
Loading summary
A
Foreign.
B
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudette.
A
Welcome to the Risk Never Sleeps podcast in which we learn about the people that are on the front lines delivering and protecting patient care. I'm Ed Gaudette, the host of our program and and today I am pleased to be joined by Adam Rosen, the Chief Information Security Officer at Roswell Park Comprehensive Cancer Center. Welcome, Adam. How are you today?
C
Thank you. I'm doing well.
A
And I hear you're from Buffalo.
C
Yes.
A
How's the weather?
C
Weather right now is good, a little cool. Don't ask me any questions about the bills because I won't be able to say anything intelligent about it.
A
How about the Sabres? You a hockey fan?
C
No.
A
Pretty much.
C
Same position on the and I'll show up for games there from time to time. Enjoy the stadium food. But that's about the extent of my sports participation. Sounds like me.
A
So we'll probably get into what we did when we were kids. Were you D and D? Were you Dungeon Dragons place? Yeah, me too.
C
It's very much a ghost sports ball.
A
Exactly. All right. That was a little off the cuff, but we usually start with a little bit about you. Your background, your current role and your organization.
C
Sure. Currently I am Chief Information Security Officer at Roswell Park Comprehensive Cancer Center. We are an NCI designated cancer center. That means that aside from our patient care mission as far as curing and treating cancer, we also have research areas and very heavy focus on cancer research and also on education. Those three bind our mission as far as it relates to cancer. So we're very focused on that particular area of medicine. We were the first NCI designated cancer center in the U.S. if my memory is serving me. And then as far as what got me here before talking about too much about what I do, I've always been into computers. My father was a computer person, did sales and I think the first computer we had in the house was a Compucolor which nobody ever has heard of. It seems like when I talk to people. But pre D, then we got an Amiga, we moved up and then very early IBM laptop back when it was a big box with a small screen and got me into like basic programming and just fiddling and tinkering around. It was something I was always interested in. And so then through high school and into college, the focus was computer science and engineering and originally was going to be start my own game studio. That was my original plan.
A
That's cool.
C
And Then went into grad school and started getting into security there, at least theoretically. I went to work as an independent study on a security project that wasn't what I was expecting. It was really around user behavior analytics in the sun environment and analyzing and detecting unusual activity patterns. It was written I think in Java, which was not my language at that point that I was familiar with, especially with the GUI programming. And I spent two out of the three months of the semester tearing this apart trying to understood how it worked because I couldn't figure it out. And it turned out all he did was UI stuff and it wasn't me. It was like I just figured I was missing something when I was tearing it apart. So that was my first security project that didn't really pan out the way it did, but from after grad school I went to the Naval Undersea Warfare center island and did some ATM networking but also did some work with on firewalls with an allied submarine program there. Started getting more into security and monitoring in that role and I was there for about three years and then we moved back to Buffalo. At that point I started my own IT consulting company because I figured it's easy just hang my shingle and a lot harder than that. But I had a set of clients and just naturally my focus started becoming more on just the basic security of small business security. Antivirus, backup recovery, disaster resiliency setup, early cloud backup to my own data center kind of environment. And then turned one of my clients that was a small healthcare provider became my. They were becoming my larger clients and they ended up just becoming my full time job. And I had shut down the shop that I had started and I was doing everything there. The only IT guy, soot to nuts, VMware design, resiliency and SAN configuration. But focusing more and more on the security side. It was just getting more interesting and the HIPAA compliance and it was just given the different projects that's where I'm willing to spend my time. And so after a certain amount of time there I decided to seek out just a security focus. I came here as a security engineer under the previous CISO who was the first CISO here that escalated quicker than anticipated. I was there for about six months and she came and decided that I was going to be her succession plan for when she left. Two, three years down the road and she wanted to start getting me up to speed and on some of those operations she left eight months later. So a little faster than planned. And then just. It was a leap, but one that was. I liked the challenge that took me into the role and for a while I was doing double duty. I was doing my old duties at it, but the new stuff, but that has mostly settled down over the intervening years.
A
Interesting, interesting.
C
So that's what brought me into this role. And it's been challenging. It's been interesting. It's joining a community that is in healthcare security has been an experience where you have a lot of people to lean on and good people to commiserate with when you're sharing your challenges that everybody shares. It's a role I've been enjoying most days. And then as far as how what we're doing here, I don't think it's too much different than seeing most healthcare organizations, except it can be a little more challenging because we have the academic and we have the research and we have a clinical, all in that same environment. Serving different masters can provide some of its own challenges. Balancing and enabling the researchers to be flexible and access the services they need while making sure that the phi is secure, the environment is secure, because patient care is number one and this is.
A
Like an IRB research function. Interesting. And how are you working that into your overall security process? Because obviously I'm assuming you're exchanging data. The parties that are involved in the research, how are you managing that process?
C
We interface with legal and privacy teams. We work to make sure that wherever we're giving our data, it's third party vetting to make sure that they're following the appropriate controls and that we have the assurance that high level of assurance that our data is going to be kept secure. Contracts are in place, BaaS liabilities, cyber insurance. But I've always taken the stance of those are good things to have. They help mitigate the overall impact. But from a patient privacy perspective, regardless of how much you're going to be reimbursed for it, the records are just as brief. You haven't protected the privacy. We focus a lot on that due diligence and looking at the architecture for exchanges, a lot of which have been standardized at this point through various platforms. Whichconics things a little bit easier. We don't have to keep reviewing everything as its own entity.
A
And are you an EPIC shop or no?
C
We are not.
A
Okay. And when you look out over the next 12, 24 months, what are some of the top priorities on your plate?
C
Number one has really been that I'm trying to change the way communicate and involve the business in risk. One of the especially when I first started starting the job, I would talk about risk in very Technical terms about what's on our risk register, about not having a hole in our DLP or configuration that wasn't secure, but that just goes over the heads leadership and then supportively nod their heads and expecting to take care of it and do our best. What I've been focusing on the past six months, and this is an evolving process, is really working with the business. So first of all, risk is the intersection of impact and likelihood. So my line has been my team is proficient in determining the likelihood of something happening, but we're not the best at determining the impact. Right. And where it's scale the scale is. So instead of us doing a thumb in the earth, where do we think it falls on that matrix? We've been bringing in the business very heavily. So like privacy compliance and legal, you tell me what level of number of records is a medium impact, catastrophic impact, et cetera. So that we're all talking the same language when we come back with risk. And then we're following better governance because we're creating tolerances about where we need review when the risk level hits a certain threshold. And we're doing that with financial. You tell me what the dollar values are for each of these different criteria. Catastrophic, essentially being something that jeopardizes our ability to operate. And we're doing it with intellectual property and reputation, which has been more challenging to qualify. And also with clinical impact. Right. From a senior executive level looking at, you tell us if this particular system meets the criteria that an outage would be a catastrophic impact. Obviously the EHR qualifies as that.
A
Sure.
C
That lets us talk more about the risk on an equal footing because we've gotten that buying in and everybody's aware of what we mean when something is a medium risk or a medium high risk, et cetera. The other part of what we're doing that I've been really focusing on is really talking to senior leaders and executives about the high level business risks and some of the technical risks. And we've revamped our risk register to take, I think we've got about 40 business risks like loss of clinical availability due to ransomware, breach of privacy due to ransomware or external attacker in general, breach of privacy due to internal threat, loss of the data center because of fire or flood. Right. Environmental risks and. Okay. And then we're taking our risk register and we're tying each of those technical findings to one or more of those business risks and then mapping that out on a risk matrix to the what do we feel the risk of all of these business Issues are that they care most about and then we can talk about the technical things we're doing to address them. For example, loss of phi to a third party change, health care, Blackbaud a few years ago, that's up in the high dark red because you look at a five year period, which is how we look at it, it's pretty much guaranteed to happen. And the impact as defined by the business of the loss of that number of records is a high impact. When we talk about that being high up in the upper right corner, they understand that and it's not an arbitrary decision on my department. And then we can say, okay, well can we reduce that if and and same thing with ransomware. And then what we're doing is then we're taking the various information security projects that we're working on now or proposing for the near future and we map that so you can actually see in the dashboards that we built. This project touches these risks that are distributed hopefully usually in the high risk areas because those are the ones you want to address, giving them that feedback and that hopefully clear understanding of what we're trying to do on an annual basis with our projects.
A
Got it. And where does the adoption of AI fit within your priorities and your scope today?
C
It's something we're actively working. We're trying to create best practices around how to use it, and not just from a cyber perspective, but from a data quality perspective, bias perspective, copyright and the legal aspects of it. And how do we manage that? How do we make it effective and enabling for the business? As we've sampled certain AI technologies that are more consumer focused, we're looking at it in clinical areas about how it can improve physician productivity and patient experience. But all of these from the security side, we're creating our standard expectations around it. A lot of these things, especially when it's cloud based or SaaS based, so much of it is just the same due diligence you would usually do.
A
Right.
C
But then it's what do you go above and beyond with when it's okay? How are you taking prompt data and integrating that into what can be returned and making sure that access controls is properly is respected when you're returning data and then when we're talking about internal, internally developed projects, what are our expectations there? And ideally I'd like to say to make sure that your model is not subject to model poisoning attacks, but we're not quite at the point where we even know what does that mean in an AI world that we can be providing them the guidance as to what you have to do to an AI model to make it resilient to that.
A
Yeah.
C
Not learning.
A
And how are you handling governance? Have you set up a governance process, committee policy yet?
C
Yeah, almost. We've had some other stuff in place and checkpoints and conversations, but we're working on getting that last piece of formality and structure.
A
Yeah, a lot of folks are on that journey today. Sue, when you think about your current job and what you do, what would you be doing if you weren't doing this role? What are you most passionate?
C
I go back to that game programming. That was my original dream. I found out during one of my projects in grad school. I am horrible at 3D modeling and animation, so I probably would have hired out tons of it, but I missed some of the programming days from my earlier experiences. That was always very rewarding to face a puzzle and get to work it through to completion and see the finished product, which is harder in security because you've never done. We do wrap particular projects, but when I look at the big picture of what I'm trying to accomplish, it's just there's the next thing and. The next thing.
A
Yeah. Interesting. What games did you play? I assume you're a child of the 80s or.
C
Yes.
A
Yeah, yeah. So what were your favorite video games?
C
Going back to Nintendo, I think Zelda 2 was one of my favorites. Moving into, like, high school and early college, I worked at an Internet cafe. So this was before everybody had computers. Games were not networked for Internet connect shim in place for those. So my friends and I would get together at night after the cafe closed and we'd go. We'd play Duke Nukem Descent and just kill doing those. While I'm running back and forth, getting people sodas and coffees, various snacks and keeping the register going for my boss. So he was.
A
I love the game. I don't know if you. You remember Tempest?
C
Yeah, Yep.
A
And Defender. You remember Defender This.
C
Tempest was that one where you go around the circle.
A
Yeah, yeah, yeah, yeah, yeah. They'd start to start from the bottom and come up and.
C
Yeah, I think that was the first. What, vector graphics.
A
That's right, yeah. And Defender. The spaceship. And I would just go linear some.
C
Yeah, I think I know which one you're done.
A
And then the first one where it was animation. Dragon Slayer, I think it was called.
C
Oh, yeah. Dragon Slayer. Prawn was my other. One of my other favorites in the deadly discs.
A
Oh, yeah.
C
Arcade.
A
Nice.
C
I was just good at it, but I liked it.
A
Nice. Yeah, We Talked about D and D earlier. Were you multiclass?
C
No, I was always. I was typically the wizard.
A
The wizard, huh?
C
I spent way too much time on my prop spell book that had for my one character that was going through the campaign and I had all the pages and I burnt the edges so it looked like I had been thrown in a fire. It was just nerdtastic.
A
Those are the good old days. Yeah. So if you could go back in time, what would you tell your 20 year old self?
C
I think the easy stuff is hard and the hard stuff is hard too. But so much is from the technical perspective and I faced this early on when I first started in this role and we needed to do a much wider MFA deployment that we've heard that we had at the time. And from a technical perspective, it's you flip a switch, you put everybody in the right active directory group and you're done. And you're done. Or maybe you're nice about it and you send people instructions on how to enroll. Yeah.
A
Until the uprising.
C
Yeah. So it's going into these things saying, yeah, technically it's easy, but it's culture change. Yeah, it's again, we're heavy research and so the researchers are saying, we don't deal with phi. It's mouse data. Why do we have to. Yeah, but you're on. You're in our email system business compromise, you're on our network. Getting that, that buy in throughout the organization was a bit of a culture change for some of the key players. Making sure that again, you just from that technical perspective, you're just that from that engineering background I have, I just was so used to just being in control of it. You turn it on and make it work and you make it work as easy as possible and it smooths only from there. But when you're dealing with that large organization with people at different skill levels, you gotta make sure that the supporting infrastructure is there. Right. Like the service desk understands how they have to support and handle calls that are going to come in. What's the rate of enrollment before you're overwhelming the system and the people that are supporting you? Yeah, it's just, it was that early mindset that it's just, just flip the switch and you're done.
A
Yeah, it's great. Hardest lesson in your career.
C
Just like the fragility of the ecosystem, you look at change, you look at crowdstrike, it's not coming from where you expected. We're defending our borders and our perimeter and our applications and you look at Kronos a Few years ago, you're aware of the impact of third party and supply chain. But Kronos didn't affect the entire healthcare ecosystem the way Change Healthcare did and was focused on that one industry. And then CrowdStrike, the tool that you have to prevent outages, is the tool that created the outage. And you just start having to look at everything with a different lens and start weighing the risk of bringing on this new tool. We evaluated the other endpoint tool agents that we have on the system from a security perspective and could they do that? And how are we rolling them out and staging upgrades? Are we doing the best way? And so we made some changes there. It's just how fragile the system, the entire environment can be.
A
Yeah. That was amazing to see the crowdstrike debacle because you would, one would expect after so many years of rolling out client software and having the scars that we would have still been faced with an outage of that scale of magnitude.
C
But when you're doing your evaluation for software, how many people are asking if it's operating at ring zero and then bringing in.
A
They're not. Nobody is. No, they will now. But. Yeah.
C
Or what are your.
A
How do you roll out upgrades? Do you Big bang? Do you stagger them? Like, how are you.
C
We were N minus 1. Right. With the sensor, we were N minus 1. So we figured we're covered because we're looking at that piece of it. Not same thing with when semantic or whatever your endpoint agent of choice was before. We never questioned the impact of that definition. You could have.
A
That's right.
C
That's right.
A
All right, I've got to ask this question. This is the Risk Never Sleeps podcast. What's the riskiest thing you've ever done, Adam?
C
And the problem with that one is I'm so tame. I don't believe it. Everyone says that.
A
And then I hear these stories and I go, wait, that's pretty risky.
C
Risky. Okay. I don't know if this qualifies as risky. I'll tell it anyways. Getting drunk on stage during a play and then taking a bow and almost falling off stage, I think that's just stupid. Behind it. He made me do it.
A
Okay. Who made you do it?
C
The stage crew. Oh, they did.
A
Oh, Were you part of the theater group or.
C
Yeah, I was part of a theater.
A
Oh, awesome.
C
We were doing a series of one act plays.
A
Oh, cool.
C
One that I was in. It starts off with me and my father sitting at like a kitchen table sharing a bottle of wine, talking about my relationship, problems with My wife. And then halfway through, the lights go down on us. And it's dim. You can still. And we would pantomime talking. And then the scene moves over to my wife and my mother talking.
A
Her side having the same type of conversation.
C
So the last night of the show, we go to. To drink our wine. And it's actual wine. They gave us a bottle.
A
Oh.
C
And so the lights come down. They're like. We're in the middle of the scene and we realize. And we got to hide it. But as soon as the lights come down, I say to my partner on that, we're finishing this bottle. So we're just downing a glass after glass because we've only got a few minutes while the other half of the sea.
A
Oh, no.
C
Downing this. And I thought it was fine. And we were the last of. I think we were the last one. So right after that was curtain calls. And that almost did not go well.
A
Almost a little bit of a mosh pit stage dive. Nice. That's pretty risky. I guess. Not so much stupid. I'm glad you told the story best.
C
I got him. Sorry. Never.
A
No white water raft. You worked at a nuke sub, right? Didn't you work in the warfare?
C
Didn't get to go out. I went on a couple subs for configuration. I almost had to get flown out to one that was at sea and having technical issues.
A
They must airlift you. Right. Drop you down.
C
Yeah, that's pretty. But I did. But in the end, I didn't have to do it. They fixed the problem. But it would have been interesting. But at the same time, like, if they had to dive, I'm cut off for weeks or however.
A
Yeah, you're in a sub. Pretty risky.
C
It didn't pan out, so I don't have any good stories.
A
Well, that's pretty funny. That's good. All right. What I asked this. I'll ask you this question. You probably are steeped in the finer parts of culture, music and movies. What are your, let's see, desert Island Top 5 records or movies you'd bring with you?
C
I bring books. You can bring books?
A
Sure. Yeah. All right.
C
Ender's game.
A
Oh, okay. Now you're talking. My language.
C
Zen and the Art of Motorcycle.
A
Oh, Robert Persing. Beautiful.
C
I'd bring the Matrix.
A
Oh, how about Cryptonomicon?
C
That one I don't know.
A
Oh, that's. Oh, Neal Stephenson. You have to read that.
C
Okay.
A
That you're a cyber guy and.
C
Yeah, I know the Cuckoo's. Cuckoo's egg.
A
Oh, no. This is fantastic.
C
This is One of the.
A
Yeah, it's a historical novel. So if you like historical novels, they bring in these three time periods together and it's all. It's about cryptography.
C
All right.
A
I mean, it's a great. It's big, but it's a good book.
C
Okay. It'll keep you booted.
A
Yeah. Let me know what you think.
C
Okay.
A
Awesome. So no music.
C
Oh, I'm pretty Margaritaville, the Jimmy Buffett best of. But Ocean by John Butler, I don't know if you know that one. That's my Zen. That's my amp up music.
A
Oh, okay. Oh, I'll check it out. John Butler.
C
Yeah. Yeah.
A
Nice.
C
Ocean is the song.
A
Okay, cool. Any advice? Last question. Any advice to folks coming out of school? They want to break into cyber, they want to break into healthcare.
C
Dabble in a lot of things. Some of this is my bias, I think, coming in from that general technologist perspective where I've done programming, I've done active directory administration, I've done networking to a certain level, VMware administration, including site recovery and replication. All of those have contributed in some way to the. My contribution to security. Even the stuff that I'm not good at anymore or haven't kept up with just understanding the jargon, understanding the ecosystem, understanding some of those big picture challenges that the infrastructure people are dealing with on a daily basis, that I think has value. I think having that broad understanding and not just. I've done pen testing and coming through, just having done those kinds of tasks, but not understanding how it's going to interact with Active Directory or the other aspects. I think that broad view is very valuable. Yeah, I love that nowadays.
A
Yeah, it is. Yeah. I love that though. It's be a multiclass technical infrastructure and cybersecurity.
C
Yeah, no, it definitely comes in handy. You didn't used to have people that graduated cybersecurity. You did it and then you specialized. And I understand why we're moving away from that model because there's so much that's necessary, even if you don't have that as part of your formal training. Build the lab, play around.
A
Yeah, yeah, yeah. And that third dimension is that you brought it up earlier is understand the business and understand how to communicate to the business. Yeah. Which is great. All right. That's a great way to end. Adam, thank you very much. This is Ed Gaudette from the Risk Never Sleeps podcast. And if you're on the front lines protecting patient safety and delivering patient care, remember to stay vigilant because Risk never sleeps.
B
Thanks for listening to Risk never sleeps. For the show, notes, resources and more information and how to transform the protection of patient safety, visit us at senseinet. Com. That's C E N S I N E t dot com. I'm your host, Ed Gaudet. And until next time, stay vigilant because risk never sleeps.
Guest: Adam Rosen, CISO, Roswell Park Comprehensive Cancer Center
Host: Ed Gaudet
Date: October 10, 2024
In this episode, Ed Gaudet sits down with Adam Rosen, Chief Information Security Officer at Roswell Park Comprehensive Cancer Center, to explore the multidimensional challenges of risk management in a healthcare environment that is both clinically active and research-driven. Adam shares his career journey, strategies for involving business leaders in risk discussions, handling AI adoption and governance, and the critical lessons learned from real-world incidents that have shaped his approach to cybersecurity in healthcare.
Early Exposure to Computers:
Adam’s fascination with computers started young, influenced by his father, and evolved from programming on early devices like the Compucolor and Amiga to formal computer science education and an original ambition to create a game studio.
Transition to Cybersecurity:
His career path shifted in grad school with a project on user behavior analytics which, though less successful than expected, sparked his focus on security. This practical security journey continued through roles at the Naval Undersea Warfare Center and as an IT consultant focusing on small business and healthcare.
Entry to Roswell Park:
A chance succession led Adam to the CISO role at Roswell Park, progressing from security engineer to his current strategic leadership position.
Quote:
"I've always been into computers... got me into like basic programming and just fiddling and tinkering around. It was something I was always interested in."
— Adam Rosen (01:38)
Integrated Mission:
Roswell Park’s triple focus on clinical care, research, and education creates a landscape where diverse needs often compete, especially in IT security.
Balancing Research and Clinical Security:
Ensuring flexible access for researchers while maintaining strict control over patient health information (PHI) and securing the clinical environment is a unique challenge.
Quote:
"Balancing and enabling the researchers to be flexible and access the services they need while making sure that the phi is secure…the environment is secure, because patient care is number one."
— Adam Rosen (05:57)
Stakeholder Collaboration:
Security works closely with legal and privacy teams, vetting third parties and establishing strong contractual controls.
Beyond Contracts:
Adam emphasizes that BAAs and cyber insurance mitigate financial impacts but don’t address the core issue if patient privacy is breached.
Quote:
"From a patient privacy perspective, regardless of how much you're going to be reimbursed for it, the records are just as brief. You haven't protected the privacy."
— Adam Rosen (07:22)
Reframing Risk:
Adam shifted from technical descriptions of risk to collaborative, business-oriented risk conversations.
Mapping Technical to Business Risk:
Technical findings are linked to about 40 high-level business risks; dashboards visualize how security projects mitigate those risks.
Concrete Impact:
Using events like the Change Healthcare and Blackbaud breaches as examples helps communicate risk severity and likelihood.
Quote:
"My team is proficient in determining the likelihood… but we're not the best at determining the impact. And where it scales… So we've been bringing in the business very heavily."
— Adam Rosen (08:25)
Memorable Analogy:
"Instead of us doing a thumb in the earth… we've been bringing in the business very heavily… So that we're all talking the same language when we come back with risk."
— Adam Rosen (08:39)
Adoption and Caution:
Roswell Park is actively building best practices for AI, covering security, data quality, bias, and legal concerns.
Due Diligence and Unknowns:
Policies are emerging, and there’s recognition that known security practices only go so far with AI (e.g., model poisoning resistance).
Governance:
Adam notes a formal governance process for AI is "almost" in place — aligning with an industry-wide effort.
Quote:
"We're trying to create best practices around how to use it, and not just from a cyber perspective… data quality perspective, bias perspective, copyright and legal aspects…"
— Adam Rosen (12:47)
Alternative Path:
If not in security, Adam would pursue game programming, citing a love for solving technical puzzles and creative problem-solving.
Gaming Nostalgia:
Favorite games include Zelda 2, Duke Nukem, Descent, and early arcade classics like Tempest and Defender. Also a dedicated D&D wizard.
Quote:
"I missed some of the programming days from my earlier experiences. That was always very rewarding to face a puzzle and get to work it through to completion…"
— Adam Rosen (14:59)
Quote:
"Technically it's easy, but it's culture change… you're just… used to just being in control of it. You turn it on and make it work… but when you're dealing with that large organization… you gotta make sure that the supporting infrastructure is there."
— Adam Rosen (17:27)
Third Party Dependency:
Incidents like Kronos, Change Healthcare, and CrowdStrike underscore the interconnected vulnerability of healthcare IT.
Lesson:
It’s not enough to review only the obvious risks; even tools meant to protect (like CrowdStrike) can become sources of disruption.
Quote:
"The tool that you have to prevent outages, is the tool that created the outage… you just start having to look at everything with a different lens…"
— Adam Rosen (19:04)
On Taking Risks:
Adam shares a humorous story of getting drunk onstage in a theater production, highlighting his more measured approach to risk in professional life.
Almost Adventurous:
Details on nearly being airlifted to troubleshoot a submarine — averted, but illustrative of unique, odd risks faced in prior roles.
Books:
Music:
Well-Rounded Experience:
Adam advocates for broad exposure—programming, networking, administration, and more—to build a foundational understanding of the entire IT and security ecosystem.
Be Multiclassed:
Understanding the business and communicating risk effectively is as important as technical depth.
Quote:
"Dabble in a lot of things … That broad view is very valuable."
— Adam Rosen (24:54)
This episode is a must-listen for anyone navigating healthcare cybersecurity or aiming to understand why risk—and the strategies to manage it—never truly sleep.