This audio is auto-generated. Please let us know if you have feedback.
Cyberattacks on hospitals can have devastating consequences for patient safety, access to care and critical operations — but the risks don’t stop at the targeted facility’s front door.
Nearby hospitals could see an influx of patients if an attacked provider needs to divert emergency patients. And with the number of cyberattacks against the healthcare sector rising, organizations need to plan on how they’ll operate amid an attack — and work with nearby facilities, cybersecurity leaders at the American Hospital Association said. [Are there any stories they told about lack of preparation regionally that could be an intro instead? That shows what you’re saying here in a story versus just saying it to help draw readers in? EO: They didn’t discuss any specific hospital cyberattacks.]
Helping hospitals with regional planning will be one task for Scott Gee, deputy national advisor for cybersecurity and risk at the AHA, who joined the organization last month. Gee and John Riggi, the association’s national advisor for cybersecurity and risk, joined Healthcare Dive to discuss Gee’s new role and what he’s learned from his previous jobs at Microsoft and the U.S. Secret Service.
This interview has been edited for clarity and length.
Permission granted by American Hospital Association
HEALTHCARE DIVE: What motivated the decision to bring you on as a deputy national advisor for cybersecurity and risk?
SCOTT GEE: John has built a fantastic practice for cybersecurity here at the AHA, and has helped untold numbers of hospitals and patients and clinicians and other folks through some pretty serious cybersecurity issues. From Change Healthcare to, most recently, the CrowdStrike issue, hospitals turn to AHA as an expert voice in terms of cybersecurity. I don’t know how he’s done this by himself for as long as he has. Even with me on board, there’s a lot to do.
What are some of the things that you plan to focus on in your new role?
JOHN RIGGI: One of the things that I’ve asked Scott to help me with is really understanding how we can help members prepare against the most significant, high impact cyberattacks we face, particularly ransomware attacks.
We are very, very focused on not only understanding how the bad guys are penetrating our networks — helping defend as we always have — but now we need to be prepared for resiliency in the face of an attack. Unfortunately, we’ve learned, as you’ve seen, no organization can 100% defend against these attacks.
So Scott’s going to be helping us prepare members for high impact ransomware attacks individually, but also on a regional basis. We’re starting to help develop protocols for regional cyber incident response planning and training. But bottom line, we’ll be focusing on those things that most directly impact patient care and patient safety.
GEE: And things that impact clinical continuity, right? The ability of clinicians to treat patients and deliver healthcare. One of the things that interests me, particularly from my background, is the physical effects, the physical impacts of a cyberattack.
When hospitals face a cyberattack that disables their networks, they could lose the ability to control door locks, control humidity, control lighting. All of these things have a direct impact on patient care and care delivery. And people don’t realize quite often how connected they are, right? So they don’t realize that if they lose the network, they may lose control of the lighting in the building or the HVAC climate control. So it’s expanding that part of the awareness of cybersecurity through these regional exercises, like John was talking about, that’s what I’m looking forward to.
When you say regional exercises, do you mean preparing other hospitals in the community? If one goes down, will the others be impacted as well?
GEE: It impacts everybody. If one hospital goes onto ambulance diversion because they’ve lost their clinical systems or diagnostic systems or whatever it is, the hospitals around them are absorbing that additional traffic.
[Hospitals] all have great plans for earthquakes, hurricanes, snowstorms, whatever sort of natural disaster would affect their region, but they haven’t necessarily thought through the cyber portion of that. A cyberattack can take a hospital offline just as much, just as quickly as the blizzard. And it’s harder to recover from a cyberattack, arguably.
You previously worked at Microsoft and the U.S. Secret Service. What did you take from those positions that you want to apply here at the AHA?
GEE: At Microsoft, I was directly involved in incident response and incident management and having playbooks set up for an incident before it happens. Not trying to figure it out on the fly is critical.
It was illuminating to me to see all of the machinery that goes into a good detection platform and a good cyber defense. You have to have logging. You have to maintain that logging for an adequate period of time to thoroughly investigate an attack that may have been going on for months before you knew about it. You have to have alerting systems. You have to have response plans for when an alert fires. Obviously, I understood that prior to going to Microsoft, but it was the day-to-day granularity and detail involved that was a learning experience. And I think that’s something I can help explain to members and help them understand the importance.
From the Secret Service, I dealt with international ransomware gangs and all sorts of other nefarious folks, and that’s who we’ll be dealing with in these cases. The targets have changed, the motivation may have changed, but at the end of the day, the ransomware gangs are the same.
Rebecca Pifer