Podcast Summary: Advancing Health
Episode: Cybersecurity on the Health Care Front Lines Against AI and Ransomware
Date: January 21, 2026
Host: American Hospital Association (John Rige)
Guest: Larry Pierce, Director of Cybersecurity & Information Security Officer, Atlantic Health
Overview
This episode explores the intertwined challenges of cybersecurity and physical security in healthcare, with a deep dive into the evolving nature of cyber threats—especially those involving AI and ransomware. John Rige and Larry Pierce highlight the increasing sophistication of attacks, the criticality of third-party risk management, the double-edged sword of widespread AI adoption, and the need for coordinated governance and vigilance.
Key Discussion Points & Insights
1. The Intersection of Physical and Cyber Threats
- Rise in Physical Attacks: There's a growing frequency of physical violence and threats against healthcare facilities.
- Physical Security as Cybersecurity: Unsecured hardware (e.g., laptops or server rooms) can open critical cyber vulnerabilities if stolen or tampered with.
- “Security 101 is ensuring that your mobile devices that are within the organization are always encrypted.”
— Larry Pierce [01:56]
- Reliance on Physical Security Tech: Surveillance (security cameras) and collaboration with emergency management and law enforcement—local and federal—are crucial for incident response.
- “Operational technology is something we take very seriously… up to, including the FBI, homeland security, prosecutor's offices, local law enforcement.”
— Larry Pierce [03:15]
2. Ransomware as a Violent Crime
- Patient Safety at Stake: Ransomware is not just a financial risk but a direct threat to patient well-being; thus, John Rige argues for its classification as a "violent crime."
- “We tell the federal government all the time, if you do something that puts people in physical harm... that’s a violent crime.”
— John Rige [03:43]
3. AI in Healthcare: Promise and Peril
- AI Is Here to Stay: Both speakers stress that AI is now integral to healthcare operations, from protective technologies to improving patient outcomes.
- “AI… is here to stay, depending on how you use it… But in using AI in an ethical manner, we need to ensure that we are taking a very cautious approach.”
— Larry Pierce [04:49]
- Cautious Adoption: Strict governance and risk assessment frameworks are vital for both incumbent and new AI systems, including financial considerations and cybersecurity reviews.
- “It all starts with the governance process... full architecture and design, a cyber secure, comprehensive cybersecurity review. It all comes down to risk.”
— Larry Pierce [06:44]
- Ethics and Data Privacy: The misuse of AI tools (e.g., OpenAI’s ChatGPT) with sensitive information could result in data breaches. Strict monitoring and content filtering protect against accidental PHI leaks.
- “We don’t want to put [proprietary data] into their learning module because… they could use this information almost indefinitely... It’s going to cause a breach situation for us that we don’t want.”
— Larry Pierce [08:19]
- AI Expanding in Existing Tools: AI isn’t only in new products, but being steadily integrated into existing platforms (e.g., Microsoft, Google) without fanfare.
- “That governance council… is extremely important not only to assess new AI technology… but to identify instances where it has now been added to existing software.”
— John Rige [09:06]
- Malicious Use of AI by Threat Actors: AI enables highly sophisticated phishing, spear-phishing (targeted), smishing (SMS), vishing (voice), and quishing (QR-based) attacks.
- “The telltale signs of a phishing email... it’s not there anymore. Look at the deepfakes that are coming out right now that AI is doing. They are very, very realistic.”
— Larry Pierce [10:12]
4. Third-Party Risk: The Expanding Attack Surface
- Third-Party Is the Top Cyber Risk: Most cyber risks stem from third-party vendors and technology providers—AI dramatically amplifies this concern.
- “Third party risk is the major source of cyber risk that we are exposed to.”
— John Rige [11:50]
- Vetting and Governance: Atlantic Health has a rigorous onboarding and vetting process for all third parties, which includes comprehensive questionnaires and security posture assessments.
- “It starts with governance… We do a full architecture and design for everything, a full security review… an RFI process… about 150 questions.”
— Larry Pierce [12:36]
- From On-Prem to Cloud: Migration to the cloud yields efficiency gains but increases reliance on vendors’ security practices—posing new risks to PHI.
- “We are now relying on the security posture of that third party that we are entrusting with... our crown jewels.”
— Larry Pierce [13:41]
5. Future Trends and Call to Vigilance
- Evolving Threat Landscape: Phishing and related attacks will continue to become more sophisticated; the “arms race” with cybercriminals will accelerate.
- “We are trying to stay one step ahead of our adversaries, and it just seems like, unfortunately, it’s the other way around...They’re staying one step ahead of us in many cases.”
— Larry Pierce [15:01]
- Need for Continuous Vigilance: Success depends on constant education, tech safeguards, and strong partnerships (internal and external).
- Hope for Increased Legal Consequences: Stronger legislative actions and enforcement are needed to hold threat actors accountable internationally.
- “I’m hoping that there is work done by the federal government… to make it more difficult for these threat actors to do what they do... greater consequences for them.”
— Larry Pierce [15:56]
Notable Quotes & Memorable Moments
- On Physical Security Basics:
“Security 101 is ensuring that your mobile devices that are within the organization are always encrypted.”
— Larry Pierce [01:56]
- Linking Ransomware to Violence:
“Ransomware attack in itself could be viewed as a violent crime.”
— John Rige [03:35]
- On AI and Human Judgment:
“I don’t think AI was ever built… to take the place of a human in every case… Is it going to limit some jobs? Absolutely.”
— Larry Pierce [05:38]
- AI, Data Privacy, and Patient Information:
“If [AI learning modules] information is to be compromised… it’s going to cause a breach situation for us that we don’t want.”
— Larry Pierce [08:31]
- Evolving Phishing and Deepfakes:
“Look at the deepfakes that are coming out right now that AI is doing. They are very, very realistic.”
— Larry Pierce [10:12]
- Outpacing the Adversaries:
“We are trying to stay one step ahead of our adversaries… it’s the other way around.”
— Larry Pierce [15:01]
Important Segment Timestamps
- 00:17: Introductions and episode framing
- 01:48: Physical security’s role in cybersecurity
- 03:35: Ransomware as a violent crime
- 04:41: AI’s role and risk in healthcare
- 06:44: Governance and risk assessment in AI adoption
- 09:58: AI-powered attacks and threat actor sophistication
- 12:22: Third-party risk management
- 14:47: Future trends and the ongoing cyber “arms race”
- 16:41: Final thoughts and call to vigilance
Tone and Style
- The conversation is candid, expert-driven, and pragmatic, reflecting the urgency and real-world challenges faced by healthcare cybersecurity leaders.
- Both speakers balance optimism about tech progress with realism—and in some areas, caution—about the growing scale and sophistication of cyber threats.
- The emphasis is on teamwork (‘governance councils’, partnerships with law enforcement), vigilance, and ethical responsibility to patients and communities.
Summary Takeaways
- Physical and digital security are inseparable in today’s healthcare environment.
- AI brings enormous benefits but also unprecedented risks, both as a tool and as an attack vector.
- Ransomware’s impact should be viewed through the lens of patient safety and potential harm.
- Third-party risk management, comprehensive governance, and ongoing vigilance are non-negotiable.
- The pace and complexity of threats require technical, organizational, and regulatory advances—and constant readiness to adapt.