A
Welcome to Advancing Health. An effective cyber attack against a large hospital, especially a ransomware attack, often has a cascading effect on nearby hospitals as well, who may depend on the operational readiness of their bigger brethren. Experts call it a regional blast radius. And in this podcast we learn how the Texas Hospital Association has stepped up with its members to meet that challenge.
B
Hello everyone. Welcome to Advancing Health. This is John Rige, your National Advisor for Cybersecurity and Risk at the American Hospital Association. I am so pleased and privileged to be here with my good friend and colleague, Fernando Martinez. Fernando is the Texas Hospital Association's Chief Digital Officer. Fernando is also a former hospital CIO and Chief Information Security Officer. He's a certified IT security professional and a professional educator who has worked with some of the largest healthcare systems in the country. Fernando has been with the Texas Hospital Association for over 11 years and he's been an adjunct professor at Florida International University College of Business for over 15 years. Fernando, as I mentioned, so great to have you here. Be on this podcast with me and talk about our great partnership.
C
Thank you, John. My pleasure.
B
We've worked so closely with the Texas Hospital Association over the years with doing workshops, regional tabletop exercises and other educational events. And as we often discuss, and as you've heard me say many, many times, cyber risk is an enterprise risk issue, but first and foremost, it is a risk to patient care and patient safety. We emphasize that hospitals should prepare for clinical continuity to mitigate the impact of a cyber outage, but also to understand what the regional impact would be to care delivery and the disruption to care delivery if a particular hospital is struck with a ransomware attack. So our joint events focused on regional cyber incident response scenarios, just as we would all prepare for a regional physical disaster. From your perspective, how does this partnership enhance hospital resilience and patient safety across Texas?
C
Well, I have to tell you, I recall the first time that I heard you use the phrase regional blast radius, I think is the way you refer to it. And I thought to myself, well, you know, much of what we're doing to help our member hospitals prepare is really focused on individual hospital performance and intra-hospital performance, but really not something looking at the true operational impact of hospitals that would result as a result of a cyber incident, and it's such an appropriate way to look at it. Even more importantly than an individual hospital being prepared for incident response, it's really important to consider the impact that a hospital would have to endure should they be the ones that are impacted or should any of the adjacent or in the same catchment area of patient care hospitals be affected the same way. So they could be the source of the disruption and they could be the downstream recipients of the disruption. So the whole approach is quite brilliant and I'm glad that we've been able to take that model to our hospitals in Texas. This is especially true because Texas has a lot of areas that are generally referred to as white space. You'll have one level 2 or level 1 trauma hospital and 10, 12, 15 smaller hospitals dependent on it.
B
Appreciate that, Fernando. And yes, as unfortunately we have learned from the hundreds, hundreds of cyber attacks, but particularly the ransomware attacks which cause victim organizations to disconnect from the Internet and shut down their networks, ultimately resulting in, yes, as you indicated, this what we call ransomware blast radius. Victim is hit. But then there are cascading shockwaves throughout the entire region as patients and ambulances are diverted to surrounding hospitals. And again, some of the surrounding hospitals, as you said, depend on the availability of the technology, whether it's the electronic medical record or linear accelerators that deliver radiation oncology of that victim organization. And with your help, we came to understand that, you know, we don't really need to develop a whole new series and set of rules and structure to develop cyber incident response plans on a regional basis. They already exist to a certain extent. And Fernando, your example of that white space. Unfortunately, we've had a couple of major ransomware attacks against level one trauma centers in Texas within the past year. And I recall speaking to the CEOs and saying they were very concerned, saying, John, the next nearest level one trauma center is 400 miles from here. So really placing not only just the patients but entire communities at risk, really becoming a state issue as well in Texas. Again, very forward leaning on a lot of cyber issues and best practices. I understand Texas has established a cyber command. What does that entail and how does it support hospitals?
C
The Cyber Command was established in Texas. Very forward looking position that the state of Texas government took, which is to build a consolidated, at a state level, a consolidated threat intelligence cyber readiness incident response organization that would support all of the government activities of the state of Texas. Texas has always had a cyber response organization, but it's been part of the larger Texas Department of Information Resources organization. What this piece of legislation, which was signed into law by the governor in June of this year as a result of the legislative session, House Bill 150, what they did is they appropriated, and this is all public domain information, they appropriated $135 million and took the cyber resources that are spread across several organizations, including Texas DIR, consolidated them into one cyber command for the state of Texas. And so the idea here is to provide a baseline for cyber preparedness for cyber threat analysis and threat intelligence and incident response and then in doing so establish policy standards. That body is actually empowered with rulemaking. The chief is appointed by the governor. So it's a very forward thinking governance architecture and structure around cyber. Although it's initially the scope of command is limited to state government, it does incorporate services that can be used in public sector education, higher ed in particular, but also public sector education and other public sector organizations like municipalities, city governments, down to and extending to critical infrastructure vertical departments that might be water power, a number of other sectors. So very forward leaning, forward thinking steps being taken to approach this at a state level.
B
Really a model for all states. And again Texas being leader in this area. So Texas and through the Texas Hospital Association is leading in other ways. And with our work at the American Hospital Association, we have joined forces with you to develop these regional tabletop exercises. Fernando, from your perspective, could you tell us what these regional tabletop exercises look like?
C
Sure. So the idea that you take a regional hospital, a level 2, level 1 trauma hospital that has a community relationship with 10, 12, 15 smaller critical access or rural hospitals, we converge them, we bring them together into a day-long activity where the primary dependency being the Level 2 or the Level 1 trauma center suffers an incident, a cyber incident of some sort that interrupts the service that these downstream hospitals need that are required for life, safety, care to patients in their communities. And these are primarily non-IT executives that are brought together, operational clinical operations, hospital operations, emergency preparedness. By bringing those individuals from all the different hospitals together, they have an opportunity to flesh out the circumstances that they might have to confront. You mentioned earlier the fact that if a level 2 or a level 1 trauma center goes down, now you're talking about potentially transporting patients instead of transporting them 45 minutes, 30 minutes or an hour away. Now you're looking at two or three hours, which in many cases that would have catastrophic consequences in terms of patient outcomes and clinical care and clinical safety. They have been very effective in bringing those individuals together to talk about how it is that they would work together, what are the alternatives? How would they address incident response, how would they leverage each other's resources? As simple as how would they communicate with each other. That's proven to be very effective. The exercise we did last year was remarkable, inasmuch as there actually was, two days before the exercise, there actually was a level one trauma center hospital upstream that went down and affected the actual host hospital that was in fact upstream from the small hospital. So we know that the threat is real and we know that this is a very effective way to bring many hospital executives together to consider obstacles that they would not necessarily contend with during their traditional standalone emergency preparedness exercises. Brilliant approach on the part of AHA.
B
Thank you for that, Fernando. Truly a great partnership with THA. And you know, when we did that exercise, many thought that the exercise and the news of the ransomware attack upstream was all somehow connected. Very unfortunate coincidence that it happened at that time. But talk about a sense of realism to really conduct an exercise during the heat of battle, in a sense. What do you think, Fernando? Again, having been there now for several of these exercises, helping me moderate these. What do you think some of the key lessons learned are from these exercises, and how do you think these exercises build trust and coordination across the attendees?
C
Well, first of all, communication was the key takeaway. A lot of the hospital executives, from a risk-averse point of view, a lot of the hospital executives look at cyber incidents as something that they don't want to communicate to anyone else for a variety of reasons. Many of them prompted by being legally discreet and not disclosing information that might jeopardize the organization. Unfortunately, when you look at emergency preparedness, other types of emergency response circumstances, whether it's mass casualty or acts of nature, the communication protocols are all there so that organizations can notify each other. But where cyber incidents are concerned, something as simple as just communicating indicators of compromise, right, techniques and tactics, those are bits of information that would help downstream organizations potentially identify if there was a threat that was being directed at them so that they would avoid the same set of circumstances. And that's not there. So one of the big takeaways was hospitals need to develop these communication pathways that will allow them to share a small amount of information, just sufficient information, without disclosing more detail than they need, disclosing the fact that there is an incident underway, that there are some of the indicators of compromise are X, Y, Z. So that the adjacent hospitals have the opportunity to prepare, to look for and potentially avoid being victims. I can assure you that the bad guys are sharing information. The moment that they exploit one organization, then they know regionally that they can go to other organizations with similar success.
B
Communication within the organization, with their peer organizations in the region, with the federal government, with the state, really crucial during these exercises. Although there is this tension between trying to preserve confidentiality, risk of civil liability, and potential regulatory liability. All these factors tend to shape an organization's outlook, but with education they understand they can mitigate all those risks and develop these trusted relationships which will not expose them to legal and regulatory risk, again, if they have these pre-existing relationships and agreements in place. Fernando, I view the work being done at the Texas Hospital Association, quite frankly, as a model for other states. And I just want to let you know I value your partnership and your capabilities, all that you do, not only for all the hospitals in the state of Texas, how you've been contributing on the national level as well, helping me, helping the AHA do our job for national benefit. So thank you again, Fernando, your partnership, your friendship and all that you do. And thanks to all our listeners for all that you do every day to defend networks, care for patients and serve your communities. This has been John Rige, your National Advisor for Cybersecurity and Risk.
A
Thanks for listening to Advancing Health. Please subscribe and rate us 5 stars on Apple Podcasts, Spotify or wherever you get your podcasts.
Podcast: Advancing Health (American Hospital Association)
Episode Date: October 1, 2025
Host: John Rige (AHA National Advisor for Cybersecurity and Risk)
Guest: Fernando Martinez (Chief Digital Officer, Texas Hospital Association)
This episode explores the profound regional impacts of ransomware attacks on the health care system, particularly through the lens of the Texas Hospital Association’s approach to cyber resilience. Host John Rige and guest Fernando Martinez discuss how Texas is developing advanced state-level coordination, regional tabletop drills, and information-sharing practices to boost hospital and community readiness, drawing lessons that can serve as a model for the entire country.
Key Takeaway: Communication
Texas’ holistic, community-based, and regional approach to cyber resilience is a pioneering model in U.S. health care. By integrating state governance, legislative support, robust exercises, and a focus on information sharing, Texas has built stronger networks against the ripple effects of cyberattacks—emphasizing that cyber risk is, ultimately, a threat to patient care and community well-being.