
Loading summary
A
Foreign.
B
Welcome to Risk Never Sleeps where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudette.
A
Welcome to the Risk Never Sleeps podcast in which we learn about the people that are on the front lines protecting patient safety and delivering patient care. I'm Ed Gaundet, the host of the program and I'm in Vegas HIMSS 2026. And guess who I just ran into?
C
It could be me. Greg Garcia. Greg Garcia. Good to be, right?
A
Right? Executive director.
C
What's your title? It's the executive Director of the Cybersecurity Working Group of the Healthcare Sector Coordinating Council.
A
All right. And good friend.
C
How you been, man?
A
I just saw you the other night.
C
So we're just firing in all senators at the Cyber Working group.
A
It's.
C
But we're getting a huge amount of new members and new best practices and I just learned that Senseinet is implementing one of our best practices, the Sector Mapping and Risk toolkit. Yes, very cool. Thank you for doing that. You are showing affirmation of the hard work we've put into recognizing mapping systemic risk in the healthcare system.
A
Tell our listeners more about that. Okay, about smart.
C
Smart was our response to the Change Healthcare attack. And we saw that whoever heard of Change Healthcare before it happened and we recognize that Change Healthcare has a third of the healthcare market. And when they went dark, 130 million patients were impacted by it. They did not get care or they did not get their prescriptions. The doctors did not get reimbursed. And. And it was a mess. What are those other critical services, critical utilities or functions that the health system depends upon? Major workflows like retail pharmacy, like medical imaging, blood or blood supply and distribution.
A
Right.
C
What are all of those workflows that depend on critical services and utilities? And what's the relative risk of those functions and utilities? We better map that out. We mapped out 17 workflows like the ones we just mentioned and try to pinpoint where are the weak points. What are those service providers that might not have good cybersecurity? The choke points? They're a choke point because they don't have good cybersecurity. They're a choke point because there's too much consolidation. They go down, everybody goes down. They're a choke point if they're located geographically in maybe a less stable country. Data center somewhere in Southeast Asia.
A
Not just cyber related risk. It could be operational risk, it could be geopolitical risk, it could be contract risk where we've signed exclusivity Clauses, which is what we found out from the change healthcare experience. And there were no alternatives that were actually built into the continuity plans.
C
Interesting. I didn't think about like those contract risks.
A
Yeah.
C
And so if you. The maps are literally like a board game.
A
Yeah.
C
It starts with the patient over here and data and services are winding their way from the beginning of the workflow to the end. And if something was gets severed along that pathway.
A
Yeah.
C
Whether it's contract. A contract or liability problems, a cyber attack or some kind of a glitch, we need to be aware of that. Yes. And we can't always control. No one can control change health because of their size. We don't have leverage, but at least we can plan for it. And in some cases you've got a third party provider that you know is not up to snuff. Get somebody else. Yeah, that's the process. Either manage what you know you can manage or find those backups and be prepared in case something goes down.
A
Yeah. They're like recipes for resiliency.
C
Yeah, yeah.
A
Which is really so critical in health care. And. And it really helps people focus on the risk that matters versus trying to boil the ocean across all the vendors and all the products and all the services.
C
And as we know, risk never sleeps.
A
It never does sleep. Thank you, Greg. It doesn't sleep. Yeah. Yeah. And as you pointed out, Sensenet added support. We had been through two versions of support. The new release product actually allows users to use like a mapping tool so they can visually set up the critical functions and map their vendors and products to those critical functions and connect their continuity and resiliency plans with those as well. So they have a full lifecycle view based on the smart maps of where risk sits across all business processes and more important, across all critical functions.
C
Yep. Well, and I'm excited today. On Tuesday 10th this afternoon, Eric Decker, our former chair, Samantha Jocks, our current vice chair and the co lead of the Smart tool, can be doing a presentation about and how Intermountain Healthcare has implemented it. That's just very exciting for me. And it's not just that Senseinet doing smart, but we were seeing that there are other vendors and technology solutions and consultancies that are likewise looking at many of our 35 best practices applications that we've done over the past few years, whether it's the medical device joint security plan or the health industry cyber practices called hiccup Model contract.
A
Yeah. How hic. Scrim.
C
The supply chain Scrimshaw. Yes. We like our acronyms. They are obnoxious but memorable. Hickscrim is the supply chain risk management.
A
That's right.
C
And we're looking to our consultancies to say how do you take these best practices off of PDF, which is the format that they're in now.
A
Yeah.
C
And actually turn it into a software program or a service, an AI tool.
A
Yeah. Bring it to life.
C
Bring it to life so that the people who need it, the hospitals, the medical device companies, the pharma companies, they can actually embed it into their systems. It's into some kind of er, plan and actually put it to use.
A
Yeah.
C
Rubber meets the road. So that's what is really exciting for me for the cyber working Group, that we're getting that recognition and you guys are able to monetize it.
A
Yes.
C
It's a win, win.
A
Yeah. Now as part of the Health Sector Coordinating Council we're also working on some new AI documentation and best practices and reference guides for the industry. Want to talk a little bit about that?
C
Yeah. We started the Artificial Intelligence Task Group, Cybersecurity Task Group more than a year, about a year and a half ago now and just recognized how complex an issue it is and we better take it in bites. And so we broke it out into five bites in subgroups and you're co leading one of those and we're about to see the fruits of your labor in the governance or I do too.
A
I do, I do. Third party risk and governance.
C
So that you just mentioned two of them. So we broke out into first the education subgroup which is. What's the terminology? What's the nomenclature we all ought to be using? You can have five different definitions for
A
the same this awesome glossary.
C
One glossary, that's number one. Number two is going to be second out of the gate is going to be the third party. Risk. Yes, that's self explanatory. The third one is going to be governance. And then it's a race to the finish for the last two subgroups. Either threat, operations and response happens when it does go south. And Secure by design.
A
Yeah, I love that one. Secure by design.
C
And Secure by design is going to in part refer back to one of our earlier publications, the Medical Device Joint Security Plan, which is how does a medtech company design and build and test cybersecurity into their medical devices from the ground up. It's called a joint security plan because it's not the medtech companies alone deciding this. It is the major healthcare providers who are saying this is what we expect from you and this will be our responsibility for architecting it. And so on. But it's a joint security plan, so the AI component needs to be built into that tool now, because Joint Security Plan was written originally, and it was published originally in 2019, updated in 2023, before AI became the Jubernaut that is now.
A
And quantum computing is also an area that we're starting to post.
C
Quantum computing just got kicked off.
A
Nice.
C
It's a massive undertaking and another one that's just getting started. Pretty technical, but when you realize the ubiquity of the difficulty that the complexity and the cost is. Segmentation and isolation.
A
Yeah.
C
How sexy is that? I just like to say segmentation and isolation.
A
You bring sex back to that. Oh, yeah.
C
Back to segmentation. Sex mentation.
A
Yeah, Making segmentation.
C
So that will get started fairly soon. He started up a couple of new task groups in addition. Workforce development. Yeah. And policy. And one thing about the Sector Coordinating Council is for listeners who don't know, the Sector Coordinating Council is an official advisory council to the government. And that means that the government is supposed to listen to us and not just work on some of the operational challenges we have, but also the policy. We are here in part to advise the government on what they ought to be doing in terms of policy, programs, regulation that will help us, that will facilitate the achievement of our cybersecurity of Jaggers.
A
Nice segue into landscape Analysis.
C
Landscape analysis, version 2. We did landscape analysis back in 2022, 23, which simply gathered a lot of data from different sources. Sense the next or that to say, how are we. How are the hospitals getting beat? What are those cybersecurity threats and vulnerabilities that are most frequently, most easily exploited for a successful cyber attack. And how are the hospitals prepared to deal with it? And so that first publication came out in partnership with hhs because HHS was under the gun to impose more regulations on the health care systems. But they smartly wanted to say, time out. What do we want to regulate? We don't just regulate. Let's do surgical regulation, shall we? Let's do something that's going to be most effective, not be counterproductive. And so the landscape analysis informed what ultimately became the cyber performance goal.
A
CPGs.
C
CPGs. So HHS, I know, wants to start updating the CPGs because they're two, three years old now. And to do that, we're going back on a landscape version too. So how have things changed such that the CPGs might need to be refined, tweaked a bit and they remain voluntary? Maybe they will become, or some of them will Become mandatory at some point
A
soon, maybe into hipaa.
C
Could be.
A
So, yeah. Any other updates on the landscape, on the regulatory landscape?
C
We're all sitting with bated breath about the HIPAA security. Nprm, the nose of proposed rulemaking, which came out at the beginning of January. We recommended as part of our policy responsibility that. Can we just put that proposed rule aside? It got nothing but hate mail from the community in the public comment period. How about if we sit down with the administration and negotiate what constitutes good, comprehensive cybersecurity rules for the health sector? By comprehensive, I mean it's not all on the shoulders of the health providers. There's medtech companies involved, there's the health IT companies.
A
It's an ecosystem.
C
It is an ecosystem. So how do we regulate? Create rules that will respect that interconnectedness? Yeah, and let's negotiate that. And by the way, government, we have an entire library of best practices, 35 of them we've published since 2019 in the Cyber Working Group. These can serve as the foundation to inform what constitutes good practices. And we can raise our hand as the industry and say, yes, we can be held accountable in mandatory rules for these, this set of practices. Because we said in our publication, this is what we already do. Yeah, you can tell us, we're going to hold you accountable to it. But these practices over here.
A
Yeah.
C
They should remain voluntary and also make
A
it sustainable because if you can't sustain it, it doesn't really matter.
C
And if you can't put everybody on an even plane. Yes, it doesn't matter because then you've got your weak link.
A
Yes.
C
So, and, and we want to be able to have some foundational rules that are required, must haves. But then you need a certain amount of flexibility in a voluntary framework so that we can evolve the way AI is evolving at a rapid pace. So it's exciting.
A
So that is.
C
That's a major regulatory issue. And then finally last week, the White House released its national cybersecurity strategy. It seems to have been watered down somewhat since the draft that I saw back in December. Really, a lot of you could call it vague or meaningless terminology. And maybe that's a good thing because then we can read into it.
A
Yeah, fill in the gaps.
C
Fill in the gaps. Define what we mean by regulatory rationalization or what, whatever. One of their pillars are working with the critical infrastructure industries. What does working with mean?
A
Yeah.
C
The White House has been clear that they want to work with us, particularly on rural healthcare, cybersecurity. Okay, what does that mean?
A
Yeah.
C
What initiatives can we embark upon together that they can leverage infrastructure that the sector coordinating counselor does and that we can use the bully pulpit of the White House to bring greater resources and mutual assistance communities. Yeah, make it more affordable, make it more affordable, make it more accessible. We have four key pillars in our cyber Security strategic plan and the Sector Coordinating Council, which is workforce, which is innovations, Community. The fourth one I'm going to come up with. You know you've been doing this a long time. Yes.
A
How long you been at this?
C
Oh, and policies.
A
Oh, policy.
C
Yeah, Workforce, community policy.
A
When did you start this journey?
C
16, 17, 2017. Brought on in the fall and I was looking back on it and I spent the first few months getting to know the community, the major trade groups, the influencers. And it was in April of 2018 or February of 2018 that we had our first organizing meeting of the Cybersecurity working group. About 80 organizations showed up in Washington D.C. and with the government to lay down, what are our priorities? We had the. We had the benefit, the luxury of a seminal report called the Healthcare Industry Cybersecurity Task Force Task Force Report that, that laid it out already. This was published in June of 2017. We said, okay, that's it. That's our compass. How do we implement that? So we organized ourselves into a task group structure that would implement those 200 plus recommendations that the task force report came up with. And as we've evolved over the years in actually delivering on those recommendations, we in 2024 updated that task force report with our own cybersecurity strategic plan of 2024. And so all of our work right now is focused on implementing those 12 strategic objectives that are part of that plan. And we've grown from 50 organizations in 2018 to 450 now.
A
400.
C
Hayden, how many members now overall there are of the organizations? There are 480 organizations. About two dozen of those are government agencies, federal, state and local. And there's probably about 1100 people. 1100 people representing those. We have 10 active task groups right now. We have stood up 37 task groups in total over the course of these eight years.
A
And next month we have an all hands meeting. All hands across.
C
All hands across America. America. There we go. Yes. We will have eight locations in four time zones.
A
Incredible.
C
Posting in person sessions.
A
What's the anchor, what's the anchor city for this?
C
Washington.
A
Oh, it is. Okay.
C
HHS will in their great hall.
A
Great.
C
And so they will be the main switchboard. And so you think of four time zones. What period of time can we all be Together or resume. That's 11am to 5pm Eastern time. So when we adjourn in Washington D.C. at 5pm Stanford Children's Hospital in California is. Still goes from 2pm to 3. 5pm Nice. So it's, it's a way for us to spread our footprint across the country, attract those members who otherwise don't have travel budget.
A
Yeah.
C
They can get in their car and drive two hours if they have the time. We'll still have the virtual version. So we'll expect last year's All Hands Across America. I think we had about 450 people.
A
Wow. That's incredible.
C
So not like what, the 50,000 that appear at HIMS.
B
Yeah. Yeah.
A
Pretty big. HIMS is bigger than five.
C
I find myself swimming upstream.
A
Incredible, isn't it?
C
Walking in circles.
A
It's incredible. Can we do some rapid fire about you? Let you in the background here? Okay. All right. If you weren't doing this job, what would you be doing?
C
Professional golf's your competitor.
A
Really?
C
Yes.
A
Do you still golf?
C
I don't have enough time for it. I.
A
What was your handicap? Oh, you were scratch golf.
B
Scratch, yeah.
C
I was competitive college golfer after my sophomore. I didn't know that. After my sophomore I was at UC Santa Barbara for my first two years. I was on the golf team. They were not a highly competitive golf team and I was not a highly competitive golfer because I took school seriously too.
A
Yeah.
C
Okay, timeout. I'll take a year off. And worked on my golf game, lived at home, worked on a golf course, played in a golf tournament every weekend to try to hone my game so then I could transfer to San Jose State University, which was a nationally ranked golf team at the time.
A
Yeah.
C
So that you use that as a springboard. That's how you become a professional golfer. Usually it's the high competitive collegiate golf, but by the end of those 15 months off, I realized I didn't have the right stuff. Very mental, you know. I've golfed like a machine, like many other players, very repeatable. But what goes on between the two ears.
A
Yeah.
C
Is how you win.
A
So true.
C
So I didn't have it, but I gave it my best shot. And so then I could go back to school with a good conscience that I tried and concentrate on my. My studies and on my career. And so that's. That's what I would be doing.
A
Looking forward as you think about your next chapter. What would you be doing when you eventually retire?
C
It's no secret to most, although I was sorry and surprised when I told you the Other day. And you told, oh, we're going to
A
announce it on the. On the. On the podcast for the world.
C
Yes, we're. It is happening. It's happening. It's happening. And you said, what am I going to be doing? Oh, I will retire at the end of.
A
Folks. He's pulling up his phone and looking at a list of things. My God.
C
Not that I'm looking forward to this, folks. I love what I'm doing. I'm at the top of my game. Seriously.
A
Is there a date? Work?
C
July, January 1st, December 31st. I'm 26. The end of this year.
A
Oh, December. Oh, right.
C
At the end of this year. 2026. I will be. I will be done.
A
You're almost a decade in this role.
C
Yeah, it will have been nine years. And honestly, this is. I've been in the financial services sector. I've been in the IT sector. I have been a presidential appointee at the US Department of Homeland Security. I've been in the United States Congress.
A
All right, knock it off.
C
Now, nothing. Nothing has brought me as much satisfaction, sense of national pride and accomplishment. I've been an entrepreneur, in effect, even within the government. I was not entrepreneur because I was starting up a whole new office.
A
Yeah.
C
Which became cisa. And so I've always had this desire to make things, to build something. But having been a part of building the Cybersecurity Working Group of the Sector Council is really the most rewarding of my career.
A
Yeah.
C
And I think it has. It has received some recognition, and I'm proud of that. And so why not go out on a high note? I am getting older, and I'm getting slower, and my powers of multitasking are not what they used to be.
A
And we have tools for that. There's this thing called AI you could start using.
C
My partner, the wonderful Alison Burke. We have a wonderful relationship. And this is one of those moments where she tells me something. I didn't know that, Greg. Yes, you did. We talked about it two days ago.
A
Shout out to Alison Burt.
C
Oh, Allison.
A
She holds it together.
C
She does. Yeah. And she holds me together.
A
I just text her saying, I'm at hims. I won't make the governance meeting.
C
She's.
A
I'm so bad the last couple of weeks.
C
Oh, she can handle it. She can handle it. She is my so good. She is my Zen. But. Okay, here's what I want to do.
A
Okay, this is.
C
I'm gonna. I'm not gonna read the whole list.
A
All right?
C
These are things that I love already. I have so much to retire.
A
Okay, let's go.
B
Okay.
C
I'm a classical guitarist and I want to get better at that. And I want to be able to perform. I. I want to get voice lessons because my steel string wants to play songs.
A
Wow.
C
So I play songs. But my acceptable voice range is very.
A
Okay.
C
So I'm gonna get voice.
A
Leonard Cohen.
C
Yeah.
A
Tom Waits. Come on, you could do this.
C
I can do Leonard Cohen.
A
Weights too.
C
Like singing like a farting goose. That's what they sound like. Yes. I can do that.
A
Okay.
C
Okay. Photography. I'm a decent photographer, so I want to expand on that and I want to.
A
Nice. Yes.
C
Be shown and do sign. Sign language immersion. My. I have a deaf niece. I love her dearly and my sign language is rudimentary at best. So I want to be able to communicate her as she reaches adulthood and we can have real conversations. I love to cook. I'm going to for the family every week. Find a new international recipe and do that. I'm a cyclist, so I used to race. I was on a racing team. I don't know at 65 if I should get in the saddle and race against 50 others.
A
Yeah.
C
In a pellet.
A
Well, you still have 10 years till then, so.
C
Yeah, wouldn't that be nice? But my prime, I was riding about 3 to 4,000 miles a year. So I want to get back to that.
A
Nice.
C
I want to get back to my golf. I had a coach, I had a good golf coach a few years ago right after the pandemic, and I. And he said, well, what's your goal? My goal is to qualify for the US Senior Amateur. Not to win.
A
Yeah.
C
Not to place.
A
Nice.
C
I just want to qualify. I love that. My wife is an up and coming potter, a wood fire potter. She's amazing. She has. She retired from a career in journalism and tank management. And her name of her book, the name of her book in 2007 was over treated how Too Much Health Care Is Making Us Sicker and Poorer. And she had a lot of years building on that foundation, on that messaging. But then she retired. Coming from a family of artists, a major sculptor, father in Honolulu, brothers who are very skilled, she discovered pottery. One thing many artists really suck at is self promotion. And I'm not very good at self promotion, but I'm very good at promoting others.
A
Yeah.
C
So I'm going to be her chief marketing officer.
A
Dude, that's awesome.
C
Yeah, look at that.
A
I love that. I love that.
C
And then after that, it's just a lot of, you know, projects.
A
You're not going to have any time to. Dude, there's no time.
C
I want to. I also. I want to volunteer for the needy. Washington D.C. has a homeless problem. And. Yeah, I might even become a D.C. tour guide. And for tourists, because I've been here all my life.
A
Oh, I would go on your tour.
C
I am also an actor. I do community theater. And the thing about. I can't promise anybody to do more plays because you do an art. I have to be. I have to be cast. Right?
A
Yeah.
C
So here's someone who's becoming a grandfather figure. And he's bald now. How many directors. How many parts are there that look like me?
A
So that's it.
C
What, Grandpa?
A
Just write that screenplay.
C
There you go.
A
Right.
C
I might learn how to write, because I'm going to write. I'm going to write my memoir.
A
Yeah, you.
C
And I enjoy. You and I enjoy poetry. We do. I am going to write poetry. Or poetry.
A
Oh, I love that.
C
The moth. Have you heard of the Moth? It's a storytelling community.
A
No, I don't know. The moth. It's.
C
It's a combination of learning how to do storytelling.
A
I love that word. The moth.
C
The moth. I don't know why I love Mothman prophecy, but you can listen to them. I think there's a moth podcast, so you check that out to people telling stories. You get five minutes to tell a story.
A
Oh, I have so many stories.
C
And you do.
A
I don't think you can tell a
C
story in five minutes.
A
That would be a challenge for you.
C
For me, it takes me five minutes just to clear my voice.
A
That's what I love about you, man. I love that. Oh, that'll be interesting to learn how to do that. Yeah. All right, I'll check that out. Yeah, I'll check that out.
C
How to structure a story.
A
Yeah. In five minutes or less.
C
Or it could have been seven. Yeah, but you have competitions. Yeah, it's cool. Like poetry slams and people. Yeah. Open mic and do a story.
A
Nice. Always a pleasure to connect with you. I'm so glad I ran into you again.
C
Yes. I was just walking by, and here we are in this massive. This seething mass of turgid humanity, and
A
you were circling a bit, and I thought you looked lost, so I was.
C
I am lost all day long.
A
It's like going back to your earlier comment. Yeah. Edgarta from the Risk Never Sleeps podcast. If you're on the front lines protecting patient safety, remember to stay vigilant, because Risk never sleeps.
B
Thanks for listening to Risk Never Sleeps for the show. Notes, resources, and more information and how to transform the protection of patient safety. Visit us@SenseInet.com that's C-E N S I N E T dot com. I'm your host, Ed Gaudet. And until next time, stay vigilant, because risk never sleeps.
Host: Ed Gaudet
Guest: Greg Garcia, Executive Director, Cybersecurity Working Group, Healthcare Sector Coordinating Council
Date: June 25, 2026
In this episode, recorded live at HIMSS 2026 in Las Vegas, Ed Gaudet sits down with Greg Garcia to discuss the state of healthcare cybersecurity in the wake of the Change Healthcare attack. Greg reflects on systemic risks, industry best practices, evolving regulatory requirements, and offers a behind-the-scenes look at the momentum and impact of the Healthcare Sector Coordinating Council’s Cybersecurity Working Group. The conversation spans from crisis-driven innovation to personal reflections on leadership and service.
“Whoever heard of Change Healthcare before it happened? ...130 million patients were impacted. They did not get care, or they did not get their prescriptions. The doctors did not get reimbursed. It was a mess.” – Greg Garcia (01:22)
Developed in response to the attack, SMART maps out critical healthcare workflows and the utilities they depend on—pharmacy, medical imaging, blood supplies, etc.
The toolkit identifies risk not just from cyber threats but from operational, geopolitical, and contract risks, such as exclusivity clauses limiting options during outages.
“We mapped out 17 workflows...and try to pinpoint where are the weak points? What are those service providers that might not have good cybersecurity?” – Greg Garcia (02:03)
SMART maps function like a board game, visually tracking data, services, and potential breakpoints along care pathways.
The approach shifts focus from “boiling the ocean” (managing all risks at once) to prioritizing what matters most:
“They’re like recipes for resiliency… It really helps people focus on the risk that matters versus trying to boil the ocean across all the vendors and all the products.” – Ed Gaudet (03:50)
Censinet’s platform is cited as an example of embedding SMART maps for holistic, lifecycle-based risk management.
“How do you take these best practices off of PDF… and actually turn it into a software program, or a service, or an AI tool?” – Greg Garcia (05:36)
The AI Task Group is tackling complexity in manageable “bites”, covering education, third-party risk, governance, threat operations & response, and secure-by-design.
“We better take it in bites… we broke it out into five bites in subgroups...” – Greg Garcia (06:29)
“Secure by design is going to in part refer back to our earlier publication, the Medical Device Joint Security Plan...” – Greg Garcia (07:33)
Joint efforts to update frameworks and controls for the AI and quantum computing age.
“The White House has been clear that they want to work with us, particularly on rural healthcare cybersecurity. Okay, what does that mean?” – Greg Garcia (13:38)
“Having been a part of building the Cybersecurity Working Group of the Sector Council is really the most rewarding of my career.” – Greg Garcia (20:23)
“I want to volunteer for the needy… might even become a D.C. tour guide… I am also an actor. I do community theater… I’m going to write my memoir.” – Greg Garcia (24:01–24:38)
On systemic risk and resilience:
“No one can control Change Healthcare because of their size...but at least we can plan for it.” – Greg Garcia (03:20)
On embedding best practices:
“Rubber meets the road. So that’s what is really exciting for me for the cyber working group, that we’re getting that recognition and you guys are able to monetize it. It’s a win-win.” – Greg Garcia (06:06)
On responsible, responsive regulation:
“Let’s do surgical regulation, shall we? Let’s do something that’s going to be most effective, not be counterproductive.” – Greg Garcia (10:02)
On the sector’s growth and mission:
“We have 10 active task groups right now. We have stood up 37 task groups in total over the course of these eight years.” – Greg Garcia (16:19)
Personal note:
“I was a competitive college golfer...by the end of those 15 months off, I realized I didn’t have the right stuff. Very mental, you know. ...But what goes on between the two ears is how you win.” – Greg Garcia (18:01–18:51)
| Timestamp | Segment / Topic | |-----------|---------------------------------------------------------------------| | 01:22 | The Change Healthcare cyberattack: scale and impact | | 02:03 | Mapping critical healthcare workflows for risk | | 03:06 | How SMART maps visualize data, services, and breakpoints | | 03:50 | Focus on resiliency versus “boiling the ocean” risk management | | 05:36 | Moving best practices beyond static documents to actionable tools | | 06:29 | AI task group structure and deliverables | | 07:33 | Secure-by-design in medical device security | | 09:39 | Landscape Analysis Version 2 and regulatory needs | | 10:37 | Cyber Performance Goals (CPGs) and policy implications | | 13:03 | Evolving regulatory frameworks and White House initiatives | | 16:04 | Growth of the Council: scope and impact | | 18:02–20:36| Greg’s background, leadership reflections, and retirement plans | | 21:37–24:48| Greg’s future goals and creative pursuits after his Council tenure |
For more resources: Visit www.censinet.com
Risk Never Sleeps. Stay vigilant.