Advancing Health Podcast Summary
Episode: When Cyberattacks Strike: Is Your Board Ready?
Date: July 9, 2025
Host: Sue Ellen Wagner (Vice President, Trustee Engagement and Strategy, AHA)
Guest: Ajay Gupta (Board Chair of Trinity Health Mid Atlantic & Holy Cross Health; Co-founder and CEO, HSR Health)
Main Theme
This episode explores the crucial role of hospital and health system trustees in preparing for and responding to cybersecurity incidents. The conversation serves as a “Cybersecurity 101” for board members, focusing on how these threats impact governance, patient safety, and what practical steps trustees can take to ensure organizational readiness.
Key Discussion Points & Insights
1. The Rising Threat Landscape (00:01 – 01:38)
- Cyberattacks on hospitals are increasing, presenting not just technical, but also governance and patient safety concerns.
- The board's involvement is vital: educating trustees is the first step towards effective preparation.
Notable Quote:
“Given how much of our care delivery relies on IT systems, should those systems become unavailable... it very quickly becomes a patient safety and governance issue.”
— Ajay Gupta, (01:52)
2. Translating Cybersecurity into Board Oversight (01:38 – 03:15)
- Trustees need to oversee the organization’s preparedness—not just defenses, but the ability to keep delivering care during an attack.
- Oversight includes understanding IT infrastructure, comparing security benchmarks, and validating that security measures are up-to-date and tested.
Notable Quote:
“The board's role is to provide oversight, and confirm the organization is ready—not just to defend against the cyberattack, but also to operate through one safely.”
— Ajay Gupta, (02:10)
3. Testing Resilience: Incident Response & Clinical Continuity (03:15 – 05:30)
- True resilience is proven by functioning during an incident. Since waiting for an actual breach is unacceptable, routine testing, preparation, and practice are essential.
- Incident response planning should mirror other emergency plans (like for natural disasters).
- Trustees must ask:
  - Are critical workflows (medication, labs, surgeries) operational if digital systems fail?
  - Can clinicians work without digital information (like lab reports or imaging)?
Notable Quote:
“The only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don’t want that, so we have to do the next best thing: testing, preparation, and practice.”
— Ajay Gupta, (04:10)
4. The Board’s Role in a Cyber Incident (05:30 – 07:57)
- Cyber breaches are not just IT failures, but system failures that can halt surgeries and cut clinicians off from records, risking patient harm and eroding trust.
- The public blames healthcare providers, not hackers: reputation and regulatory risk are major board concerns.
- Financial impact is substantial: The average cost of a healthcare breach was nearly $10 million in 2024.
- Board responsibilities:
  - Strategic oversight (not day-to-day management)
  - Ensuring the organization is prepared, with governance, risk management, and a preparedness culture in place
  - Readiness to activate technical, legal, and communication experts during an incident
Notable Quotes:
“It’s important for trustees to know and understand that while the fault is not ours... patients don’t see the hackers. They see us.”
— Ajay Gupta, (06:26)
“Any event that can halt care and erode trust and cost millions of dollars has to be of great concern.”
— Ajay Gupta, (08:43)
5. Key Takeaways for Trustees (07:57 – 09:35)
- Cybersecurity must be treated as both a patient safety and governance issue.
- Trustees' oversight ensures not just technical defenses but also continuity during crises.
- Preparation is non-negotiable—just as for hurricanes, hospitals must plan for cyber threats.
- Trustees should regularly confirm the existence and practice of cyber incident response plans.
Notable Quote:
“Continuity demands preparation. Again, just like we practice our surge plans, we practice our hurricane plans, we have to develop and practice technical continuity plans from a cyber breach perspective. And trustees must lead.”
— Ajay Gupta, (08:50)
Notable Quotes & Memorable Moments
| Timestamp | Quote | Speaker |
|-----------|-------|---------|
| 01:52 | "Given how much of our care delivery relies on IT systems, should those systems become unavailable... it very quickly becomes a patient safety and governance issue." | Ajay Gupta |
| 02:10 | "The board's role is to provide oversight, and confirm the organization is ready—not just to defend against the cyberattack, but also to operate through one safely." | Ajay Gupta |
| 04:10 | "The only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don’t want that, so we have to do the next best thing: testing, preparation, and practice." | Ajay Gupta |
| 06:26 | “It’s important for trustees to know and understand that while the fault is not ours... patients don’t see the hackers. They see us.” | Ajay Gupta |
| 08:43 | “Any event that can halt care and erode trust and cost millions of dollars has to be of great concern.” | Ajay Gupta |
Action Steps & Resources
- Boards should verify and routinely update their organization’s cyber incident response plan.
- Education and regular communication with IT, legal, and clinical leaders are essential.
- Additional board-specific resources are available at trustees.aha.org.
Timestamps for Key Segments
- 00:01 – 01:38: Introduction & framing the issue
- 01:38 – 03:15: Board responsibility and oversight in cybersecurity
- 03:15 – 05:30: Testing preparedness; incident response fundamentals
- 05:30 – 07:57: Impact of breaches and trustee-specific roles
- 07:57 – 09:35: Key takeaways and actionable insights for trustees
Tone and Language
The conversation is direct, educational, and empowering—laying out complex cybersecurity issues in terms accessible to non-technical board members while emphasizing tangible oversight actions and the gravity of their governance responsibility.
This episode serves as a foundational resource for trustees seeking to understand and strengthen their role in hospital cybersecurity, emphasizing preparation, practice, and proactive governance.