Health care executive Cecil Pineda discusses his article, “Under siege: the escalating ransomware crisis in health care,” examining the alarming rise in cyberattacks on hospitals and health systems. Cecil highlights the growing frequency and financial toll of ransomware attacks, with major incidents affecting patient care, disrupting operations, and costing billions. He explores the ethical dilemma of whether to pay ransom demands, the importance of cybersecurity investments, and the role of law enforcement in mitigating risks. Listeners will gain insights into how health care organizations can fortify their systems, develop response plans, and make critical decisions to protect patient data and ensure operational continuity in an era of increasing cyber threats.
Our presenting sponsor is Microsoft Dragon Copilot.
Transcript
Kevin Pho: Hi, and welcome to the show. Subscribe at KevinMD.com/podcast. Today we welcome Cecil Pineda. He’s a health care executive, and we’re going to talk about the KevinMD article “Under siege, the escalating ransomware crisis in health care.” Cecil, welcome to the show.
Cecil Pineda: Oh, thank you for inviting me, Kevin. I’m very happy to be here.
Kevin Pho: All right, so ransomware—that’s something that has been affecting many, many health care systems over the years, and the threat is only getting worse. Just tell me a little bit about the context before we talk about your article and the danger that it poses to our health care systems. Let’s give us some context.
Cecil Pineda: Yeah, it’s very disruptive. Obviously, if you’ve been reading the news, maybe seven or eight out of ten Americans have been affected in some way in the last decade. And it is one of those things that every cybersecurity guy, every, you know, health care executive is very concerned about right now. This is not something that’s top of mind just today—it’s the hottest topic. We talk about it every day in the boardrooms down to the daily calls. I just came out of my daily call today, and probably the word “ransomware” was mentioned five or six times.
Kevin Pho: All right, so give us a little about your background and your experience with ransomware.
Cecil Pineda: Yeah, I’ve been dealing with it for many years now. I’m currently a CISO of a company called R1 RCM. Not many organizations are very familiar with our company, but we work behind the scenes with many health care organizations and health systems. I lead our cybersecurity team and program. We have a large team of a hundred-plus folks dealing with, you know, cybersecurity threats, particularly ransomware most lately.
My first encounter with ransomware was probably five or six years ago, when I was a CISO of DFW International Airport. The impact back then was very minimal—smaller scale. And probably if you remember five or six years ago, the ransom was like 300 or 400 dollars; now it’s in the millions of dollars. So, I always joke with my peers that we’re going to catch up eventually. It doesn’t look like it; the bad guys are a step ahead, for the most part.
Kevin Pho: So, before talking directly about your KevinMD article, just to bring everyone onto the same page, in a health care setting, tell us: What exactly is ransomware?
Cecil Pineda: Ransomware is a type of malware that you get in various ways. It could be as simple as an email phishing link. Most people, when they click a link, think it’s harmless. Folks don’t realize, behind the scenes, it’s doing its damage—it’s trying to take control of your machine or operating system. In many cases—in most cases, actually—it encrypts your data. And today, the latest ransomware actually exfiltrates the data and then encrypts your data. So they take your data, they get your machine or your organization’s servers hostage by saying, “Hey, we got your data. Do you want us to give it back?” or “We’ll publish your sensitive data” in exchange for a ransom payment. As I mentioned earlier, it used to be a few hundred dollars; now they’ve stepped up their game because they’re stealing more data, and they’re asking for millions of dollars.
Kevin Pho: Now, of course, there have been some well-publicized cases in health care, specifically Change Healthcare. What about health care institutions makes them attractive targets?
Cecil Pineda: Probably number one is the volume of data—sensitive information we keep that we don’t want the public to know. And I think the second one, which is really critical, is patient safety. When you deal with patient information, you deal with patient safety, and there’s a component of urgency. Many hospitals and health care organizations need to be operating. When a ransomware situation hits, you are not able to operate. You have to—you know, if you have surgeries that are really critical to your care, you won’t be able to, because you can’t get lab results, you can’t get the patient health history. So, I think patient safety is a critical element there.
Kevin Pho: And in general, who are the groups that are targeting these health care systems for ransomware?
Cecil Pineda: There are a lot, mostly from Eastern Europe, Russia, but they’re really everywhere. The most common ones are from Russia, and you’ve probably heard many of them—BlackCat—and there’s like two or three dozen of these actors that are operating, and some of them are creating affiliates. Some of them are branching out, and they’re everywhere.
Kevin Pho: So tell us more about the KevinMD article. Maybe give us some specific famous health care ransomware cases and what happened with those cases.
Cecil Pineda: Well, there’s—last year, we don’t have a shortage if you really just Google those ransomware attacks. There’s at least 12 or 13 high-profile health care organizations that have lost millions. I think Change updated their announcement from 100 million PHI to 190 million PHI now. In my article, I actually said the cost is 1 billion. Before this session, I actually did a little bit of research. They’ve increased their number to almost 2.5 billion now. And it’s very disruptive. I could share with you—Change is probably the most common one that I can use right now. The moment I got that phone call from Change, it was managed chaos because we had to start disconnecting systems, making sure that we’re not impacted. It’s a matter of—every second counts because once you—we use a term in our industry called indicators of compromise. Once those IOCs cross over to our environment, it’s going to be too late.
So our objective in the first hour is to make sure that we are completely disconnected and there are no indicators of compromise that crossed over to our environment. It is very disruptive. You basically have to stop operating. Organizations start segregating—inside Change, the ones that haven’t been hit yet—segmenting their environment so they can isolate the problem. They start looking at the blast radius every hour, expanding that. Like us at R1, in the first few hours of that incident, we look at the bigger blast radius—even systems not directly connected to Change—we had to make sure we don’t have those threats in our environment.
Kevin Pho: And in the majority of these malware cases, these ransomware cases, is it simply just an employee clicking on a phishing email, clicking on a link? How simple is it to come under threat from ransomware?
Cecil Pineda: Oh, there are so many—probably a hundred ways, Kevin. It could be as simple as—you know, you’re probably a recipient of some weird SMS with a link: “Click on this.” A few days ago, I’ve been getting a lot of, “Hey, you haven’t paid your toll,” and there’s a link. It could be SMS. Sometimes it could be a website that’s taken over by the bad guys. You think you’re clicking something, and you didn’t realize you’re clicking something that initiates the ransomware process behind the scenes. After a few minutes, you’ll know it because it will display a message, or it will basically render the machine useless when you get infected.
Kevin Pho: So if a health care system is under threat from ransomware—one of their employees clicked a phishing link or whatever—and now you mentioned the term “blast radius,” it’s spreading throughout the system. In general, how successful are companies like yours, cybersecurity responders, in terms of containing the ransomware? Is it effective, or do health systems end up paying the ransom?
Cecil Pineda: Well, for the most part, a lot of us are successful because, you know, we see a lot of victims, but you also see a lot of organizations that are surviving. I think the key to that is layers of defenses. We often joke in my team that it should survive the first click—we should survive the first hit. So I think the key for health care cybersecurity executives is creating these layers of defenses. One is not enough in today’s world; you have to have two, three, or even four layers if you can afford it.
Kevin Pho: And give us examples: when you say different layers of defenses, what exactly do we mean by that?
Cecil Pineda: For example, you click a link, potentially malicious, but your email security should be able to—what we call sandboxing—inspect that link before it even gets to you. Most organizations block 99.99 percent of these malicious links or attachments. However, that small percentage we see should be able—your email security should be able—to analyze that. Remember we have a term in cybersecurity called zero days. Zero days are threats that we did not know before, that our tools cannot detect. Those zero days, they will evade all the security tools we have. However, there’s a lot of advanced tools that use AI to look at behavior: it looks at the behavior of that website or that link, and if it leads to a malicious website, it will block it. Now, that’s the first layer.
When you click this link, there should be another tool that detects malware. You’ve heard of products like SentinelOne, CrowdStrike, Microsoft Defender. Those are what we used to call antivirus, but they’re more than that now. They’re really advanced malware protection tools. If, again, that layer fails—most likely that second layer is very good, by the way—it blocks a lot of them. Then there’s this really, really advanced threat that could evade those two layers. If it’s a website, then you have another tool that watches for malicious websites. Before you even land on this page, it will block it: “Hey, this website is malicious. It may contain malware.” In most organizations, those three layers exist today. In some, you can add a fourth or a fifth layer, but it gets very expensive as you add more.
Kevin Pho: Take me through the thought process whenever a health care organization is thinking about paying the ransom. What goes into that decision-making process in terms of whether to pay the ransom or not? Take us behind the scenes.
Cecil Pineda: Yeah, you know, even before an event, that’s something that should have been decided by—not just the cybersecurity leader, but it’s really more about the business leadership of that organization. The majority of organizations I know made a decision before anything happened not to pay. However, things change when you’re in the situation where patient safety is at stake. And in some cases, your backup data may not be available or is impacted as well. Those three things are really key decision points. If they don’t have sufficient backups, organizations are likely to pay ransom. If the data is being threatened to be published, that’s another critical decision element that business leaders need to consider. And sometimes, you know, the urgency of patient safety—you have patients waiting in ER or in operating rooms that need immediate care.
So those are really, you know—we practice so many incident response tabletops, those exercises. Ninety-nine percent of them go really well. However, in a real incident, you have the element of stress, the time pressure. You don’t have all those in a tabletop. And, you know, the bad guys also give you a time limit: “Hey, if you don’t pay by this time, we will publish the data.” So it’s really difficult. When that time comes, business leaders and cybersecurity leaders need to sit together—including, I think, the most important one, the chief legal officer in an organization. They need to sit down and assess what is the best path forward.
Kevin Pho: Now in general, what percentage of these ransomware attacks are successful? Or in other words, what percentage of these cases actually get paid their ransom?
Cecil Pineda: So far, the majority. I’ve heard colleagues and friends say the majority actually went through. Change was one of the unique ones—they didn’t get what they paid for—but the majority of organizations I’ve heard that paid were able to get the decryption keys, get their data back. However, there’s always that saying, it’s hard to trust the bad guys.
Kevin Pho: So you’re saying the majority paid the ransom and got their data back, or the majority mitigated the threat?
Cecil Pineda: Well, the majority of those who paid got their data back and got the decryption. A lot of organizations today, even though we see a lot of companies fall victim to ransomware, there are also a lot of organizations that actually avoid it—they’re able to, because of those layers of defenses they’ve implemented. We see them every day. Most organizations, Kevin—like the size of R1, like the size of large health systems—they get billions, not millions, billions of attacks in any given week.
Kevin Pho: Now, do you feel, with all this publicity on cybersecurity, health care organizations are properly prepared for the majority of threats, or do you feel like there’s still much more room to improve?
Cecil Pineda: There’s room to improve. We’re kind of—you know, I’m just generalizing the entire health care industry. I’m going to quote a good friend of mine who works at another health system: the majority of the health care industry is quite behind on this proactive control against ransomware. But the last couple of years, especially last year, it’s been a big wake-up call for many of us. This has gotten the attention of executives. It’s no longer a cybersecurity problem; it’s a business problem.
Kevin Pho: What about those private practice physicians who maybe don’t work for a large corporation and don’t have the budget for proactive cybersecurity? What kind of advice do you have for smaller “mom and pop” practices that aren’t part of large organizations?
Cecil Pineda: Yeah, I’ve been asked. One of my neighbors runs a series of dental clinics, and they couldn’t afford the tools we run today. There are some commercial tools available—they’re not the best, but they’re sufficient. But I always tell them the most important thing is, of course, still prevention—making sure that they have at least the basic tools. But I always tell them two things. Number one, you need to have daily backups. If something happens today, at least you have the backups from yesterday. They should be separated from the rest; they should be tested for recovery. You have to test those backups because even if you back up every day but you don’t test how to restore the data, they’re useless.
Second is actually being able to operate when your systems are down. I know it’s going to be hard to use paper and pen or maybe Google Sheets or online file sharing. It’s one of those things—you have to be prepared. When your systems are down, we’re guilty of overreliance on technology, Kevin. Like here at home, when the internet is down, it’s almost like the end of the world, and my kids will complain it’s the end of the world. But for practitioners, for a small practice, I think getting ready by using alternative methods for a few days—you’ll eventually recover, but it’s going to take a day or two for a small practice. For large organizations, it takes weeks. You have to make sure that you’re ready to have a secondary way of doing things without the use of those common systems.
I want to add, Kevin, two months ago, I spoke at another event with an ER doctor. I presented the cyber side, and she presented what’s happening in the ER when systems are not available. I was so happy that I spoke with her because I learned what’s happening on the ER side when systems are down. They have to do all these things manually. However, they’re also limited because, like lab results, they couldn’t get lab results, because systems are down.
Kevin Pho: We’re talking to Cecil Pineda. He’s a health care executive, and his KevinMD article is “Under siege, the escalating ransomware crisis in health care.” Cecil, you’ve been very, very helpful—very insightful. Let’s end with some take-home messages that you want to leave with the KevinMD audience.
Cecil Pineda: Leave something—preparedness. I think we just need to prepare, prepare. I think it’s important for not just the cybersecurity leaders but business leaders too. You know, it’s not a matter of if; it’s a matter of when. So invest in basic security tools and prepare for—make backups, and prepare so that if something happens, you’re ready to tackle it head on.
Kevin Pho: Cecil, thank you so much for sharing your perspective and insight. And thanks again for coming on the show.
Cecil Pineda: Thank you, Kevin.
