Proactive Healthcare Cybersecurity for Today’s Threat Landscape
Healthcare cybersecurity is no longer just about compliance—it’s about protecting patient care, safeguarding operations, and maintaining trust in a high-stakes threat environment. With 92% of healthcare organizations experiencing cyberattacks in 2024 and the average breach cost reaching $4.7 million, leaders are under pressure to make every security decision count. In this expert-led webinar, leaders from Stellarus, NextGen, and Tevora share how healthcare organizations can strengthen cyber resilience, navigate shifting regulations, and prioritize the right strategies in an increasingly AI-driven and high-risk landscape. Drawing from real-world experience, our panel will offer actionable insights to help you secure what matters most.
Key Takeaways:
- Today’s most pressing cyber threats in healthcare—what’s new and what’s escalating
- The operational, financial, and patient care impacts of modern attacks
- What recent HIPAA changes mean for your security and compliance roadmap
- Emerging technologies shaping the future of healthcare cybersecurity
- What to prioritize on your 2025 healthcare security agenda
Whether you’re leading IT strategy, managing risk, or responsible for compliance, this session will help you focus your efforts and protect your organization against the threats ahead.
Welcome, everyone, to today’s timely and essential conversation, Proactive Healthcare Cybersecurity for Today’s Threat Landscape. My name is Spencer Romero, Enterprise Consulting Director at Tevora, and I’ll be guiding today’s discussion. Cybersecurity in healthcare isn’t just a back office issue anymore, as many of you know; it’s a frontline issue. In 2024, a staggering 92% of healthcare organizations experienced cyber-attacks, and the average cost of major incidents hit around 4.7 million. As AI tools continue to evolve, and threat actors right along with them, many organizations are asking the same critical question: where should we focus our resources to truly stay ahead of the risks? That’s what we’re here to unpack today. I’m really excited because we’ve brought together an outstanding panel of experts, from top healthcare providers to cybersecurity leaders, who will share where the biggest threats are emerging, how policy and HIPAA are shifting, and what forward-thinking organizations are doing to stay resilient in 2025 and beyond. I’d love to introduce you to our panelists here today. They’ll give brief introductions, and Garo, we’ll start with you.
Hello, everybody. Thank you for joining. My name is Garo Doudian, and I’m the Chief Information and Security Officer at NextGen Healthcare. I’ve been with the company for a little over a year now. It’s been an exciting journey. I spent a lot of time in my career at other software companies, and a lot of time in financial services, card issuance, bank holding companies and whatnot. Regulated environments, be they financial or healthcare, face a lot of the same things, a lot of similar threats and a lot of the challenges that we all face. Happy to be here. Thank you to our partners at Tevora and to Eddie from Stellarus for joining the panel. Looking forward to the discussion.
Nice to virtually be with you today. My name is Eddie Borrero. I’m the Chief Information Officer for Stellarus. I’ve been a chief information security officer for, I would say, 25 plus years of my career. I’m very dialed into the security landscape, kind of the cutting trends in information security, both on the corporate side and on the bad guy side, as I like to say it. Now I’m focused on developing products and services that are really created to change the overall healthcare industry. We know it’s expensive, so we’re trying to figure out: how do we best lower costs? How do we make healthcare more equitable, leveraging technology and digitizing our industry? Personally, I have a deep passion for security, just in general. So nice to meet everybody.
Spencer, nice to meet everyone today. My name is Jeremiah Sahlberg. I’m one of the principals here at Tevora, which means I’ve got delivery ownership and responsibility for a number of towers, federal, ISO, SOC 2, and also our healthcare practice, where we do a number of HITRUST engagements and a lot of HIPAA work. I’ve been here for a little over, going on eight years now. Prior to my time here at Tevora, I was a customer, worked in various industries, and before that I was a CISO at an organization, so I’ve spent a good chunk of my career as a consultant. Part of the goal of today’s discussion is for me to bring some of my experiences from all the various organizations that I’ve seen, largely within the healthcare space. I’ve had intimate engagements with over 25 different healthcare organizations over my career, visiting over 150 different healthcare facilities across 12 different states. I’ve seen a lot of different things at a lot of different organizations that really span the gamut of what’s working and, in many cases, what’s not working. I’m excited to be a part of our conversation and share some of the stories that I’ve seen over the years.
Thanks, team. As you can see, we’ve just got a wealth of knowledge from the team here to share today. I’m excited to dig into these questions. Garo, we’ll start with you first, and let’s start with the cyber threat landscape. From your position as a CISO in healthcare, what are the top two to three threats keeping you up at night right now?
Great question. The way I see it, obviously everyone’s familiar with the Change Healthcare breach. It made a lot of press, caused a lot of operational impacts to folks, and got a lot of people re-interested in security, I’d say. By no means was that the first or biggest, right? If you look back, even all the way back to Anthem, that was back in 2015, but what we are seeing is a trend of more impactful security events. Ransomware is probably one of the top issues, and this impacts all sorts of organizations. Not only do you have the data breach potential of data exfiltration and access to data that, you know, is unauthorized, but you have the real operational impact of systems being down and that blast radius spreading out to other ancillary systems. It starts usually from an end user clicking on a link or opening an attachment, downloading a file, but from there it could easily spread out to your EHR, to your x-ray systems, to your what have you, and then you have really a total outage on the network side. Ransomware continues to be a pretty big trend, and of course, with a lot of these, you get the fast follower. When you see companies get hit with ransomware and then, in many cases, pay the ransom, that just emboldens. I always say it’s like the candy piñata. You hit the piñata, candy comes out, you’re going to keep hitting. So we are seeing this sort of trend. Another big one that’s sort of on the uptick is just related to third party risks and software supply chain. Every company out there depends on some other third parties and vendors. Really what we’re seeing is not only that your security program and the controls that you have direct control over matter, but in many cases you are essentially outsourcing functionality. If you look at big industry things like MOVEit, right, this is a traditional supply chain attack.
Then it really highlights the need for that third party vendor management, risk management of how do you manage risks that you don’t have direct control over for remediating. And then, sort of, I’d bring it back to credential-based attacks and phishing. It kind of ties in a little bit to the ransomware vector. We see this all the time, where it could be some third party site that has a data breach, and then very quickly afterwards you see credential spraying, credential stuffing and that reuse of credentials. That, in some cases, leads to a domino effect: if users are reusing their credentials, and if you don’t have the right MFA or other controls in place, now, through really no fault of your own, your own systems, your own environments could be at risk for a targeted attack. We see this all the time as well, right? Credentials get posted and sold; a lot of times it’s an email and password combo, or obviously things like dictionary attacks. These are probably the big ones, but it’s an ever-evolving field. I know we’ll touch on some AI topics, but obviously you can add in some AI work related to all of that.
Just to jump in right there, because that’s definitely where we were going to go next. How have you seen the threat landscape change, specifically over the last year, and with all the conversation and integration within a lot of our organizations with AI, what are you seeing in regard to that?
Before I dive into that, I’d love to add on to Garo’s commentary. You talked about the impacts growing, and you mentioned system outages. I would say it’s even greater than that. We have examples of hospitals and clinics actually going out of business because of ransomware attacks and because of supply chain attacks, where claims and finance are the things that, let me rephrase, claims not being able to be turned into a payment for those clinics and hospitals leads to financial distress, and then that financial distress leads to a clinic or a hospital shutting down. And so that really means communities are starting to get impacted in their ability to get quality health care. In some cases, your local hospital goes down, and now you’re driving 50 miles to the next clinic or hospital. In a lot of cases, lower income families don’t have transportation readily available. The health of our nation, may I lead the witness here, is in question, definitely the health and well-being of certain communities. When you think about impacts, it’s not just shutting down a business, which is rare when it comes to cyber-attacks; it’s actually impacting the health of communities. It’s a big deal. When I think about the threat landscape and artificial intelligence, I mean, the simple way to think about it is the barrier to entry is very low. It’s even shrinking. When you think about natural language programming, if you’ve got bad intent, you need very little skill or tools to be able to create attacks. You can talk to artificial intelligence and have it create whatever you want: infrastructure, software, malware. It’ll educate you around how to approach people with social engineering. It could actually help you target people; like, if I wanted to attack Garo, I’d use AI to learn everything I need to know about him and have it give me a strategy. And so the barrier is low. The scale of what can happen is also increasing.
Meaning you could create various attacks instantaneously and change them, morph them, grow them. You don’t have to be a hacking whiz. You don’t have to be a developer nowadays, so barrier plus scalability is a nasty combination of threat, for lack of a better term. On the flip side, it’s the same thing, though, for us to accelerate our ability to protect an organization and put the right controls in place. I think about AI increasing our responsibilities, let me rephrase, response capabilities, right? And so think about using artificial intelligence, especially agentic AI and large language models, to automate and accelerate and enhance our ability to respond to attacks. Sky’s the limit. And then you start to think about, in the future, products start to become interesting. You have security products, but what if you can imagine a future where security products are created on the fly to address specific threats and attacks, and it’s no longer us paying for products, but companies developing controls and capabilities on the fly on their own, with their own intelligence? We’ll have to figure out a way in the future to, from my perspective, combine forces and ensure that we are doing the right things to fight the bad guys. The industry, the security industry, is going to change quite drastically, or we’re no longer going to be dependent on our third party suppliers for security controls. We’ll be building them into our products on the fly, almost like an immune system. Like when you catch a virus, our bodies develop antiviruses and antibodies. Computers will soon be developed in that way as well.
Yeah, that’s great insight, Eddie, we appreciate that. Garo, anything to add, or Jeremiah, anything to add on the AI and the development of that, and folks using that?
The one thing that I’m seeing a lot, coupled with AI, is this concept of, while we’ve adopted a more expected remote work environment, we’re seeing bad actors try to get jobs at organizations. They use a combination of AI to create personas or steal identities. I’ve seen many cases where someone has interviewed for a job. Then on day one, someone has shown up, and the client I was working with took a screenshot. They’re like, I don’t think this is the same guy I actually interviewed a couple weeks ago. And it turns out, no, it wasn’t. Another case: they actually brought a system administrator on board, they hired him. Then they’re like, yeah, he asked us to ship his laptop to another address, his brother’s. He used an excuse, his brother passed away. Well, they had some security telemetry within their organization and some intel that was saying anything that’s being shipped over here is actually part of a ring; that entity was found out to be part of a North Korean thing. There are legitimate attacks that are using a combination of false identities, using AI to create personas that aren’t the personas, that aren’t the resumes, that you’re looking for. They’re these other individuals. I think identity management and identity trust is a big threat that we’re seeing within the environments, and we’re going to have to figure out better ways to combat it. You wanted to add on to something with that?
Absolutely, the AI threat. If, sort of, in the pre-AI world, someone were to tell you there’s a real risk of having your virtual CEO or CFO jump on a video call with you and ask you to transfer money, or something like that, or these malicious IT workers, that’s sort of a new threat. Eddie touched on the crafting and lowering the barrier of entry, absolutely right. So now, if you’re looking at targeting English speaking companies, you really don’t need to know English, and there’s been study after study that actually shows that people end up falling for phishing emails crafted through AI much more frequently than they do for the traditional phishing emails. And with a lot of these, within 60 seconds of someone receiving a phishing email, they read it, and in about 30 seconds later they click on that link, right, if they’re going to fall for it. It’s just increasing that attack speed. There are a lot of theories, you have yet to see full proof, but it’s coming in terms of vulnerabilities being crafted and written using AI. Patches come out, and already there is sort of a reverse engineering of: Microsoft releases a patch, what is it trying to fix? Now let me write an exploit for it. Well, just imagine AI, when you look at all the coding assistants, speeding up that cycle. A patch gets released and instantly you analyze that patch and figure out what you can write to actually exploit, and then deploy something out in the wild. We are seeing some of those timelines shorten between patches. Obviously, things like zero days have been around for quite a while. And then on the defensive side, usually, in the security world, it’s not hard to log things. You could have logs and logs for days; it’s that signal-to-noise ratio. This is where AI comes in; Eddie mentioned product integrations. I think there’s a lot more future in this.
There’s been automation and various response capabilities for a while, but leveraging AI to look at that almost unstructured data, or behavioral data, and trying to figure out, of all these logs that are coming in, of all this user behavior and things like that, what is it that I need to look at? What is it that the team needs to look at? And then using things like the agentic responses: how do I react and triage immediately, without even human intervention, once we get to that point?
I’d like to actually touch on Jeremiah’s point around the people risks, the hiring of false identities. I think about what the catalyst was to get us here. You think COVID was the thing that drove full remote workforces and full hiring of remote workers, and all of a sudden we started to have an increase in this kind of threat where you’re hiring false people. We’ve always had people trying to, especially engineers, trying to work multiple jobs, right, moonlighting in multiple areas. Now you scale that with, I built my own company with people that are supposed to be me, and so they’re collecting paycheck after paycheck. Then you add a malicious hat to that. They’re in companies, and they can do some really dangerous things because they’re engineers with very privileged access. I foresee the return of the workforce to the office more heavily, and/or, at the very least, confirmation of people in person on a regular basis upon hire. In the United States, we have our I-9 process that really needs to start to happen in person, in my opinion, where we’ve tried to do virtual I-9 registration or understanding who’s who. But in this world of AI and in the world of rapid deep fakes, both visually, logically, verbally, I know it gets really hard to confirm who’s who. I think there’s going to be a shift in hiring practice and a shift in remote working. There’s going to be, there has to be, something that comes about. To definitely come back there, Eddie, I think, maybe not where it was, but somewhere that hybrid verification process, the AI, I-9 type stuff, all the assurances that you’re looking at the identities, is something that I know a lot of organizations are investing in, identity. For me, identity matters a lot.
I also foresee a future where we’re going to probably get to a place where we have one digital identity that follows us around. I’m really futuristic here, but the world of having multiple logins, multiple credentials, multiple versions of who you are digitally as an identity, I think has to go away, personally. I think it’s big. And you’ve seen us try to do this as a country, as a nation, as multiple industries, in various ways, and it hasn’t taken off. When you think about the future of AI and deep fakes, you’ve got to have something that confirms Spencer is Spencer, no matter where he’s at. I think, Garo, you touched on something as well, and I’ll mention it again: the future of self-healing, where we’re not dependent on a Microsoft for a patch, because we already understand those vulnerabilities, and if it gets announced, we can automatically build controls. That’s the deep system integration, the deep understanding of the products and services you run, even at the OS level, that has to change. We can’t have the patch whack-a-mole, is what I call it, approach in the future, because you’ll never be fast enough.
Actually, that kind of leads me to our next question. I think looking towards the future and having vision for what could be, the potential remedies, are always super important. I think we’ve done a good job, probably, now of also talking through, well, if you weren’t afraid before you came, you might be now. It’s June 25, 2025. How do CISOs, security teams, security leaders today get better at just communicating these potential risks that we’re discussing, whether it be AI, identity, whatever it might be, and a combination of those things? Like, what are ways leaders within organizations can get better at communicating to folks who maybe don’t have the same security background? How do we handle this, and how do we get investment right for the things that we need to solve the problem today?
I love the question. I’ve made my career on this, Spencer, by the way. I would say lose the tech speak. You cannot talk technology to business leaders or customers, period. That’s one piece of advice. The real trick is communicating to people in a way that they understand, so learning what our, especially our business leaders, care about, and speaking to that, and then speaking to impact in a way that’s not technical. We talked about it a little bit; in healthcare, if you’re a provider or doctor that’s working in a clinic, that’s making decisions for a hospital, and you talk about a risk of shutting down the hospital, they’ll pay attention, or a risk to patients’ health in general, they’ll pay attention. How do you craft your justification for investment in such a way that touches the hearts and minds of your audience? That’s the way I think about it, and that’s true for any business. You start to think about any industry: talk about what they care about, what are the things that will really impact customers and the bottom line of the business. In healthcare, it’s the life and well-being of members, and when you have those types of risks, it’s a big deal.
I fully agree, Eddie, take out the tech speak. The way I see it, security risk, no matter what flavor it happens to be, is just another risk to the organization. It’s always important, and sometimes it is a challenge in security: how do you quantify that risk? Without coming in and sort of Chicken Little about, everything could go down if you don’t do this one thing, and then everything else could go down. Helping quantify that. That goes back to what Eddie was mentioning about prioritizing efforts. We’re always going to be limited with what capacity folks can work on. Yes, tying that back to a real risk, trying to come up with, in some cases, mitigating controls of, how do you reduce, right? Because it’s all about risk reduction. I don’t think anyone in security will ever say we will eliminate risk, because that’s practically impossible, or not economically feasible at least, in any company. How do we reduce that risk? How do we target and focus on the areas that really matter? Where is the patient information? What are the systems that, if these go down, have a real world impact to our customers, who are members, who are, you know, patients? And that’s where, I think, the sort of magic or the art in security is: how do you focus that and translate it in a manner to get that investment and then focus? A lot of the security things are beyond IT; it is not just the security team that’s implementing security controls, right? It’s across the company, whether it’s end user behavior, whether it’s the design of systems and third-party vendors we partner with. And then it’s, you know, security lies in everything.
I was trying to jump on what you were saying there. When we talk about risk and being effective communicators to our boards, the committees, the CFO, the CEO, whoever it happens to be, I think a big part of understanding that is the risk tolerance for the organization. While generally our job is around helping organizations understand, and in many cases there is such a gap that we’re pushing for risk reduction, I’ve actually seen the opposite be true as well, where I’ve seen some entities, few and far between, that I would say are overfunded given their risk appetite as an organization. Because you can’t eliminate all risks, we know that we have to get it down to an acceptable risk model for the organization. I would definitely argue for understanding and getting to a common understanding of what is tolerable risk for the organization. Certainly when you have R and D functions, maybe you can tie those off with having a riskier environment, because you don’t care if that gets, for whatever reason, that part of the business can have a different risk posture than the primary function of an organization. I echo exactly what you’re both saying. You have to keep it in business terms, but I think that there’s an essence that’s needed around understanding and quantifying what the risk appetite of an organization is. We’ll talk enterprise risk. I say top line enterprise risk; we talk about cyber enterprise risk sometimes, but there’s top line enterprise risk, which I think is an important conversation to have with either the board or the audit committees, those that, you know, really understand business.
I’d also say that CISOs have an opportunity right now to become better business leaders. If I break it down, you have an operating budget that, to your point, Jeremiah, could be excessive, and most likely is excessive, if you think about how the world’s shifting to the agentic model. AI, generative AI capabilities, all the things we’ve been talking about, can really build efficiencies across your security controls, your personnel, your security budget in general, so you can self-fund a lot of work if you’re really good at, I would say, simplifying your toolkit, simplifying your processes, leveraging generative AI to do a lot of work. It’s very different than automating work. It’s really an opportunity to hit that administrative budget in a way that can ignite the security program. Additionally, I coach every CISO that will listen that we need to create a standing investment budget, and many organizations will adopt this if you can justify the fact that the security landscape changes all the time. We need to have funding that allows us to react in real time to the threat landscape and not have a bureaucratic process that requires a lot of justification, a lot of risk quantification, to do what I think is core to what we do, which is addressing threats in real time and at a quick pace. We’ve got to invest. Just think about the fact that every partner that we have in the industry is upping their pricing by double digits nowadays. You can’t continuously have to go back to the well to ask for money. You need a stream of money. You’ve got your operational budget, you’ve got a little bit of money, no matter what that is, that you get the organization to agree on, that’s in the control of the CISO. And if you can do that, now you have some flexibility, and you can operate effectively.
You have strategic dollars; you’re going to need capital investments to make a difference, to invest in areas that you’re immature in from a control standpoint, and all the things Jeremiah and Garo just talked about are really relevant in that space. If you’re doing your job as a business leader, you’re going to set up an operational budget that allows you flexibility, especially if you leverage artificial intelligence. You can get some sort of contingency funding for your program that’s under the direct control of the CISO. You’ve got to show you make good decisions there. And then for those big things, you need some capital dollars, and that requires risk quantification, and it requires risk discussions in the communication, or in the language, of the hearts and minds of the people that approve that budget. For whatever it’s worth, that’s my top secret trick.
I think great answers all around the board there. Jeremiah, I want to come back to you real quick, and maybe practically, there are probably a lot of folks, or we know there are, where HIPAA is very relevant to what they’re doing. I wanted to ask you, as a leader in that space, we do HIPAA and HITRUST stuff together, Jeremiah, what are some of the key changes in the proposed HIPAA modifications that you believe security leaders need to start preparing for right now? What are some of those top-of-mind things?
Late last year, early beginning of this year, there were some proposed changes to the HIPAA Security Rule, which was first implemented, I think, in April 2005 maybe, so over 20 years ago. People talk about HIPAA shouldn’t be hard. That’s great. You have 22-year-old expectations of controls. They have proposed some changes. They’ve had a comment period that’s out there, and these things are likely to go into effect. I stopped trying to speak intelligently on when legislation will ever pass. That’s just a fool’s game, in my opinion. But we should be. If your organization is not already addressing these capabilities, then you’re probably behind anyway, and you’re suffering from a deficiency from a cybersecurity capabilities perspective. However, to actually give a discrete list here, I’ll try to answer Spencer’s question. For those that deal with HIPAA day in, day out, there’s this concept of required controls and addressable controls. Addressable weren’t like optional controls, but there were ways that it may not be applicable to my organization, or from a risk reduction perspective you didn’t have to deal with it. They’ve gotten rid of all that; there are no more addressable controls. They’re all required. The next big change there is probably something that is so critical to organizations, really one of my foundational things: having proper asset inventories, obviously knowing your data flow diagrams and where your data goes. I treat your asset inventory, and no organization gets it great, I’ll tell you that right now, organizations will sometimes get it good, but it’s your denominator. When you’re looking at your tools, where your assets are, you always want to know, how many assets do I have in my endpoint management? How many things have been scanned? Those are your numerators, but they always need to be compared against your denominator, which is your asset inventory. That’s your baseline.
Knowing where your assets are, that’s now a requirement: to have that asset inventory, make sure it’s being updated and well documented. A couple other things that they put in place are some more stringent requirements, having formal Incident Response Plans, being able to test those plans. I was talking with a CISO at another health organization who has suffered ransomware issues. You’ve got your clinical continuity plans, you’ve got your business continuity plans that you need to test and be able to address, and these updated regulations are mandating that those Incident Response Plans are well defined. MFA is something that I really hope most organizations have implemented; that will help combat identity management to some degree. That’s certainly one, and I know we’ve talked about this before, but that supply chain risk, there’s certainly an enhanced requirement around supply chain risk and making sure that you’re vetting those vendors, not only on an onboarding basis, but also on a continuous basis. That’s where we tend to see some of those compromises happen: I tested them once when we first brought them on board. You’re only as strong as your weakest link, and your weakest link could very well be one of your suppliers. I wanted to piggyback on one of the other topics. I think it was you, Eddie, or Garo, who said earlier, about where I’ve seen one of these big risk areas in the past, and it goes back to that asset inventory. It’s a really interesting story. There are two of them I want to bring up. One is in shared infrastructure with universities. Healthcare providers will often be tied to universities, and then you start to run into this really interesting area where a university may have the same shared infrastructure as a healthcare provider, and that becomes an attack vector where these ransomware attacks can impact your organization.
Understanding what is the inventory that you’re managing, where your inventory of connection and interconnection points is, is so critical. And then the second real interesting story, and I won’t say the region, because that might give it away: a big conglomerate health group had sold off a hospital to a different entity. There were multiple facilities, and there’s M and A activity that happens within healthcare organizations. They sold off that hospital, and several years later they’re like, this is our asset, I’m seeing traffic for this other network. No, that was the old stuff from this old hospital that we’re no longer a part of. The answer was no: they were very much still connected to a legacy entity that had no ownership of them, but had technical access and control, and they were affected by the fact that something that happens at an entity they have no business relationship with anymore had direct network connectivity into this entity. Having this idea of knowing where your assets are, where your networks are, where your data flow is, that, for me, is a hyper critical thing, and rightfully so, one of the new requirements of the proposed changes for the HIPAA Security Rule.
Jeremiah is the expert. He actually just did it. I would say, if you're banking on building your program to just meet HIPAA, you're thinking wrong. I would say you've got to think, how do you surpass the regulators? The regulators are typically behind when it comes to protecting against threats and managing actual risk, sometimes, not all the time. Some of the compliance work, especially around HIPAA, may not make sense anymore. I would say it's important to pay attention, to follow the letter of the law, but it's equally important to be ahead of it, to be a thought leader in your space.
To pivot on that, let's talk a little bit about innovation. Garo, what emerging technologies or approaches, i.e. zero trust, behavior-based threat detection, are showing the most promise in the healthcare cybersecurity space? Like, what are you seeing out there?
Sure, and some of these, obviously, we can certainly talk about AI, but I see a lot of this move, and Jeremiah sort of touched on it with the asset inventory of connectivity. One of the easiest ways in terms of reducing your risk, whether it's compliance scope or just blast radius, is to really isolate your environments. That's what zero trust is. It's not a new concept per se, but I think in recent years I've seen a lot of acceleration in just the way systems and applications are designed. No longer the old adage of, I'm an external user, so I'm untrusted, or I'm in an internal corporate network, and now I'm inherently trusted. I think the whole move with COVID and remote work, and obviously pivoting over to the cloud, blurred that line, where there is no internal network, and in many ways zero trust is that personification of: my device is untrusted regardless of where it is, and depending on what application I'm using and connecting to, I may have different controls and different requirements to get there. There is no more of this implicit trust. Now, it has knock-on effects, certainly from the compliance side. If you have a system that has no PHI and is not touching it and is not in any way connected, well, that helps you from your compliance scope. Like Eddie said, compliance is not security, not always. The Venn diagram slightly overlaps, but in many cases there's a lot more you could do. But even from a security standpoint, now, if I have a non-PHI environment that suffers a security incident, I'm not at risk anymore of that crossover, and that continues that sort of model and architecture and identity.
I think there's a lot of movement. MFA is sort of table stakes now, but I think there's a lot more in that space, whether it's device or behavior score or usual patterns, building a larger profile of what a typical user is, beyond just, did they put their code in, and they sort of went from there.
I want to double down on one thing you just said, around compliance versus security. One of the phrases I use all the time, and I get to give credit to Mike Higgins on this one, is: compliance is the lowest common denominator for expectations for a population of something, and so it absolutely is not what needs to be done by a lot of organizations. All it is is a lowest common denominator. But as far as innovations, I would certainly say that there are capabilities with these cloud environments to instantly know where your inventory is. You've got these cloud capabilities and Docker and containers within that, where you can automatically apply security concepts on anything that gets built out into those environments. There is a secure-by-design innovation that is happening. The problem is, that's for cloud-enabled stuff, and a lot of patient care happens on-prem, in person, with some of these legacy connected devices that haven't been patched. I think I was talking to one healthcare entity that said their MRI machine had a Windows something-or-other that some technician had logged in to go check their personal email on, and then that got infected, because they didn't have the endpoint software running on it. There's a limitation sometimes on being able to have a validated system that's doing patient care that can't have the agents and the technology on it, so we have to kind of move away sometimes from the device-based concept, and how do we get it from a compensating control with network-layer controls and some other stuff. Without getting into the technical details here, I think there is a rethink of how we address some of those challenges that we face. You can't just throw out all your work in tech because of a security vulnerability. You still have to provide patient care, and that equipment's really expensive. On the innovation front, I do want to bring up one other point here. I'm sorry, you guys.
I'll keep talking all day. One of the CISOs for this other healthcare organization, they were being told by their HR team that they are not able to attract the greatest physician talent, the doctors, to come work at their organization unless they are deploying AI technology for the doctors to be able to use in how they do procedures. There is this concept of, how does a health organization embrace technology, embrace AI, use that as a differentiator to create and capture the talent so that they'll have better patient numbers, better revenue cycle management? At the end of the day, these are businesses, so they have to attract the top talent to be able to run their business. I think it's kind of interesting to see that AI is there from the perspective of the attackers, from the perspective of what we're doing in cyber defense, but it's also that they need AI for the business to be able to attract the top talent.
I think, just on the topic of innovation, the way I run it is that innovation has to be part of everybody's job. You start to slice people's time: 10-20% of your time as a cybersecurity professional should be spent in innovation, understanding it, leading it. I also have this guiding principle that we should be first. I think of us as like the Seabees. The Seabees are the people that get shipped into enemy territory and build out landing strips and cut down trees and take the beach, and if we're ahead of the curve as security practitioners in regard to business innovation, leading the way to cloud, leading the way to new products and services, being part of that strategy, I think we're in the right space. One of my peers called me the Chief Marketing Officer once, because I was always talking about business innovation and business strategy, but how to get there securely is the main thing. Making innovation part of what we do day to day is really important. Jeremiah, you just said something that triggered me when I think about artificial intelligence at the doctor level. Everybody in the world has a primary care physician, or should, but you've seen a doctor, at the very least, and you've seen their degree on the wall: I went to school. That doesn't mean that they're smart and they're really good at what they do. It means that they're dedicated and smart enough to pass medical school. No insult on that, and hopefully someone doesn't take that the wrong way. But as a patient, if I see 10 doctors, I don't know where they ranked in their studies, or how good they are in their profession, or if they're an expert or not. If you talk to someone in the hospital, they'll tell you, go to this person and not that person. AI has an ability to level the playing field, making all doctors better; a rising tide raises all boats. AI will raise all physicians. I think that's true in many careers and industries.
When you think about innovation, how do we leverage AI to get smarter, to help us innovate, not just to do the work, but to be a thought partner? I often tell people to think of it not as a tool, but as an expert worker that's there on your behalf. I use it constantly, and I tell it, I need you to be like the smartest cybersecurity professional in the world before you answer my question, giving it some context. So innovate, and the world of innovation is just going to grow rapidly, because now we have a level of intelligence that raises everybody up.
We've got about 10 minutes left, and this is going to be an all-play, and I'm going to phrase it maybe two ways, because I know we've got different spectrums of organizations either listening now or later to this conversation, which has been very insightful. Thank you, guys. But I want to talk maybe real quick about the smaller organization, clinic, or whatever it might be. What would your recommendations be? They don't have a huge infrastructure. They haven't built a security program. They maybe don't even have a security practitioner that's working full time for the organization. What would be just two or three recommendations for them on building their security program? Where do you start? What does it look like? Then on the flip side, for maybe larger organizations, what are two to three things you think they should focus on through the end of this year? Like, if you're not doing these two to three things right now, you should really focus on these two to three security principles through the end of 2025. But first, just to speak to that smaller organization.
I always start with an assessment. You can start in many different places, but you've got to have data to figure out where you invest your time and resources, money, so resources being people and cash. You'll never invest capital dollars on something that you don't understand and that you're picking and choosing; it's got to have a return. So that assessment will help you focus and prioritize what you need to do, number one. To your second question, I would say there are a couple of things that I say everybody should really be focused on. The first is resiliency. And resiliency is a different model nowadays, with attacks on supply chain and ransomware. It's how do you operate your business when technology fails? If you're in a ransomware event, technology shuts down. You can think about not shutting down, or shutting down part of your company or part of your systems, but plan for the very worst-case scenario: what do you do to keep your business running if technology fails? The other side of that is, what do you do if one of your critical third parties fails? That's also happening. If your supply chain goes down, what's the plan? Resiliency, I think, is something people aren't paying enough attention to that they really should. I would also think about AI governance: how do you get artificial intelligence under control, or at least being innovated within an organization in such a way that isn't scaling the risk exponentially? Those are my top two.
I'll touch on the resiliency part. In conversations we've had with various clients of different sizes, it's that, yes, plan, but test. Right after a ransomware incident is not when anyone wants to find out that their recovery procedures, whether it's the point of data or just the speed of recovery, or, as Eddie mentioned, reliance on maybe third parties, don't work. Having that actually tested and vetted out, whether it's tabletops or actual walkthroughs of recovery, is absolutely critical, right? If you get hit with ransomware and you realize you can't really back up, you're either building from scratch or you're paying the ransom, and at that point you're kind of stuck. To Eddie's point, AI: that is one that I'm guessing we're going to see more and more of, these sort of trained AIs, or AIs that have access to sensitive data, right? The traditional mentality of, hey, I'm in HR, so I have access to the HR folder that has the HR documents, and I'm in this operation with this full access, that concept has been around for years, and people sort of understand it. You have role-based access controls. The risk is, depending on what AI partners you bring in and how they're vetted, or what controls are in place, now you have these AI models that are trained off this data. Rather than me going and accessing the HR folder directly, because I don't have access, there are risks of, could I ask the AI to give me a compensation plan, or some sort of prompt engineering, as it's termed? What could I get out of that AI model that breaks traditional role-based access and authorization? And just extrapolate that out, right, as AI permeates; it's absolutely critical. Everyone out there says, we have AI, we use AI.
In many cases it's rebranded automation, or some other capability that is branded as AI, but that is what I see as a big risk of this AI adoption. Not saying don't adopt it, but you want to make sure you understand the potential risks. What is that AI? What's the scope and balance of that AI capability? If it's an agentic AI, what sort of actions, what's it going to be doing? What data does it have access to? And how do users or clients or customers interact with that AI model?
Garo, an interesting concept with the adoption of AI: it's interesting how this next generation is so familiar with this and starting to adopt it in new and different ways. I'm going to tie back to that in a second. Spencer, you asked, what's the first thing you do? Eddie, I completely agree that you jump in there with an assessment to do a diagnostic, but before you even do that, you have to have the knowledge to know what the heck you're assessing. So either you acquire the knowledge, you partner with someone to get the knowledge, or you talk to a peer in the industry, but getting the appropriate knowledge is important: having a trusted partner, or yourself, to be able to get the right diagnostic in the organization. My son's girlfriend was practicing for an interview, and she was using AI to ask her questions to be able to prepare for the interview, which I thought was ingenious. I hadn't seen that before, and just how this next generation is using it, it taught me to think about this kind of question and answer it this way. So the ability for AI to help as a learning tool, an interactive learning tool, I thought that was really interesting. To answer your question, Spencer, around what the two or three priorities are: I know this is going to sound obvious, but funding, having an understanding of your funding processes. How do you sustain your budget? What is your budget? Being able to declare what responsibilities can be put into a budget, because without money, you're not going to be able to implement programs. You have to have some sort of funding source. If I was to pick, I think your ability to do incident response, all that stuff's really important, but I'm going to double down here on resiliency of identity, identity management. I think identity is really key in health organizations. There are lots of reports of people trying to call into health centers and get their passwords changed and get other devices added to MFA accounts.
What is your identity management, your identity resilience? Everyone's tied into Okta. If Okta goes down, what do I do? We've worked so hard to get single sign-on, and now that's a challenge for organizations. I think that identity is it for me. Then a close second is, I'll double down on what I said before, asset management, just knowing where your stuff is. If you don't know where your stuff is, all bets are off.
I like that. Jeremiah, you're sparking another reaction in me. The other would be, I think data security is really important. The question is, do you know what assets you have? The real question is, do you know where your data is? I can almost guarantee most people will say no, if they're honest. It is flowing everywhere. How do you invest in capabilities to understand where your data is, how it's moving through different non-prod environments, through production, through people's systems? Identity is important to control that access. But if you don't know where your data is, it's a problem. I think what I'm seeing industry-wise is a large push on understanding and controlling data, a large push on identity, a large push on resiliency, and a large push on AI risk management, let's just call it that. I have four areas. Data governance, isn't that like the heart of everything around where you're going to use it with AI, data governance with privacy, all the HIPAA privacy stuff, or the CCPA or CCRA, GDPR? It's all around data governance of this thing. It's the same story, just now with a different requirement.
I think it's moving from policy and governance to tactics. Do you really understand it? The how is really important, because you can have great data governance around where data goes, but in the development world, how do you know? How do you know synthetic data is being used? How do you know with developers? Because they all have deep access to systems and information. I think I want to confirm that my data governance is in play. You've got some big companies that are up and coming now around data posture management, and where is it at? It's a rising part of our industry for a big reason.
Well, we are just about at the hour, fellas. I want to thank each of you for your insight and time. We really appreciate it. I know the audience may have quite a few questions. What we'll do is, we'd love to take your questions offline; you can reach out with those, and we'll do our best to get back to you. Then I think a recording of this will also go out if you attended today. But again, we thank you. Any parting words, guys, before we head out of here?
No, I would say a lot of people are afraid of AI taking their jobs. I would say AI is going to create a lot of jobs, and if you're not paying attention to it, you're not learning it, you're not doing it, it may take your job, but use it as a force for good.
Partner with peers in the industry. You're not alone going through these challenges. Find good working groups, ISACs, whatever it happens to be, local interest groups that you can lean on. Sometimes, you know, just being able to talk through your challenges helps. As a former CISO, I've got scars, and I know just being able to talk to other CISOs is instrumental in coming up with the next good idea.
A lot of these challenges everyone's facing, even outside the healthcare industry, and they're new. If you told me five years ago that North Korean IT workers joining your company as employees was going to be a risk, I would have said, no, that doesn't make sense. But here we are.
At Tevora, we'd love to help. We're an advisory consulting firm. If you have further questions, feel free to reach out to us, and we'll handle those as best we can. Thank you, guys, again. Thank you all for joining.