08
John Riggi
We must prepare for the attack. There's an often, I would say, overused expression in the cyber security world: it's not a matter of if, but when. It's true. But I would also change that a little bit. It's not a matter of if you will be attacked. The question is, are you prepared? So focusing on resiliency and so forth.

00:09:24:10 - 00:09:55:13
John Riggi
And then on the physical side, education of staff, leadership priority, and working with the FBI and local law enforcement to potentially identify ahead of an incident acts of targeted violence directed towards the hospital. And then working together as a community to help mitigate and prevent that act. The police always want to respond, can respond after the fact. But I can tell you from personal experience, we'd rather prevent a crime, prevent an act of violence than respond after the fact.

00:09:55:15 - 00:10:19:15
Tina Freese Decker
Agree. And I think that developing those relationships with local FBI, with local law enforcement is critical because, to your point, it's not if, but when. But we'd like to be able to prevent all of it. Having those relationships is key. So I know that the AHA has been working very closely with the FBI and some health care systems to exchange that threat intelligence and enhance collaboration across our sector

00:10:19:15 - 00:10:28:21
Tina Freese Decker
and with federal agencies. Can you share more about that partnership and how it has helped us in identifying and mitigating both physical and cyber threats?

00:10:28:24 - 00:10:51:26
John Riggi
Great question again, Tina, and thank you for highlighting what we're doing with the FBI. So on the cyber front, we've been actively engaged in cyber threat information and threat intelligence exchange. Both on a very technical level, exchanging - without getting too technical - threat indicators, malware signatures and so forth, but also identifying big strategic threats that we may face as a sector.

00:10:51:28 - 00:11:19:23
John Riggi
So, for instance, working with the FBI, we helped identify last year a threat to the blood supply before it was on the government's radar. We helped the government understand that cyber attacks on hospitals are not just data theft crimes. These are truly threat-to-life crimes. So the federal government actually previously raised the investigative priority level of ransomware attacks on hospitals to equal that of a terrorist attack once they understood what the impact was.

00:11:19:24 - 00:12:00:17
John Riggi
We are working very closely with the famed Behavioral Analysis Unit of the FBI, the profilers that many books and TV shows and movies have been written about, to develop resources to help hospitals identify targeted acts of violence, threats that are pending against hospitals, and again, help intercede, intervene and help prevent those attacks. We have a whole series of resources available on the first ever joint FBI and Joint Health Care Sector webpage. We're about to issue a manual coming out here within the next month or so, based upon joint work with the FBI in the field on best practices and lessons learned to prevent these acts of violence.

00:12:00:17 - 00:12:06:08
John Riggi
So we have a robust, almost daily interaction with the FBI and other federal agencies.

00:12:06:10 - 00:12:25:15
Tina Freese Decker
It's so helpful to know that we have those robust partnerships at the national level, and then we can create them at the local level, and make sure that we're all in this together to help protect our patients and the people that we care for in our community. So that's wonderful. My last question for you is just one about how we look forward.

00:12:25:17 - 00:12:38:26
Tina Freese Decker
Can you tell us what you think is going to happen in the threat environment for 2025 and maybe into 2026? What are those things we should be watching, looking out for? And is there anything positive that you can see?

00:12:38:29 - 00:13:11:18
John Riggi
I will let you know there is some hope. Let's talk about the realistic environment, then we'll talk about where I see the hope. So first of all, I do believe that the frequency of the attacks may decrease, but I think the bad guys are looking to make a greater impact. We have seen them go after systemically important organizations that serve health care. Change Healthcare, for example. Last year, attacks against the blood supply. The year before, they found vulnerabilities in a commonly used technology and software known as MOVEit.

00:13:11:21 - 00:13:41:03
John Riggi
By attacking that software, the bad guys, a Russian ransomware group, were able to gain access to millions and millions of patient records. I do believe geopolitics will have a very significant influence, for better or worse, on the level of cyber threat we face. How we deal with the outcomes of our negotiations, of our diplomatic efforts with Russia, China, North Korea and Iran has the potential to mitigate or increase the cyber threats that we face.

00:13:41:05 - 00:14:08:19
John Riggi
And ultimately, again, third party risk, major, major issue. Where do I see the signs of hope? And there are signs of hope, folks. Honestly, I have never seen the sector come together like this to share threat information, to prepare for attacks, best practices, lessons learned, not only amongst the sector. We see channels of threat information sharing and best practice across other critical sectors, with the federal government.

00:14:08:21 - 00:14:45:26
John Riggi
We've had victim organizations' CEOs come out publicly. Dr. Leffler from University of Vermont, Chris Van Gorder from Scripps. We've had Eduardo Conrado from the recent attack against Ascension not only come out publicly, but testify before the UN Security Council last November about the impact of this Russian ransomware attack against Ascension. So what I see is hope. The fact that we are banding together and with the government, and I hope, as we did in the great fight against terror, international terrorism, we will come together in a whole of nation approach to help mitigate that risk.

00:14:46:01 - 00:15:09:17
John Riggi
Now, Tina, I know I've done a lot of speaking here, and if I may, and with all due respect, I'd like to ask you a question if I could. Tina, in your role, you have a very unique dual role. You're CEO of a large health system, and you're also the chair of the American Hospital Association board. So how do you think about cyber and physical threats for your own organization

00:15:09:19 - 00:15:11:20
John Riggi
but also on a national level?

00:15:11:22 - 00:15:33:26
Tina Freese Decker
Well, I believe that cyber and physical threats must be prioritized. It's a strategic risk. We have to understand how we focus on it, and we have to significantly prioritize it and emphasize what we're doing there. Previously, maybe 5 or 10 years ago, it was just thought of as a technical issue. It's not that. It's how we operate. Because like you said, we're so connected,

00:15:33:26 - 00:16:01:07
Tina Freese Decker
it's critical infrastructure and we must make sure that we are coming together. So for us as an organization, we prioritize our efforts, our investments, our work on it, but also prioritize business assurance. So how do we operate and make sure that everyone understands all the key components and the lessons that you shared on this discussion today, but also when we've had conversations before, how are we making sure that we know those and our teams know those?

00:16:01:09 - 00:16:25:19
Tina Freese Decker
I think the importance of safeguarding sensitive patient data and ensuring the integrity of our systems cannot be overstated. And that applies for my organization, and that applies for all of our members throughout the American Hospital Association. And so I think those are some critical points. As we think about this, it is making sure that we are safeguarding sensitive patient data and ensuring the integrity of our systems as we go forward.

00:16:25:19 - 00:16:59:14
Tina Freese Decker
That cannot be overstated. And as we do that, I think we all uphold that level of commitment to excellence that our patients and the people in our community want. So, John, thank you so much for your time today, for sharing your expertise. While we may not be able to prevent or mitigate everything, you have given us such great advice, and we should make sure we take that down, but also listen to the many podcasts that you put out or the Action Alerts that you send through, because they are helpful and direct and provide that great advice to move forward.

00:16:59:16 - 00:17:17:11
Tina Freese Decker
And I know that you are available to connect with all of our members if there is a specific situation, or they just want to learn more to make sure that we're better. So thank you, John, for being here. And thank you to all of those that have tuned in to this conversation. We will be back next month for another Leadership Dialogue.

00:17:17:13 - 00:17:25:24
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.
