Editor’s note: John Riggi is the national advisor for cybersecurity and risk at the American Hospital Association. Barbara Pelletreau is a former senior vice president of patient safety for a large healthcare organization. We spoke to them about the risks of cybersecurity to patient safety and how organizations can prepare and respond to cyberattacks.

Sarah Mossburg: Thank you for joining us. Can you please tell us a little bit about yourself and your current role?

John Riggi: I am the national advisor for cybersecurity and risk at the American Hospital Association. I have been in this role for about six years. Prior to that, I was at the Federal Bureau of Investigation for almost 30 years and was most recently a senior executive in the Cyber Division.

Barbara Pelletreau: My background is in patient safety and employee injury prevention. I am a retired registered nurse and have worked for more than 45 years in the healthcare industry. My most recent position was senior vice president of patient safety for a large organization overseeing regulatory medication safety, high reliability, harm-event management, and other related areas to improve patient outcomes.

Sarah Mossburg: Can you tell us about the prevalence of cybersecurity attacks and the most common types of cyberattacks on healthcare institutions? How have these attacks evolved over time?

John Riggi: As we review our data from 2023, it seems that 2023 has shaped up to be our worst year in terms of the number and the impact of cyberattacks, specifically the number of individuals impacted by data-theft attacks and theft of protected health information. There were approximately 550 hacks in 2023. Hacks are external, foreign-based computer intrusions that result in the theft of protected health information; in 2023, they impacted 118,000,000 individuals. That number is more than two and one-half times the number of people who experienced hacks in 2022, when 44 million individuals were impacted.

A majority of these attacks is from third-party providers that service healthcare technology providers in services peripheral to hospitals and health systems. The two major types of attacks are data theft and data extortion. We are seeing an increase in attacks that result not only in the theft of data but in foreign-based criminal organizations then holding data for a ransom and threatening to release sensitive information on the open internet or sell information on the dark web.

The type of attack we are most concerned with is high-impact ransomware attacks, which result in the encryption of data or networks that lead to the disruption and loss of the availability of critical medical technology. These ransomware attacks are not only a risk to the patients within the hospitals, but they also prevent access to electronic health records (EHRs) and disrupt network-connected medical technologies such as diagnostic technology.

Sarah Mossburg: Why is cybersecurity so important for healthcare institutions, and what is its impact on patient safety?

John Riggi: Cybersecurity is integral to patient safety because a lot of our care delivery depends on network-connected and internet-connected technology. During a ransomware attack, we lose the availability of that technology, which becomes highly disruptive to care delivery. We have become very dependent on the availability of technology to deliver care since the use of network and internet-connected technology helps improve patient outcomes and save lives. There is significant risk exposure if we are not prepared to deliver the same level of safe and quality care without the availability of technology under emergency conditions.

Sarah Mossburg: Has there been any evidence of patient harm from the lack of connectivity that results from a cyberattack?

John Riggi: There is a credible, probable risk of harm to a patient from a cyberattack. One report from the Cybersecurity and Infrastructure Security Agency in September 2021 studied mortality rates following high-impact ransomware attacks that resulted in extended outages of medical technology.¹ The data showed a correlation between high-impact ransomware attacks and unexplained excess deaths that surfaced in a region post-ransomware attack. Cyberattacks can result in system disruptions that lead to delays in emergent care, ambulance diversions, delayed cancer treatments, or misdiagnosis. A study by the University of Minnesota also examined data from the Centers for Medicare & Medicaid Services and showed an increase in in-hospital patient mortality rates for patients admitted at the time of the attack.²

Sarah Mossburg: Before a health system is in the middle of a cyberattack, what strategies can be put in place to prevent harm to patients should the system become the target of an attack?

John Riggi: Leadership must understand that cyber risk is not just an information technology issue or only the responsibility of the cybersecurity components within an organization. It is incumbent upon all the administrative and clinical leaders of a hospital to understand the wide-ranging impact that a ransomware attack would have on every function of the organization. Ransomware attacks can impact any component of care delivery and operational functions.

To understand the impact of a ransomware attack, leaders should ask three simple questions: If you lose connection to the internet or your network and cannot access data, what will work? What will not work? What is the plan? Exploring these questions prompts leaders to consider how they diagnose a stroke patient without a computerized tomography scanner or deliver medications without access to the EHR without knowing what the patient’s drug allergies are. In many cases, these outages—the loss of medical technology—after a ransomware attack can last 30 days or longer. Leaders must create a plan for each department on what will work and what will not work.

In many cases, losing access to the network also means losing access to phones and email. Organizations should prepare for the loss of communications as well and understand the protocol for documenting and communication and the downtime procedures for every piece of medical and operational technology.

Barbara Pelletreau: It is very important to plan. Hospitals are required to prepare and practice emergency planning for their accreditation. Hospitals plan for natural disasters such as fires and earthquakes, and similar planning should be completed in the event of a cyberattack. Planning is not solely a one- to two-hour meeting or an afternoon planning session, but rather it is having the framework, as John mentioned, a written plan known to all leaders, practice sessions demonstrating execution of the plan, and finally, self-evaluation of their plan or practice. The good news is it is a team sport. Everybody gets to play. Everybody has a part. There is nobody who knows their department better than the director of radiology or director of emergency services or director of nursing. A health system must include its risk manager, chief operating officer, and chief information officer when developing the plans. An executive team lead needs to bring the whole plan together for ultimate coordination.

John Riggi: That integration of emergency management planning with cyber-incident response planning is absolutely critical. We have seen that in the attacks. Ultimately, you have an attack, and suddenly incident command is triggered. Emergency management takes a very strong leading role. Some of the issues which hamper an efficient response to the attack is the lack of integration and coordination between emergency management, cyber-incident response, business continuity, disaster planning, and clinical continuity. How do we continue to deliver safe and quality care without technology? That is not an IT issue. It is a clinical issue. What are the plans for clinical continuity?

Sarah Mossburg: There are several security frameworks available to healthcare organizations. What are the ones that you have used in the past or recommend?

John Riggi: The are multiple frameworks and many different recommendations. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the adopted overarching framework in general for all industries.³ The Healthcare and Public Health Sector Coordinating Council, which is a creation of legislation going back to 2015, mandated the creation of a sector group to work with the Department of Health and Human Services (HHS) to develop cybersecurity practices and voluntary consensus-based practices that align with NIST. They developed the Healthcare Industry Cybersecurity Practices (HICP) that were just updated last year.⁴ They developed frameworks for different organization types, like small physicians’ practices, small hospitals, and medium and larger organizations.

It is not about picking a winning framework. It is about understanding which frameworks might be most applicable to your organization. We have to look at how are they attacking us. How are they beating us? And irrespective of whatever framework we have, do we have the proper controls in place to help mitigate the current and the evolving threat methodology? Your framework has to be constantly reevaluated. NIST, CSF, and HICP are absolutely great resources. I would suggest starting there and reading the threat bulletins from the government.⁵

Barbara Pelletreau: I'll add that the IT team is preventing cyberattacks like a moat around the castle. The IT team maintains the “firewall” and typically leads the training for the front lines to protect the company. While IT is working to stay ahead of cyberattacks, the front line and leadership must be educated to prevent an invasion. The Joint Commission has provided a framework for clinical operations to prevent an invasion as laid out in their Sentinel Event Alert 67.⁶

A cyberattack somewhat parallels the instant command center that a health system uses in emergencies. The bulletin highlights “make or break” points for harm to patients, like knowing allergies. If you do not know patients’ allergies or medication interactions, you are potentially going to cause harm. It is very important to figure out what these issues are and how you are going to work through them when they occur. Many other clinical operations must be addressed in the cyberattack plan.

Sarah Mossburg: Now that we have talked about planning for a cyberattack, I would like to turn towards the experience during an attack. When a healthcare organization is attacked, what does that usually look like for healthcare workers and patients?

Barbara Pelletreau: Usually what it looks like is that everything you knew yesterday is no longer there today. It is very simple. The work world as you knew it is no longer. All the systems that worked yesterday are no longer available. However, many resources and tools can be developed in advance and ready to use when a cyberattack occurs. For example, sites that use leadership rounding or department safety huddles can use these same processes to connect with the front lines to keep patients safe. If you're already used to doing leadership rounding, you continue to do that during a cyberattack. If you have daily huddles in your units, you can use those to know and address the immediate safety issues. Of course, these processes also promote the necessary communications during these trying events. Teamwork is certainly important to maintain. All the department leaders should have plans in place for how to communicate with other departments and have their written protocols to activate. Daily internal meetings with leadership are critical to communicating between critical leads, such as IT, nursing, safety, communications, risk, and physicians.

Sarah Mossburg: What IT systems are usually impacted, and how do those affect staff and patients?

John Riggi: It's going to be pretty obvious. It’s just like a blackout. It is similar to when individuals and organizations experience an electrical blackout except the lights are on. Mostly your building systems may be on, but ultimately, all the technology that you normally relied on to do your job is no longer available. Sometimes you may see a ransomware note that appears on some of the computer screens that says you have been attacked. There also may be notices that an attacking group has discovered a vulnerability in your system, and for $10 million, they will tell you where the vulnerability is located and provide a decryption tool. They will exfiltrate a large amount of data (data extortion) and hold terabytes of patient data. They will threaten to publish the data on the internet and sell it on the dark web.

During an attack, one of the first things I see is the loss of diagnostic technology—imaging, telemetry, imaging technology, and radiology. The labs may be disrupted, and the EHR will go down. Anything that would depend upon a network or internet connection may be lost. There is a significant impact there. Plus, you have other systems that are down like telephone and email systems. Most phone lines use Voice over Internet Protocols (VoIP), so if there is no longer an internet or an internal network available, then phones do not work. We have also seen very significant disruption to downtime computers. Downtime computers often rely on periodically connecting to the network to update. Staff will need to manually enter information without it ever touching the network. There will be a loss of all this medical technology and operational technology. Other things, like door access controls, may not work, so you may also have a security issue as well. It is a series of cascading effects, and people in every department begin to understand how much they rely on network-connected technology.

There is a regional impact of a cyberattack as well. It is what I call the ransomware blast radius. Hospitals may need to divert ambulances, patients, and radiation oncology patients to the surrounding hospitals, which then begin to feel the strain and impact. Depending on their capacity level, the other organizations may have delays and disruptions as well. When we talk about incident response planning, we also talk about not only preparing internally across all entities within the organization but engaging in regional incident response planning, cyber-incident response planning. They need to consider a cyber incident a regional hazard that needs to be planned for on a regional basis, just like a fire, flood, or mass casualty incident.

Sarah Mossburg: What are ways that health systems can know if patients are experiencing harm during a cyberattack?

Barbara Pelletreau: Part of emergency planning is understanding what is happening, where patients may be at risk for harm, and what adverse-harm events have occurred. The events reporting system should continue to be used for reporting, but if the system is down, there must be a means for manually reporting harmful events. This effort is critical to prevent further harm to other patients and to best manage any harm that has occurred. In many healthcare organizations, the event reporting system is part of the DNA of how operations report near misses and harmful events. The biggest challenge during a cyberattack is if the electronic reporting system is no longer available and manual process must go into play. Reporting during a cyberattack should not be a long process because staff are already doing a lot of extra manual steps. Healthcare organizations need to have a simple way for staff to be able to “raise their hand” to report a harmful event or potentially harmful event.

The second part of event reporting during a cyberattack is to make sure that someone is reviewing these events to learn what problems exist or potential issues that could cause harm. Depending on the size of the organization, an individual or an experienced team should be immediately established to review these events and address the issues with clinical operations. Sharing the learnings at the daily leadership huddle would immediately provide the opportunity for leaders to communicate and implement safety measures. As we know, healthcare is very interrelated with the patient at the center.

Sarah Mossburg: How should health systems implement planned procedures, such as an emergency action plan and a cyber-response plan, to maximize success?

Barbara Pelletreau: A lot of good planning goes into this in advance and is practiced over time. Planning can save a huge amount in terms of safety, operations, financial losses—the list goes on. Healthcare providers are already under so much stress when things are working. When there is a cyberattack and systems are no longer available, the preparation and planning will reap the benefits.

Practice is also very important. Planning is only as good as those who sat around the table and planned it, but practice is the key. Whether it's table talk or an actual walkthrough, practice at all levels is the next important step. The last part and perhaps the most important is to have a basic foundation, a culture, of teamwork and partnership at all levels of the organization prior to the disruptive event. A healthcare organization will definitely find out exactly what kind of culture exists when a cyberattack occurs. A good, strong culture of partnership and working together during stressful times will be important.

John Riggi: I use the 4 Rs to describe how to maximize success: readiness, response, resiliency, and recovery. This should also be done at the regional level to prepare for regional readiness, response, resiliency, and recovery.

Like Barbara said, practice is absolutely critical and has to be realistic. Staff need to understand that outages will not be only on the overnight shift or for one system. Staff may be busy, so they must have focused attention on not only business continuity but clinical continuity. Some organizations have designated an office of clinical continuity because it's going to be very hard for individuals to develop their procedures. It has to be done on a system-wide level because there are continuity procedures for the entire system. Then it should be done at the hospital level and then the department level. Practicing the downtime procedures for each department is important even for executives. The executives are going to have to make a lot of “battlefield decisions” in the face of an adversary without all the information, under time constraints, and under duress, just like a law enforcement or a military operation. This is crisis leadership, and they are going to have to make decisions that the FBI is not going to be able to make for them. Practicing is absolutely critical to full integration between all the departments.

Barbara Pelletreau: One key thing I think that distinguishes an organization from others is if they sit down and debrief. What did they learn? What did they need to do? Leaders in the organization need to ask, “What did we do well? What did we not do so well? What can we learn? And what can we share?” Often when these events occur, staff are told to not talk about them, but at some point, you need to share your learnings so that others can benefit.

John Riggi: An after-action report is critical. Staff have to learn from an incident. In law enforcement, whenever there is an operational issue or crisis, we create an after-action report to identify best practices, lessons learned, and the plan for the future. That is part of the cyber-incident response planning: Learn from the incident and then ingest that for future planning.

Sarah Mossburg: What are some mistakes that organizations might make when it comes to their cybersecurity programs?

John Riggi: One of the first challenges is if the organization does not have a cybersecurity program. In this day and age, we need a cybersecurity program, and we would strongly suggest that there is an identified individual for whom a majority of their time if all their time is devoted to cybersecurity.

I also believe that there is a misperception that cyber risk is purely an IT issue. Leadership not treating it as a serious enterprise risk issue is a mistake because over 140 hospitals were attacked in 2023. Those are 140 large health systems, which had multiple hospitals in multiple states. Leaders and staff have to really understand the enterprise-risk nature of cyber risk. It has to be a leadership imperative, and there has to be responsibility and accountability designated throughout the organization for cybersecurity because of patient safety.

Barbara Pelletreau: Agree. The cybersecurity plan should not just be for IT. Phishing is a huge way that they can gain entry, and all employees should be trained on the basics and reinforcing when things are reported, or there could be a breach in security. It's the same thing in safety. If something doesn't look right and a patient may be harmed, creating that culture of raising your hand and speaking up is key.

Sarah Mossburg: Where would be an important place to start for an organization that is just starting to think about the patient-safety aspects of a cyberattack?

John Riggi: I would start with what plans you have in place right now. Start with what you have. Do you have procedures in place? If you have plans in place, look for the adequacy of plans. Do they truly cover your downtime procedures in clinic? Do you have clinical continuity procedures for every piece of medical technology within the organization? Understand what the impact would be if you lost an internet network internally but also, who else depends upon your organization for services? If you went dark, how many physician practices do you have? How many radiology centers? How many other third parties might depend upon your network availability? What is that cascading disrupting effect if you go dark? Who else would be impacted?

Sarah Mossburg: Is there anything else that we did not discuss that you want to briefly mention?

Barbara Pelletreau: The world has changed, and we have amazing IT folks doing great work to prevent attacks, seal the IT walls, and keep everything fully functional within the network. IT allows the clinical staff to deliver patient care efficiently. But it is a new day with the dramatic increase of cyberattacks. Identifying a clinical point person to partner with the IT lead and pull together a response plan for when there is a cyberattack is critical for operations and prevention of patient harm.

John Riggi: The frequency, severity, and impact of disruptive cyberattacks have increased dramatically over the last several years, especially 2023, and we need to be prepared for that. And ultimately, when hospitals are attacked with ransomware, lives are threatened, and we need to plan accordingly.

Sarah Mossburg: Thank you both so much. We appreciate your time.

References

1. Cybersecurity & Infrastructure Security Agency. Provide Medical Care Is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm. CISA; 2021. Accessed February 11, 2024. https://www.cisa.gov/sites/default/files/publications/CISA_Insight_Provide_Medical_Care_Sep2021.pdf

2. McGlave CC, Neprash H, Nikpay S. Hacked to pieces? The effects of ransomware attacks on hospitals and patients. Accessed February 11, 2024. https://business.depaul.edu/academics/economics/news-and-events/Documents/Ransomware_Manuscript.pdf

3. National Institute of Standards and Technology. Cybersecurity framework. Accessed February 11, 2024. https://www.nist.gov/cyberframework

4. U.S. Department of Health and Human Services HHS 405(d). Health industry cybersecurity practices: managing threats and protecting patients (HICP 2023 Edition). Accessed February 11, 2024. https://405d.hhs.gov/information

5. U.S. Cybersecurity and Infrastructure Security Agency. Cybersecurity Alerts and Advisories. Accessed March 1, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories

6. The Joint Commission. Preserving patient safety after a cyberattack. Sentinel Event Alert. Issue 67. Published August 15, 2023. Accessed February 11, 2024. https://www.jointcommission.org/-/media/tjc/newsletters/sea-67-cybersecurity-7-26-23-final.pdf