
American Hospital Association, Rubrik team to bolster cybersecurity
The AHA has named Rubrik a preferred cybersecurity provider, and the goal is to help hospitals improve protections and recover from attacks more quickly.
John Riggi has always espoused a blunt message when talking about hospitals and cybersecurity.
In the past, he has said it’s a question of when hospitals will be attacked, not if they will be attacked. Now, Riggi, the national advisor for cybersecurity and risk for the American Hospital Association, has modified that message.
“I say now, it’s not if you will be attacked,” Riggi says. “The question is, how well prepared are you when it happens?”
The American Hospital Association is aiming to help hospitals and health systems to bounce back from cyberattacks more quickly. The association has named Rubrik, a cybersecurity firm, as a preferred cybersecurity provider. The association's nearly 5,000 member hospitals now have access to Rubrik’s recovery playbook.
Riggi says the hospital association established the preferred cybersecurity provider program several years ago at the behest of hospitals, who wanted guidance on working with trusted companies to protect their organizations and maintain their ability to care for patients.
Some hospitals struggle to recover from cyberattacks, with some systems needing weeks to resume normal operations. Cyberattacks have prompted some hospitals to
“Part of the challenges they faced is that the bad guys as part of their attack methodology would seek to locate and encrypt the backups to prevent restoration, forcing them to pay ransom,” Riggi says.
“If an organization is attacked, those backups are a lifeline and, quite frankly, the last line of defense for an organization to have the ability to independently recover from ransomware attack and not be forced to pay,” he says.
Josh Howell, Rubrik’s healthcare chief technology officer, says that the goal is to help offer hospitals more tools to restore systems quickly, so that they don’t feel obligated to pay a ransom demand after an attack.
“You know, 60% of organizations who pay a ransom see another attack within six months,” Howell says.
“So the best thing you can do in an environment where these attacks are profit-motivated, they are sucking U.S. taxpayer dollars out of the U.S. health system to fund wars and things that are not in the U.S. interest, the best thing we can do is have a health system say, ‘I'm not paying you. I know what data you can have because my house was in order.’ And it proves that there is no point in attacking them again. They are not the type of organization who pays.”
Beyond any ransom payments, hospitals and health systems face significant financial damage from cyberattacks.
Howell says the company can give hospitals a better understanding of how to protect critical data.
“We can show you in peacetime, where that sensitive data is, so you can go do something about it,” Howell says.
He pointed to the Cybersecurity and Infrastructure Security Agency, which says organizations can’t secure what they can’t see.
“That's really where we want to help organizations get their house in order, know that they are immutable and have a path to a fast recovery,” Howell says.
Hospitals also face the challenge of devoting the resources to improving cybersecurity at a time when many hospitals and health systems are facing greater financial pressures.
Howell stresses that hospitals can make some preparations to improve their security at little or no cost.
For example, hospitals can focus on compiling lists of all their vendors they would need to contact in advance of any incident. Howell says that is “a low-cost thing that you can do that takes a lot of time and confusion out of a recovery.”
Riggi says he sees hospitals and health systems making progress in cybersecurity, and he says that hospital leaders are clearly taking the problem seriously. But he’s hoping to see more systems get to the point where they can resume full operations in a shorter timetable.
“We've got to change the paradigm here,” Riggi says. “Defend where you can. Recover quickly with minimal impact. That's the bottom line. And when we achieve both, when we achieve that recovery capability with minimal impact to patient care and safety, that's when the bad guys will stop coming after us.”
Health systems should also see that shorter recovery timetables are possible, Howell says.
“It doesn't have to be 35 days of downtime,” Howell says. “Those are the painful incidents that grab public attention, and they get a lot of headlines. There are organizations who are quietly conducting much quicker recoveries.”
Riggi also pointed to the hospital association’s other preferred cybersecurity providers.
“We would strongly encourage hospitals and health systems to evaluate our preferred providers, all of them, for the services they provide,” he says.































































