For those in IT, saying cybersecurity represents a massive enterprise-level risk is not breaking any news, but it is incumbent on those IT folks to make sure that message is clearly communicated to the business leaders in the C-suite. Conversely, it’s also incumbent on business leaders to demand that their IT counterparts translate IT risk into language they can understand. Only then can risk-based decisions be made and preparations to deal with outages be addressed appropriately. It’s an approach that American Hospital Association National Adviser for Cybersecurity & Risk John Riggi advises, along with embracing as much transparency as possible if an attack is suffered. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Riggi covers a host of issues around keeping hospitals as safe as possible from a cyber attack.
Bold Statements
What I’m proffering, suggesting here, is that we leverage the work we’ve already done and the resources that have already been allocated for emergency preparedness, and we combine that with our cyber incident response planning and our downtime procedures, so that a cyber incident is considered a hazard, just like a fire or flood or hurricane, that’s incorporated into our emergency management planning.
Just think about it: if your house is on fire and it’s raging, you don’t want to have a discussion with the lawyer, “Should we call 911 now or not? What are the risks of calling 911 versus the rewards?” That has to be baked in so there’s no hesitancy to contact the government …
I would encourage the leadership of all hospitals and health systems to really look at cyber risk as not just an IT issue, to really understand it and demand that it be translated to them in such a way that they understand the enterprise nature of the risk, to understand that it is a risk to all functions, and primarily a risk to patient care and patient safety.
Anthony: Welcome to healthsystemCIO’s interview with John Riggi, National Adviser for Cybersecurity and Risk with the American Hospital Association. I’m Anthony Guerra, Founder and Editor-in-Chief. John, thanks for joining me.
John: Thanks. Great to be here, Anthony.
Anthony: All right, John, looking forward to a nice chat. Why don’t you start off by telling me a little bit about your organization and your role.
John: The American Hospital Association is the primary advocacy organization for the nation’s hospitals and health systems. We represent over 5,000 hospitals and health systems of all types and sizes, from very small rural hospitals all the way up to multi-state systems, and we’ve been in business since 1898, 125 years, which is actually longer than my previous 3-letter organization, the FBI.
Anthony: Yes, very good. Very good. So you like to work for places that have been around a while.
John: That’s right. In organizations where I can remember the name easily, 3 initials. That’s it.
Anthony: Love it. Love it. So interesting, your title has risk in it. I interview a lot of CISOs and one told me recently it’s all about risk. If you’re focusing on vulnerabilities, you’re going down the wrong path. You have risk in your title. I don’t know if anybody had this position before you or if you’re the first one to hold this position, if you had some input into deciding what it would be called, but it’s just interesting that you have the word risk in there.
John: Very astute observation, Anthony.