AHA security leader sees ‘AI-fueled cyber arms race’

John Riggi, the American Hospital Association’s first national cybersecurity and risk advisor, has identified cyber threats for the AHA’s more than 5,000 members and helped many of them perform mission-critical tasks, such as disaster recovery and ransomware response, for the past five years.

Previously, he spent nearly three decades investigating and disrupting other criminal and national security threats at the FBI and CIA.

Riggi — who will deliver the opening keynote at the HIMSS Healthcare Cybersecurity Forum on September 7 — says he’s concerned lately about a “dramatic increase” in attacks on hospitals and healthcare systems.

“They mainly take two forms,” Riggi said. First, healthcare organizations face increasing risks from “major data theft attacks from foreign-based criminal organizations and hostile national spies seeking to steal patient information and medical research for their own purposes.”

But the attacks he’s most concerned about, which have “seen a very dramatic increase,” he said, are the powerful ransomware attacks that are crippling hospital computer networks and denying doctors access to much-needed patient information.

“Unfortunately, we have seen time and time again that these attacks disrupt and delay the delivery of care, which ultimately poses a very serious risk to patient safety, especially when we have these urgent cases of stroke and trauma and heart attack and ambulances transporting these patients are diverted.”

Cyber investments are catching up

The good news? After years of underfunding and foot-dragging, hospital boards appear to finally be recognizing the risks (financial, reputational and, crucially, to patient safety) of these attacks. And they’ve started spending money on security at a level commensurate with the threat.

“It has become crystal clear to hospital leaders on the boards, at least those I speak to, that cyber risk is truly an enterprise risk problem,” Riggi said. “It has consequences for every function in the organization. But most importantly, it is a risk to patient safety.

“Every CEO I talk to considers cyber risk as their number one or two risk issue,” he said. “And they’re definitely trying to strengthen their defenses by adding more cyber budget, by adding more technology and by really trying to mature their cybersecurity programs in general.”

Labor shortages, AI threats

But there is also bad news. There are a number of challenging workforce factors that hinder hospitals’ ability to deploy sufficient staff to manage cyber risk. And the attacks are becoming more sophisticated by the day – especially with the help of rapidly evolving artificial intelligence.

“There is a dramatic shortage of trained cybersecurity professionals and unfortunately we are all competing for that same limited pool across all private sectors of government,” Riggi said. “The AHA is working with all of our partners, including HIMSS and the federal government, to try to come up with some very unique creative solutions to fill that gap, that shortage of cyber professionals.”

Hospitals think creatively about the challenge.

“Some of the things we’ve talked about include better internal staff training,” he said. “Can we train people we already have on board to become cybersecurity professionals? Maybe it’s an IT person or someone with a technology interest.”

More programmatically, there is potential in national programs that “could help retrain veterans, for example, or educational incentives for universities to develop cybersecurity and then potentially loan repayment programs for those studying in cybersecurity.”

One idea Riggi would like to see explored is creating a program where “those who volunteer to serve at a rural hospital might have their student loans forgiven after serving at least three years, kind of like we do with the army people and others in critical roles and professions.” Because the stakes are high, and in today’s threat environment, hospitals need all hands on deck.

AI can be a very useful tool for detecting and responding to incidents and other cyber liabilities, but the bad guys are getting pretty good at it too.

“Artificial intelligence, in my opinion, has created the beginning of an AI-powered cyber arms race,” Riggi said. “So we have the bad guys using AI to develop very complex malware that can quickly identify vulnerabilities and penetrate networks. They use malware to develop highly convincing phishing emails that can contain malicious links or attachments and be accompanied by deep fake audio or video from someone they trust.

“But at the same time, the good guys, the cyber defenders, the network defenders and the governments of our allied countries are using AI to detect these advanced threats and put in place controls to help block these threats,” he added. “So there is currently a huge investment and focus on the offensive and defensive use of AI – by the good guys and the bad guys.”

There’s no doubt about it: “the threat vector has increased quite significantly,” said Riggi, who said the AHA is working hard to help boards and senior leadership understand the impact of cyber threats.

“Frankly, on the technical side, we’re often not good at translating how digital risks translate into strategic risks and enterprise risks for the organization – and ultimately how that vulnerability translates into patient safety risks, financial risks, legal and regulatory risks, and reputational damage.”

The AHA is also working with agencies across government to build and strengthen response capabilities to address the scale of the threat.

“We have policy commitments and action across the federal government to consider cyber threats as threats to national security, as threats to public health and safety,” Riggi said. “And I can tell you personally that, from my experience dealing with the leadership of the FBI, CISA, HHS and the White House, everyone is committed to sharing information within the government and with the private sector.”

The government now considers cyberattacks, “which broadly threaten public health and safety,” to be a terrorist attack, he said. “We at the AHA have been publicly advocating for that policy for a number of years. Based on my background – a lot of it was counter-terrorism – I see a lot of parallels here between the current cyber threat environment and the terrorism problem we were dealing with.”

High-impact ransomware attacks are not just “economic crimes, white-collar crimes or victimless crimes, they are truly life-threatening crimes,” Riggi says.

“When these attacks disrupt and delay healthcare, especially in urgent cases, lives are threatened – not just patients in hospital, but public health and safety are threatened as well. These attacks also endanger the entire community, which depends on the emergency department and hospital being available to be there for them.”

Riggi’s opening address, ‘The Global Cyber Threat Landscape: Healthcare Risk, Impact and Response’, is scheduled for Thursday, September 7 at 8:40 a.m. at the HIMSS Healthcare Cybersecurity Forum in Boston.

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.