Protecting Healthcare: Tackling Cyber Threats to Hospitals and Patients

In this interview, Scott Gee, Deputy National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA), discusses his role in helping hospitals address the growing threat of cyberattacks. He highlights the healthcare sector’s vulnerability due to sensitive data and interconnected systems, emphasizing the potentially life-threatening consequences of cyber incidents. Gee also praises AHA’s proactive efforts in cybersecurity advocacy and preparation, expressing his commitment to the mission-driven work of protecting healthcare systems and patients.

Explain your overall responsibilities as AHA’s deputy national advisor for cybersecurity and risk

In my role, I support the National Advisor, John Riggi, in helping hospitals understand the complex and rapidly changing cyber threat landscape.  We provide hospitals with updates on the cyber threat, we host table-top exercises, and advocate on behalf of hospitals in terms of cybersecurity policy and regulation. 

Why did AHA make the decision to bring on a senior level advisor in cybersecurity?

There is a critical need for cybersecurity across the hospital sector. We have seen the crippling impact of cyber attacks on hospitals, even when the hospital itself was not directly attacked.  Attacks like the one involving Change Healthcare have cascading effects on hospitals.  We focus on helping hospitals prepare for those incidents and understand the clinical impact when you lose connected systems.  John has built a fantastic program here at AHA, and adding me will expand our reach, allowing us to support more hospitals. The AHA has been a leading voice for hospitals and patients on cybersecurity issues helping the sector, policy makers, and legislators understand the strategic nature of cyber risk.  We have also successfully advocated to the federal government that ransomware attacks which disrupt and delay healthcare delivery are not data crimes, they are threat to life crimes.  

How does an association make the decision to create a cybersecurity position?

The decision to create this role was based on the sheer volume of work to be done in the healthcare cybersecurity sphere, as evidenced by the exponential growth of cyberattacks targeting hospitals and health systems. The AHA sought to increase our capacity and broaden our impact cybersecurity awareness and advocacy within the healthcare sector, and adding to the existing team was the first step in that effort. 

What industries are at greatest risk for cyber threats?

In terms of overall impact to communities and lives, we would argue that the healthcare sector is among the most at-risk sectors. Hospitals and healthcare providers handle highly sensitive information on nearly every American, as well as payment information and other data prized by cybercriminals.  

The other thing that makes healthcare such a high risk is the potential to interrupt healthcare delivery through cyber attacks.  When a hospital is taken offline by a cyber attack and is unable to provide critical care to patients, the impact is obvious.  What is perhaps less obvious is the cascading impacts to other hospitals in the area who now must absorb the patient load from the hospital that is experiencing the attack. Those hospitals were likely already operating at or near their capacity before having to treat additional patients.  When this happens, the quality of care is impacted for everyone involved.  

Third party risk is also a significant concern in the healthcare sector.  One has to look no further than the attack on Change Healthcare to see the sector-wide impact that a cyber attack can have.  With the adoption of electronic medical records and the increasing demand for telehealth services, the cyberattack surface for healthcare is only expanding. 

What do you love about your job?

I am a very mission-driven person.  I enjoy having problems to address and working with others in pursuit of that goal.  In cybersecurity, and particularly in healthcare cybersecurity, the mission is clear, and the need is critical.  Cyber crime targeting the healthcare sector is truly a threat to life crime.  I have spent most of my adult life chasing bad guys of one sort or another, and it’s great to be back in that fight. This is a role where I truly feel like I can have an impact. Our efforts to help hospitals prepare are having a direct, meaningful impact on healthcare delivery.  That is meaningful to me. There is much more to be done, and I am looking forward to the opportunity to help in any way I can.