Episode Overview
Title: Balancing Innovation and Protection: The Future of Healthcare Cybersecurity
Podcast: Becker’s Healthcare Podcast
Date: November 20, 2025
Host: Brian Zimmerman
Guests:
- Anthony Locasio, Chief Technology Officer, Hospital Patient Monitoring at Philips
- Benjamin Millman, Lead Clinical Informaticist, Design and Optimization at M Health Fairview
Main Theme:
The episode explores the escalating challenges of cybersecurity in the healthcare sector as technology advances. Brian Zimmerman moderates a conversation between two leaders—one on the vendor side, one on the clinical operations side—about how health systems must evolve their security cultures, build resilience, and foster close collaboration in an era where breaches are nearly certain and both innovation and risk grow in tandem.
Key Discussion Points and Insights
Introductions & Backgrounds
Benjamin Millman (00:37):
- Lead Clinical Informaticist at M Health Fairview, nurse by background.
- Acts as a "middleman or translator" between clinical operations and IT as the organization standardizes systems and technologies.
Anthony Locasio (01:11):
- CTO, Patient Monitoring at Philips.
- With Philips for over 22 years, focused on engineering and bleeding-edge healthcare technologies.
The New Reality: Breaches Are No Longer “If,” But “When”
Mindset Shift in Clinical Operations (02:04):
Ben:
- Clinicians often equate security with phishing emails; their understanding of device and network risks is limited.
- Every device is now connected, exponentially expanding the attack surface.
- The focus must shift from mere security to resilience:
“Not if we can prevent an attack, but let’s assume it’s going to happen at some point. How can we be best prepared for that?” (02:42)
- Downtime planning has mainly focused on EHRs; there’s an urgent need for comprehensive downtime plans for every tech-dependent function (e.g., badge-controlled doors, medication access).
- Hospitals routinely simulate clinical emergencies (“code blue”) but have never practiced “code black” (total tech outage) preparedness.
Duration Matters (04:01):
Ben:
- Planned downtimes are thought of in hours; breaches could last days or weeks, requiring clinical staff to maintain care levels regardless of access to critical systems.
“Even if we delay surgeries, even if we shut down electives, you still have patients within your four walls that you need to provide that same level of care to.” (04:33)
Security Culture: Mindset and Operational Change
Anthony’s Perspective on the Needed Shift (05:44):
- Medical devices must be treated as any other IT or IoT device regarding security controls.
- Hospital culture needs to evolve from siloed device management to full integration with enterprise IT models.
“Medical devices need to be looked at as any other IoT device might be in their network.” (05:47)
- Only recently (last 12 months) have hospitals started to treat patching medical devices as a regular practice—this needs to become standard.
Partnering with Vendors (07:25):
Anthony:
- Philips and similar vendors should not operate in silos; their solutions must fit into the enterprise IT ecosystem.
- Vendors should be included in disaster recovery, tabletop exercises, and security planning:
“We need to be brought in and utilized to the fullest of our capabilities and not just kept at arm’s length because we’re a vendor.” (07:51)
Embedding Security Across Roles and Teams
Making Security Everyone’s Responsibility (08:52):
Ben:
- The major culture shift comes from embedding cyber hygiene into daily clinician workflows.
- Security cannot be a separate “department” concern; ongoing involvement is needed from security teams even after products are approved and implemented.
- Tension exists between security protocols (e.g., long passwords, MFA) and clinicians’ need for efficiency—compromise and interdisciplinary dialogue are key.
“There has to be that compromise. It’s not one or the other, it’s how do we build the best system looking at cybersecurity principles as well as the clinician efficiencies and the need to do their job… We need to pull both parties to the table.” (11:22)
- Describes establishing interdisciplinary governance groups to “weigh pros and cons, look at downstream effects, and help make kind of holistic, ideal decisions.”
- Vendors should be active, ongoing partners post-purchase, not just at sale.
Balancing Rapid Innovation with Security
Navigating the Tension (13:50):
Ben:
- Healthcare wants to be innovative to improve care and remain competitive but operates on tight margins and limited resources.
- Emphasizes strong governance and pilot testing of new technologies within each unique ecosystem before broad rollout:
“No one organization is exactly the same… we haven’t put it into our unique ecosystem with our own intersections, integrations, infrastructure, and really understanding how it works within our environment before rolling in mass.” (15:34)
Measured Adoption & Avoiding “Shadow IT” (15:45):
Anthony:
- Cautions against chasing every “shiny object”—adopt innovation “measuredly.”
- Always thoroughly “test in a live environment” since “if you’ve been to one hospital, you’ve been to one hospital.”
- Ensure tech fits clinical workflows to avoid staff bypassing or working around systems, which can lead to “shadow IT.”
Final Thoughts & Recommendations
Anthony (16:52):
- Urges health systems to form robust, ongoing partnerships with their vendors:
“This is no longer a case where we can just drop equipment off and walk away… Bring those vendors close… utilize them to the full extent that you possibly can.” (17:12)
Ben (17:26):
- Echoes the value of vendor partnerships and advocates for increased peer-to-peer collaboration among health systems:
“Find community partners… learn from them… I think there’s a huge opportunity here to not recreate the wheel as an individual organization, but to learn from others and grow the larger healthcare environment to really ultimately improve care for the patient.” (17:34)
Notable Quotes & Memorable Moments
Ben Millman (02:42):
“Not if we can prevent an attack, but let’s assume it’s going to happen at some point. How can we be best prepared for that?”
Anthony Locasio (05:47):
“Medical devices need to be looked at as any other IoT device might be in their network.”
Anthony Locasio (07:51):
“We need to be brought in and utilized to the fullest of our capabilities and not just kept at arm’s length because we’re a vendor.”
Ben Millman (11:22):
“It’s not one or the other, it’s how do we build the best system looking at cybersecurity principles as well as clinician efficiencies and the need to do their job.”
Anthony Locasio (15:45):
“Just because you have innovation doesn’t mean you need to adopt innovation. It’s very easy to go after the shiny objects and that’s not always necessary.”
Ben Millman (17:34):
“There’s a huge opportunity here to not recreate the wheel as an individual organization, but to learn from others and grow the larger healthcare environment to really ultimately improve care for the patient.”
Key Timestamps
- 00:37–01:29 – Introductions and professional backgrounds
- 02:04–04:33 – Why “resilience” is as vital as “security”; the importance of downtime planning for all tech, not just EHRs
- 05:44–06:42 – Treating medical devices with the same IT rigor as any other endpoint/IoT device
- 07:25–08:39 – The evolving vendor-health system partnership model in security and disaster preparedness
- 08:52–12:28 – Strategies for instilling cyber hygiene among clinicians; balancing efficiency and security
- 13:50–16:33 – Balancing innovation and security; pilot testing and avoiding “shadow IT”
- 16:52–18:02 – Final thoughts: Deep partnerships, peer-to-peer healthcare collaboration
Summary Wrap-Up
This episode underscores that cybersecurity in healthcare is everyone’s responsibility and must grow beyond basic IT confines. As medical devices, cloud technology, and AI proliferate, attack surfaces balloon and downtime is no longer a brief inconvenience—it can severely impact core clinical operations. Both guests argue that health systems must relentlessly practice resilience, deeply involve clinical and vendor voices in governance, carefully pilot innovations in their own environments, and forge stronger inter-organizational and vendor partnerships. True safety and progress will only come from breaking silos and working together at every level, every day.
