Data Security Decoded: "HIPAA 2.0, Minimum Viable Hospitals, and Strategies for Cyber Resilience within Healthcare"
Host: Caleb Tolan (Rubrik)
Guest: Errol Weiss (Chief Security Officer, Health-ISAC)
Date: July 15, 2025
Episode Overview
This episode of Data Security Decoded explores the evolving landscape of healthcare cybersecurity. Host Caleb Tolan converses with Errol Weiss, CSO of Health ISAC, about the mounting challenges of protecting sensitive healthcare data, the implications of new regulatory proposals like "HIPAA 2.0", differences between industry ISACs, the readiness and resilience of hospitals, and strategies for building a security-first culture in healthcare organizations.
Key Discussion Points & Insights
1. Errol Weiss’s Career Journey and the Role of ISACs
[01:45–03:19]
- Weiss shares how his career began with the NSA, transitioned to financial services, and eventually led him to Health ISAC through strong relationships in the industry.
- ISAC Definition:
- Health ISAC (Information Sharing and Analysis Center) is part of a larger movement that began in the 1990s to promote private sector collaboration on critical infrastructure threats.
- "If you've seen one ISAC, then you've seen one ISAC." (A, 03:29) – underscoring that each ISAC operates differently but shares the core mission of info-sharing and resilience.
2. Unique Challenges in Securing Healthcare Data
[03:20–07:30]
- Health ISAC serves members with varied cybersecurity maturity—from large hospital systems with robust teams to small, resource-strapped providers.
- The organization focuses on producing actionable, anonymized threat intelligence for all members, supporting especially those with limited internal resources.
3. Differences in ISAC Models Across Industries
[05:45–07:30]
- Health ISAC vs. Financial Services ISAC:
- Financial institutions may desire attribution for intelligence; healthcare leans into trust and altruistic info sharing.
- "There's a much different motivation and orientation for people like that and these kinds of organizations. And I think it just carries over to the technical teams…" (A, 06:50)
4. From Disaster Recovery to Cyber Resilience
[07:31–08:50]
- Shift from “protection mindset” to resilience:
- Evolving networks and technology make perimeter-focused security less viable.
- Resilience now relies on detection, rapid response, and recovery.
- "We can't protect it all—we've got to be better about detection, recovery and so, sort of a floating resilience out there." (A, 07:54)
5. HIPAA 2.0: Regulatory Proposals and Industry Readiness
[08:52–11:53]
- HHS’s proposed rules (dubbed "HIPAA 2.0") include strict recovery timelines (72 hours) and ongoing sensitive data tracking.
- Weiss’s take:
- Unlikely to move forward soon due to current political climate; the industry also lacks the necessary resources and staff to comply.
- “You can mandate something, but if we don't have the money to implement that, if we don't have the people to implement all that, it's not going to get done.” (A, 11:22)
- January 2024: HHS released Cyber Performance Goals (CPGs)—not requirements, but baseline security suggestions.
6. Policy-making and Small/Rural Hospitals
[11:53–12:35]
- Regulatory approaches often lack perspective on resource-limited, rural hospitals.
- There's a call for broader, more inclusive policymaking to avoid disproportionate impacts on these organizations.
7. The Human Side: Building Security Culture in Healthcare
[14:03–15:44]
- Weiss on security culture:
- "Security can't operate for security's sake...We need to build that culture where nurses, doctors, administrators feel like they're all part of that solution… And we need buy-in from every person in the organization…" (A, 14:09)
- Continuous, role-relevant security training is crucial—must go beyond simple, annual compliance exercises.
- Staff should feel empowered to report issues safely, without fear of retaliation.
8. Minimum Viable Hospital (MVH) as a Cyber Resilience Strategy
[15:44–17:33]
- MVH: Ensuring core operations and critical patient care services persist during/after a cyberattack.
- Adoption is “all over the place”—commonly found in larger, urban hospitals with mature teams.
- Smaller, rural hospitals are held back by resource constraints.
- "In my conversations, I think 30, 35%, about a third of the healthcare companies… are exploring or implementing MVH principles. But again, it's kind of all over the place." (A, 17:26)
9. Looking Ahead: Optimism vs. Pessimism in Healthcare Security
[17:45–19:08]
- Errol is “normally an optimistic sort of person… maybe a little cynical and jaded” (A, 17:45).
- He’s excited about the rise of AI in health—improved diagnostics, personalized medicine, and the potential for AI-enhanced security.
- But acknowledges AI is also a double-edged sword, bringing more sophisticated threats.
- “It's going to make our jobs better and allow us to do more.” (A, 18:51)
10. Getting Engaged: Health ISAC and Beyond
[19:35–20:26]
- Weiss encourages engagement in industry ISACs, citing personal and organizational benefits.
- "You get so much more out of it than what you put into it. And it's a great learning environment…" (A, 20:17)
- For more information: health-isac.org and the National Council of ISACs.
Notable Quotes & Memorable Moments
- "If you've seen one ISAC, then you've seen one ISAC." (A, 03:29) – Emphasizes the unique approaches of each ISAC, despite similar missions.
- "Security can't operate for security's sake...We need to build that culture where nurses, doctors, administrators feel like they're all part of that solution…" (A, 14:09) – Highlights the necessity of organization-wide buy-in for real security progress.
- "You can mandate something, but if we don't have the money to implement that, if we don't have the people to implement all that, it's not going to get done." (A, 11:22) – Powerful reminder of the gap between regulatory intent and operational capability.
- "The threats just keep getting worse… but I'm super optimistic though in terms of where we're going, where the industry is heading." (A, 17:50) – Balances the challenges ahead with cautious optimism around future advancements.
Timestamps for Key Segments
- 01:45: Weiss’s career path and entry into Health ISAC
- 03:20: What is an ISAC?
- 06:05: Differences between ISACs and inter-industry collaboration
- 07:31: Disaster recovery vs. cyber resilience philosophy
- 08:52: "HIPAA 2.0" proposals and regulatory landscape
- 14:09: Building security culture among non-technical staff
- 15:44: Embracing the "Minimum Viable Hospital" concept
- 17:45: Weiss’s outlook—threat horizon vs. optimism
- 19:35: How to get involved with Health ISAC and other information-sharing organizations
Tone Summary
The exchange is practical, relatable, and forward-looking. Weiss shares candid, real-world accounts and advice with a balance of caution, humility, and optimism. The host, Caleb, keeps the discussion accessible, focused, and audience-aware.
Key Takeaways
- Healthcare cybersecurity requires community—small and large actors both benefit from intelligence sharing.
- Resilience trumps perimeter: Emphasize detection, rapid recovery, and business continuity.
- Effective security cultures rely on buy-in, continuous training, and psychological safety for all staff.
- Proposed regulations like HIPAA 2.0 face resource-related roadblocks, especially for rural providers.
- AI will challenge and empower defenders and attackers alike—adversity breeds innovation.
- Engaging with ISACs is a force multiplier for cyber resilience.
For more insights or to get involved, visit health-isac.org or the National Council of ISACs.
