A
Welcome to Advancing Health. Today we learn from the experts how physical security is a necessary component of cybersecurity and why they have added the misuse of AI by bad actors to the list of cyber threats facing healthcare providers.
B
Hello everybody, my name is John Rige. I'm national advisor for cybersecurity and risk at the American Hospital Association. So pleased to be joined by my good friend today, Larry Pierce, who is the director of cybersecurity, information security officer for Atlantic Health. And folks, believe it or not, Larry has been at the same organization, Atlantic Health, for almost 40 years in various forms of information technology and cybersecurity, really as the field evolved. So Larry, so good to have you here today. Especially as cyber threats of all types are increasing dramatically, third party risk is a major issue that we're facing. In fact, quite frankly, it is the most prominent source of all cyber risk that we face in healthcare. AI is everywhere and on everything. So we'll talk a little bit about that as well. Unfortunately, the risks that we as hospitals and health systems face and our patients face are not just the virtual threats. Unfortunately, there's been a dramatic rise in physical threats and attacks and violence against hospitals and health systems. And there is a nexus, a connection between the physical threats and the cyber threats. From your perspective, Larry, dealing with a very busy organization, busy emergency department, how do you feel that the physical threats and the cyber threats intersect?
C
I think in many cases, you know, with the exception of when you're dealing with nation state threat actors who, you know, like to stay thousands and thousands and thousands of miles away from you, there are a lot of things to your point that we need to be concerned about. It seems like there's an uptick in physical violence within healthcare organizations. You know, when you talk about physical security, we're looking at things that, you know, the intersection with cybersecurity would be an unsecured laptop, right. That may not be encrypted for one reason or another. That's really Security 101 is ensuring that your mobile devices that are within the organization are always encrypted. So in the event that they walk out of the org or they're stolen, that they really turn into a brick. But there are some vendor supplied systems that we have out there that may not employ the same technology. So data centers and server environments within the main hospital, we don't have a lot of data centers that are in the hospital anymore, but your server rooms and network closets, there could be a lot of damage caused in those areas if somebody happened to go in there with nefarious purpose. They weren't meant to be in there. That could cause us a lot of hardship. We rely on the security cameras that we have throughout the hospital system right now and physical security monitoring those. In the event that something happened, we can always go back to those and look and see what's happening. So operational technology is something we take very seriously here. It's something that we work closely with our partners in emergency management, physical security, and even law enforcement at the local, county, state and federal level. So up to and including the FBI, Homeland Security, prosecutor's offices, local law enforcement.
B
You know, when I think about this, the intersection of physical threats and cybersecurity, you know, we always talk about ransomware attacks as being a threat to patient safety and really a threat-to-life crime. And I would venture and proffer that a ransomware attack in itself could be viewed as a violent crime. We tell the federal government all the time, if you do something that puts people in physical harm, risk of physical harm, then that's a violent crime. So that's one of the things we're pushing the government to understand as well. And they do, quite frankly, as you know, with the FBI. So let's talk back about here on the healthcare landscape and a little bit about what everybody else is talking about. AI, right? So talking about cyber, we've talked about physical threats, AI, everything. So as AI is evolving and widespread implementation, we have in healthcare happening quickly, really quickly, this has a lot of risks and rewards as we know. What do you see from your perspective, the emerging risks of this widespread and perhaps overly optimistic adoption of AI in healthcare?
C
AI is obviously not going to become, it has become a game changer for healthcare and many other industries. Contrary to what some people that aren't in the technology field that I speak with on a regular basis outside of work or even inside of work. And they asked me, you know, is this AI thing that's going on right now, is it here to stay? Is it just a fad that's going to kind of come and go? My answer's been very, very consistent with that. The AI is it is here to stay, depending on how you use it, whether we're leveraging it internally for protective technologies or whether we're using it to better patient outcomes, those are some of the things that we are doing internally. But I think in using AI in an ethical manner, we need to ensure that we are taking a very cautious approach with that AI. I don't think has demonstrated quite yet that it can take the place of a human to make a medical diagnosis, for example. We're not that far along. I'm not saying we may not get there at some point, but I don't think AI was ever built and I would argue this point unless I'm convinced otherwise years from now. Not necessarily made to take the place of a human in every case. Is it going to limit some jobs? Absolutely. But in the health care space we are seeing more and more platforms that are coming in and I'm not just talking about security technologies. These are third party systems that we're employing that are either incumbent systems that we've had here for a while or that are starting to adopt more AI technology and companies that are AI centric and completely involved with AI and we're bringing them on board as well. So for us, again, very cautious approach and we have a very rigid onboarding process for these AI technologies. So it all starts with the governance process and is there a need for it? Do we have the dollars? Because healthcare is getting squeezed quite a bit right now from a monetary perspective. 
We're not getting the same reimbursements that we had once before. We're spending a lot more money than we ever had to before. These fancy AI technologies and everything else, they come with a price tag. So in adopting these, we need to make sure that we're doing it ethically and responsibly. So we have an AI committee that partners with us, and it's not just the most important thing, it just fits in with everything else very nicely. So we do a full architecture and design, we do an assessment, we do a complete, comprehensive cybersecurity review. It all comes down to risk. And I'm not the final say when it comes to that. There are, you know, executive leaders within the org that will either accept risk or not accept the risk, but they are certainly informed when that comes along. We also have our team members or employees that are using AI right now. AI is being, you know, beyond just the medical side of the house, AI is being used to craft more business friendly emails, it's being used to develop algorithms associated with a better presentation. So we don't want, you know, an AI platform such as OpenAI, ChatGPT, Gemini, it should be able to have the ability to ingest spreadsheets that are our proprietary information, may contain, you know, many, many elements of PHI, PII. We don't want to put that into their learning module because they all give you the caveat if you look at their privacy statements and policies. They could use this information almost indefinitely to train their models. Well, if their information is to be compromised, and we've got over 500 records in there that were put in to come up with something, it's going to cause a breach situation for us that we don't want.
We've employed, you know, our content filtering, our DLP technologies are all trained at this point to significantly restrict what people can do with AI to prevent them from getting themselves in trouble or more importantly, from landing Atlantic Health in the news because of something that was an unintended consequence.
B
So again, AI is here to stay. It's in almost everything we use.
C
It's.
B
It's not necessarily new technology coming into the organization. There are a lot of existing programs, of course, like Microsoft and Google, that add AI features. So that governance council that you spoke about is extremely important not only to assess new AI technology coming into the organization, but to identify instances where it has now been added to existing software and technology within organizations. Just saw another report this week that corrupted data and PDFs and emails which are already in networks are then consumed by AI, legitimately looking for responses or answers to questions, queries submitted to it. But it unwittingly sucks in malicious data and perhaps malware that's already present in, within the environment and produces it as part of its response. So really lots of complications in dealing with AI as we go forward.
C
Threat actors are leveraging AI right now, which is something that we continue to try keeping up with. There's a lot of security technologies that are evolving that are coming up with protections for that, which is great. But one of the things I'll bring up, and it's pretty common, I think a lot of people have heard of it. What are, you know, what is your biggest concern with AI? More sophisticated and realistic phishing emails that are coming in. The telltale signs of a phishing email coming in. And there's a lot of email securities out there and other cyber technologies that do a very good job at looking at, you know, we equate to millions or tens of millions of emails every month to come in. And we have to block the most malicious emails that come in or all the malicious emails to come into the organization. They're using these emails to come up with verbiage that we would normally point to as this is a yellow flag or a red flag. It's not there anymore. Look at the deepfakes that are coming out right now that AI is doing. They are very, very realistic. The other "-ishings" that AI is being used for. So it used to be just. It started out as general phishing emails that went to an audience of a thousand or more people and just like if one or two people click on it, it was worthwhile for the threat actor. Then it evolved to spear phishing. Very targeted, going to one person. Now you've got smishing, you've got vishing, you've got quishing. We're seeing all of that internally here. And there's a lot of technologies that really aren't, from an educational perspective or a detective perspective, able to really latch onto these and be able to prevent them from getting to the people that may get hooked.
B
All great points about the ubiquitous use of AI in hospitals and health systems, I totally agree. It's only going to accelerate and again lots of good will come from it. But we also have to think of AI representing a type of third party risk. We know in health care, third party risk is the major source of cyber risk that we are exposed to. The data holds that Change Healthcare and our increasing reliance on outside third party technology, service providers and supply chain. So AI again is a major third party risk included in all the other third party risk. So as a growing concern, how does Atlantic Health approach third party risk management?
C
So third party risk is. It's near and dear to me because if I look at our application portfolio and understand that we have 750 or so applications that are currently in use at Atlantic, whenever we're going to onboard a new technology or review an incumbent vendor that's been here for a while, we have that same rigid process in place. So it starts with governance and is there truly a need for it financially? Do we have the money for this? Is it budgeted? Is there going to be a return on investment or not? I mean why do we need the product is what it comes down to. Then we need to go to the nuts and bolts of what does the assessment look like for this. We do a full architecture and design for everything, a full security review. As I believe I mentioned before, we have an RFI process that we send to the third party. It's about 150 questions that they have to answer in there that allows our teams to be able to determine whether this is something that meets our minimum baseline security controls. So as we look at a lot of these products that we're evaluating now, let me rewind. 10 or 15 years ago we had a lot of on prem data centers. So whether it was within one of your own facilities, it was a colocation. Everything was basically on prem to a certain extent. So we had physical control of all the security associated with that. That was on us. As we evolve and migrate to third parties, which is, you know, that is the trend. It's moving in that direction. It has been moving there. A lot of companies are already 80, 90% of the way there at this point. We are, I would say, shedding some of that responsibility. But with that comes the fact that we are now relying on the security posture of that third party that we are entrusting with what may be our crown jewels. And for us in the healthcare world, that is our PHI, the protected health information of our patients, which is centric to what we do as a business.
B
This mass migration to the cloud has been very good economically and for business processes, but it's created a different type of risk. We've talked a lot about AI and cyber threats and physical threats, operational technology. What do you see in the next year, couple years, the trends in cybersecurity and health care and potential threats?
C
I think a lot of the same threats that you see today, they're going to remain. You know, the phishing emails, the other "-ishings" that we talked about, I think they're going to continue to evolve. They're going to be more sophisticated, more believable. The nefarious threat actors that we all deal with, unfortunately, too often are going to build their capabilities on these. They're going to be tougher for technology companies. And that's what it's always been. You know, we are trying to stay one step ahead of our adversaries, and it just seems like, unfortunately, it's the other way around. They're staying one step ahead of us in many cases. There needs to be a level of vigilance within your organization. You need to continue to be mindful and ensure that your third parties and your own people continue to watch the shop. When I started my career, PCs weren't even part of the landscape here at Atlantic. So you look at how far we've evolved, I think we'll be having an entirely different conversation five years from now. We'll be talking about things that weren't, I wouldn't even say top of mind, things that weren't even in our minds today that they're going to change. I'm hoping that security technologies will continue to evolve, that they're going to get better, more comprehensive, and I'm hoping that there is work done by the federal government and other areas of the world to make it more difficult for these threat actors to do what they do, so, you know, there are greater consequences for them. Most of these people right now, we can't go after them, unfortunately, when they cause us millions and millions of dollars of heartache because of something. So I hope that can get better. With legislation and some of the strong work that you're doing, you know, with your counterparts, we're going to become more and more reliant on technology, and I'm just hoping we have the right technical safeguards in place to prevent some of the attacks.
B
Thank you, Larry. Very well said. And thank you for your service in helping defend healthcare networks, your patients, and the communities that you serve. I also want to thank all our viewers for what you do every day to defend networks, care for patients and serve your communities. This has been John Rige from the American Hospital Association, National Advisor for Cybersecurity and Risk. If you'd like to learn more about cybersecurity and risk, please visit our website at aha.org.
A
Thanks for listening to Advancing Health. Please subscribe and rate us 5 stars on Apple Podcasts, Spotify or wherever you get your podcasts.
Date: January 21, 2026
Host: American Hospital Association (John Rige)
Guest: Larry Pierce, Director of Cybersecurity & Information Security Officer, Atlantic Health
This episode explores the intertwined challenges of cybersecurity and physical security in healthcare, with a deep dive into the evolving nature of cyber threats—especially those involving AI and ransomware. John Rige and Larry Pierce highlight the increasing sophistication of attacks, the criticality of third-party risk management, the double-edged sword of widespread AI adoption, and the need for coordinated governance and vigilance.
On Physical Security Basics:
“Security 101 is ensuring that your mobile devices that are within the organization are always encrypted.”
— Larry Pierce [01:56]
Linking Ransomware to Violence:
“Ransomware attack in itself could be viewed as a violent crime.”
— John Rige [03:35]
On AI and Human Judgment:
“I don’t think AI was ever built… to take the place of a human in every case… Is it going to limit some jobs? Absolutely.”
— Larry Pierce [05:38]
AI, Data Privacy, and Patient Information:
“If [AI learning modules] information is to be compromised… it’s going to cause a breach situation for us that we don’t want.”
— Larry Pierce [08:31]
Evolving Phishing and Deepfakes:
“Look at the deepfakes that are coming out right now that AI is doing. They are very, very realistic.”
— Larry Pierce [10:12]
Outpacing the Adversaries:
“We are trying to stay one step ahead of our adversaries… it’s the other way around.”
— Larry Pierce [15:01]