Advancing Health — "The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care"

Podcast: Advancing Health (American Hospital Association)
Episode Date: October 1, 2025
Host: John Rige (AHA National Advisor for Cybersecurity and Risk)
Guest: Fernando Martinez (Chief Digital Officer, Texas Hospital Association)

Overview

This episode explores the profound regional impacts of ransomware attacks on the health care system, particularly through the lens of the Texas Hospital Association’s approach to cyber resilience. Host John Rige and guest Fernando Martinez discuss how Texas is developing advanced state-level coordination, regional tabletop drills, and information-sharing practices to boost hospital and community readiness, drawing lessons that can serve as a model for the entire country.

Key Discussion Points & Insights

The Regional "Blast Radius" of Ransomware Attacks

Concept Introduced:
- Ransomware in one hospital often creates ripple effects, overwhelming nearby facilities.
- This is known as the "regional blast radius."
- Regional cyber incident response is just as critical as individual hospital readiness.
- Many smaller hospitals rely on large trauma centers; if those shut down, the entire community’s safety is endangered.
- Quote:
  - "Much of what we're doing to help our member hospitals prepare is really focused on individual hospital performance...but really not something looking at the true operational impact of hospitals that would result as a result of a cyber incident" — Fernando Martinez [02:27]

Texas’ Approach to Cyber Resilience

The State’s Unique Challenges:
- "White space": Large areas with only one Level 1 or 2 trauma center for hundreds of miles.
- Smaller hospitals are heavily dependent on these few major centers.
Cascading Effects Observed:
- When a major center is hit, ambulances and patients inundate neighboring hospitals, straining system capacity and care continuity.
- Example: Some Texas trauma centers are 400 miles apart; one incident is a state-level emergency.

The Creation and Role of the Texas Cyber Command

New State Legislation (House Bill 150):
- Centralizes cyber threat intelligence, incident response, and preparedness at the state level.
- $135M appropriation consolidates resources from several state agencies.
- The new Cyber Command supports not only state government but also education and critical infrastructure.
- Empowers the Command chief (appointed by the governor) with rulemaking.
Quote:
- "Very forward thinking governance architecture...although it's initially...limited to state government, it does incorporate services that can be used in public sector education ‒ higher ed in particular...and other public sector organizations like municipalities, city governments, down to and extending to critical infrastructure..." — Fernando Martinez [06:36]

Regional Tabletop Exercises: Preparing for Real-World Crises

How They Work:
- Gather executives (not just IT staff) from major hospitals and smaller dependent hospitals.
- Simulate a significant outage at a trauma center and work out regional response strategies: patient transport, care redistribution, resource leveraging.
- Focus on operational, clinical, and emergency preparedness perspectives.
- Realism: In one exercise, an actual upstream ransomware attack occurred two days before, impacting the host hospital.
Quote:
- "Bringing those individuals from all the different hospitals together, they have an opportunity to flesh out the circumstances that they might have to confront...They have been very effective in bringing those individuals together to talk about how it is that they would work together, what are the alternatives? How would they address incident response, how would they leverage each other's resources?" — Fernando Martinez [09:00]

Lessons Learned: Trust, Communication, and Coordination

Key Takeaway: Communication
- Hospitals are often reluctant to share incident details due to legal risks.
- Contrast with other emergencies (e.g., mass casualty, natural disasters) where open notification is standard.
- Sharing minimal but timely cyber threat information can help nearby hospitals defend themselves.
- Adversaries are already sharing information; defenders must too.
- Legal groundwork and education can dispel fears about regulatory risk.
Quote:
- "One of the big takeaways was hospitals need to develop these communication pathways that will allow them to share a small amount of information, just sufficient information...so that the adjacent hospitals have the opportunity to prepare, to look for and potentially avoid being victims. I can assure you that the bad guys are sharing information." — Fernando Martinez [12:37]
Building Relationships:
- Pre-existing agreements are vital to allow rapid and safe information exchange.
- Exercises both reveal vulnerabilities and build the trust needed for future real-world cooperation.

Memorable Moments & Notable Quotes

On White Space and Community Risk:
- "You'll have one level 2 or level 1 trauma hospital and 10, 12, 15 smaller hospitals dependent on it." — Fernando Martinez [03:15]
On the Uniqueness of Texas’ Situation:
- "The next nearest level one trauma center is 400 miles from here...really placing not only just the patients but entire communities at risk." — John Rige [04:45]
Reality Intrudes on Simulation:
- "The exercise we did last year was remarkable. In as much as there actually was two days before the exercise, there actually was a level one trauma center hospital upstream that went down..." — Fernando Martinez [10:30]
On Criminal Collaboration vs. Hospital Communication:
- "I can assure you that the bad guys are sharing information. The moment that they exploit one organization, then they know regionally that they can go to other organizations with similar success." — Fernando Martinez [13:15]

Timestamps for Important Segments

[00:01] Introduction to the regional impact of ransomware ("blast radius")
[02:23] Defining and discussing "regional blast radius"
[05:46] Introduction and explanation of the newly-formed Texas Cyber Command
[08:37] Details on the format and importance of regional tabletop exercises
[11:09] Real-world incidents aligning with tabletop exercises; realism and urgency
[11:49] Lessons learned: communication barriers and takeaways from exercises
[13:42] The importance of developing trust/sharing protocols and legal considerations

Conclusion

Texas’ holistic, community-based, and regional approach to cyber resilience is a pioneering model in U.S. health care. By integrating state governance, legislative support, robust exercises, and a focus on information sharing, Texas has built stronger networks against the ripple effects of cyberattacks—emphasizing that cyber risk is, ultimately, a threat to patient care and community well-being.

Advancing Health — "The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care"

Overview

Key Discussion Points & Insights

The Regional "Blast Radius" of Ransomware Attacks

Concept Introduced:
- Ransomware in one hospital often creates ripple effects, overwhelming nearby facilities.
- This is known as the "regional blast radius."
- Regional cyber incident response is just as critical as individual hospital readiness.
- Many smaller hospitals rely on large trauma centers; if those shut down, the entire community’s safety is endangered.
- Quote:
  - "Much of what we're doing to help our member hospitals prepare is really focused on individual hospital performance...but really not something looking at the true operational impact of hospitals that would result as a result of a cyber incident" — Fernando Martinez [02:27]

Texas’ Approach to Cyber Resilience

The State’s Unique Challenges:
- "White space": Large areas with only one Level 1 or 2 trauma center for hundreds of miles.
- Smaller hospitals are heavily dependent on these few major centers.
Cascading Effects Observed:
- When a major center is hit, ambulances and patients inundate neighboring hospitals, straining system capacity and care continuity.
- Example: Some Texas trauma centers are 400 miles apart; one incident is a state-level emergency.

The Creation and Role of the Texas Cyber Command

New State Legislation (House Bill 150):
- Centralizes cyber threat intelligence, incident response, and preparedness at the state level.
- $135M appropriation consolidates resources from several state agencies.
- The new Cyber Command supports not only state government but also education and critical infrastructure.
- Empowers the Command chief (appointed by the governor) with rulemaking.
Quote:
- "Very forward thinking governance architecture...although it's initially...limited to state government, it does incorporate services that can be used in public sector education ‒ higher ed in particular...and other public sector organizations like municipalities, city governments, down to and extending to critical infrastructure..." — Fernando Martinez [06:36]

Regional Tabletop Exercises: Preparing for Real-World Crises

How They Work:
- Gather executives (not just IT staff) from major hospitals and smaller dependent hospitals.
- Simulate a significant outage at a trauma center and work out regional response strategies: patient transport, care redistribution, resource leveraging.
- Focus on operational, clinical, and emergency preparedness perspectives.
- Realism: In one exercise, an actual upstream ransomware attack occurred two days before, impacting the host hospital.
Quote:
- "Bringing those individuals from all the different hospitals together, they have an opportunity to flesh out the circumstances that they might have to confront...They have been very effective in bringing those individuals together to talk about how it is that they would work together, what are the alternatives? How would they address incident response, how would they leverage each other's resources?" — Fernando Martinez [09:00]

Lessons Learned: Trust, Communication, and Coordination

Key Takeaway: Communication
- Hospitals are often reluctant to share incident details due to legal risks.
- Contrast with other emergencies (e.g., mass casualty, natural disasters) where open notification is standard.
- Sharing minimal but timely cyber threat information can help nearby hospitals defend themselves.
- Adversaries are already sharing information; defenders must too.
- Legal groundwork and education can dispel fears about regulatory risk.
Quote:
- "One of the big takeaways was hospitals need to develop these communication pathways that will allow them to share a small amount of information, just sufficient information...so that the adjacent hospitals have the opportunity to prepare, to look for and potentially avoid being victims. I can assure you that the bad guys are sharing information." — Fernando Martinez [12:37]
Building Relationships:
- Pre-existing agreements are vital to allow rapid and safe information exchange.
- Exercises both reveal vulnerabilities and build the trust needed for future real-world cooperation.

Memorable Moments & Notable Quotes

On White Space and Community Risk:
- "You'll have one level 2 or level 1 trauma hospital and 10, 12, 15 smaller hospitals dependent on it." — Fernando Martinez [03:15]
On the Uniqueness of Texas’ Situation:
- "The next nearest level one trauma center is 400 miles from here...really placing not only just the patients but entire communities at risk." — John Rige [04:45]
Reality Intrudes on Simulation:
- "The exercise we did last year was remarkable. In as much as there actually was two days before the exercise, there actually was a level one trauma center hospital upstream that went down..." — Fernando Martinez [10:30]
On Criminal Collaboration vs. Hospital Communication:
- "I can assure you that the bad guys are sharing information. The moment that they exploit one organization, then they know regionally that they can go to other organizations with similar success." — Fernando Martinez [13:15]

Timestamps for Important Segments

[00:01] Introduction to the regional impact of ransomware ("blast radius")
[02:23] Defining and discussing "regional blast radius"
[05:46] Introduction and explanation of the newly-formed Texas Cyber Command
[08:37] Details on the format and importance of regional tabletop exercises
[11:09] Real-world incidents aligning with tabletop exercises; realism and urgency
[11:49] Lessons learned: communication barriers and takeaways from exercises
[13:42] The importance of developing trust/sharing protocols and legal considerations

wavePod

The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care

Powered by Wave AI

Summary

Advancing Health — "The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care"

Overview

Key Discussion Points & Insights

The Regional "Blast Radius" of Ransomware Attacks

Texas’ Approach to Cyber Resilience

The Creation and Role of the Texas Cyber Command

Regional Tabletop Exercises: Preparing for Real-World Crises

Lessons Learned: Trust, Communication, and Coordination

Memorable Moments & Notable Quotes

Timestamps for Important Segments

Conclusion

Summary

Advancing Health — "The Ransomware Ripple: The Texas Model for Cyber Resilience in Health Care"

Overview

Key Discussion Points & Insights

The Regional "Blast Radius" of Ransomware Attacks

Texas’ Approach to Cyber Resilience

The Creation and Role of the Texas Cyber Command

Regional Tabletop Exercises: Preparing for Real-World Crises

Lessons Learned: Trust, Communication, and Coordination

Memorable Moments & Notable Quotes

Timestamps for Important Segments

Conclusion