Cyberattacks on hospitals are urgent threats to patient safety, care delivery and public trust. In this conversation, Ajay Gupta, board chair of Trinity Health Mid-Atlantic and CEO of HSR.health, speaks about the vital role hospital boards play in preparing for and responding to cyber incidents. What strategic questions should boards be asking, and how can cyber preparedness make or break a hospital’s ability to deliver care when it matters most?
00:00:01:06 - 00:00:23:23
Tom Haederle
Welcome to Advancing Health. Cyberattacks directed against hospitals continue to increase, and many cyber threats quickly escalate into a governance and patient safety issue. In today's podcast, we learn about how board members can educate themselves and prepare to help their organizations face these threats.
00:00:23:25 - 00:00:48:15
Sue Ellen Wagner
I am Sue Ellen Wagner, vice president of Trustee Engagement and Strategy at the American Hospital Association. I'm delighted to be with Ajay Gupta today. He is the board chair of Trinity Health Mid-Atlantic and Holy Cross Health, and he's also the co-founder and CEO of hsr.health. It's nice to have you with us, Ajay, today to talk about cybersecurity and what trustees need to know.
00:00:48:18 - 00:01:08:16
Sue Ellen Wagner
I am hoping this podcast will be a nice 101 for board members to educate them about [what] their role is in cybersecurity, and what they should know to prepare for a cyber incident should one occur at their hospital or health system. Ajay, you have both business experience in the cyber industry and you're also a board member.
00:01:08:19 - 00:01:38:14
Sue Ellen Wagner
So your insight will be very valuable to our members and our listeners. Cybersecurity vulnerabilities and intrusions really do pose significant risks to hospitals and health systems, and the threats continue to increase each year. It's important for trustees to be ready should an incident happen at their hospital or health system. So, Ajay, can you tell us what trustees should know to be prepared should an incident occur?
00:01:38:16 - 00:02:04:04
Ajay Gupta
Thank you, Sue Ellen. It's great to be here with you today. And thank you for this question. It's a great overall question for a 101. I wish there could be a short answer, right? You only need to know a couple of things for cybersecurity. It's unfortunately not quite like that. I think the first place to start is to recognize that cybersecurity is a technical issue, and it's always really been thought of as something that IT would handle.
00:02:04:06 - 00:02:31:12
Ajay Gupta
But today we need to know that given how much of our care delivery relies on IT systems, should those systems become unavailable, whether due to a cyberattack or any cause - it very quickly becomes a patient safety and governance issue. As such, trustees need to ensure hospitals are prepared. And for cyber, preparation means can our clinical teams continue to provide care if systems go offline?
00:02:31:15 - 00:02:53:12
Ajay Gupta
The board's role is to provide oversight and confirm the organization is ready, not just to defend against the cyber attack, but also to operate through one safely. But this starts by understanding what the nature of our IT infrastructure is and how stable is it? How secure is it? Are we comparing ourselves against benchmarks? What measures are we taking to ensure its security,
00:02:53:12 - 00:03:15:09
Ajay Gupta
and are those measures tested? Are our IT and cybersecurity departments aware of the trends the security of the industry is facing overall from a cyber threat landscape? Because that will depend, and it will influence what kind of measures we take in the defense and in the resilience in the middle of an incident. I hope that's a good starting point for discussion.
00:03:15:12 - 00:03:34:25
Sue Ellen Wagner
It's a great starting point and cyber security is very complicated. You had mentioned, you know, patient safety and quality, which are very important. How do trustees know if their hospital or health system is secure to continue to operate and provide that clinical care that's safe should a breach really occur?
00:03:34:27 - 00:04:11:00
Ajay Gupta
Well, if a breach has occurred, Sue Ellen, by definition, the system is not secure at that moment, unfortunately. But to more broadly respond to your question, trustees need to ask about the resilience of the IT systems in the face of a possible cyberattack. That's really the question that we need to say. Unfortunately, we are operating in an environment where some level of cyberattack, whether an overt attack from a bad actor or even just the system's combination of users across the spectrum and anything else, causes an IT issue that brings systems down.
00:04:11:06 - 00:04:32:29
Ajay Gupta
We need to know how resilient we are in any and all of those systems. And the only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don't want that. So we have to do the next best thing: testing, preparation and practice. All of that is more and more important.
00:04:33:06 - 00:04:59:24
Ajay Gupta
That means having an incident response plan in place, which is not terribly unlike plans we may have - we likely have - in place for a natural disaster, or if there is an expected surge in trauma. We have plans in place for surge, and we need to have a cyber plan in place as well. This is a plan that lets everyone know what to do exactly during a cyber event, without any confusion or momentary disarray, because we know that can cause patient harm.
00:04:59:27 - 00:05:27:15
Ajay Gupta
Are our critical care workflows like medication administration, lab orders, and surgical schedules operational without digital systems? Do clinicians know how to access key information when digital systems go down? And do clinicians remember how to treat patients when they don't have access to all of the digital sources of information, like lab reports or film, that they typically use in the course of patient care?
00:05:27:18 - 00:05:29:20
Ajay Gupta
That's a big, big issue as well.
00:05:29:22 - 00:05:55:10
Sue Ellen Wagner
Well, relying on the digital world that we live in today is something that we're all used to. You had mentioned that, you know, most trustees won't have an idea of what a cyber security incident is until it actually happens to them. So preparing is really difficult. And I think that's something none of us want as board members. Can you explain to trustees the impact that that breach will have and what their role specifically should be?
00:05:55:10 - 00:06:01:21
Sue Ellen Wagner
Because management leadership has one role, the board has another. So can you just kind of describe that?
00:06:01:24 - 00:06:26:06
Ajay Gupta
It's important to remember that a breach is more than a tech failure. It is a system failure. It's a failure of our system and ability to deliver care. As such, trustees will have a specific role. A breach can paralyze care delivery, right? Shutting down systems, delaying surgeries, leaving clinicians without access to medical records. This means patients may not receive the care they need, the care they trust us to provide.
00:06:26:09 - 00:06:53:14
Ajay Gupta
It's important for trustees to know and understand that while the fault is not ours, the fault resides entirely with cyber criminals who perform the attack. But patients don't see the hackers. They see us. And so they see us as unable to provide the care they need when they need it. And this is a stain on our reputation. That is a critical thing for the boards and trustees to recognize.
00:06:53:16 - 00:07:15:12
Ajay Gupta
Breaches trigger reputational damage as well as regulatory damage and a financial fallout. For instance, health systems may face fines, according to the breach. The average cost of a cyber breach was reported at just under 10 million in 2024, as reported by IBM, which was less than 2023, when it was reported at 11 million. However, I don't think that we can plan for that trend to continue.
00:07:15:16 - 00:07:43:03
Ajay Gupta
Trustees have to lead from the front by ensuring the organization is prepared with strong cyber governance, risk management practices and a culture of preparedness in place. Our role is to ask strategic questions and ensure readiness, and that we are able to continue serving patients and to recover swiftly, regardless of the situation. We need to make sure that we have the experts ready to act on our behalf in a cyber attack.
00:07:43:10 - 00:07:57:12
Ajay Gupta
Technical experts who can respond to the technical details and dimensions of the attack, as well as legal and communication experts that can help us communicate and handle some of the regulatory and legal fallout that may follow a cyber attack.
00:07:57:14 - 00:08:17:22
Sue Ellen Wagner
So I hope our listeners never have to deal with a cyber incident. We obviously can't control whether that will happen or not. So I'm hoping that this is really helpful for folks. I think if they listen to it, they can actually start asking their leadership if they don't have a plan to develop a plan, or the board should know what the plan is and what their role is.
00:08:17:22 - 00:08:28:24
Sue Ellen Wagner
So Ajay, the last question, can you highlight some of the key takeaways for our listeners, some nuggets of information that they should just, you know, take away from this podcast to prepare themselves?
00:08:28:26 - 00:08:53:25
Ajay Gupta
Absolutely. One thing I want to mention, what you just said is that we can't control. That's true, we can't. We can't control the weather. Yet hospitals and health systems in a hurricane prone region certainly know to prepare for a hurricane, right? In that same sense, hospitals have to be prepared for this. Cybersecurity is a patient safety issue because, as I said, we use technology in everything we do in a hospital today almost,
00:08:53:28 - 00:09:14:19
Ajay Gupta
or it seems. If it's a patient safety issue, it's a governance issue and the trustees have to be involved. The impact is very real. Any event that can halt care and erode trust and cost millions of dollars has to be of great concern. Continuity demands preparation. Again, just like we practice our surge plans, we practice our hurricane plans.
00:09:14:25 - 00:09:35:06
Ajay Gupta
We have to develop and practice technical continuity plans from a cyber breach perspective. And trustees must lead. Our role is oversight, which means we have to ensure management has thought through all aspects from defense against attack, resilience in the face of attack and addressing the potential fallout after the attack.
00:09:35:09 - 00:09:55:29
Sue Ellen Wagner
So thank you, Ajay. In addition to this podcast, AHA Trustee Services does have a few resources to help boards prepare should a cyber incident occur. So trustees should visit trustees.aha.org to access the resources. Ajay, I want to thank you so much for sharing your expertise with us.
00:09:56:02 - 00:09:59:11
Ajay Gupta
Thank you, Sue Ellen. It's great to be here.
00:09:59:13 - 00:10:07:24
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.