John Riggi, AHA senior advisor for cybersecurity and risk (pictured above), sat down with AHA Today to share takeaways from a recent Senate Cybersecurity Caucus briefing on cybersecurity and health care. Criminal and nation-state cyber adversaries are adopting more sophisticated tactics, such as targeted ransomware attacks, which can shut down and encrypt both a hospital’s main information networks and its backup data, Riggi notes. This can directly impact public health and safety by forcing hospitals to cancel medical procedures and divert ambulances, while making it harder to restore care delivery operations without paying hackers to release the data.

Q: Why are data breaches a growing threat?  
A: We know criminal hackers target data-rich health records to engage in lucrative fraud schemes. We also know that adversarial nation states such as China, Russia, Iran and North Korea target medical records to identify and target individuals with access to sensitive data, such as classified information or intellectual property.  

Q: Why do cyber criminals target health care?
A: In comparison to other sectors, data from the health field often include a combination of data sets such as financial data and personally identifiable information, making health records more valuable to cyber thieves. Simply put, hackers target health care because these combined data sets make it easier for bad actors to monetize medical records – either through sale on the dark web or through lucrative fraud schemes such as false medical billing and identity theft.

Q: Are all health care data breaches attributable to hackers?
A: Not all breaches are attributable to hackers. Some breaches, such as those reported to the Health and Human Services Office of Civil Rights, are due to insider threats and accidental exposure of health records; for instance, if staff look at records they shouldn't or email [accidentally] unencrypted health records.

Q: What can hospitals and health systems do to protect patient records?
A: It is essential for hospitals and health systems to create a top-down culture where every member of the staff feels empowered and obliged to protect patients and data from cyber threats. The AHA encourages hospitals and health systems to prioritize cyber risks based on their potential to impact: 1) care delivery and patient safety; 2) security and privacy of patient and other sensitive data; and 3) business functions. It also is important to map and classify all data, systems, devices, endpoints and vendors, and implement tight controls around data storage and access, especially backup systems, to reduce the risk of compromised protected health information and the threat of ransomware.

Q: How can patients be more proactive and knowledgeable to protect their own health records?

A: Patients can do a few things to protect their health data. They should understand how and to whom they grant access to their medical records; read consent agreements carefully; and store their medical records in secure physical or electronic environments.
