In this episode of theCUBE’s MedTech Unplugged series, we present a comprehensive dialogue with John Riggi of the American Hospital Association, who serves as the national advisor for security and risk, and Scott Gee, the deputy national advisor for cybersecurity and risk. This insightful conversation, broadcast from theCUBE’s NYSE Studio, delves into the pressing cybersecurity challenges faced by hospitals in the context of rising ransomware attacks and the role of technology in safeguarding critical health infrastructure.
Drawing on decades of experience from their backgrounds in the Federal Bureau of Investigation and the Secret Service, Riggi and Gee provide invaluable expertise on the evolving landscape of cyber threats targeting healthcare facilities. Hosts John Furrier and theCUBE Research team guide the discussion, highlighting the duo’s strategic insights into handling these challenges while emphasizing the critical need for enhanced cyber resilience and proactive measures within the healthcare sector.
Key takeaways from the discussion include the increasing sophistication of cyber adversaries and their impact on healthcare operations. Riggi explains that these threats pose significant risks to patient safety and community welfare, extending beyond mere data breaches. Gee emphasizes the urgency of implementing comprehensive plans for clinical continuity to mitigate disruption during cyber events. The dialogue also highlights the importance of public-private partnerships and innovative solutions in fostering a more secure healthcare environment.
Rising Ransomware Threats: Analyzing Foreign Adversaries Targeting Hospitals and the Devastating Impact of Change Healthcare's Breach
Ransomware as a service enables less-skilled hackers to conduct sophisticated cyber attacks.
Protecting Patient Lives: Enhancing Cyber Resilience in Healthcare Amid MedTech Attacks and Service Disruptions
Empowering Entrepreneurs: Exploring Opportunities in Healthcare Cybersecurity and the Importance of Cyber Hygiene for Patient Safety
John Riggi & Scott Gee, American Hospital Association
Scott Gee, Deputy National Advisor for Cybersecurity & Risk, American Hospital Association
John Riggi, National Advisor for Security & Risk, American Hospital Association
John Furrier
>> Welcome back. I'm John Furrier, host of theCUBE. We are here at theCUBE's NYSE Studio. Of course, we have our studio in Palo Alto, California connecting Silicon Valley and Wall Street tech and money. Technology is the market. And we are here to bring you all the actions, part of our MedTech Unplugged series. This is where we're talking about cyber resilience, talking about all things around medical and now AI and technology, helping create a safer but also productive environment. Got two great guests here. We've got some great veterans who are involved in some pretty cool things. John Riggi, National Advisor for Security and Risk at American Hospital Association. And Scott Gee, Deputy National Advisor of Cybersecurity Risk at American Hospital Association. Gentlemen, thank you for coming in.
Scott Gee
>> Thank you for having us.
John Riggi
>> Thank you.
John Furrier
>> John, 28 years at the FBI for you. You retired. Congratulations. Thank you for your service. Scott, handshake for you. 23 years at the Secret Service.
Scott Gee
>> Yes, sir.
John Furrier
>> Both very mission-driven projects and assignments. Now you're at the American Hospital Association. A lot going on in healthcare and care. One, cyber attacks is the number one problem. Hospitals don't have the most sophisticated IT. They're not like JPMorgan Chase, which has a $10 billion IT budget. Okay, so a lot of these hospitals have critical systems. They're being attacked. You guys are an industry association looking at this ransomware. You don't need to be coming out of left field to know that there's been a real problem.
Scott Gee
>> That's right.
John Furrier
>> Where are we right now with the adversaries? How vulnerable are we? What's the state of the market?
John Riggi
>> Yeah, so unfortunately attacks against hospitals in particular have been increasing pretty dramatically since 2020, really. And not coincidentally, they've kind of increased along with the development of the pandemic. So we saw ransomware attacks in particular skyrocket with the onset of the pandemic. And really, again, the attacks mainly come from foreign-based cyber adversaries, both criminal and nation-state, primarily from Russia, China, North Korea, and Iran. Yes, they're involved in data theft of basically theft of protected health information. And again, last year, unfortunately, was a pretty good year, but compared to the year before in 2024, we had the largest healthcare attack in history when Change Healthcare became a victim of a ransomware attack. So the healthcare records of 192.7 million Americans were stolen during that attack. But what we're really concerned about is the disruption that occurs and goes along with these attacks. So foreign-based criminal groups, foreign-based nation-states, developing these type of attacks, data theft and disruptive attacks.
John Furrier
>> The sophistication, this isn't a kiddie scripter, this is well-organized mafias. These are well-organized groups. You mentioned nation-states, their hand's in it. There's ways to get around that. I know there's ways to put the finger on them, but the money-making involved is significant. It's its own economy. Can you explain that? I think most people don't understand in mainstream America that, hey, I got my PC bricked, can I buy a Bitcoin and give it back? That's happening at scale. That is hard to fathom. So scope the problem relative to the individual who might experience a friend who maybe had their PC bricked or ransomware to the threat that actually opposes. Because this is targeted, it's engineered, it's orchestrated, it's an economy, fully funded operating. Explain that concept because I think most people don't understand that this has actually been going on for quite some time.
John Riggi
>> It has. And so, again, once the bad guys figured out, they could make so much money off this ... And one of the ways reasons that they are able to make such money off this is because targeting mission-critical, life-critical-type organizations that provide mission-critical and life-critical services like hospitals. So if the hospital is not fully prepared to defend against and recover independently, sometimes, unfortunately, they're forced to pay the ransom. And now we have these groups that are known as ransomware as a service. So we have the developer of the ransomware that kind of franchises it out. They have a really interesting business model, and they enable less skilled hackers to conduct these really sophisticated attacks. And-
John Furrier
>> It's like a sales channel.
John Riggi
>> It is. It's a sales channel.
John Furrier
>> It's a sales channel.
Scott Gee
>> Marketing vertical. Yeah.
John Riggi
>> They're sharing the proceeds and it's really become big business. This isn't that script kiddie sitting in the basement of his parents' home.
John Furrier
>> Not a port scan, the old-school days. This is basically taking the scalable service and using their create maybe spear-phishing capabilities to go in and get root access somewhere.
Scott Gee
>> Exactly. Phishing and social engineering attacks are one of the primary attack vectors for this. Absolutely.
John Furrier
>> Okay. Talk about the consequences of the hospital, because this is, again, this is something that affects every person in this country and around the world, but in America it's been targeted. Most people don't understand that the hospital they go to might have some brittle systems, might have some old code, an HVAC system or some Windows machine that wasn't upgraded or patched or Linux box. There's always probably an area maybe and they're focused on caring for people. The consequences of the hospital crashing or being taken offline, or even disrupted where they have to go to manual process, will reduce the care. So that puts lives in.
John Riggi
>> That's right.
John Furrier
>> That's really the key. Explain that piece of it and some data around that if you have any.
John Riggi
>> So one of the things that I think we've helped change the conversation in the field about is that helping hospital leaders, and hopefully the country, and we certainly help the government understand, when you attack a hospital, conduct a cyber attack against the hospital that results in any delay or disruption of healthcare delivery, those aren't data theft crimes, those are threat to life crimes. Because what happens is then we have situations, if all the technology's disabled, victims of stroke, heart attack, trauma, radiation oncology, they're being diverted to other hospitals. So whenever you have a delay in urgent treatment, that creates increased risk to the patient. So when we say that these attacks are not just on the organization, they're on the patients inside the hospital and really they're attacks on the entire community that depends on the availability of the nearest hospital. John, I've used this phrase in the past in the public, see these aren't just hacking incidents, ransomware attacks, they really are the equivalent of cyber terrorism because they put at risk entire communities.
John Furrier
>> I agree with you and I would concur. And I would amplify that because again, I've been screaming at the top of my lungs for over a decade on this point, and I say to someone, imagine if the North Koreans floated a helicopter and dropped people in Battery Park coming down the ropes, fully weaponed up, go to Mount Sinai and start disrupting all the systems, what do you think would happen? One, we'd mobilize the military, there'd be a counter-strike. It's American soil. But yet the digital penetration has been going on and on for over a decade. Now it's at a level where it's well known. It's not even a public secret. So I always ask the question, why does the private sector have to build their own militia? Because that's what's basically happening. Essentially they're vertically integrating their own military, AKA cybersecurity. So I don't get it. Why isn't Washington on this? Is it lack of education? I'm a simple person, but if you drop people on our shore, that's the red line there. Is there a red line ... I guess where's the red line in digital?
Scott Gee
>> Well, John, you have to look at it sort of historically. The systems we're running on, even if you're running the latest Windows 11, whatever the latest system is, it's built on legacy technology. And quite often security was bolted onto that legacy technology rather than built in. So what we encourage hospitals to think about now is secure by design, CISA initiative. That's really how we solve this problem going forward.
John Furrier
>> Yeah.
Scott Gee
>> You're absolutely right, it is a foreign entity interfering with critical infrastructure in this country. So-
John Furrier
>> Is it lineage? Is it more traceability? Is it more just the red line has not been set? Kevin Mandia and I have had many conversations about this, and there's a lot of brave Americans who are advocating for awareness. Not necessarily pounding their fist on the table, but kind of in the way. But there's no doctrine yet, or is there?
John Riggi
>> So one of the things I've publicly advocated for over the years on behalf of the AHA and the members is that, look, when it comes to cybersecurity for US critical infrastructure, defense alone is not enough. I've publicly encouraged the federal government, regardless of administration, to be more proactive and conduct more offensive cyber operations. The US government understands that now, and I'm really pleased to report, especially in the last several months, we've seen an increased tempo of enforcement operations and disruptions directed against the foreign adversary. We're hospitals. Our job is defense, not offense. And there's only so much we can do.
John Furrier
>> There's almost so much cash. I will say that in the past two years, some of these syndicates have not just been broken up but actually charged. Because when they break them up, they just reconstitute.
Scott Gee
>> That's right.
John Furrier
>> So okay, that's a sign. On the hospital side, more clarification on my side, is that considered critical infrastructure in the eyes of the government?
Scott Gee
>> Yes.
John Furrier
>> It is? Okay.
Scott Gee
>> That is one of the sectors of critical infrastructure.
John Furrier
>> Okay. I did not know that. All right, so cool. Hospitals, you got the grid. DNS probably. Servers, GPS. Okay. So where are we now in the Hospital Association as you guys look at this? What's the state of the community? How are they feeling? Obviously there's still a lot of threats coming in. What's the state of the art? What's the current situation?
John Riggi
>> So currently there's good news and bad news. The good news is hospitals and the leadership are really acutely aware of the elevated risk posed by cyber threat actors, foreign actors. The bad news, part of the bad news is that the reason we know this is we've been attacked so much. To your earlier point, John, we average almost 200 attacks a year against healthcare organizations and hospitals. Imagine if there were 200 terrorist attacks a year, physical attacks in the US. As you said, there would be a massive-
John Furrier
>> Are there any kind of stats on impact on life? I know there are use cases where people do, quote, "Some deaths." Do people keep track of that? I'm just curious.
John Riggi
>> So the issue is that whenever there's a delay in healthcare delivery, especially in urgent situations like heart attacks and trauma-
John Furrier
>> Yeah, it's hard to pinpoint...
John Riggi
>> you always have an elevated risk of negative outcome. Everyone agrees with that. Sometimes it's hard. Let's say the patient-
John Furrier
>> To pin it down.
John Riggi
>> Right. It's a 30 minute delay in the ambulance, but that patient dies seven months later or five months later because they didn't get immediate care. It's hard. But we know that there are some-
John Furrier
>> They say in a stroke the first-
John Riggi
>> Hour and a half...
John Furrier
>> hour and a half is mission-critical on saving ... Literally full recovery.
John Riggi
>> Right. That's right. So it's hard to pinpoint, but we do know there are some data out there, some conducted by academic institution that does show an increase in mortality rate during ransomware attacks for inpatients, for patients that are in the hospital. So we know, look, it's common sense. If you divert an ambulance carrying a stroke or heart attack patient further away-
John Furrier
>> All right, so now on the offense, I'm glad there is movement there. On a more practical basis, what's some of the modernization things going on around resilience? Because obviously you assume, hope for the best, plan for the worst.
John Riggi
>> Right.
John Furrier
>> Okay. What is some of the things that they're doing now, now that they have enough case data, enough working data to know? The techniques change for sure with the time. Obviously technology gets better, the adversaries get just as much advantage with AI. My spear-phishing messages are getting much better. The grammar is tightened up. I'm sure their success rate's higher.
John Riggi
>> And you use video and audio fakes.
John Furrier
>> Fakes coming into play now. Yeah, I'm old enough to know that a URL that says Bank of America, that doesn't say BankofAmerica.com is not Bank of America. So not everyone sees that though because app's going to mask out these URLs. So it's always coming. What's the best practice? It's got to have a recovery piece.
John Riggi
>> So I'll just open it up and then turn it over to Scott here for a minute. So what we've helped educate the hospitals based on all this battle experience, we've been attacked probably more than any other sector with real world impacts to patient safety. And we talk about developing plans not just for business continuity but clinical continuity. How will we care for the patient without the benefit of technology for up to 30 days, which is the duration of these attacks, Scott.
John Furrier
>> So you mean like go to paper or go to process. Go to plan B basically.
John Riggi
>> Right. How do we do it without technology?
Scott Gee
>> And it requires an awful lot of advanced planning. You can't just say every hospital, every treatment floor, there's a downtime form, there's a box of forms. When computers go down, this is how you document care. That's a tool, that's not a process. So we work with hospitals to encourage them to think in detail. How do you perform critical services to deliver medical care in the absence of technology?
John Furrier
>> It's almost like a military theater because the young Gen Zs, they don't have the book, manual skills. They're used to prompting the LLM.
Scott Gee
>> Unfortunately.
John Furrier
>> If that goes down, you almost have to have a shadow network ready to go. I'm making this up, but my mind's like, how are you going to train my 24-year-old daughter who is using tools to go to the old school manual that the more seasoned pros might have?
Scott Gee
>> That's right. And those more seasoned pros are retiring every day.
John Furrier
>> Yeah, so that's a cultural people. People, process, technology.
John Riggi
>> Training and education issues.
John Furrier
>> So there's a plan B then? You guys see that developing?
John Riggi
>> There is. And then but what we're encouraging hospitals to do is really flesh out and go deep on those plans. So not beyond the paper form. How will we actually get an image transferred from a CT scanner to the operating room without the what's called the PACS system in the middle, Picture Archiving Communication System, in the middle. And develop plans, like how will we dispense medications without that cabinet that's internet connected automatically doing it for us? Young clinicians have to figure out how do we calculate drug dosages, watch for drug interactions, allergies, and all of this. They have to start thinking about how we would do this without the benefit of technology.
John Furrier
>> How many hospitals are in the association, you guys?
John Riggi
>> We have over 5,000 plus. We have about 85% of all the hospitals in the country.
John Furrier
>> Is there a gold standard? You don't have to name names without alienating the others, but could you describe what like a gold standard ... Or I'm going to say stablecoin standard just to be more crypto friendly. What is the state of the art? If you could look at, okay, that's the right way to go. This is the cutting edge. They're pushing the envelope. Got compliance, they got operation continuity plans. Is there a playbook?
Scott Gee
>> We have a lot of hospitals that are making great strides. They are thinking through the process and documenting what it would take to actually perform critical functions without technology. Some hospitals aren't quite there, to be honest, but everybody's aware of it. We're getting the word out and folks are thinking in the right direction.
John Furrier
>> I have to ask this question for you guys because it's more of an observation on my side. There's a lot of young people I interview, and also have interfaced with, there's so much passion around healthcare these days. A lot of people want a better system. You ask anyone, can healthcare be improved? Is there a way for someone to get involved with your mission? Is there an organization? How do people get involved? And if directly or indirectly, what could people do to either get the word out to help understand what are the challenges, the constraints, the workflows? AI has got entrepreneurial opportunity too. There's a lot of private sector activity, and I saw an entrepreneur in the finance side come out of Goldman. Now he's got a whole credit thing, got a supernova. He says, "I know credit from working at Goldman Sachs." So I think there's going to be a lot of entrepreneurial activity-
John Riggi
>> A lot of opportunity in this area as well. So we can't rely on the government to bring us solutions. One, the government doesn't have the money to fund a lot of what's needed in healthcare. We see cuts coming forward for Medicaid cuts, expiration of ACA subsidies. All that will impact the budgets available for hospitals to devote to cybersecurity. So not only are they facing this foreign adversary threat, but we face a domestic financial threat as well that hinders our ability. So get folks involved by understanding, if you're in healthcare, that technology's part of your job, and wherever there's technology, you have to think about cybersecurity and really understanding that cyber hygiene is as important as medical hygiene to protect the patients. So get involved. Think about cyber right from the beginning.
John Furrier
>> Well, I really appreciate what you guys are doing. I love the mission. Personal question to wrap up the segment. 28 years, 23 years. Great service to our country.
John Riggi
>> Thank you.
John Furrier
>> If you had a magic wand, each have to answer this question. If you had a magic wand and can just be like, "Okay, solve the problem," I mean within attainability, what would the ideal solution be to fix this mess we're in? The cyber threat and preservation of institutional healthcare as critical infrastructure. Steady state, things are moving great. What would be-
Scott Gee
>> It's easy. All is possible with money and manpower. That's all we need. More money, more people. No, things we've talked about already. The secure by design, like software that is more secure, better secure, easier to maintain. And then John's already touched on the offensive cyber. We have to make it undesirable to attack America's hospitals.
John Riggi
>> And ultimately, look, my magic wand is I'm not going to ask for a complete cure, but if we can reduce the risk, reduce it pretty significantly. Partnerships, private sector partnership with the government, with healthcare, leverage our collective expertise for the common good and the common defense. And we're already doing that. We have certain projects going on already with the government.
John Furrier
>> So more harmony amongst the stakeholders that have the most domain expertise.
John Riggi
>> Exactly. Let's leverage the expertise that we have. We were able to work with Microsoft, for example, to develop and deliver free and heavily discounted cybersecurity services from Microsoft for rural hospitals, or hospitals that are in most need, at no expense to the taxpayer. And all that took is get the right people in the room from us, the private sector, and the government.
John Furrier
>> With all the AI productivity coming down the pike and margin, there could be a nice opportunity to see some private sector contribution, participation, collaboration. I'm still bullish on opportunity recognition for an entrepreneur because there's use cases now, you can keep your cost structures really low and still make money-
John Riggi
>> That's right...
John Furrier
>> at the levels well below they're having now.
John Riggi
>> Exactly.
John Furrier
>> So gentlemen, I really appreciate it again. Thanks for coming on theCUBE. This is a really important segment. I think getting the word out that it is not as rosy out there and it's hard on the hospitals and that they're trying to be there for us and it's critical infrastructure.
John Riggi
>> Thank you, John. Thanks for the opportunity.
Scott Gee
>> Thank you, John.
John Furrier
>> I'm John Furrier, host of theCUBE, bringing you all the action. Cyber resilience, it's a holistic picture. It's an operating system, it's a network effect. It's about secure software and about using technology for the better good to protect and serve our people in the country. And this is an important mission that we're going to see more and more of. Ransomware is just the tip of the iceberg. It's a signal to what could happen at much greater scale. Again, we're watching it. We've got pros on it. Thanks for watching.