For those in IT, saying cybersecurity represents a massive enterprise-level risk is not breaking any news, but it is incumbent on those IT folks to make sure that message is clearly communicated to the business leaders in the C-suite. Conversely, it’s also incumbent on business leaders to demand that their IT counterparts translate IT risk into language they can understand. Only then can risk-based decisions be made and preparations to deal with outages be addressed appropriately. It’s an approach that American Hospital Association National Adviser for Cybersecurity & Risk John Riggi advises, along with embracing as much transparency as possible if an attack is suffered. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Riggi covers a host of issues around keeping hospitals as safe as possible from a cyber attack.
Anthony: Welcome to healthsystemCIO’s interview with John Riggi, National Adviser for Cybersecurity and Risk with the American Hospital Association. I’m Anthony Guerra, Founder and Editor-in-Chief. John, thanks for joining me.
John: Thanks. Great to be here, Anthony.
Anthony: All right, John, looking forward to a nice chat. Why don’t you start off by telling me a little bit about your organization and your role.
John: The American Hospital Association is the primary advocacy organization for the nation’s hospitals and health systems. We represent over 5,000 hospitals and health systems of all types and sizes, from very small rural hospitals all the way up to multi-state systems, and we’ve been in business since 1898, 125 years, which is actually longer than my previous 3-letter organization, the FBI.
Anthony: Yes, very good. Very good. So you like to work for places that have been around a while.
John: That’s right. In organizations where I can remember the name easily, 3 initials. That’s it.
Anthony: Love it. Love it. So interesting, your title has risk in it. I interview a lot of CISOs and one told me recently it’s all about risk. If you’re focusing on vulnerabilities, you’re going down the wrong path. You have risk in your title. I don’t know if anybody had this position before you or if you’re the first one to hold this position, if you had some input into deciding what it would be called, but it’s just interesting that you have the word risk in there.
John: Very astute observation, Anthony. There was a very specific reason why I included that word in the title. First of all, cybersecurity is, in fact, primarily an enterprise risk issue. It is not just an IT issue. It is a risk issue which impacts every function in the organization, and for hospitals, most importantly, it is a risk that impacts patient care and patient safety.
Also based upon my background, fortunately and unfortunately, I have lots of experience dealing with other types of risks as well, physical risks to hospitals and unfortunately, we’re seeing a big uptick in hospital violence, counterintelligence issues and other, again, types of risks that hospitals are facing. So we wanted to make it all encompassing, cybersecurity being the priority issue that I address and that basically my role is to act as the national advocate and advisor for hospitals, that trusted advisor for the C-suite but understanding there are other risk issues that hospitals face beyond cybersecurity.
Anthony: Right. You talk about it as an enterprise risk issue and it seems obvious to those – if you take a quick look at it, it seems obvious. Some folks that I’ve spoken to, some CISOs, talk about – I don’t know if they feel like it’s funneling up to – and as somebody who’s looking at enterprise risk from that level, there’s a feeling that it’s not being funneled up to that overarching look of enterprise risk. What do you think about that? Do you see that as a challenge?
John: We do see that as a challenge. However, unfortunately, as these attacks continue to occur and occur at a rapidly increasing pace, many CEOs and boards truly understand now that cyber risk is not just a technical issue; it is that risk that impacts the entire organization and brings with it other types of risks beyond just patient care and safety. It brings with it financial risk, legal risk, regulatory risk, reputational harm, and I think as C-suites and boards become more enlightened to what cyber risk truly is, it is now included in many enterprise risk management programs.
Generally, quite frankly, many of the CEOs I speak to – and I speak to hundreds per year – all rank cyber risk as their number 1 or number 2 risk issue, and they also are enlightened enough to understand that they don’t look at it as a silo, as a separate risk such as financial risk or business risk; they look at it as a risk which transcends every other risk. Cyber risk is part of financial risk. Cyber risk is part of patient quality and safety risk.
I think we as a sector and we in the technology side, CIOs and CISOs have become better at translating how digital risk impacts the entire organization and translates into financial risk and patient care and patient safety risk as well. We need to do a better job on the technical side translating cyber risk from those technical terms, those broad risk concepts. CEOs now are asking very probative questions of the technical folks so that they can understand in layman’s terms how cyber risk translates to enterprise risk.
Anthony: Well, I’m glad to hear that you feel like it’s getting there because it’s one of the few – it’s an existential risk.
John: Potentially, right.
Anthony: We know hospitals that have gone out of business. They’re few and far between. But it has happened. If you’ve got a very thin margin, this can knock you out, not only the patient safety stuff, but this can finish you off. The risk is phenomenal.
John: That’s right.
Anthony: As you said, they get it that it’s a top three. It’s just phenomenal. It’s almost like you don’t realize how dangerous it is if you look at it. As an example, the Joint Commission just came out with this preserving patient safety after a cyber attack document that I looked at a couple of days ago, and it was astounding in terms of what they wanted everyone to do to be prepared for a cyber outage. It’s almost inconceivable to think of functioning without your software.
John: It’s beyond the software, right. I would say for better or worse, the healthcare sector, hospitals and health systems, in particular, have increased their reliance on network-connected and internet-connected data and technology. It is pervasive throughout our hospitals and health systems and there are many reasons for that.
Primarily, this ubiquitous use of technology, network and internet connected technology improves patient outcomes and saves lives. That’s job one. But with this tremendously expanded use of network and internet-connected technology, we have come to learn that there is often hidden and embedded risk within all this technology. Again, I must say that to clarify, the technology we’re using is not the hospital’s technology. We didn’t build the computers. We don’t write generally our own operating system code. We’re relying upon third party technology providers to deliver us secure technology.
Unfortunately, the current state and really we, as consumers, have come to accept that all technologies delivered to us are secure by default. What do I mean by that? Think about when you open up, turn on that new computer or you download that software, what’s the first thing we have to do? We have to update it for security and other features and then we have to continuously update it for the lifespan of that technology for security patches. I think we can do a better job as a nation and the technology industry.
The embedded risk in our use of technology is that all technology will contain technical vulnerabilities which the bad guys, foreign bad guys will seek to exploit, to penetrate our networks. But there is a more abstract, potentially more dangerous risk that comes with this ubiquitous use of technology – network and internet-connected technology – and that’s our dependency on the availability of that technology to do our jobs, to care for patients and continue business and clinical operations.
When that technology is suddenly no longer available, such as during a ransomware attack, it creates significant disruption and delay to healthcare delivery and potential risk to patient safety; hence, the Joint Commission’s advisory. Hey, we’ve got to be prepared. How do we do business without technology in every function and every department in the hospital? How do we do business, care for patients and save lives without the technology we depend upon every day?
Anthony: From my observation, when I looked at the preparation they recommended, it sounded impossible. I just don’t think people are going to have the time, the resources. Remember, hospitals operate 24/7. There are staffing shortages. There’s no excess capacity of people sitting around. The undertaking that’s expected to function without electronic systems for a prolonged period of time, let’s say more than a day, and sometimes we’re talking about two weeks or whatever, seems impossible.
John: Three to four weeks actually.
Anthony: The instinct of most people in the hospitals is to wait for the systems to come back up. It’s not to continue on paper. That’s like the last thing they want to touch. What I’m saying is I’m concerned – I feel like there’s concern out there that it’s such a big deal to transition to a paper-based workflow that I just don’t know. I don’t know if the preparation is there. It’s just a concerning issue.
John: It is a concern and of course, it would take a tremendous amount of resources to be devoted to that preparedness. I think I want to clarify – I believe those, the document is recommendations, it’s not requirements.
Anthony: Yes, I think so. Yes, definitely.
John: It’s not a requirement as of yet. But I think that hospitals can leverage existing programs. For instance, to help prepare, to help understand what the risk is and then develop plans and processes to have the ability to continue operations for three to four weeks. Now, the reason I’m saying this is that most hospitals, I think all hospitals, have emergency preparedness planning and functions. They do, in fact, test downtime procedures. That is part of the job. But generally downtime procedures have been limited to paper charting to the electronic medical record and now we understand that we have to have downtime procedures for all systems involved in the clinical care, diagnostic technology, labs, pharmacy, radiation, oncology, chemotherapy.
We have to think about if we lose the internet or we have to shut down our network. Really, there are three simple questions I always pose to leaders, to think about this in strategic terms. If we have to shut down our network, voluntarily or involuntarily, if we have to shut down our internet connection, every department, every leader, asks these three questions: what will work, what won’t work, and what’s the plan to continue to deliver safe and quality patient care?
There are functions already. There are resources devoted to emergency preparedness and in fact, our emergency preparedness teams do a really good job at preparing for other types of hazards such as fires, and floods and hurricanes. They have mutual aid agreements with surrounding hospitals. What I’m proffering, suggesting here, is that we leverage the work we’ve already done and the resources that have already been allocated for emergency preparedness, and we combine that with our cyber incident response planning and our downtime procedures, so that a cyber incident is considered a hazard, just like a fire or flood or hurricane that’s incorporated into our emergency management planning.
Anthony: It makes a lot of sense. You talked about regional impact. I assume that in your previous work doing other things, you’ve dealt with regional impact of different types of events…
Anthony: …and looked at that. There was a paper that came out (Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US), a study that came out recently that talked about the regional impact of a cyber event on a hospital and how that affected the other hospitals in the area because they had to deal with the overflow and I was just thinking now, if I know my local hospitals had a ransomware event and they’re on paper, I’m not going. I’m going somewhere else. I’ll tell you that right now. I’m not going. You’re going to have a regional impact. You’re going to have the other facilities in the area where their volume is going to increase. You’ve talked about mutual assistance type things, that can even happen in the IT departments. (Also see healthsystemCIO interview with UC San Diego Health CISO Scott Currie & Medical Director of Cybersecurity Christian Dameff)
John: That’s right.
Anthony: That’s been talked about, right, where the hospital that’s affected can get some resources, some help from the other IT departments in the area. Any more thoughts on regional impact either the overspill of patients and then this mutual assistance idea?
John: Yes, absolutely. Thanks for raising that study, Anthony. I know the author very well, Dr. Christian Dameff.
John: In fact, I did a podcast with him recently and we talked about real world examples when there is a high impact ransomware attack on a particular organization, especially if it’s a large health system, as we’ve seen in the past and unfortunately are ongoing incidents currently. There are widespread shockwave reverberations throughout the region. Just as you said, as ambulances and patients are diverted to surrounding facilities, that creates extra stress on those hospitals, and if their ICUs and emergency departments are already at capacity or near capacity, it really does create significant strain on the entire healthcare in the region. It’s what I call the ransomware blast radius. The initial victim is hit and there are shockwaves throughout the region, disruptive shockwaves throughout the region.
It’s another reason to leverage the emergency preparedness planning in systems we already have in place and mutual aid agreements so that other organizations can support the victim organization during an attack with personnel, resources, and technology; and we do need just as we plan for a hurricane or flood or tornado, to plan for a cyber attack on a regional basis. That’s why I’ve advocated for what I call the 5 Rs – regional, readiness, response, resiliency and recovery planning – 5 Rs.
Absolutely a great point, and I think organizations now are starting to think regionally. Quite frankly, we have to work together with our competitors. There is no competitive advantage when it comes to defending against and responding to cyber threats just as when during the pandemic we all came together to mutually face and fight that disease. As I always say, and I said when I was dealing with terrorists and organized crime, to defend one is to defend all. I think we’re realizing that. We have to apply that same philosophy when it comes to cyber threats and attacks.
Anthony: Very good. It’s been said that it’s a good idea for the CIO, or whoever is heading up security in health system whether it’s a CIO or a CISO, to have pre-established a relationship with the FBI. That’s going to be your key entity if you have some ransomware issue. I guess you don’t want to be Googling the phone number of the local FBI when that happens because you might not be able to be Googling anything.
What’s your advice there about what the folks that lead security in hospitals should do beforehand so they’re prepared to take the proper steps and maybe have laid some groundwork and actually have a name of someone to reach out to? What are your thoughts there?
John: Anthony, absolutely correct that as organizations develop their cyber incident response plans, they should have a trusted contact identified, with their 24/7 contact information, not only in the FBI but also in the Cybersecurity and Infrastructure Security Agency, CISA. They’re really more on the preventative side. What I would say is left of boom, right.
John: They can help organizations prepare with tabletop exercises, tools available to scan their networks for free. The FBI, again that personal trusted contact should be established and the legal department, the general counsels have to be involved in that so they understand the organization’s position and process for contacting the FBI during an attack. All too often, for example, I see extended delay and discussion when a victim organization is struck with a cyber attack or ransomware attack, about whether we should call the FBI.
Suddenly, internal counsel, external counsel become concerned if we talk to the FBI or CISA, they’re going to call OCR, the Office of Civil Rights, and we’re going to be exposed to legal and regulatory risks, not understanding that you actually have protections for cyber threat information sharing with the government. I’m not a lawyer, let me just say that, but there is a statute that I’ll point to, general counsels and outside counsels too, it’s called the Cybersecurity Sharing Act of 2015.
That discussion should be had whether to talk to the government and how transparent we should be with the government. That should be had prior to any incident and be resolved prior to suffering an incident.
Just think about it, if your house is on fire and it’s raging, you don’t want to have a discussion with the lawyer, “Should we call 911 now or not? What are the risks of calling 911 versus the rewards?” That has to be baked in so there’s no hesitancy to contact the government and ultimately, it’s going to become the law, probably within a year, not for the FBI but to report incidents to CISA. It’s actually a law that’s already been passed and that will be implemented 2024, 2025.
Anthony: You’re not a lawyer but are you saying that you would discourage any hesitancy of transparency, that you would be concerned that that might not be the best road to go down?
John: I would. I’ll speak from – again, not from the legal aspect but again I point to the statute for counsels, I encourage counsels to take a look at that. In fact, we at AHA recorded a podcast with one of the lead attorneys at the Department of Justice that was one of the primary architects of that statute, talking about the protections afforded victims of cyber attacks, private entities. The protections afforded to the private sector in sharing cyber threat information with the government, so lots of civil and regulatory protections there. I encourage folks to look at that statute.
But yes, here’s why transparency with the government under the protections of the statute and under protection of even legal privilege through outside counsel is important; it’s because the FBI and CISA and other government agencies may be in a position to help you identify the malware strain, to provide their experience in investigating this malware strain and pointing to where and how the malware penetrated the organization and maybe the best routes to recover and help mitigate the attack. Plus there is an inherent national interest in understanding who attacked the organization, what the impact is, regional impact to safety. Then understanding and identifying the malware signatures of that ransomware, for instance, and warning the nation, developing an alert to warn the nation without attribution to the victim.
Ultimately, it’s in the victim’s best interest to provide confidential protected transparent information to the government, cooperation with the government, and it’s in the national interest of the victim to cooperate to help prevent other attacks.
Anthony: It’s also probably in your own interest in terms of your reputation because we’ve read stories about – well, sometimes they don’t know that they’re in the network. It comes out that the bad guys were kicking around the network for three months. Well, that never makes anybody feel very comfortable about the organization, but if the public finds out after the fact that not everything was done as quickly and transparently as possible, that’s not good for the reputation. It’s always better to say this is what happened and immediately we did A, B and C, not we sat around for two weeks and did nothing, right? It seems like it hits all the notes, all the right notes, transparency.
John: I think it does. Again, but it’s a little bit more complex than that. I think most organizations, when they identify that they’ve been penetrated, they act, and sometimes they have no choice because their networks are shut down, so there’s no hiding the fact that, hey, we’re diverting ambulances and we’re cancelling surgeries and so forth. Each organization has to understand that transparency, in my personal opinion, goes a long way in continuing the trust of the community during the attack and post attack.
I do cite, for instance, the University of Vermont Medical Center ransomware attack in 2020 and I just did a podcast with Dr. Leffler, the CEO at the time, President and CEO of UVM. When they were attacked, there was a massive regional disruption to particular services for care delivery, for particular services they offered for the rest of the state. They’re the only level 1 trauma center in the state. Most of the small hospitals in the state depended on UVM for a variety of services. Dr. Leffler had the courage and the leadership to be upfront and say we were attacked by foreign bad guys. Here’s the disruption and here’s what we’re doing, the work with the communities, the work with our hospitals. In fact, it was so bad in Vermont that the governor, because of this attack, declared a state of emergency and sent National Guard Cyber Troops to assist UVM in the recovery.
Now, UVM is not the litigious West Coast. For them, that strategy worked. In other more litigious areas, transparency may bring about other problems.
Anthony: Your background with the FBI is very interesting. Sometimes these things are going to be clearly a crime when there’s a breach.
John: They’re all a crime. It’s all a crime.
Anthony: True, true. But there are breaches and compliance breaches and insider things where somebody – not everything is nefarious, right. That’s what they say.
John: Okay, to clarify – if you were to compromise a PHI that’s not an actual criminal act.
Anthony: Right, like somebody did it by accident.
John: Oh yes, not a crime.
Anthony: I guess I don’t know if it’s a crime if somebody looks in a celebrity’s record. That’s a little different than a cyber attack from a nation state. My point being, sometimes it’s obviously a legal issue, sometimes it’s not quite as clear if it’s an insider issue. That’s one point.
A lot of the CISOs, to my surprise, I speak to really are not interested in any punitive approach even for repeat offenses – the phishing campaigns they do internally to test and you get the same person that keeps clicking on the bad link.
Anthony: They try to tell them, but then nobody wants to be punitive. Nobody wants to fire anybody. It’s healthcare. Everybody wants to be happy. You’re a law guy. You’re a crime guy. So what are your thoughts around that? How many strikes do you get?
John: Right, right. Let me unpack that a little bit. First of all, we’re not talking about compliance issues – it’s very, very rare that we have insider threat. Let me just clarify that. When you look at the reports, the OCR, the vast majority, 90, 95% of the reported breaches, compromised healthcare records, are due to external hacks, so bad guys. We want to reassure the public, hospital staff are not – there’s no large scale snooping of personal health information going on. If that happens, that’s a wholly separate issue. That’s a compliance issue, maybe a crime in certain areas if that’s done intentionally.
But in terms of the other issue you mentioned, how punitive should we be on folks who just are not paying attention, repeatedly clicking on test phishing emails. The organizations I’ve spoken to have adopted specific policies that do provide progressively punitive measures for these, say, repeat “offenders” that click. Almost all start with remedial cybersecurity training. That’s the first step. Then, some organizations begin to notify supervisors. They may actually limit access and then ultimately, they may remove access for somebody who they believe is just incorrigible in a sense.
Anthony: That’s a good word. I like that. (laughing)
John: Look, ultimately, if an employee is extremely negligent and gave up their credentials that resulted in a high impact ransomware attack that threatened patient safety, I think organizations take a different look at that and it may result in termination. But I also say, don’t just have sanctions, have a rewards program too. Let’s encourage folks, let’s be positive. If you have an employee that is really outstanding, boy, they catch every phishing test, and you have an employee who actually defended and deflected against a real attack, let’s recognize them.
John: Let’s reward them in some way. It doesn’t have to be a large reward but have the CEO say boy, great job by employee X, it really saved the organization and protected patients. There has to be balance, sanctions and rewards.
Anthony: Very good. Two more questions.
Anthony: One a fun one and then a final thought. Now, my fun one is I looked at your LinkedIn profile, you’ve had a pretty cool career. You have a career and you’ve done work that it’s like in TV shows, the theme of a TV show. Not many people do work where what they do for a living could be in a TV show. Now, the question is I assume you are by background and initial interest a law enforcement, crime fighting guy, right? At some point, you got into computers or technology or cyber. How did that happen?
John: Good question, Anthony. I get that asked a lot of times because my background is more focused on, as you said, more proactive type violent crimes. I started off my career in New York City in 1990, in the battle days when drugs were priority. Drug trafficking was the scourge of the planet and international organized crime including Russian organized crime. I was in New York City on 9/11 working and subsequently working counterterrorism which led me to focus on more of the nation state type threats and counterintelligence, and then, ultimately into cyber.
What I didn’t realize was all that other experience on international organized crime, counter terrorism, counterintelligence was actually directly relevant to cyber risks, cyber threats because, ultimately, it was the same bad guys who would evolve from more physical means to cyber means, to technology means. They had evolved. What my role was in the cyber division is to be that private sector liaison, lead the national program and also understand and look at risk from that big strategic perspective.
As cyber became the latest leading cutting-edge threat, that’s where I gravitated. As I did my entire career, I always wanted to work the priority. Whatever the priority, busiest threat, most significant threat we were facing, that’s where I wanted to be, just last caveat, it’s not always like TV. There’s a lot of paperwork. We don’t solve crimes in one hour and aren’t surrounded by glamorous people. It was a lot of paperwork.
Anthony: A lot of paperwork.
John: A lot of paperwork, a lot of office work. But some days it was better than TV.
Anthony: That’s awesome. You probably understand technology at a high level. I mean there are guys that are doing cyber for the FBI that are really…
Anthony: Yes, that’s not you, right.
John: Coders. That’s not me. No. That’s not me.
Anthony: But you need those guys, right?
John: I absolutely need those guys from the technical and tactical all the way up. What I do is I look at it from the strategic risk perspective and then help organizations translate that technical/tactical risk into a strategic risk for the enterprise.
Anthony: All right. Final question, John. I had a lot of fun with this interview. Final question is your best thought piece of advice for – you talked about the AHA 5,000 hospitals, it goes from small to huge. Giving one piece of advice for all of them doesn’t really make sense but do the best you can in terms of the people that are heading up security at the hospitals – what’s your best piece of advice? What do you want them to know maybe about what AHA is doing and what you can do for them or resources or things you’re lobbying on? Just your best piece of parting advice.
John: Sure. First of all, I would encourage the leadership of all hospitals and health systems to really look at cyber risk as not just an IT issue, to really understand it and demand that it be translated to them in such a way that they understand the enterprise nature of the risk, to understand that it is a risk to all functions and primarily a risk to patient care and patient safety.
Cybersecurity means patient safety ultimately. The best tool, the best service, the best way to approach cybersecurity – what is the most effective way to do that? I say it starts with leadership. Ultimately, it’s up to the leadership to recognize the nature of the threat and to take action and resource the organization to be able to defend against it and be able to respond to it when they are attacked.
Again, I think it starts there. What the AHA is doing, we’re very vocal as I am, I’m not a shy guy and I went back to my government colleagues and I talked to them about the impact; and we’re fighting hard for hospitals and health systems to have the necessary support from the government, and to help the government understand that we’re not the perpetrators here, we’re the victims. Ultimately, the patients that we care for and the entire community we serve are at risk and are the victims when we are attacked.
There is hope – there is hope. Everyone is coming together so I am encouraged for the future.
Anthony: Great stuff, John. I could talk to you for another hour. I would love to sit at a bar with you and talk to you for an hour because I read a lot of true crime and I’m sure you have a lot of good stories, but we’ll have to leave that for another time. Thank you so much for your time today.
John: Thanks, Anthony. Great to be here and thanks for your interest in doing this.