The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care

00;00;01;02 - 00;00;28;12
Tom Haederle
Welcome to Advancing Health. An effective cyber attack against a large hospital, especially a ransomware attack, often has a cascading effect on nearby hospitals as well, who may depend on the operational readiness of their bigger brethren. Experts call it a regional blast radius, and in this podcast, we learn how the Texas Hospital Association has stepped up with its members to meet that challenge.

00;00;28;15 - 00;01;01;01
John Riggi
Hello, everyone. Welcome to Advancing Health. This is John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. I am so pleased and privileged to be here with my good friend and colleague, Fernando Martinez. Fernando is the Texas Hospital Association's chief digital officer. Fernando is also a former hospital CIO and chief information security officer. He's a certified IT security professional and a professional educator who's worked with some of the largest health care systems in the country.

00;01;01;04 - 00;01;19;17
John Riggi
Fernando has been with the Texas Hospital Association for over 11 years, and he's been an adjunct professor at Florida International University College of Business for over 15 years. Fernando, as I mentioned, so great to have you here, be on this podcast with me and talk about a great partnership.

00;01;19;20 - 00;01;21;00
Fernando Martinez, Ph.D.
Thank you John. My pleasure.

00;01;21;03 - 00;02;03;16
John Riggi
We've worked so closely with the Texas Hospital Association over the years with doing workshops, regional tabletop exercises and other educational events. And as we often discuss and as you've heard me say many, many times, cyber risk is an enterprise risk issue. But first and foremost, it is a risk to patient care and patient safety. We emphasize that hospitals should prepare for clinical continuity to mitigate the impact of a cyber outage, but also to understand what the regional impact would be to care delivery and the disruption to care delivery if a particular hospital is struck with a ransomware attack.

00;02;03;19 - 00;02;23;21
John Riggi
So our joint events focused on regional cyber incident response scenarios, just as we would all prepare for a regional physical disaster. From your perspective, how does this partnership enhance hospital resilience and patient safety across Texas?

00;02;23;24 - 00;02;55;20
Fernando Martinez, Ph.D.
Well, I have to tell you, I recall the first time that I heard you use the phrase "regional blast radius" I think this is the way you refer to it. And I thought to myself, well, you know, much of what we're doing to help our member hospitals prepare is really focused on individual hospital performance and intra-hospital performance, but really not something looking at the true operational impact to hospitals that would result as a result of a cyber incident.

00;02;55;22 - 00;03;24;12
Fernando Martinez, Ph.D.
And it's such an appropriate way to look at it, even more importantly than an individual hospital being prepared for incident response. It's really important to consider the impact that a hospital would have to endure, should they be the ones that are impacted or should any of the adjacent or in the same catchment area of patient care hospitals be affected the same way.

00;03;24;12 - 00;03;48;08
Fernando Martinez, Ph.D.
So they could be the source of the disruption and they could be the downstream recipients of the disruption. So the whole approach is quite brilliant, and I'm glad that we've been able to take that model to our hospitals in Texas. This is especially true because Texas has a lot of areas that are generally referred to as white space.

00;03;48;10 - 00;03;57;27
Fernando Martinez, Ph.D.
You'll have one level two or level one trauma hospital and ten, 12, or 15 smaller hospitals dependent on it.

00;03;58;00 - 00;04;30;03
John Riggi
Appreciate that, Fernando. And yes, unfortunately we have learned from the hundreds, hundreds of cyber attacks, but particularly the ransomware attacks, which caused victim organizations to disconnect from the internet and shut down their networks, ultimately resulting in, yes, as you indicated this is what we call ransomware blast radius. Victim is hit, but then there are cascading shockwaves throughout the entire region as patients and ambulances are diverted to surrounding hospitals.

00;04;30;06 - 00;05;00;02
John Riggi
And again, some of these surrounding hospitals, as you said, depend on the availability of the technology, whether it's the electronic medical record or linear accelerators that deliver radiation oncology of that victim organization. And with your help, we came to understand that, you know, we don't really need to develop a whole new series and set of rules and structure to develop cyber incident response plans on a regional basis.

00;05;00;02 - 00;05;25;19
John Riggi
They already exist to a certain extent. And, Fernando, your example of that white space. Unfortunately, we've had a couple of major ransomware attacks against level one trauma centers in Texas within in the past year. And I recall speaking to the CEOs and saying they were very concerned, saying, John, the next nearest level one trauma center is 400 miles from here.

00;05;25;21 - 00;05;46;29
John Riggi
So really placing not only just the patients, but entire communities at risk, really becoming a state issue as well. In Texas, again, very forward leaning on a lot of cyber issues and best practices. I understand Texas has established a cyber command. What does that entail and how does it support hospitals?

00;05;47;01 - 00;06;25;20
Fernando Martinez, Ph.D.
The Cyber Command was established in Texas, very forward looking position that the state of Texas government took, which is to build a consolidated  - at a state level - a consolidated threat intelligence, cyber readiness incident response organization that would support all of the government activities of the State of Texas. Texas has always had a cyber response organization but it's been part of the larger Texas Department of Information Resources organization.

00;06;25;22 - 00;06;59;05
Fernando Martinez, Ph.D.
What this piece of legislation, which was signed into law by the governor in June of this year as a result of the legislative session - House Bill 150...What they did is they appropriated, and this is all public domain information, they appropriated $135 million and took the cyber resources that are spread across several organizations, including Texas DIR, consolidated them into one cyber command for the state of Texas.

00;06;59;05 - 00;07;35;04
Fernando Martinez, Ph.D.
And so the idea here is to provide a baseline for cyber preparedness, for cyber threat analysis and threat intelligence and incident response. And then in doing so establish policy standards. That body is actually empowered with rulemaking. The chief is appointed by the governor. So it's a very forward thinking governance architecture and structure around cyber. Although it's initially the scope of command is limited to state government.

00;07;35;06 - 00;08;10;00
Fernando Martinez, Ph.D.
It does incorporate services that can be used in public sector education, higher ed in particular, but also public sector education and other public sector organizations like municipalities, city governments, down to and extending to critical infrastructure vertical departments that might be water power, a number of other sectors. So very forward leaning, forward thinking steps being taken to approach this at a state level.

00;08;10;02 - 00;08;36;25
John Riggi
Really a model for all states. And again, Texas being leader in this area. So Texas and through the Texas Hospital Association is leading in other ways, and with our work at the American Hospital Association we have joined forces with you to develop these regional tabletop exercises. Fernando, from your perspective, could you tell us what these regional tabletop exercises look like?

00;08;36;27 - 00;09;04;24
Fernando Martinez, Ph.D.
Sure. So the idea that you take a regional hospital, a level two, level one, trauma hospital that has a community relationship with ten, 12 or 15 smaller critical access or rural hospitals. We converge them. We bring them together into a day long activity, where is the primary dependency being the level two or the level one trauma center

00;09;04;26 - 00;09;41;07
Fernando Martinez, Ph.D.
suffers an incident, a cyber incident of some sort that interrupts the service that these downstream hospitals need that are required for life safety care to patients in their communities. And these are primarily non-IT executives that are brought together, operational clinical operations, hospital operations, emergency preparedness. By bringing those individuals from all the different hospitals together, they have an opportunity to flesh out the circumstances that they might have to confront.

00;09;41;09 - 00;10;07;27
Fernando Martinez, Ph.D.
You mentioned earlier, the fact that if a level two or a level one trauma center goes down, now you're talking about potentially transporting patients instead of transporting them 45 minutes, 30 minutes or an hour away. Now you've he's looking at 2 or 3 hours, which in the cases that that would have catastrophic consequences in terms of patient outcomes and clinical care and clinical safety.

00;10;08;00 - 00;10;32;11
Fernando Martinez, Ph.D.
They have been very effective in bringing those individuals together to talk about how it is that they would work together. What are the alternatives? How would they address incident response? How would they leverage each other's resources? As simple as how would they communicate with each other? That's proven to be very effective. The exercise we did last year was remarkable

00;10;32;13 - 00;11;04;09
Fernando Martinez, Ph.D.
inasmuch as there actually was two days before the exercise, there actually was a level one trauma center hospital upstream that went down and affected the actual host hospital that was in fact upstream from the small hospital. So we know that the threat is real. And we know that this is a very effective way to bring many hospital executives together to consider obstacles that they would not necessarily contend with during their traditional

00;11;04;15 - 00;11;09;19
Fernando Martinez, Ph.D.
standalone emergency preparedness exercise. Brilliant approach on the part of AHA.

00;11;09;21 - 00;11;32;14
John Riggi
Thank you for that, Fernando, truly a great partnership with THA. And you know, when we did that exercise, many thought that the exercise and the news of the ransomware attack upstream was all somehow connected. Very unfortunate coincidence that it happened at that time. But talk about a sense of realism to really conduct an exercise during the heat of battle

00;11;32;14 - 00;11;49;03
John Riggi
in a sense. What do you think, Fernando? Again, having been there now for several of these exercises, helping me moderate these, what do you think some of the key lessons learned are from these exercise? And how do you think these exercise build trust and coordination across the attendees?

00;11;49;05 - 00;12;17;22
Fernando Martinez, Ph.D.
Well, first of all, communication was the key takeaway. A lot of the hospital executives, from a risk averse point of view, a lot of the hospital executives look at cyber incidents as something that they don't want to communicate to anyone else for a variety of reasons, many of them prompted by being legally discreet and not disclosing information that might jeopardize the organization.

00;12;17;24 - 00;12;56;09
Fernando Martinez, Ph.D.
Unfortunately, when you look at emergency preparedness, other types of emergency response circumstances, whether it's mass casualty or acts of nature, the communication protocols were all there so that organizations can notify each other. But where cyber incidents are concerned, something as simple as just communicating indicators of compromise, right? Techniques and tactics. Those are bits of information that would help downstream organizations potentially identify if there was a threat that was being directed at them, so that they would avoid the same set of circumstances.

00;12;56;12 - 00;13;30;08
Fernando Martinez, Ph.D.
And that's not there. So one of the big takeaways was hospitals need to develop these communication pathways that will allow them to share a small amount of information, just sufficient information without disclosing more detail than they need, disclosing the fact that there is an incident underway, that there are some of the indicators of compromise are XYZ, so that the adjacent hospitals have the opportunity to prepare to look for and potentially avoid being victims.

00;13;30;10 - 00;13;42;26
Fernando Martinez, Ph.D.
I can assure you that the bad guys are sharing information the moment that they exploit one organization, then they know regionally that they can go to other organizations with similar success.

00;13;42;29 - 00;14;18;09
John Riggi
Communication, within the organization with their peer organizations in region, with the federal government, with the state. Really crucial during these exercise, although there is this tension between trying to preserve confidentiality, risk of civil liability and potential regulatory liability, all these factors tend to shape an organization's outlook. But with education they understand they can mitigate all those risks and develop these trusted relationships which will not expose them to legal and regulatory risk,

00;14;18;09 - 00;14;45;07
John Riggi
again, if they have these preexisting relationships in agreements in place. Fernando, I view the work being done at the Texas Hospital Association quite frankly as a model for other states. And I just want to let you know I value your partnership and your capabilities and all that you do, not only for all the hospitals in the state of Texas, how you've been contributing on the national level as well, helping me, helping AHA to do our job for national benefit.

00;14;45;10 - 00;15;03;28
John Riggi
So thank you again, Fernando, your partnership, your friendship and all that you do. And thanks to all our listeners for all that you do every day to defend networks, care for patients and serve your communities. This has been John Riggi, your National Advisor for Cybersecurity and Risk.

00;15;04;00 - 00;15;12;11
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and write us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.