The American Hospital Association has named a longtime FBI official to a newly created role focusing on cybersecurity in healthcare.
John Riggi, who served in various roles at the FBI over a 28-year career, will join AHA as a senior advisor for cybersecurity and risk, the association announced. During his time at the Cyber Division of the FBI, Riggi led a national program to foster industry partnerships and helped investigate cyberattacks against healthcare organizations.
The cybersecurity post was created after discussions with member hospitals and state associations revealed hospitals needed more support and resources to prevent and respond to a growing number of cyberattacks, Doug Shaw, chief operating and development officer for AHA's Health Forum, told FierceHealthcare.
"There was a growing recognition that more was needed and more could be done," he says.
For the last two years, Riggi has led BDO’s Cybersecurity and Financial Crimes Practice, where he worked with AHA to build industry awareness. He will continue those efforts at AHA by sharing his expertise with member hospitals.
The American Hospital Association (@ahahospitals) tweeted on February 20, 2018: "John Riggi, a nationally recognized expert in health care cybersecurity who spent nearly 30 years with the #FBI, has joined the AHA as senior adviser for #cybersecurity and risk https://t.co/elHXxIUqJ1 #AHAtoday"
“Cybersecurity is on the top of every health leader’s mind,” AHA President and CEO Rick Pollack said in the announcement. “And John is nationally recognized as one of the best experts out there on healthcare cybersecurity. His strong credentials and expertise will go a long way in helping the field strengthen their defenses against rampant cyber and physical threats.”
The new position is a notable step for the nation’s foremost hospital association that has advocated for tailored threat sharing from the federal government. In a statement (PDF) submitted to the House Subcommittee on Oversight and Investigations last year, AHA said hospitals have improved their cybersecurity posture with encryption, threat assessments and tabletop exercises. The association also said victims of cyberattacks “should be given assistance, not blame.”
Riggi's previous experience working with AHA, his relationship with federal agencies and his wealth of investigative knowledge made him the ideal candidate for the job, Shaw says. The leadership role will revolve primarily around education and best practices, but he will also be available to provide individual briefings to member hospitals and create tailored programs for regional associations.
AHA also plans to focus on filling threat-sharing gaps where necessary.
Hospitals continue to face attacks that pose serious consequences to patient care. Last month, Hancock Regional Hospital paid a $55,000 ransom to hackers in order to regain control of IT systems. Last year’s report by the Department of Health and Human Services’ (HHS) Cybersecurity Task Force noted that the agency is facing a “severe” cybersecurity workforce shortage that has a particular impact on small, rural facilities.
But even large systems aren’t immune. Last year, HHS reported that two large health systems were still dealing with the aftermath of WannaCry nearly a month after the global attack. At the same time, AHA has asked the Food and Drug Administration to hold medical device manufacturers accountable for minimizing security risks, highlighting it as a particularly vulnerable area for hospitals and health systems that have a growing number of connected devices.