John Riggi on how hospitals can reduce cyber risks

Sep 04, 2019 - 08:46 AM
webbanner-riggi-900x400

John Riggi, AHA senior advisor for cybersecurity and risk (pictured above), sat down with AHA Today to share takeaways from a recent Senate Cybersecurity Caucus briefing on cybersecurity and health care. Criminal and nation state cyber adversaries are adopting more sophisticated tactics, such as targeted ransomwareattacks, which can shut down and encrypt both a hospital’s main information networks and its backup data, Riggi notes. This can directly impact public health and safety by forcing hospitals to cancel medical procedures and divert ambulances, while making it harder to restore care delivery operations without paying hackers to release the data. 

Q: Why are data breaches a growing threat?  
A: We know criminal hackers target data-rich health records to engage in lucrative fraud schemes. We also know that adversarial nation states such as China, Russia, Iran and North Korea target medical records to identify and target individuals with access to sensitive data, such as classified information or intellectual property.  

Q: Why do cyber criminals target health care?
A: In comparison to other sectors, data from the health field often include a combination of data sets such as financial data and personally identifiable information, making health records more valuable to cyber thieves. Simply put, hackers target health care because these combined data sets make it is easier for bad actors to monetize medical records – either through sale on the dark web or through lucrative fraud schemes such as false medical billing and identity theft.  

Q: Are all health care data breaches attributable to hackers?
A:  Not all breaches are attributable to hackers. Some breaches, such as those reported to the Health and Human Services Office of Civil Rights, are due to insider threats and accidental exposure of health records; for instance, if staff look at records they shouldn't or email [accidentally] unencrypted health records. 

Q: What can hospitals and health systems do to protect patient records?
A: It is essential for hospitals and health systems to create a top-down culture where every member of the staff feels empowered and obliged to protect patients and data from cyber threats. The AHA encourages hospitals and health systems to prioritize cyber risks based on their potential to impact: 1) care delivery and patient safety; 2) security and privacy of patient and other sensitive data; and 3) business functions. It also is important to map and classify all data, systems, devices, endpoints and vendors, and implement tight controls around data storage and access, especially backup systems, to reduce the risk of compromised protected health information and the threat of ransomware.

Q: How can patients be more proactive and knowledgeable to protect their own health records?

A: Patients can do a few things to protect their health data. They should understand how and to whom they grant access to their medical records; read consent agreements carefully; and store their medical records in secure physical or electronic environments.

Related News Articles

Headline
CISA extends comment period for proposed rule on cyber incident reporting
The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber…
Headline
White House releases critical infrastructure memo empowering CISA to strengthen health care security 
The Biden Administration April 30 released a memo announcing updated critical infrastructure protection requirements, which include the Cybersecurity &…
Headline
Agencies issue cyber advisory on North Korean spear phishing efforts 
The FBI, State Department and National Security Agency issued a warning about attempts by North Korean state-sponsored cyberthreat actors to exploit improperly…
Headline
Lawmakers grill UHG CEO at hearings following Change Healthcare cyberattack
Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare —…
Headline
AHA advertorial: Is UnitedHealth Group ‘Too Big To Fail’? 
“If you are asking yourself how a cyberattack on a single company could cause such massive damage, you are asking the right question,” an AHA advertorial in…
Headline
AHA provides update to Senate, House committee leaders ahead of hearings on fallout from Change Healthcare cyberattack 
The AHA April 29 provided the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations an update regarding…