A
Welcome to Advancing Health. Cyber attacks directed against hospitals continue to increase and many cyber threats quickly escalate into a governance and patient safety issue. In today's podcast, we learn about how board members can educate themselves and prepare to help their organizations face these threats.
B
I am Sue Ellen Wagner, Vice President of Trustee Engagement and Strategy at the American Hospital Association. I am delighted to be with Ajay Gupta today. He is the Board Chair of Trinity Health Mid Atlantic and Holy Cross Health, and he's also the co-founder and CEO of HSR Health. It's nice to have you with us today, Ajay, to talk about cybersecurity and what trustees need to know. I am hoping this podcast will be a nice 101 for board members, to educate them about what their role is in cybersecurity and what they should know to prepare for a cyber incident, should one occur at their hospital or health system. Ajay, you have both business experience in the cyber industry and you're also a board member, so your insight will be very valuable to our members and our listeners. Cybersecurity vulnerabilities and intrusions really do pose significant risks to hospitals and health systems, and the threats continue to increase each year. It's important for trustees to be ready should an incident happen at their hospital or health system. So, Ajay, can you tell us what trustees should know to be prepared should an incident occur?
C
Thank you, Sue Ellen. It's great to be here with you today, and thank you for this question. It's a great overall question for a 101. I wish there could be a short answer, right? You only need to know a couple of things for cybersecurity. It's unfortunately not quite like that. I think the first place to start is to recognize that cybersecurity is a technical issue and has always really been thought of as something that IT would handle. But today we need to know that, given how much of our care delivery relies on IT systems, should those systems become unavailable, whether due to a cyber attack or any cause, it very quickly becomes a patient safety and governance issue. As such, trustees need to ensure hospitals are prepared, and for cyber, preparation means: can our clinical teams continue to provide care if systems go offline? The board's role is to provide oversight and confirm the organization is ready, not just to defend against the cyber attack, but also to operate through one safely. But this starts by understanding what the nature of our IT infrastructure is, and how stable is it, how secure is it? Are we comparing ourselves against benchmarks? What measures are we taking to ensure its security? And are those measures tested? Are our IT and cybersecurity departments aware of the trends, the security the industry is facing overall from a cyber threat landscape? Because that will depend and will influence what kinds of measures we take in the defense and in the resilience during the middle of an incident. I hope that's a good starting point for the discussion.
B
It's a great starting point. And cybersecurity is very complicated. You had mentioned, you know, patient safety and quality, which are very important. How do trustees know if their hospital or health system is secure to continue to operate and provide that clinical care that's safe should a breach really occur?
C
Well, if a breach has occurred, Sue Ellen, by definition the system is not secure at that moment, unfortunately. But to more broadly respond to your question, trustees need to ask about the resilience of their IT systems in the face of a possible cyber attack. That's really the question that we need to say. Unfortunately, we are operating in an environment where some level of cyber attack, whether an overt attack from a bad actor or even just the system's combination of users across the spectrum and anything else, causes an IT issue that brings systems down. We need to know how resilient we are in any and all of those systems. And the only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don't want that, so we have to do the next best thing: testing, preparation, and practice. All of that is more and more important. That means having an incident response plan in place, which is not terribly unlike plans we may have, we likely have, in place for a natural disaster or if there is an expected surge in trauma. We have plans in place for surge, and we need to have a cyber plan in place as well. This is a plan that lets everyone know exactly what to do during a cyber event without any confusion or momentary disarray, because we know that can cause patient harm. Are critical care workflows like medication administration, lab orders, surgical schedules operational without digital systems? Do clinicians know how to access key information when digital systems go down? And do clinicians remember how to treat patients when they don't have access to all of the digital sources of information, like lab reports or film, that they typically use in the course of patient care? That's a big, big issue as well.
B
Relying on the digital world that we live in today is something that we're all used to. You had mentioned that, you know, most trustees won't have an idea of what a cybersecurity incident is until it actually happens to them. So preparing is really difficult, and I think that's something none of us want as board members. Can you explain to trustees the impact that that breach will have and what their role specifically should be? Because management leadership has one role, the board has another. So can you just kind of describe that?
C
It's important to remember that a breach is more than a tech failure. It is a system failure. It's a failure of our system and ability to deliver care. As such, trustees will have a specific role. A breach can paralyze care delivery, right? Shutting down systems, delaying surgeries, leaving clinicians without access to medical records. This means patients may not receive the care they need, the care they trust us to provide. It's important for trustees to know and understand that while the fault is not ours, the fault resides entirely with cyber criminals who perform the attack, patients don't see the hackers. They see us. And so they see us as unable to provide the care they need when they need it. And this is a stain on our reputation. That is a critical thing for boards and trustees to recognize. Breaches trigger reputational damage as well as regulatory damage and a financial fallout. For instance, health systems may face fines according to the breach. The average cost of a cyber breach was reported at just under 10 million in 2024, as reported by IBM, which was less than 2023, when it was reported at 11 million. However, I don't think that we can plan for that trend to continue. Trustees have to lead from the front by ensuring the organization is prepared with strong cyber governance, risk management practices, and a culture of preparedness in place. Our role is to ask strategic questions and ensure readiness, and that we are able to continue serving patients and to recover swiftly, regardless of the situation. We need to make sure that we have the experts ready to act on our behalf in a cyber attack: technical experts who can respond to the technical details and dimensions of the attack, as well as legal and communication experts that can help us communicate and handle some of the regulatory and legal fallout that may follow a cyber attack.
B
So I hope our listeners never have to deal with a cyber incident. We obviously can't control whether that'll happen or not. So I'm hoping that this is really helpful for folks. I think if they listen to it, they can actually start asking their leadership, if they don't have a plan, to develop a plan, or the board should know what the plan is and what their role is. So, Ajay, you know, the last question. Can you highlight some of the key takeaways for our listeners, some nuggets of information that they should just, you know, take away from this podcast to prepare themselves?
C
Absolutely. One thing I want to mention, what you just said, is that we can't control. That's true. We can't. We can't control the weather, yet hospitals and health systems in a hurricane-prone region certainly know to prepare for a hurricane, right? In that same sense, hospitals have to be prepared for this. Cybersecurity is a patient safety issue because, as I said, we use technology in everything we do in a hospital today, almost, or so it seems. If it's a patient safety issue, it's a governance issue, and the trustees have to be involved. The impact is very real. Any event that can halt care and erode trust and cost millions of dollars has to be of great concern. Continuity demands preparation. Again, just like we practice our surge plans, we practice our hurricane plans, we have to develop and practice technical continuity plans from a cyber breach perspective. And trustees must lead. Our role is oversight, which means we have to ensure management has thought through all aspects, from defense against attack, resilience in the face of attack, and addressing the potential fallout after the attack.
B
So thank you, Ajay. In addition to this podcast, AHA Trustee Services does have a few resources to help boards prepare should a cyber incident occur. So trustees should visit trustees.aha.org to access the resources. Ajay, I want to thank you so much for sharing your expertise with us.
C
Thank you, Sue Ellen. It was great to be here. Thank you.
A
Thanks for listening to Advancing Health. Please subscribe and rate us 5 stars on Apple Podcasts, Spotify or wherever you get your podcasts.
Episode: When Cyberattacks Strike: Is Your Board Ready?
Date: July 9, 2025
Host: Sue Ellen Wagner (Vice President, Trustee Engagement and Strategy, AHA)
Guest: Ajay Gupta (Board Chair of Trinity Health Mid Atlantic & Holy Cross Health; Co-founder and CEO, HSR Health)
This episode explores the crucial role of hospital and health system trustees in preparing for and responding to cybersecurity incidents. The conversation serves as a “Cybersecurity 101” for board members, focusing on how these threats impact governance, patient safety, and what practical steps trustees can take to ensure organizational readiness.
Notable Quotes:
“Given how much of our care delivery relies on IT systems, should those systems become unavailable... it very quickly becomes a patient safety and governance issue.”
— Ajay Gupta (01:52)
“The board's role is to provide oversight, and confirm the organization is ready—not just to defend against the cyberattack, but also to operate through one safely.”
— Ajay Gupta (02:10)
“The only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don’t want that, so we have to do the next best thing: testing, preparation, and practice.”
— Ajay Gupta (04:10)
“It’s important for trustees to know and understand that while the fault is not ours... patients don’t see the hackers. They see us.”
— Ajay Gupta (06:26)
“Any event that can halt care and erode trust and cost millions of dollars has to be of great concern.”
— Ajay Gupta (08:43)
“Continuity demands preparation. Again, just like we practice our surge plans, we practice our hurricane plans, we have to develop and practice technical continuity plans from a cyber breach perspective. And trustees must lead.”
— Ajay Gupta (08:50)
| Timestamp | Quote | Speaker |
|-----------|-------|---------|
| 01:52 | "Given how much of our care delivery relies on IT systems, should those systems become unavailable... it very quickly becomes a patient safety and governance issue." | Ajay Gupta |
| 02:10 | "The board's role is to provide oversight, and confirm the organization is ready—not just to defend against the cyberattack, but also to operate through one safely." | Ajay Gupta |
| 04:10 | "The only way to know if operations can continue during a breach is to experience continuing during a breach. Of course, we don’t want that, so we have to do the next best thing: testing, preparation, and practice." | Ajay Gupta |
| 06:26 | "It’s important for trustees to know and understand that while the fault is not ours... patients don’t see the hackers. They see us." | Ajay Gupta |
| 08:43 | "Any event that can halt care and erode trust and cost millions of dollars has to be of great concern." | Ajay Gupta |
The conversation is direct, educational, and empowering—laying out complex cybersecurity issues in terms accessible to non-technical board members while emphasizing tangible oversight actions and the gravity of their governance responsibility.
This episode serves as a foundational resource for trustees seeking to understand and strengthen their role in hospital cybersecurity, emphasizing preparation, practice, and proactive governance.