Critical Condition: Cybersecurity in Rural Hospitals with Microsoft Part 2

A cyberattack on a rural hospital or health system can have devastating impacts, leaving in its wake patient harm and financial distress. In part two of this conversation, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, and Justin Spelhaug, corporate vice president and global head of Tech for Social Impact at Microsoft Philanthropies, discuss the urgent need for stronger defenses, the role of technology leaders to combat these attacks, and Microsoft’s strategies for long-term resilience.




00:00:01:04 - 00:00:36:12
Tom Haederle
Welcome to Advancing Health and part two of the conversation on cybersecurity attacks against rural hospitals, and what can be done to protect against them. In this conversation between John Riggi, the American Hospital Association's national advisor for Cybersecurity and Risk, and Justin Spelhaug, corporate vice president of Tech for Social Impact, Microsoft Philanthropies, we learn more about the role tech leaders can play in helping rural health care providers cope with cyber attacks and preserve their ability to care for the nearly 60 million Americans who depend on them.

00:00:36:14 - 00:00:45:02
Justin Spelhaug
So the impact is clearly disruptive on these hospitals, clearly disruptive. Now, John, what can these hospitals do to protect themselves?

00:00:45:04 - 00:01:04:21
John Riggi
So there's many things that they can do. There's many things they need to do. But again, it generally comes down to a resource issue. So we generally say start with the basics. Look at your tools and policies. We know that there are certain cybersecurity practices, basic practices that can help mitigate the risk of the majority of cyberattacks.

00:01:04:27 - 00:01:33:13
John Riggi
So example: multi-factor authentication, unified identity management, cybersecurity training for staff. We know that most of the attacks still start with those phishing emails, a psychological technique versus technological. Another step: join the Microsoft cybersecurity program. You all have been very generous in offering free cybersecurity assessments, curated learning paths, product discounts to all rural hospitals in the U.S.

00:01:33:16 - 00:01:53:03
John Riggi
And I mean, these are the type of things that we need to do together to help shore up the defenses of rural hospitals. Now, Justin, can you tell us more about the Microsoft cybersecurity program for rural hospitals and the role you see technology leaders having in addressing these challenges?

00:01:53:05 - 00:02:17:22
Justin Spelhaug
Yeah, for sure, John. And of course, the technology leaders in these hospitals are on the frontline of driving change, and they're managing everything end to end with really limited resources. And so we wanted to pull together a program that would provide them more capacity, more capability to respond to the threats that you've just highlighted. And really, there are three big buckets. New offers that help make our technology more affordable.

00:02:17:24 - 00:02:41:18
Justin Spelhaug
That's bucket one. Bucket two is capacity building services to help organizations respond. And then bucket three is new innovation to help rural hospitals have more impact, particularly with AI. So let me click into those just really specifically for just a moment. In bucket one, in terms of new affordable offers, we're providing those hospitals that typically have the least resources.

00:02:41:18 - 00:03:28:10
Justin Spelhaug
And so that's independent critical access hospitals and rural emergency hospitals, those that are not in a health system, they can access Microsoft nonprofit pricing, which can provide up to a 75% discount for things like Microsoft 365 off of commercial pricing. So that goes a big way in helping some organizations really get access to affordable technology. Now, all other rural hospitals in the U.S. that are using Office 365 or M365 can get access to one year free of our most advanced security suite, Microsoft 365 E5 Security and EMS E3 for one year to ensure that they can take action on their infrastructure immediately.

00:03:28:13 - 00:03:55:22
Justin Spelhaug
We've also for everybody, we've extended one year of Windows 10 Extended Security update at no cost. So that's on the technology side. On the capacity building side, we're providing every rural hospital in America, over 2000 hospitals, free security assessments, through a pre-vetted Microsoft security partner to help them evaluate their risks and identify strategies to mitigate those risks.

00:03:55:24 - 00:04:19:08
Justin Spelhaug
We've also, in this bucket, put together curated learning pathways for both technical staff and non-technical staff. And then the third area is AI innovation. Now, John, you were highlighting how stretched the finances of rural hospitals are, and CHQPR reports - and you said, John, that 30% of all rural hospitals are at risk of closure - that's a real statistic.

00:04:19:10 - 00:04:46:20
Justin Spelhaug
And that means that funding is limited and funding is limited for security expertise and the services that they need. So to help tackle this challenge, we've launched a Microsoft Rural Health AI lab, which we affectionately call RAIL, that is developing tools to help improve both financial and health outcomes. The first tool we built, which is in testing now with a number of hospitals, is an AI tool to support managing denied insurance claims.

00:04:46:27 - 00:05:08:15
Justin Spelhaug
We know that's a massively manual process for many hospitals. We know that if we can manage that more effectively, we can improve hospital revenue, which improves all outcomes. We've also been working to deploy Nuance to improve patient and physician nurse experience through AI. And we continue to look at how we can use AI to support hospitals for a number of other scenarios.

00:05:08:18 - 00:05:40:22
Justin Spelhaug
Since we launched it, nearly 500 hospitals have registered for the program. That's about 24% of all the hospitals in the country. And that's in about the last four months. Over 335 hospitals are participating in a cybersecurity assessment, and many are getting access to the offers as well. And this is, John, part of a broader commitment to rural communities. We've been investing for years, actually, in rural communities, both tackling the broadband divide in America, as well as investing in innovation in rural communities through our TechSpark initiatives.

00:05:40:22 - 00:05:46:26
Justin Spelhaug
So this is just the next step that we're taking for this acute challenge that we're dealing with at the moment.

00:05:46:28 - 00:05:54:12
John Riggi
Since launching the cybersecurity program for rural hospitals, let me ask you, Justin, what has Microsoft learned?

00:05:54:15 - 00:06:15:25
Justin Spelhaug
Yeah. You know, John, we've learned a lot. And, you know, as I mentioned before, we've engaged just about 500 hospitals. And our learnings really break into two categories. So if you're watching this and you are a cybersecurity professional, pay attention to this next section because I want to tell you what we're learning from the hospitals that we're engaging with directly.

00:06:15:27 - 00:06:42:06
Justin Spelhaug
Four key technical learnings that we're having. Number one, privileged account management is the top liability that we're seeing in many rural hospitals. Only 25% of rural hospitals adequately separate end user and privileged accounts, i.e. those accounts that have broader access to systems and data. Getting that segmentation is critical in terms of protecting your footprint. That's probably learning

00:06:42:09 - 00:07:11:20
Justin Spelhaug
number one. Learning number two is mitigating known vulnerabilities, running basic vulnerability scanning, doing timely patching, establishing processes to remediate those issues. Only 49% of hospitals that we're working with right now receive passing scores on being able to mitigate vulnerabilities quickly. That's because they're stretched. They're doing everything. They've got a limited amount of resource. That's really the truth. But it's a challenge nevertheless.

00:07:11:22 - 00:07:45:22
Justin Spelhaug
Number three, less than 65% of rural hospitals have implemented some of those basic cybersecurity best practices that you were highlighting, John. So email security, about 63% of hospitals. MFA, probably the number one thing we need to implement right now to protect against some of these threat vectors, about 64% of hospitals. Network segmentation, about 62% of hospitals. So A, it's good that we've got 60 something percent implementing these technologies, but we have 35-40% of hospitals that remain exposed and uncovered.

00:07:45:22 - 00:08:24:02
Justin Spelhaug
So that's what our program is trying to get at and get across. And then number four, while most rural hospitals scored well across the category of asset management, one subcategory, which is super critical, endpoint management is a substantial risk for rural hospitals. Less than 35% of assessed hospitals met the expert informed passing score for endpoint management. And if you remember what I said about ransomware, the ransomware is coming through those devices that do not yet have endpoint management comprehensively, you know, securing them.

00:08:24:02 - 00:08:46:26
Justin Spelhaug
So that's a real challenge as well. So there's a lot of work to do, a lot of work to do across the community. Now, the second category is that this challenge is enormous. And we're talking about over 2000 hospitals here in the United States. And it is going to take strong public private partnership with, I think, a real shared spirit both of collaboration

00:08:46:26 - 00:09:07:07
Justin Spelhaug
but John, like you have, urgency. Because this is a life and safety issue as you mentioned. This is people's lives at stake and livelihoods of communities at stake. And this relates to technology. Certainly we need to get the technology out there, but it also relates to funding, developing long term cyber skills, job pathways in these communities, broadband access,

00:09:07:08 - 00:09:25:22
Justin Spelhaug
there's a lot of different things that we need to get done. And, you know, Microsoft is all in. I know AHA is all in. And we're going to need more partnerships to tackle the size of this challenge. Another question here for you, John. You know, how can we collectively address the near-term risks of cyberattacks for rural hospitals?

00:09:25:22 - 00:09:29:07
Justin Spelhaug
Some of those issues that I just talked about from your vantage point.

00:09:29:10 - 00:10:07:10
John Riggi
First, I absolutely agree with all of those basic cybersecurity hygiene controls, procedures, policies that you've discussed. In fact, if hospitals are in fact looking for kind of a clear and concise list of these practices, starting with that multifactor authentication, unified identity management, privileged accounts, you can go to HHS' website - Health and Human Services website - where they have a list of ten essential cybersecurity practices and ten enhanced cybersecurity practices.

00:10:07:10 - 00:10:27:01
John Riggi
These are voluntary at the moment. They may become minimum mandatory at some point, but that's a good place to get that concise list, which includes all those recommendations that you made. And then ultimately, hospitals have to have the resources, not just a list to help implement these measures effectively.

00:10:27:03 - 00:10:56:13
Justin Spelhaug
Yeah they do, John. You know, we've also learned to remediate many of the risks that we're seeing to bring partner services in. If a hospital wanted to fund that, let's say they didn't have the staff, maybe between $30,000 or $40,000 per hospital to get those immediate issues addressed. You multiply that by 2000 hospitals. That's $60-$80 million, which in the grand scheme of things, and we're talking about rural America and rural communities, is a big number

00:10:56:13 - 00:11:16:03
Justin Spelhaug
but it's not that big of a number. And we need to be mobilizing all of the resources we can to tackle that. Now, of course, there's more systemic challenges, such as the skills in the community and ongoing challenges to maintain the environments and to upgrade the software and the hardware over time. That's going to require systemic, capacity building, systemic sources of funding.

00:11:16:03 - 00:11:37:05
Justin Spelhaug
But that has certainly been a learning we've had as well. So, John, as we kind of conclude the discussion, how are you thinking really about ensuring rural hospital resilience long into the future? Sure, we're facing these challenges right now, but how do we create resilience over time?

00:11:37:07 - 00:12:23:28
John Riggi
Again, great question, Justin, because that's really what this is about. It's about the long game. If we just address the near-term tactical threat that will not secure our future against these threats, nor will it secure our rural communities in the future. So really, what we do need is this sustained support from both public and private sectors to kind of help bolster these resources and really this continuing partnership in innovation across the rural areas, these public private partnerships, and we need to continue to invest in innovative solutions, workforce development, collaborative efforts to address these both systemic challenges, these international challenges, the strategic threat and then ultimately which translates down to the patient care and safety

00:12:24:00 - 00:12:32:07
John Riggi
risk. Again, what good is needed this continued whole-of-nation approach, and we're proud to have Microsoft as a partner in that effort.

00:12:32:10 - 00:13:12:15
Justin Spelhaug
Now we're proud to partner with you, John. AHA has been just such a staunch supporter, first of the rural hospital community and really advocating for that community broadly, getting partners like Microsoft to the table, helping us formulate effective strategies that provide as much capability to as many hospitals as we possibly can. And, we remain super committed to this effort and look forward to working both with you, other public and private sector partners that want to come together, that are of like mind, that want to collaborate, that are feeling the urgency like we're feeling and seeing the urgency and support these essential hospitals and these essential communities all across America.

00:13:12:18 - 00:13:25:18
John Riggi
Thank you, Justin, and thank you Microsoft. It's been a great pleasure discussing this important topic with you today, and look forward to our continued partnership to help defend America's hospitals against these cyberthreats.

00:13:25:20 - 00:13:34:02
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.