
A
This is Laura Dirdo with the Becker's Healthcare Podcast. I'm thrilled today to be joined by Greg Sieg, Chief Information Security Officer at University of Michigan Health Regional Network. Greg, it's a pleasure to have you on the podcast today.
B
Thank you, Laura. It's a pleasure to be here with you.
A
Absolutely. Now, I'm excited for our conversation because I know cybersecurity is such an important topic in healthcare right now and certainly will continue to be as things change and we have more in technology and AI than ever before. But before we dive into the broader discussion, can you tell me a little bit more about yourself, your background and the organization?
B
Yeah. Been with the University of Michigan Health center for about three and a half years now. I have a background in IT and networking, security. Kind of worked my way up through the rankings, starting in healthcare at a help desk and then moving into different support roles and into leadership and spent quite a bit of time at a rural health facility where, you know, you wear quite a few hats, not just one, before I moved over to the university here and where now I get to focus on security and really kind of dig into it.
A
That's great to hear. And, you know, when you think about the last year in particular, were there any great initiatives that you led? What did you do and what were the results?
B
Yeah, last year we've been working on an acquisition that we purchased about two years ago. That's what I've been porting, as well as another affiliate that we acquired as well and working on bringing them together. So there's been a lot of different pieces to that work in the last year. So I wouldn't really pinpoint, say, one thing from that standpoint. But I would say that as we've been bringing it over, we've been trying to align to a cybersecurity framework that will work across the organizations regardless of size and be more of a standard. That work has helped us lay the groundwork, if you will, for moving, tooling, our people. All the work that we've kind of been bringing together, the work's been. The results have been good, but it's a lot of work. It's not just about tools. It's about people and, you know, communication with the different departments and building up, you know, a culture, if you will. So it's been satisfying to see the. Where we've come in the last year and the work that we've done as we've moved through it.
A
Absolutely. I think, you know, you have that two things that you talked through right there and just looking at the cybersecurity, the technology side of it, and then the people side too, which I know is no easy task to make sure everybody is practicing the proper cyber hygiene and being a good spot of communication and culture, as you put it. So when you think through what you've been able to accomplish over the last year and then look ahead, what are you kind of focused on? What are some of the priorities and headwinds that are top of mind for you in 2026?
B
Yeah, the fun thing with cybersecurity is it's ever changing. The last few years we were hyper focused on AI in the industry with changes that came out of that and the speed that it goes at. But I would say right now our focus from an overall is really looking at our identity. So whether that is a person, a machine identity, really kind of across the gamut, looking and making vendors and so on, making sure that we've got the correct structure around, the correct governance around it. We're doing the correct auditing with it, you know, and we're, we're keeping track of those identities as they, as they come through the system. So working with multiple systems, multiple HR systems that they come through and making sure that we're deduping those identities and that again, we get a nice clean, clean look at them. So there's a lot of work that goes in identity, and it hits pretty much every facet of cybersecurity. So it's one of those areas that if you don't have your identity right, a lot of your tools are, you know, it's hard just to say that they're working right. You know, the. Right now you get a bad actor that gets a good identity. It's very hard to track that down and, you know, determine that you have something in your system. So having a good secure program around that is really our focus right now.
A
It makes a lot of sense. And, you know, I think it's especially critical to have that type of governance in place in something a lot of health systems are focused on right now and continuing to evolve. And so, you know, I'm curious if you could dig a little bit deeper and share a little bit more about how you're structuring the governance process at University of Michigan. That would be helpful to understand. I think, you know, anything that you might do differently or uniquely because of the last year of how, you know, things are evolving at such a rapid pace.
B
Yeah, so one of the things that I would say we're focused on right now is trying to align the entities. So working through M and A, you typically are working through multiple tools in different environments. So we're working on doing alignment and visibility across those organizations. Right now we have it in tool sets, but we're looking to get it into a single pane of glass and make it a little bit easier for us to view those. And then as I mentioned, the machine identity, that's something that I'm very intrigued with getting into more as we go through items, because a lot of times your machine identities are items that they're created for a server, an application, a device, and those have a lifecycle that is a little different than say, a human account, typically not having the same password reset functions on them and items. So there's things you can do with certificates and different work to better secure those accounts and also allow us to change those passwords on the fly with automation. And those are some things that we're keenly looking at to try to be better along those lines.
A
That's helpful to know. Thank you for digging a little bit deeper there. Now, looking into the next year as well, what do you think the hardest thing you'll have to do will be?
B
So, as we talked here, cybersecurity is not just about deploying a tool to secure yourselves. There is a very large people process technology piece to working together. And the people side is very subjective. That's where coming in, we still see a lot of social engineering, a lot of phishing. It's not something that, like I said, that you can just put a tool in place and be fixed. So when you look at that and then you look at healthcare, which is an area that, you know, we're also having to balance with, you know, patient safety and regulatory requirements. It gives us, you know, a lot of work to do, I guess is the best way to say it. So, you know, the next year, as I mentioned, we're going to continue to work with, with identity, but also looking at ways that we can make sure that we're doing a good balance of our communications out to staff and even our patients on how to keep themselves secure and how to keep our environment secure while they're there, as well as continuing to look at our technologies and our processes to make sure that they're going in the right direction. Cyber is really a very continuous life cycle. At the end of the day, we don't get to go and put a tool in and then walk away and say, okay, the job's done, let's move on to the next. So the moment that tool goes in and gets configured. We're going right back and tweaking and adjusting as we learn new things. And a lot of that comes through what we call cyber threat intelligence. Working on that to try to make sure that the tools and the processes that we have in place and the education that we're doing with our employees is the right stuff for our environment and that we're, you know, protecting the right way. So we utilize a lot of that intelligence information to help us make those decisions and to, you know, move forward in the right way.
A
That makes a lot of sense. And, you know, I appreciate you talking through everything that goes into the process, not only technology, but how you want to make sure that the processes are there and everyone understands the importance of following them, because it just makes such a big difference. And the data you have, too, I can imagine, you know, really helps you keep track of all of these things in a way that you weren't able to in the past.
B
Absolutely.
A
Now, before we wrap up here, I want to talk about growth, too. Where do you see some of the best opportunities for organizational growth in the future?
B
Yeah, so this one, you know, healthcare is expanding, you know, pretty rapidly right now, but it's expanding outside of the hospital walls. Yes, we're seeing expansion hospitals, too, but a lot of it is. We're seeing new ambulatory clinics. We're seeing a lot of virtual. We're seeing AI playing a role in this as well, you know, bringing a lot more care direct to the patient, even. Even in their home. And that makes it, you know, it. We don't have that footprint of, you know, within the hospital walls like we once did. And for cybersecurity, that makes it a little bit harder because, you know, you don't have a set line, you know, that you're looking at. So as we go through and we look at that, we. We have to grow and adjust with them. And in cybersecurity, we've got to be able to be flexible to allow the facility to grow as well. The other point that I didn't put out there is, as I mentioned earlier, we're doing mergers and acquisitions that helps accelerate this. You know, we're still seeing that fairly heavy in the health care industry right now. But from the cyber side, I look at it, our job is making sure that as we do these, we're doing the right pieces to keep us secure, to allow the business to do that organizational growth and feel confident that we're putting the right steps in place as we do those, we're doing the risk assessments on the sites and bringing everything up.
A
That makes a lot of sense. And it's cool to hear, especially the way that you can integrate into that whole growth process. And when you are bringing on new sites, new facilities amid some of the larger M and A and the integration of those kinds of things, what are some of the challenges that arise or the things that you have to troubleshoot as you're trying to get everything up to speed? So you're bringing the new facilities or organizations into the fold?
B
Yeah, I would say healthcare's very, very keen on people and relationships, and I think that's one of the biggest things that you have to focus on when you go into these events. You have organizations that, you know, may have. May have been there for, for 50 years, you know, or more. And you've got people that might have spent their careers there that they, they know their way of doing things and they might have ways of doing things better. You know, they might have ways of doing things that are different. And it's, it's looking at those, validating those, and reviewing the risk and determining, you know, what the next step is. But, you know, at the end of the day, you know, there's a. It's. It's all people centric, you know, when you get into that. So, you know, like I said, it's very easy to think, oh, I'll just go deploy a tool and get a score. But that doesn't tell the whole story. So working with staff, working with the departments, it's not just. I'm not just working with, with an IT department or security department. I'm working with, with clinical departments, with financial departments to make sure that we're there assisting them, getting the right steps that they need to really, to get the next process going and make sure that they're doing it in a right and secure way and that they understand what we're there for. The last thing I want is to be looked at as a barrier, you know, to what the business is trying to do. I want to be looked as a partner that can come in and help. Because when you're a barrier, people look to go around you versus when you're a partner. People will come to you and ask you how they can proceed to the next step and get it and get around a barrier that's in front of them.
A
I love that analogy. Greg, thank you so much for joining us on the podcast today. This has been such a fun and informative conversation. I really appreciate your time and I'm excited to see you as well at our annual meeting coming up in April. I know you'll be speaking on a panel and definitely digging deeper into some of the things we talked about today. And so it'll be great to get your expertise and to see you in person.
B
I'm absolutely looking forward to it. Thank you for your time again today as well, and appreciate this.
Podcast: Becker’s Healthcare Podcast
Title: Greg Sieg on Building a Resilient Cybersecurity Program Across a Growing Health System
Date: February 10, 2026
Guest: Greg Sieg, Chief Information Security Officer at University of Michigan Health Regional Network
Host: Laura Dirdo
This episode features a candid and insightful discussion with Greg Sieg about the complexities and evolving challenges of building a resilient cybersecurity program, especially as health systems undergo rapid growth and integration through acquisitions. The conversation centers on balancing technology and people processes, prioritizing identity governance, navigating the unique challenges of healthcare expansion, and fostering strong interdepartmental relationships during organizational change.
“I have a background in IT and networking, security. Kind of worked my way up through the rankings…you wear quite a few hats, not just one, before I moved over to the university here.” (00:32)
“It’s not just about tools. It’s about people and…building up, you know, a culture.” (01:23)
“If you don’t have your identity right, a lot of your tools are…hard just to say that they’re working right.” (03:16)
“Right now you get a bad actor that gets a good identity. It’s very hard to track that down…” (03:58)
“…machine identities…have a lifecycle that is a little different than say, a human account…those are things we’re keenly looking at…” (05:18)
“Cyber is really a very continuous lifecycle. At the end of the day, we don’t get to go and put a tool in and then walk away and say, okay, the job’s done…” (07:27)
“The people side is very subjective. That’s where…we still see a lot of social engineering, a lot of phishing.” (06:51)
“Healthcare is expanding…pretty rapidly right now, but it’s expanding outside of the hospital walls…We’re seeing new ambulatory clinics. We’re seeing a lot of virtual. We’re seeing AI playing a role in this as well, bringing a lot more care direct to the patient… And that makes it…a little bit harder [for cybersecurity]…” (09:34)
“From the cyber side, I look at it, our job is making sure that as we do these, we’re doing the right pieces to keep us secure, to allow the business to do that organizational growth and feel confident…” (10:22)
“Healthcare’s very, very keen on people and relationships…I want to be looked as a partner that can come in and help. Because when you’re a barrier, people look to go around you versus when you’re a partner, people will come to you and ask you how they can proceed to the next step…” (11:30, 12:53)
Greg Sieg emphasized the fundamentally human-centric nature of cybersecurity amidst rapid technological and organizational change. Building resilient programs relies as much on relationships, education, and cultural integration as on technology and frameworks. As health systems grow beyond traditional boundaries, successful security leadership adapts, partners with all stakeholders, and cultivates trust across the organization.