Protecting Care Delivery from Cyber Disruption

At the recent HIMSS cybersecurity briefing, Celerium CISO Vince Crisler convened AHA National Advisor for Cybersecurity and Risk John Riggi and Pecos, Texas-based Reeves Regional Health CIO John Gresham for a candid, eye‑opening discussion on the escalating cyber threats facing health care. Their message was unmistakable: Cybersecurity is no longer just an IT concern — it is an imperative for patient safety, business continuity and clinical continuity.

One of the most striking insights was the scale and persistence of data theft across the health care sector. Riggi emphasized that cyberattacks are not abstract risks, but daily realities driven by sophisticated global adversaries. As he noted, “Bad guys . . . continue to penetrate our networks to steal and monetize data.”

He highlighted that more than 80% of stolen health care data now comes from third‑party vendors, not hospitals themselves — a reminder that the attack surface extends far beyond the four walls of any facility.

Ransomware is the top patient‑safety threat.

The most urgent threat, according to Riggi, is ransomware. He warned that these attacks have the potential to cause direct physical harm by disrupting care delivery.

“Any type of attack that results in delay or disruption to health care delivery automatically increases the risk . . . especially in urgent cases,” he explained.

He referenced real‑world examples where ransomware delayed cancer treatments and critical surgeries, illustrating how cyber incidents can ripple into life‑altering outcomes.

Takeaway

Nation‑state actors and criminal groups are increasingly targeting hospitals with attacks that disrupt and delay patient care, posing a real risk to patient safety. Leaders must treat ransomware not as an IT problem but as a clinical risk with the potential to cause harm.

Third‑party risk is now the largest source of data exposure.

Another major theme centered on the hidden risks buried within everyday vendor relationships. During the discussion, Crisler pressed Gresham on the most urgent cybersecurity concerns facing his IT team.

Gresham, who leads IT for a 25‑bed critical access hospital in rural Texas, pointed directly to third‑party vendors as one of his greatest vulnerabilities. His team of six manages hundreds of vendor connections. They need tools that provide simple, actionable visibility into traffic, vendor connections and anomalies, because blind spots (like HVAC systems or offshore data flows) can create major vulnerabilities.

He explained that when Reeves Regional Health deployed Celerium, the team immediately uncovered an unexpected and potentially risky connection.

“One of the first things we discovered was a connection with our HVAC system we had no idea about,” he said.

The tool revealed active traffic flowing through that system, prompting the team to quickly shut it down. For Gresham, the moment was a wake‑up call. As he put it, “Something as simple as our air conditioner could be a huge vulnerability for the organization.”

Takeaway

Vendor ecosystems, cloud platforms, medical device companies and billing partners represent the biggest attack surface. As a result, leaders need formal, multidisciplinary third‑party risk management programs.

Cybersecurity requires full organizational buy-in.

Riggi urged organizations to adopt multidisciplinary governance, asking foundational questions before adopting any new technology: “Why do you need this? What data will it require access to? What are the network connections?”

He also emphasized the need to map where data actually resides, noting that “90% of the data is not stolen from the electronic medical record… it is stolen from other servers, medical devices and third parties.”

Takeaway

Gresham notes, “No cybersecurity program is going to succeed… unless you have buy‑in at every level: your board, your C‑suite, the clinical team.” Cyber risk is an enterprise risk, not an IT silo. Leadership culture determines resilience.

Clinical continuity planning is as important as business continuity.

Riggi encouraged hospitals to prepare for extended outages, asking teams to answer three deceptively simple questions: “If we lose the Internet or the network goes down, what will work, what won’t work, and what’s the plan?”

Gresham echoed this, urging organizations to treat downtime planning like muscle memory: “Your staff has to be prepared . . . it needs to become part of your daily practice.”

Takeaway

Hospitals must be able to deliver care even when systems fail: “How will we treat the patient without the availability of the technology?” Leaders should ensure downtime procedures are practiced, realistic and focused on life‑saving and life‑sustaining services first.

Cybersecurity is inseparable from patient care. Preparedness, visibility and collaboration are no longer optional; they are the foundation of safe, resilient health care.

To support its members, the AHA established the Preferred Cybersecurity & Risk Provider Program to identify trusted, vetted partners that can help hospitals and health systems safeguard patients and maintain operations amid cyber and physical threats.