John Riggi on how hospitals can reduce cyber risks

Sep 04, 2019 - 08:46 AM
webbanner-riggi-900x400

John Riggi, AHA senior advisor for cybersecurity and risk (pictured above), sat down with AHA Today to share takeaways from a recent Senate Cybersecurity Caucus briefing on cybersecurity and health care. Criminal and nation state cyber adversaries are adopting more sophisticated tactics, such as targeted ransomwareattacks, which can shut down and encrypt both a hospital’s main information networks and its backup data, Riggi notes. This can directly impact public health and safety by forcing hospitals to cancel medical procedures and divert ambulances, while making it harder to restore care delivery operations without paying hackers to release the data. 

Q: Why are data breaches a growing threat?  
A: We know criminal hackers target data-rich health records to engage in lucrative fraud schemes. We also know that adversarial nation states such as China, Russia, Iran and North Korea target medical records to identify and target individuals with access to sensitive data, such as classified information or intellectual property.  

Q: Why do cyber criminals target health care?
A: In comparison to other sectors, data from the health field often include a combination of data sets such as financial data and personally identifiable information, making health records more valuable to cyber thieves. Simply put, hackers target health care because these combined data sets make it is easier for bad actors to monetize medical records – either through sale on the dark web or through lucrative fraud schemes such as false medical billing and identity theft.  

Q: Are all health care data breaches attributable to hackers?
A:  Not all breaches are attributable to hackers. Some breaches, such as those reported to the Health and Human Services Office of Civil Rights, are due to insider threats and accidental exposure of health records; for instance, if staff look at records they shouldn't or email [accidentally] unencrypted health records. 

Q: What can hospitals and health systems do to protect patient records?
A: It is essential for hospitals and health systems to create a top-down culture where every member of the staff feels empowered and obliged to protect patients and data from cyber threats. The AHA encourages hospitals and health systems to prioritize cyber risks based on their potential to impact: 1) care delivery and patient safety; 2) security and privacy of patient and other sensitive data; and 3) business functions. It also is important to map and classify all data, systems, devices, endpoints and vendors, and implement tight controls around data storage and access, especially backup systems, to reduce the risk of compromised protected health information and the threat of ransomware.

Q: How can patients be more proactive and knowledgeable to protect their own health records?

A: Patients can do a few things to protect their health data. They should understand how and to whom they grant access to their medical records; read consent agreements carefully; and store their medical records in secure physical or electronic environments.

Related News Articles

Headline
ARPA-H launches new program to enhance, automate cybersecurity for health care facilities 
The Department of Health and Human Services' Advanced Research Projects Agency for Health May 20 announced the launch of a $50 million cybersecurity program…
Headline
Agencies issue guidance on mitigating cyberthreats with limited resources 
The Cybersecurity and Infrastructure Security Agency along with international agencies May 14 released guidance for high-risk nonprofit and other resource-…
Headline
Report: Delayed or missing payments increased for hospitals in first quarter
Hospitals and health systems nationwide saw a sizable increase in delayed or missing payments in first quarter 2024, according to a report released May 10 by…
Headline
Agencies warn of accelerating attacks on health care by Black Basta ransomware group
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information…
Headline
DOJ charges Russian national with developing, operating LockBit ransomware
The Department of Justice May 7 announced more than two dozen criminal charges against Dimitry Yuryevich Khoroshev, 31, of Voronezh, Russia, for his alleged…
Headline
AHA, other hospital groups urge UHG to formalize breach notification plans following Change Healthcare cyberattack 
The AHA and other national hospital groups May 8 sent a letter to UnitedHealth Group, urging the organization to formally accept responsibility for issuing…