
Info Risk Today Podcast
3,490 episodes — Page 2 of 70
Why 'AI Fatigue' Is Risky to Cyber Leaders and Their Teams
The flood of new artificial intelligence tools, including those to help cybersecurity teams, can overwhelm healthcare CISOs and their security staff, fueling "AI fatigue" that in itself can create additional cyber risk, said Drew Henderson and Jon Hilton, practice leaders at consulting firm LBMC.
Top Cyber Struggles of Small, Rural Healthcare Providers
Smaller and rural hospitals and clinics, as well as federally qualified health centers, are constantly battling cybersecurity resource constraints, and especially serious workforce shortages, said Jennifer Stoll of OCHIN, a nonprofit provider of health IT services and products.
Why the HIPAA Security Rule Proposal Draws Expert Concerns
While many of the proposed updates to the HIPAA Security Rule are reasonable expectations, others will be extremely onerous to implement if federal regulators finalize the rule's overhaul as it's written today, said Stephen Goudreault of Gigamon and Samantha Jacques of McLaren Health.
Why Identity Security Still Lags in Healthcare Sector
Identity security is still one of the most underinvested areas of cybersecurity across the healthcare sector, regardless of the depth of cyber resources available to many different types and sizes of entities, said Hugo Lai, CISO at Temple University Health System.
The Forgotten Details of Ransomware Response Plans
While healthcare organizations often know in general what they need to do in case they're faced with a ransomware attack, the devil is in the details of how comprehensive and well-rehearsed that incident preparedness plan is for optimal response, said Rick Doten, vice president and healthplan CISO at Centene Corp.
Genetic Data: Emerging Cyberthreats and Privacy Concerns
It's only a matter of time before cybercriminals begin to use artificial intelligence-enabled tools, open-source software and other technologies to launch attacks to exploit sensitive genetic data, said Nicholas Morris, a practice manager at security firm Optiv.
AI in Healthcare: Top Privacy, Cyber, Regulatory Concerns
Emerging artificial intelligence and machine learning technologies being applied in the health and wellness space are not necessarily covered by HIPAA but instead fall under a variety of tough new state privacy laws that are being enacted, said attorney Lily Li of Metaverse Law.
Mature But Vulnerable: Pharmaceutical Sector's Cyber Reality
Pharmaceutical companies typically have more mature cyber programs than other healthcare factions, but these firms also face unique risks involving their large attack surfaces, complex manufacturing, supply chains and sensitive intellectual property, said Joshua Mullen of Booz Allen Hamilton.
NIH's Autism Research Project: Top Data Privacy Worries
Although the National Institutes of Health appears to have scaled back plans to build a national registry to track individuals with autism, the agency's research project still poses critical data privacy concerns, said Ariana Aboulafia and Andrew Crawford of the Center for Democracy and Technology.
Network Segmentation: Why It's Hard for Many Health Organizations
Network segmentation is among new potential mandates for regulated entities under a proposed update to the HIPAA security rule, but many organizations continue to struggle to implement that as well as other critical best practices, said Candice Moschell of consulting firm Crowe LLP.
Potential Data Privacy Regulatory Hurdles Facing Telehealth
Pending health information privacy legislation in New York state, if signed into law, could make the use of patient data by telehealth and remote patient monitoring companies for certain activities much more difficult, said Aaron Maguregui, a partner at law firm Foley and Lardner, who explains why.
Critical Considerations for Communication in Cyber Incidents
With highly sensitive information and disruptions to medical care at stake during cyberattacks on healthcare organizations, it's vital for these entities to carefully consider details of their communications plans well in advance of suffering a serious incident, said Tom Bolitho of FTI Consulting.
Palo Alto CIO: AI Productivity Requires Secure Foundations
Chief Information Officer Meerah Rajavel shares Palo Alto Networks' strategy for enterprise AI: securing models from the outset, combating adversarial use and leveraging increased productivity and automation to cut manual workloads across engineering, support, sales and HR.
HSCC Urges White House to Shift Gears on Health Cyber Regs
The Health Sector Coordinating Council is urging the Trump administration to drop work on a proposed HIPAA security rule update and instead engage in a collaborative dialogue with healthcare sector leaders to create alternative cyber requirements, said Greg Garcia, executive director of HSCC.
How the NHL CISO Secures Its Teams, Arenas and Cloud Systems
NHL CISO David Munroe outlines how the league protects critical infrastructure across public arenas and streaming platforms. He details the league's use of cloud and AI tools, and highlights the importance of cloud governance, AI-powered defenses and user education in mitigating risk.
Nir Zuk: Google's Multi-Cloud Security Strategy Won't Work
Palo Alto Networks CTO Nir Zuk predicts Google's security push through its $32 billion buy of Wiz won't succeed, as customers are reluctant to buy multi-cloud tools from cloud vendors. Zuk details how adversaries use LLMs at scale and how Palo Alto is unifying SOC tools under its Cortex platform.
Reading the Tea Leaves in FDA's AI-Enabled Device Guidelines
While recent draft guidance from the Food and Drug Administration on artificial intelligence-enabled medical devices is non-binding, the document signals that the agency is intensifying its regulatory scrutiny of these technologies, said Dr. Scott Schell of IT consulting firm Cognizant.
Why States Will Need to Step Up Cyber Help for Healthcare
As uncertainty mounts about the range of cyber resources the federal government will continue to offer healthcare and other critical infrastructure sectors during the Trump administration, states will need to step up their support, said Mike Hamilton, field CISO of cybersecurity firm Lumifi Cyber.
How AI in Healthcare Can Speed Up Cyber Response
Artificial intelligence-based tools are among the most promising advancing technologies to help healthcare sector organizations address cybersecurity resource shortages, said Chris Tyberg, CISO of medical device and consumer health product manufacturer Abbott.
Reshaping Healthcare - and Healthcare Cyber - With AI
The use of artificial intelligence is not only reshaping healthcare delivery in the sector but also healthcare cybersecurity within organizations, said Anahi Santiago, CISO of ChristianaCare, the largest healthcare delivery organization in the state of Delaware.
Managing Legacy Medical Device and App Cyber Risks
Legacy apps and medical devices continue to pose persistent and considerable risk to healthcare IT environments, and many organizations are still unaware of their prevalence in their settings, said Keith Fricke, partner and principal consultant at tw-Security, who discusses mitigation steps to take.
How Some State Health Privacy Laws Throw a Curveball at AI
State privacy laws, such as Washington State's My Health My Data Act, could throw a curveball in the use of certain consumer information for artificial intelligence and machine learning endeavors, said regulatory attorney Adam Greene of the law firm Davis Wright Tremaine.
Quantum Computing in Healthcare: 'The Next Revolution'
Quantum computing could bring the next technology "revolution" in healthcare, but organizations will face critical cybersecurity issues when quantum becomes a reality, said attorney Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.
Preparing for 'Nightmare' Medical Device Attacks
So far, medical devices affected in ransomware attacks have mostly been a casualty of IT networks being taken offline. But the potential nightmare scenario is a targeted device attack in which cybercriminals threaten to kill patients, said Dr. Eric Liederman, CEO of consulting firm CyberSolutionsMD.
Conquering Cyber Risks Involving Web Browsers in Healthcare
As clinicians move to a model of working anywhere - on many types of devices and under a variety of different internet environments - web browser security is a heightened concern, said John Frushour, vice president and CISO at New York-Presbyterian Hospital, and CyberEdBoard member.
How Hackers Using AI Tools Threaten the Health Sector
The majority of significant attacks hitting the health sector involve unpatched vulnerabilities dating back years, a situation cybercriminals are more easily and swiftly able to exploit using AI-based tools, said Health Information Sharing and Analysis Center President and CEO Denise Anderson.
Mapping Health Sector Chokepoints Before the Next Big Attack
The Health Sector Coordinating Council is kicking off a health sector mapping initiative aimed at helping the ecosystem avoid massive disruptions in the event of major cyber incidents, said Greg Garcia, executive director for cybersecurity at the Health Sector Coordinating Council.
Applying Privacy Enhancing Tech to Help Identify Bird Flu
The adoption of privacy enhancing technologies, including fully homomorphic encryption, can help secure data as it is collected, integrated and shared for detecting and responding to public health emergencies such as bird flu, said Kurt Rohloff, co-founder and CTO of Duality Technologies.
What's Inside New York's Strict Health Info Privacy Bill?
A proposed state privacy law awaiting the signature of New York State's governor promises to make the processing and sale of health information by a wide array of organizations much more complicated and restrictive, said regulatory attorney Angie Matney, who explains why.
Assessing and Mitigating Telehealth Privacy, Security Risks
It's critical for healthcare providers that offer telehealth and remote patient monitoring services to incorporate these systems into their organizational risk programs, including how they plan to address issues such as patch management from afar, said attorney Betsy Hodge of the law firm Akerman.
Why Some States Are Beefing Up Their Health Cyber Regs
States will increasingly be stepping up to fill gaps in the healthcare sector with new cyber legislation and requirements as the Trump administration promises to roll back regulations, predicts attorney Amy Magnano of the law firm Morgan Lewis' healthcare practice.
Why AI in Healthcare Harkens Back to Early Social Media Use
While artificial intelligence platforms and tools promise to offer encouraging potential in healthcare, many are unprepared to deal with the risks these emerging technologies pose - similar to the early days of social media, said Keith Fricke, partner and principal of tw-Security.
Information Security Career Advice: 'Pick Your Battles'
With the pace of global change so often creating a sense of accelerating chaos, it's easy to view cyber defenders as firefighters constantly on call. But Black Hat conference founder and creator Jeff Moss warned that "things have been on fire for as long as I can remember."
State and Federal Healthcare Cyber Regs to Watch in 2025
Under the Trump administration, the proposed update to the HIPAA Security Rule - issued in the final weeks of the Biden administration - is likely to get trimmed but not totally cut, predicts regulatory attorney Sharon Klein of the law firm Blank Rome. What else should the health sector expect?
Moss on AI Disruption: 'Everything, Everywhere, All at Once'
The pace of change including the rise of artificial intelligence and a sense of accelerating chaos can make cybersecurity professionals feel like "things are kind of everything, everywhere, all at once," said Black Hat conference founder Jeff Moss. How should they respond?
The Future of CISA in Healthcare in the New Administration
Many important efforts by the Cybersecurity and Infrastructure Security Agency to help the healthcare sector and other critical infrastructure sectors bolster their cybersecurity are likely to continue under the incoming Trump administration, predicted CISA Deputy Director Nitin Natarajan.
What's Ahead for Healthcare Cyber Regs, Legislation in 2025?
The first 100 days of the next Trump administration and new Congress will be critical in showing signs of what's potentially in store for healthcare sector cybersecurity, privacy and related regulatory and legislative issues in the new year, said Chelsea Arnone and Cassie Ballard of CHIME.
Addressing Gen AI Privacy, Security Governance in Healthcare
As healthcare entities embrace generative AI tools, it's critical they take a holistic approach addressing privacy and security governance, said Dave Perry, digital workspace operations manager, St. Joseph's Healthcare in Ontario, who discusses how his organization is tackling those challenges.
Protecting Highly Sensitive Health Data for Research
Fully homomorphic encryption can safeguard highly sensitive health data related to rare diseases, underserved populations and clinical trials as it is shared with medical researchers, said Kurt Rohloff, co-founder and CTO of Duality Technologies, who said projects to apply it are underway right now.
Wanted: An Incident Repository For Healthcare Nonprofits
Cyber incident details involving non-profit and non-government entities across sectors such as healthcare are not centrally reported and collected, creating gaps for researchers, IT experts and others seeking to analyze trends in their industries, said Stanley Mierzwa of Kean University.
Contingency Planning for Attacks on Critical Third Parties
One of the most important lessons emerging in 2024 for the healthcare sector is that entities should diligently prepare contingency plans for potential cyberattacks that seriously disrupt their critical third-party vendors, advises regulatory attorney Betsy Hodge of the law firm Akerman.
How Will Health Data Privacy, Cyber Regs Shape Up in 2025?
Washington and Nevada were among states enacting new data privacy laws in 2024, and that trend among states will likely continue into 2025 as the next presidential administration comes into office promising to reduce federal regulations, said attorney Melissa Crespo of law firm Morrison Foerster.
Why Hackers Love Weekend and Holiday Attacks
About 75% of healthcare sector entities that suffered a ransomware attack over the past year were targeted on a weekend or holiday, highlighting the need for organizations to bolster staffing and related strategies during these vulnerable times, said Jeff Wichman of security firm Semperis.
Protecting the C-Suite in the Wake of UHC CEO's Murder
The torrents of public hostility directed at health insurers in the aftermath of UnitedHealthcare CEO Brian Thompson's murder are serious signs of intensifying cyber and physical threats facing the C-suites of healthcare and many other sectors, said Chris Pierson, founder and CEO of BlackCloak.
How Hackers Can Manipulate AI to Affect Health App Accuracy
Hackers can potentially use AI to manipulate data that's generated and shared by some health apps, diminishing the data's accuracy and integrity, said Sina Yazdanmehr and Lucian Ciobotaru of cybersecurity firm Aplite, describing a recent research project involving Google Health Connect.
Overcoming Identity and Access Challenges in Healthcare
Third-party access management poses significant cybersecurity risks in healthcare, but continuous identity management and monitoring can help mitigate those risks, said Jim Routh, chief trust officer at Saviynt.
Exposed on the Web: Thousands of Devices, Medical Records
Thousands of unique IP addresses are potentially exposing medical devices, electronic medical records systems and other sensitive healthcare information to the internet, said security researcher Himaja Motheram of security firm Censys, which made the discovery.
How to Take the Complexity Out of Cybersecurity
It goes without saying: Business ecosystems are increasingly complex, and so are the cybersecurity systems and strategies deployed to protect them. But Marty McDonald of Optiv and Rob Rachwald of Palo Alto Networks share new ideas on how to take some of the complexity out of cybersecurity.
Why Shoring Up Cyber at Rural and Small Hospitals Is Urgent
When a large hospital in an urban area is shut down by ransomware, the disruption can be significant, but when a rural hospital faces a similar cyber outage, the impact on patient safety and the community can be extreme, said Nitin Natarajan of the Cybersecurity and Infrastructure Security Agency.
Unforeseen Risks to Medical Devices in Ransomware Attacks
While ransomware attacks against medical devices don't happen often, disruptive cyber incidents that affect the availability of the IT systems that medical devices rely on are a big concern that needs the industry's critical attention, said Jessica Wilkerson of the FDA.