Hackers are after hospitals’ and health systems’ information security systems and data like never before. And John Riggi, AHA’s senior adviser for cybersecurity and risk, is here to help protect them. Riggi joined the AHA in February after a stint as a cybersecurity consultant and nearly three decades at the FBI. In the past eight months, he’s conducted educational seminars, traveled to various hospitals and health systems to help health care leaders safeguard their protocols, and testified on Capitol Hill to remind Congress about how dedicated the field is to maintaining the latest security protocols.
In a recent conversation with AHA News, Riggi talked about his background, including his nearly three decades with the FBI; what the changing landscape of cyber threats mean for patients and health care CEOs; and how he can help AHA members on this important issue.
As told to Genevieve Diesing
On being a resource for AHA members
I’m available to provide strategic advisory services to help improve hospitals’ and health systems’ existing information security programs. If a hospital has a major cyber incident and they need an outside perspective or help navigating that incident with the government, I am available and willing to provide my perspective. I can provide educational resources to hospitals and health systems as well.
Because of the growing risk presented by cyber threats, the AHA has designated cybersecurity as one of the key issues to be addressed for members through the recently launched AHA Center for Health Innovation. We will be focusing on new educational tools, resources and services designed to help our member hospitals and health systems defend against this significant challenge. (For more, visit www.aha.org/center.)
On what he’s been up to since joining the AHA
I have been working with hospitals and health systems of all different sizes and scopes, ranging from some of the largest health systems to small, rural hospitals. During on-site engagements, I have had the opportunity to educate and create awareness about cybersecurity through strategic presentations to CEOs and other executive leaders. I have briefed leaders on the cyber threat landscape, offered suggestions on how to improve their information security programs, and create awareness of their potential vulnerabilities.
I visited a major health system that was conducting a lot of medical research with very little protection or controls around it. Once they realized that bad actors, specifically nation states, could potentially target them not just for protected health information but for intellectual property and research, they decided to make some immediate changes. Intellectual property and research can be more valuable to the adversary than protected health information.
We spent two days with them onsite and conducted an in-depth review. As a result, they plan to make significant changes to their cybersecurity program, including incorporating cybersecurity into an overall enterprise risk-management program.
Based on our assessment, they are going to revisit their strategy on defending their intellectual property, enhancing their incident response plan to include ransomware scenarios and testing of backups, as well as understanding which life-critical medical devices they have on their networks and how they may be susceptible to cyber-attacks.
We are finding that even if a hospital or health system has a strong cybersecurity plan and culture in place, they benefit from having some outside validation and perspective. Through my role at the AHA, I am helping leaders see beyond the daily technical defenses – like blocking phishing emails – to help them think more strategically about potential cyber adversaries and risks.
This helps health care leaders take a strategic and holistic view of their information security programs and focus on issues beyond protected health information. It also gets leaders to think about what other sensitive data sets they may hold that might encourage nation states to target them.
On testifying on the Hill about cybersecurity this summer
In July, I spent two days briefing congressional staff on cybersecurity threats facing the health care sector and shared how hospitals and health systems are responding. That same week, I testified on this issue and others before the House Committee on Oversight and Government Reform Subcommittee on Intergovernmental Affairs. Helping hospitals and health systems defend against the many cyber threats they face is definitely a bipartisan issue.
On the top action a health care CEO can take to protect his or her organization from cyber threats
CEOs should focus on what they do best: leading organizations. They should lead by example in developing and fostering a culture of cybersecurity. This culture should take a top-down approach that permeates the entire organization. Everyone needs to understand his or her roles and responsibilities for defending the organization against cyber threats.
On navigating patients’ increased access to their data
Patients having access to their own health records is a positive thing. It certainly helps improve outcomes and makes them specifically aware of the treatment that they are receiving. But with that increased access comes increased responsibilities. Today, patients have the individual responsibility to protect their data and they must become aware of how they are downloading that information, how they are storing it, and how they are transmitting it. They have to be aware that a file they are downloading should be done in a secure fashion, with secure storage and secure transmission. Provider education and awareness about the proper cybersecurity protocols helps ensure the safe delivery of care for their patients and communities.
On the national scope of cyber threats
My experience with the FBI, especially in the cyber division, gave me great insight into what cyber threats health care and hospitals in particular face, who the adversaries are, and what data they are after. I gained very specific insight on the tactics, techniques, and procedures those adversaries are using to break into networks and steal data, as well as the most useful defenses against these types of crooks.
We can generally group [these adversaries] into three broad categories: the activist types, criminal cyber adversaries and the national security sponsor. With activist types, we have to decide: Are they generally ideologically or politically motivated? Are they targeting organizations based on the type of research that they are doing, positions that they have taken, or even patients that they are treating? This could be the case if the hospital is treating a potentially controversial domestic or foreign political figure.
Then there are the criminal cyber adversaries, which are broken down into two general categories: insiders and outsiders. Insiders are employees, and we know that health care is the only field where the insiders are responsible for the majority of breaches. However, there is a nuance to that. Not all those insider threats are malicious acts; they can be due to employee errors. For instance, emailing patient records that are unencrypted or a laptop being stolen or lost.
Lastly, there are the foreign-based, international criminal organizations that are attempting to break into networks and steal data – whether it's health data, payment information or intellectual property – and monetize it. There are also the nation-state threats such as Russia, China, Iran or North Korea, who may attempt to access health care networks and other critical infrastructure to advance their national interests, and to steal data. This can range from intellectual property or health care records on government, military, intelligence personnel or politicians. In the worst-case scenario, they insert malware for potential future offensive operations.
From the FBI to the AHA
I was very fortunate that I knew I wanted to be an FBI agent by the age of 12. That helped me focus on staying out of trouble, working hard at school and gearing my higher education toward law enforcement and criminal justice. I was very, very fortunate and blessed then to have the opportunity to join the FBI.
I grew up in a very blue-collar city north of Boston filled with hardworking folks, but I was exposed to a lot of crime there. I also got to see firsthand both sides of the law. I knew that I wanted to be in law enforcement and then ultimately realized that I wanted to do something at a national level.
I was at the FBI for 28 years. Afterwards, I worked with a major consulting firm running their cyber security and financial crimes practice. I have had an ongoing and productive relationship with the AHA for several years, spanning back to when I was at the FBI leading the national cyber outreach program. The AHA really brings me closer to public service. It would be my privilege to help those who help others. I say it all the time, but I genuinely mean it.
On his proudest accomplishment
No one person in the FBI, CIA or any national security organization does anything of significance on their own. I was very fortunate to be part of a great team of dedicated patriots and to have participated in the direct interruption of terrorist activities and the capture of terrorists overseas and the prevention of a major cyber-attack that targeted our critical infrastructure.
His life outside the AHA
I don't have any fun. Just kidding. I like to spend time with my family, exercise and do lots of things outdoors. I also like photography and traveling.