A
Hi everyone, this is Brian Zimmerman with Becker's Healthcare. Thank you so much for tuning into the Becker's Healthcare podcast. Today we're going to talk about the future of healthcare cybersecurity. Joining me for this conversation is Anthony Locasio, Chief Technology Officer, Hospital Patient Monitoring at Philips, and Benjamin Millman, Lead Clinical Informaticist, Design and Optimization at M Health Fairview. Anthony, Ben, thank you so much for being here today.
B
Thank you.
A
So, to get started here, Ben and Anthony, can you please just share a bit more about yourselves? Your work in healthcare, your professional background, a few pertinent details. Ben, let's begin with you.
B
Sure. So, as you said, I'm a lead clinical informaticist within our clinical technologies department here at M Health Fairview. I'm a nurse by background and really in this role we have a unique opportunity to help bridge clinical and operational wants and needs with our IT and project side as we roll system technologies and system standardization efforts across our organization. So we often say we're kind of the middleman or the translator, helping bridge both sides of that equation.
A
Excellent. Well, I appreciate you coming here and looking forward to drawing on that perspective during our conversation today. Anthony, go ahead.
C
Yeah, so I'm the Chief Technology Officer for Philips Patient Monitoring. I've been with Philips for about 22 years now. I was an engineer by background and have developed new services, new roles within Philips. I've really been focused on some of the bleeding edge technology as I've worked here for the last 20 years.
A
Excellent. And looking forward to hearing more about that technology as well and the work you're doing. But Benjamin, let's start with you here as we dive into our conversation. A few weeks ago, during a session at Becker's Health IT, Digital Health and RCM Meeting in Chicago, you both shared with healthcare leaders that cybersecurity breaches are no longer an if, but when. And I think that's becoming more broadly understood across the industry. But Ben, from your vantage point at Fairview, how does this reality play out in the day to day clinical operations, knowing that some kind of breach at some point in time is almost a certainty?
B
Yeah, Brian, great question. And I think one that we're just starting to unravel from the clinical lens. When we talk about security to a clinical user, very often that simply means phishing attacks, phishing emails. Right. They don't really have a broader understanding a lot of times about what that means and the robustness of that, particularly when we talk about medical devices or connected devices. You know, that surface area is just exponentially exploding. Right now, every product that we bring into our health system is connected in some way. It's talking to another system, it's sending data somewhere. And so that surface area really just ups our risk and increases the chances that there's a break in there, there's an inappropriate access, and really has prompted a shift in dynamics now for how we interact. I think the other really big challenge here is that historically we haven't focused on downtime as much as we focused on security. Right. So this shift in the mental model from security to now resilience, right, not if we can prevent an attack, but let's assume it's going to happen at some point. How can we be best prepared for that is something that we haven't fully jumped to. We practice downtimes for our EHRs on a regular basis and they still go down. Right. We have very robust downtime forms, we have downtime computers, we have protocols for that, policies for that. But all of those other connected devices, those medical devices, we don't really have a plan for that. You know, I've done, as I said at Becker's, mock codes for code blue hundreds of times as a clinician.
C
Right.
B
We practice that and practice that so we can be reinforced when that event actually comes and we can be prepared. We have never, as a clinician, done a, you know, code black or a code dark where we prepare for what is your process, not just the EHR, but for all of your other systems. How do you communicate, how do you get medications, how do you even get into doors that might be using technology to control badge access. Right. So making sure that we really have a solid downtime process, and not only on paper, but that the staff that have to live through that for days, weeks, even months potentially are fully prepared and fully vetted for that.
A
Yeah, that, that time horizon is super important too, Right. Because you kind of don't know how long a breach could last and you've got to be prepared to kind of go the distance if you've got to. Right, Ben?
B
Absolutely. Yeah. I think traditionally, you know, because those have been planned down times, we think of those in terms of minutes, if not hours. But the reality here is as a healthcare organization, we still have to provide care and we still have to meet those same quality and safety expectations of that care. Even in the times when we have no on call schedule, we have no access to staffing resources.
C
Right.
B
We have no access to paging communication. So I think that's a critical shift in the market here that we need to be better prepared, not just to prevent these strategies. Right. Not just practicing for phishing, you know, attempts and making sure staff identify risky behavior. But really, let's assume that we do go down at some point and for an extended period of time, as you said, how do we really make sure that we've got the workflows and the kinks worked out to provide fluid and consistent care? Even if we delay surgeries, even if we shut down electives, you still have patients within your four walls that you need to provide that same level of care to.
A
Yeah, yeah. Ben, some, some, some great points to get us going here. Anthony, I want to come to you now from your perspective at Philips, I think Ben, what Ben described is really exciting, right, in terms of the technology, the scope of technology, the interconnectedness. But with that comes this heightened risk. And of course, as technology is advancing on the health care side, you know, cybercriminals are getting more sophisticated as well. So from your opinion, sitting in the seat you do at Philips, what mindset shift in terms of security, culture, security practices do health systems need to embrace in this current environment?
C
Yeah, I've been around long enough to remember when it was very hands off with medical devices altogether, and they can no longer be or have that mind shift anymore. Medical devices need to be looked at as any other IoT device might be in their network. So they need to be looking at how do they segment that, how do they protect it from a network perspective? How do they look at endpoint protection? How do they look at patching? I pointed out when we were together a few weeks back that even up until 12 months ago, hospitals weren't paying attention to patching medical devices. It was just not on their radar. And now they're starting to pay attention to that. And OS patching has become commonplace now, but now they're looking at vendors like Philips and saying, all right, well, how often are you patching your application? And so they need to be looking at the medical devices in the same way that they've been looking at all the rest of their IT devices and assets that are out on their networks as well.
A
Yeah. And of course, something else we're hearing too. It's not just the health IT being involved in medical devices as well. This is now everybody's responsibility in terms of security more broadly. Everyone's got to be cued in that this is a challenge. So, Anthony, when you think about that, what does it look like, I guess practically speaking, in patient monitoring programs across a multi hospital system when cybersecurity is embraced as everyone's responsibility? And what role do partners like Philips play in helping organizations really sort of embed that security first mindset across, you know, people, processes, technology, everything that this touches. What role does a partner like Philips play in this work?
C
Yeah, I think there's two places that we play here. One of them is that we need to be putting together solutions that can be embedded within the enterprise IT models that we have. It's no longer acceptable for us to have our own independent networks and operate in silos that are away from what's going on with IT. We need to be utilizing the enterprise technology that IT has because it's going to be vastly superior to anything that I could provide just from a vendor perspective. But the other thing is that we need to be brought in when we're having discussions around disaster recovery or tabletop exercises are occurring. We need to be looked at as partners and we have expertise that can help and minimize downtime and make sure that they have the assets they need when something like Ben is talking about does occur. And so we need to be brought in and utilized to the fullest of our capabilities as well and not just kept at arm's length because we're a vendor.
A
Yeah, really. And that's, I'm sure there's some education component on your end of things to help people understand what they can lean on you for. You know, am I reading that correctly? You would have to help your partner? Sort of. This is something we can offer you, you know, as your partner.
C
Yeah, you're absolutely right. You can either lean on us as a partner proactively or you're inevitably going to lean on us when something goes wrong and you need us to help remediate. So obviously one is preferable to the other.
A
Yeah, Ben, coming to you now and similar question, but from the clinician perspective specifically, how do you help clinicians and care teams really view cybersecurity as a part of their jobs? But I imagine a lot of that work is helping them understand like this is a patient safety issue. And can you share any, I guess, specific examples or best practices that have been effective that listeners might benefit from hearing?
B
Yeah, obviously as we said before, I think there's a huge culture shift here that we need to further embed this into the day to day work of our clinicians. I think at the surface the clinicians have not really been pulled in, educated and communicated to the robustness of kind of what Anthony has talked through. What best practice cyber hygiene is, right. And how you take that not just to your EHR or not just in certain clinical workflows, but across every portfolio, every product that we have. I think probably, you know, the biggest strategies that we've put in or are working to put in just further tie into this. Right. So one is not taking security as a separate department within IT, and then, you know, they've reviewed a product, it's coming to our organization and then we never hear from them or see from them again, but internally, really pulling them in not just to evaluate a new product or a new vendor from a security stance. But once we've cut that PO and once we've got that quote and we've got that product in our doors, also making sure that they're part of the design and the architecture of that system. I think that's where we have, historically, at least within my own organization here, really kind of failed at that. We've done a great job of pulling them in early and vetting products prior to getting them in. But once they're in and approved, we deploy them really at the clinicians' and operational leaders' desire. Right. Without necessarily that strategy of cybersecurity or security at the forefront. And as Anthony alluded to, I think the challenge there is that they're kind of opposing viewpoints, right? Security wants to restrict, they want to segment, they want to make longer passwords, multi factor authentication, they want to put those security measures in place. But as a clinician, those are often viewed as barriers, right. I want to make sure that those things are not limiting my workflow or making it too hard to do my work.
And so there has to be that compromise. It's not one or the other, it's how do we build the best system looking at cybersecurity principles as well as the clinician efficiencies and the need to do their job on a day to day basis. And we need to pull both parties to the table and even a step further, as Anthony said, not just own that as an organization and have to recreate the wheel at every health system across America, but pull in the vendor who already is that product expert, right. And has that leverage of expertise that we can use, and not viewing this as a purchase and then a deployment that we run internally, but really as an ongoing partnership, as we said. Right. I'm not buying a product and ending that relationship. We're going to buy that product and then continue to evolve it, improve it, make sure it's being optimized as much as possible, not just from a security standpoint, but in all facets. So I think that's a really big piece of it. The other one is because you have those decision points across a multitude of groups. It's IT, it's your clinical engineering teams, it's your clinical, it's your operational stakeholders having some sort of governance set up to help facilitate those conversations. The challenge here is this product is not owned by one group anymore. Right. It's too connected. It's too intersected with so many other technologies. Having an interdisciplinary team that can help weigh those pros and cons, look at the downstream effects, and help make kind of holistic, ideal decisions is really helpful. And it's something we've stood up and has been paying big dividends for us.
A
You got to bring a bunch of different people around the table, and folks have to understand where everyone else is coming from. Like, this is why I'm concerned with X. Right. And they've all got to get aligned on what that is. Correct?
B
Correct.
A
You got it. Yeah. And, Ben, I think I will come to you with this one first. But Anthony, I want to hear from you as well on this, which is, coming back to what we've discussed, this is increasingly innovative. So much transformation with technology is happening in healthcare right now. You've got cloud tools, remote monitoring, connected devices. We haven't mentioned AI, but you've got that going on too, in many different ways. So there's so much excitement here. But of course, amid all this, threats are shifting. As we mentioned, cyber attacks are becoming more sophisticated. So we'd love to hear from both of you, how can health systems really do both, which is pursuing innovation, pursuing transformation, while also minimizing risk, making security a priority. And I guess, what steps can vendors and health systems take together in the next few months to really strike the right balance here between prioritizing innovation, but not at the detriment of security, not adding unnecessary risk. Ben, let's hear from you. And then, Anthony, I'd love to hear your take as well.
B
Yeah, it's a great question, one that we continuously struggle with as a healthcare organization. You know, we want to be innovative. We want to be cutting edge, not just for the patient safety and the patient improvements that that can bring, but also from a marketing standpoint, from, you know, a staff retention standpoint. That offers a lot of value to us as an organization. At the same time, we're a nonprofit, and in the healthcare business, we run on, you know, razor thin margins. And so there's not always the resources and the robustness within the organization to help support some of that innovation. And so it's a fine balance between, you know, how can we be leading edge, cutting edge, innovative, but at the same time be conservative and safe with the limited resources that we have. And so I think a couple strategies, you know, on top of having that strong governance and that interdisciplinary group to help review and ensure that any new technology or any new products that we bring in are well designed, well vetted and well understood before implementing. You know, I think that's a critical stake. But I think at the other end, we also want to help make sure that we have some sort of innovation model in place, right. That we don't just pick a product, roll it out across our system to find out that there's some bug or some miss that we didn't understand about it. Right. But how can we roll that at scale in some sort of beta test or pilot sites to really better understand that ecosystem that we have with the product functionality that we're bringing in that's new and novel before we roll it out en masse?
And I think that's one of the challenges we have had on previous rollouts is that we bring in a product that has been tested and validated in other organizations by the vendor, but we haven't put it into our unique ecosystem with our own intersections, integrations, infrastructure, and really understood how it works within our environment before rolling out en masse. And so doing some sort of beta test like that or an innovation unit can really pay dividends for us.
A
No one organization is exactly the same. You've got to kind of like know yourself. Right? Appreciate it, Ben. Anthony, what do you have here?
C
Yeah, so first of all, I would say be measured. Just because you have innovation doesn't mean you need to adopt innovation. It's very easy to go after the shiny objects and that's not always necessary. But then to tag on with what Ben just said, make sure that you put this stuff into a test environment. I'll say it a slightly different way, which is if you've been to one hospital, you've been to one hospital. Every one of them needs to be tested appropriately whenever you bring some new tech in there. Plus, you need to make sure that the technology that you bring in is going to be adopted and it fits those, the clinical workflows. This isn't just a technical game. Ultimately there are clinicians out there, there are patients out there, and the worst thing you could possibly do is have them trying to get around things and have shadow IT. So you need to make sure that that group is accepting the technology that you're bringing in.
A
Yeah. Really important call out there in terms of not wanting to let that scenario, shadow IT, sort of arise. Thank you, Anthony. Before we let you both go, is there anything you want to share with folks that maybe you didn't get to say, something to re-emphasize, a final thought to share with listeners? Anthony, why don't you go ahead?
C
Yeah, I would say to make sure you form strong partnerships with the vendors that you're working with. This is no longer a case where we can just drop equipment off and walk away. We're involved in this deeply, as all the health systems are. So work with them, partner with them, bring them into your disaster recovery, have them working in your test environments. Bring those vendors close. We're seeing a consolidation of vendors. And so if you've got only a small, limited number of them, bring them in and utilize them to the full extent that you possibly can.
A
Excellent. Ben, what do you have?
B
Yeah, I think echoing that and even taking it a step further, certainly we need to do a better job of bringing the vendors into that table and building that partnership. But I think there's a huge opportunity to also expand that to other customers. Right. Find community partners and community hospitals that have gone through similar efforts or have gone through similar updates and learn from them. Find out what's working well and share with our peers. That's not something we do enough of. And you know, I think there's a huge opportunity here to not recreate the wheel as an individual organization, but to learn from others and grow the larger healthcare environment to really ultimately improve care for the patient.
A
Yeah, we're big fans of peer to peer learning here at Becker's. So Ben, Anthony, appreciate you both taking the time. Thank you so much. Also want to thank our podcast sponsor, Philips. You can tune into more podcasts from Becker's Healthcare by visiting our podcast page at beckershospitalreview.com.
Title: Balancing Innovation and Protection: The Future of Healthcare Cybersecurity
Podcast: Becker’s Healthcare Podcast
Date: November 20, 2025
Host: Brian Zimmerman
Guests:
Anthony Locasio, Chief Technology Officer, Hospital Patient Monitoring, Philips
Benjamin Millman, Lead Clinical Informaticist, Design and Optimization, M Health Fairview
Main Theme:
The episode explores the escalating challenges of cybersecurity in the healthcare sector as technology advances. Brian Zimmerman moderates a conversation between two leaders—one on the vendor side, one on the clinical operations side—about how health systems must evolve their security cultures, build resilience, and foster close collaboration in an era where breaches are nearly certain and both innovation and risk grow in tandem.
Benjamin Millman (00:37):
Lead clinical informaticist in the clinical technologies department at M Health Fairview; a nurse by background who bridges clinical and operational wants and needs with the IT and project side during technology rollouts and standardization efforts.
Anthony Locasio (01:11):
Chief Technology Officer for Philips Patient Monitoring; an engineer by background with about 22 years at Philips, focused on developing new services and bleeding-edge technology.
Mindset Shift in Clinical Operations (02:04):
Ben:
Clinicians often equate security with phishing emails; their understanding of device and network risks is limited.
Every device is now connected, exponentially expanding the attack surface.
The focus must shift from mere security to resilience:
“Not if we can prevent an attack, but let’s assume it’s going to happen at some point. How can we be best prepared for that?” (02:42)
Downtime planning has mainly focused on EHRs; there's an urgent need for comprehensive downtime plans for every tech-dependent function (e.g., badge-controlled doors, medication access, paging, on-call schedules).
Clinicians simulate clinical emergencies (“code blue”) routinely, but have never practiced “code black” (total tech outage) preparedness, including outages lasting days, weeks or months.
Duration Matters (04:01):
Ben:
“Even if we delay surgeries, even if we shut down electives, you still have patients within your four walls that you need to provide that same level of care to.” (04:33)
Anthony’s Perspective on Shift Needed (05:44):
“Medical devices need to be looked at as any other IoT device might be in their network.” (05:47)
Partnering with Vendors (07:25):
Anthony:
“We need to be brought in and utilized to the fullest of our capabilities and not just kept at arm’s length because we’re a vendor.” (07:51)
Making Security Everyone’s Responsibility (08:52):
Ben:
“There has to be that compromise. It’s not one or the other, it’s how do we build the best system looking at cybersecurity principles as well as the clinician efficiencies and the need to do their job… We need to pull both parties to the table.” (11:22)
Navigating the Tension (13:50):
Ben:
“No one organization is exactly the same… we haven’t put it into our unique ecosystem with our own intersections, integrations, infrastructure, and really understanding how it works within our environment before rolling out en masse.” (15:34)
Measured Adoption & Avoiding “Shadow IT” (15:45):
Anthony:
Be measured: just because innovation is available doesn't mean you need to adopt it; chasing shiny objects is not always necessary.
Test every new technology in your own environment (“if you've been to one hospital, you've been to one hospital”).
Make sure the technology fits clinical workflows and is accepted by clinicians; otherwise they will work around it and create shadow IT.
Anthony: (16:52)
“This is no longer a case where we can just drop equipment off and walk away… Bring those vendors close… utilize them to the full extent that you possibly can.” (17:12)
Ben: (17:26)
“Find community partners… learn from them… I think there’s a huge opportunity here to not recreate the wheel as an individual organization, but to learn from others and grow the larger healthcare environment to really ultimately improve care for the patient.” (17:34)
Ben Millman (02:42):
“Not if we can prevent an attack, but let’s assume it’s going to happen at some point. How can we be best prepared for that?”
Anthony Locasio (05:47):
“Medical devices need to be looked at as any other IoT device might be in their network.”
Anthony Locasio (07:51):
“We need to be brought in and utilized to the fullest of our capabilities and not just kept at arm’s length because we’re a vendor.”
Ben Millman (11:22):
“It’s not one or the other, it’s how do we build the best system looking at cybersecurity principles as well as clinician efficiencies and the need to do their job.”
Anthony Locasio (15:45):
“Just because you have innovation doesn’t mean you need to adopt innovation. It’s very easy to go after the shiny objects and that’s not always necessary.”
Ben Millman (17:34):
“There’s a huge opportunity here to not recreate the wheel as an individual organization, but to learn from others and grow the larger healthcare environment to really ultimately improve care for the patient.”
This episode underscores that cybersecurity in healthcare is everyone’s responsibility and must grow beyond basic IT confines. As medical devices, cloud technology, and AI proliferate, attack surfaces balloon and downtime is no longer a brief inconvenience—it can severely impact core clinical operations. Both guests argue that health systems must relentlessly practice resilience, deeply involve clinical and vendor voices in governance, carefully pilot innovations in their own environments, and forge stronger inter-organizational and vendor partnerships. True safety and progress will only come from breaking silos and working together at every level, every day.