John Riggi, AHA senior advisor for cybersecurity and risk (pictured above), sat down with AHA Today to share takeaways from a recent Senate Cybersecurity Caucus briefing on cybersecurity and health care. Criminal and nation state cyber adversaries are adopting more sophisticated tactics, such as targeted ransomware attacks, which can shut down and encrypt both a hospital’s main information networks and its backup data, Riggi notes. This can directly impact public health and safety by forcing hospitals to cancel medical procedures and divert ambulances, while making it harder to restore care delivery operations without paying hackers to release the data.

Q: Why are data breaches a growing threat?  
A: We know criminal hackers target data-rich health records to engage in lucrative fraud schemes. We also know that adversarial nation states such as China, Russia, Iran and North Korea target medical records to identify and target individuals with access to sensitive data, such as classified information or intellectual property.  

Q: Why do cyber criminals target health care?
A: In comparison to other sectors, data from the health field often include a combination of data sets such as financial data and personally identifiable information, making health records more valuable to cyber thieves. Simply put, hackers target health care because these combined data sets make it easier for bad actors to monetize medical records – either through sale on the dark web or through lucrative fraud schemes such as false medical billing and identity theft.

Q: Are all health care data breaches attributable to hackers?
A: Not all breaches are attributable to hackers. Some breaches, such as those reported to the Health and Human Services Office of Civil Rights, are due to insider threats and accidental exposure of health records; for instance, if staff look at records they shouldn't or email [accidentally] unencrypted health records.

Q: What can hospitals and health systems do to protect patient records?
A: It is essential for hospitals and health systems to create a top-down culture where every member of the staff feels empowered and obliged to protect patients and data from cyber threats. The AHA encourages hospitals and health systems to prioritize cyber risks based on their potential to impact: 1) care delivery and patient safety; 2) security and privacy of patient and other sensitive data; and 3) business functions. It also is important to map and classify all data, systems, devices, endpoints and vendors, and implement tight controls around data storage and access, especially backup systems, to reduce the risk of compromised protected health information and the threat of ransomware.

Q: How can patients be more proactive and knowledgeable to protect their own health records?

A: Patients can do a few things to protect their health data. They should understand how and to whom they grant access to their medical records; read consent agreements carefully; and store their medical records in secure physical or electronic environments.
