Hospital cybersecurity remains a top story as ransomware attacks continue to escalate. Because digital disruption from cybersecurity failures raises patient risk, the sector is being forced to treat cyber readiness as a public safety issue.

Attacks surged during the pandemic, turning hospitals into prime targets, according to John Riggi (pictured, left), national advisor for cybersecurity and risk at the American Hospital Association. Notably, much of this activity is driven by foreign-based criminal and nation-state actors seeking to steal sensitive health data.

“One of the reasons that they are able to make such money off this is because they’re targeting mission-critical, life-critical-type organizations that provide mission-critical and life-critical services like hospitals,” Riggi said. “If the hospital is not fully prepared to defend against and recover independently, sometimes, unfortunately, they’re forced to pay the ransom.”

Riggi and Scott Gee (right), deputy national advisor for cybersecurity and risk at the American Hospital Association, spoke with theCUBE’s John Furrier for theCUBE + NYSE Wired: MedTech Unplugged: The Future of AI in Healthcare & Life Sciences interview series, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the rising threat of ransomware and cyberattacks against hospitals, and the growing imperative to treat cyber resilience as a patient priority.

Hospital cybersecurity in focus

Cyberattacks that disrupt hospital operations are not just data theft incidents but direct threats to human life, as delays in care can endanger patients. That shift in perspective on risk is pushing healthcare leaders and policymakers to treat cyber resilience as a patient safety issue, according to Riggi.

“These attacks are not just on the organization; they’re on the patients inside the hospital, and really they’re attacks on the entire community that depends on the availability of the nearest hospital,” Riggi said. “I’ve used this phrase in the past in the public: These aren’t just hacking incidents. Ransomware attacks are the equivalent of cyber terrorism because they put at risk entire communities.”

Many modern systems, even the newest versions, are built on layers of legacy technology that were never designed with security in mind. As a result, protections were often added after the fact rather than embedded by design, according to Gee.

“What we encourage hospitals to think about now is Secure by Design,” Gee said. “That’s really how we solve this problem going forward.”

Secure by Design is an initiative promoted by the Cybersecurity and Infrastructure Security Agency that aims to see organizations prioritize security as a core business requirement. But defending critical U.S. infrastructure from cyber threats requires more than just defensive measures — and more than just the effort of individual hospitals, according to Riggi.

“I’ve publicly encouraged the federal government, regardless of administration, to be more proactive and conduct more offensive cyber operations,” Riggi said. “The U.S. government understands that now … especially in the last several months, we’ve seen an increased tempo of enforcement operations and disruptions directed against the foreign adversary. We’re hospitals. Our job is defense, not offense. And there’s only so much we can do.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of theCUBE + NYSE Wired: MedTech Unplugged: The Future of AI in Healthcare & Life Sciences interview series:

Photo: SiliconANGLE