Working to protect against cyber threats
The Riggi File
CV
- National advisor for cybersecurity and risk, American Hospital Association (AHA)
- Managing director and head of cybersecurity and financial crimes practice, BDO USA
- Section chief — senior executive service, National Cyber Outreach Section, Federal Bureau of Investigation (FBI).
- Senior adviser, Cyber National Financial Investigative Program, FBI.
Accomplishments
- The first national advisor for cybersecurity and risk at the AHA.
- The George H.W. Bush Award for Excellence in Counterterrorism.
- The FBI Director’s Award for Special Achievement in Counterterrorism.
- Represented U.S. hospitals before the Senate Homeland Security Committee.
- Assisted in the passage of PL 116-321 on behalf of cyberattack victims.
Education
- Bachelor of Science in criminal justice, Northeastern University, Boston.
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA), has focused his career on helping to protect critical U.S. sectors. This month, he talks with HFM about the greatest cyber threats impacting health care and the work the AHA is doing to help protect hospitals and health systems.
How did you begin your career in cybersecurity, and what is your role now?
My career in cybersecurity began back when I was working for the Federal Bureau of Investigation (FBI) investigating international Russian organized crime. After that, I began working on counterterrorism matters post-9/11. While running national counterterrorism programs and being assigned to the Central Intelligence Agency (CIA) as an FBI senior representative, I began to realize all of this was relevant to cybersecurity and cyber investigation. Whether it was Russian organized crime, terrorist organizations or nation-state actors from Russia, China, Iran or North Korea — they had all evolved to utilize cyber methods.
Ultimately, I began consulting with the FBI cyber division as a senior adviser on financial investigative programs. The majority of cybercrime is financially motivated — not among the nation-state actors, but the criminal aspect is mainly financially motivated. I was then promoted to the senior executive position in the FBI cyber division to run their national outreach program. My role was to establish mission-critical relationships with [the] private sector, including critical infrastructure sectors.
One of the main avenues I relied on to reach a vast portion of the health care sector was associations. Hence my involvement with the AHA. If I needed to reach all 6,000 hospitals in the U.S. with one phone call or email, that was through the AHA. The AHA continues to be a powerful platform to relay information to the entire health care sector. After I retired from the FBI, I was fortunate that the AHA saw a need for an internal subject matter expert on cybersecurity. The AHA and CEO Rick Pollack understood that cyber threats were going to increasingly be a major issue for hospitals and health systems. I like to joke that, in my career, it seems that I can only work for three-letter organizations — FBI, CIA and now the AHA.
What are some of the major factors that have intensified cybersecurity recently?
Since my arrival at the AHA in 2018, cyber threats against health systems have increased dramatically and, with the onset of the pandemic, they increased again exponentially. Part of it is what I call “the COVID-19-induced cyber triple threat.” The first prong is an expanded attack surface due to the rapid onset of the pandemic. We had a rapid deployment of network- and internet-connected remote technologies and nonclinical workforce. That created more entry and access points for bad guys to get into our networks and access our data.
The second part is increased attacks. In the spring of 2020, cybercriminals recognized that U.S. health care was consumed with responding to the global health crisis, and the bad guys saw this as an opportunity. Criminal organizations increased dramatically the theft of patient health data while nation-state actors heavily targeted our COVID-19 research, treatment protocols and vaccine development in cyber espionage campaigns. Most concerning is that we also saw a dramatic rise in highly disruptive, high-impact ransomware attacks. These attacks disrupted health care delivery.
The third prong is that during the pandemic we had fewer resources to deal with these increased threats. Hospitals and health systems lost significant revenue and human resources in the beginning of the pandemic, adding to the burden on an already strained workforce.
As the reliance on technology has increased, we need more workforce to help defend against potential cyber threats. Part of the problem is that our education system cannot churn out cybersecurity professionals fast enough. Health care is competing for a limited workforce amongst each other and other sectors.
What are the dangers to health care when cybersecurity is not prioritized?
Health care includes network- and internet-connected devices. Not only do we have data stored in electronic medical records, but also in medical devices, billing databases and third-party service providers. Health care is required by regulation to share data with other providers. Plus, we have had the vast growth and expansion of network-connected and interoperable medical devices. All of these technological advancements are positive as they help improve outcomes, deliver care in remote areas and increase access. However, the ubiquitous use and reliance on technology also comes with additional cyber risk that must be identified prior to deployment.
I advise members in leadership and on boards to approach cyber risk as a strategic risk to the organization and, first and foremost, as a risk to patient care and safety. When a hospital emergency department is shut down because of a ransomware attack, this often causes ambulance diversions of stroke, heart attack or trauma patients, creating delay in life-saving treatment. Ransomware attacks on hospitals not only victimize the hospitals, but they victimize our patients and the communities we serve.
How can ASHE members partner with information technology departments to deal with concerns?
Connected building technology and building automation are great for efficiency and network monitoring, but they also may unintentionally introduce cyber risk into the organization if they’re not protected and network segmented. The reliance on the network-connected technology for mission-critical services may create risk if that technology is lost due to a cyberattack. If mission-critical technology, like an HVAC system, gets shut down or loses power because of a cyberattack, it will have impact on patient care delivery and safety. Because of this, [health care systems] need to have in place redundant and resilient features, and have established on-premises and cloud-based business continuity plans and downtime procedures.
Especially with the war in Ukraine, we’ve learned that Russians are very good at attacking industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems. There is concern that the Russian government might launch an attack against the energy sector or financial services with some of these ICS- and SCADA-targeted malware. We may become collateral damage in attacks directed at domestic or foreign entities through connections with common third parties.
What is the AHA doing to help protect health care from cyberattacks?
We serve as a national platform to disseminate threat intelligence from the government, but we also serve as a platform to collect threat intelligence from our members and pass it back to the government. If one of our members is the victim of a ransomware attack and needs direct assistance, we facilitate that interaction.
I publish cyber threat intelligence along with my commentary in AHA Today, and post government strategic and technical cyber threat intelligence on aha.org/cybersecurity. We also deliver educational events, cyber tabletop exercises for leadership and conduct day-long cyber workshops in the field.
We’ve also developed the AHA Preferred Cybersecurity Provider Program. We have a vetted list of cybersecurity providers that we recommend to our members. There are thousands of vendors out there. To help members weed through that, we have a curated list of vendors to assist hospitals of all sizes.