Risk Never Sleeps Podcast – Episode #98
Tackling Cyber Threats in Healthcare: Essential Strategies for Protecting Patient Care
Host: Ed Gaudet (CEO & Founder, Censinet)
Guest: Chad Holmes (Product Evangelist, Cynerio)
Release Date: September 19, 2024
Main Theme / Purpose
This episode dives deep into the vital and rapidly evolving landscape of healthcare cybersecurity, emphasizing the strategies, challenges, and technologies necessary to protect patient safety in increasingly digital healthcare environments. Ed Gaudet sits down with Chad Holmes to discuss the realities of systemic cyber threats, the impact of major incidents (like the CrowdStrike event), and actionable approaches for healthcare organizations to manage escalating risks—especially in environments where resources are thin and stakes are high.
Key Discussion Points & Insights
Chad’s Background and Industry Perspective
- Chad shares his path to healthcare cybersecurity
  - From software development to security testing, training, and now product evangelism with Cynerio.
  - Focus at Cynerio: Healthcare cybersecurity, especially IoMT, IoT, OT, and network detection.
  - "My background is in software development, and that kind of graduated me up to security testing and now working with product and research at Cynerio." (00:57, Chad)
- On why healthcare is behind other industries
  - Chad compares the current healthcare security landscape to what other industries experienced 15–20 years ago.
  - Calls out the need to apply learning from other sectors—like card payment industry data breaches—to healthcare.
CrowdStrike Event Analysis & Patient Impact
- Implications of CrowdStrike’s Outage (Operational, Not a Cyberattack)
  - CrowdStrike’s recent operational incident had modest direct impact on healthcare, because:
    - Many devices can’t support EDR/XDR solutions.
    - About half of healthcare environments use bespoke (non-Windows) operating systems—meaning protection methods like EDR aren’t applicable.
  - If EDR were installed on life-critical medical devices, outages could have resulted in direct patient deaths.
  - "Imagine if every IV pump in the world, or even just a fraction of them, had CrowdStrike on them. We would have seen mass patient casualties." (04:24, Chad)
- On “Deaths” from Cyberattacks:
  - Direct harm is less common than indirect harm—care delays, canceled surgeries/appointments, and system outages cause increased mortality rates.
  - Cites a Michigan Medicare study revealing a 35% increase in mortality in certain cohorts due to operational disruptions.
  - "We need to start thinking this about impacted patient care, not direct for us, their lives, because that's what's really killing people and impacting their care." (05:27, Chad)
  - Highlights “ripple effect”: when one hospital is hit, neighboring facilities are overwhelmed, multiplying risk.
Top Priorities for Healthcare Security (Next 12–24 Months)
- Chad’s Three Priorities for Healthcare Security
  - Helping healthcare organizations manage current, real risks with attainable technologies.
  - Making advanced protections (like device identification & microsegmentation) more accessible and easier to adopt, especially for understaffed environments.
  - Network Detection & Response (NDR): Stop attack replication as a short-term defense while building long-term strategies.
  - "The number one priority is helping healthcare learn how they can handle the risk they're seeing today...identifying technologies that they can adopt today to stop the attack replication." (07:25, Chad)
- Challenges with Data Overload & False Positives
  - Cynerio processes 22 petabytes of data/month, but healthcare teams can’t sift through that volume.
  - Their system filters incidents down to a handful of actionable threats, supported by a live analyst team.
  - "The three IT folks in a hospital do not have the time to do that. So what we add... is additional analysis...to find the two or three valid attacks each month..." (09:36, Chad)
Detection Strategies & Unique Healthcare Challenges
- Encryption (or Lack Thereof) in Healthcare Networks
  - Most healthcare network traffic is unencrypted, allowing for deeper packet inspection but also representing a risk.
  - Cynerio blends signature-based and behavioral approaches, leveraging knowledge of 160+ healthcare-specific protocols.
  - "Most healthcare networks do not encrypt the data. Right. 99 point whatever percent...so we're actually doing deep packet inspection." (10:32, Chad)
AI in Healthcare Cybersecurity
- AI Applications in Cynerio’s Products
  - Streamlining reports (e.g., “show me all IV pumps in site A”).
  - Enhancing incident analysis via trained models.
  - Accelerating marketing and content creation.
- Chad cautions against hype and encourages skepticism:
  - "Anyone that says they know everything about AI and ML and exactly how they're using it is not true." (12:43, Chad)
Notable Quotes & Memorable Moments
- On the Shift from “Lizard Brain” to Real Impact:
  - "We have to really educate the market about how patients are impacted by these attacks in reality. And the reality is we need to stop thinking with the lizard brain, the scary part." (05:27, Chad)
- On Industry Staffing Challenges:
  - "They hire them, they quickly go to Google or Facebook...because they pay so much more." (07:43, Chad)
  - Acknowledges the retention crisis in healthcare IT security.
- Ed’s Reflection on Career Pivots:
  - "My father pulled me aside...‘Your mother and I, we want to talk to you. We're really concerned about your ability to hold a job.’...This is tech. It’s very different." (17:05, Ed)
  - Laughter over generational differences in job expectations.
Rapid-Fire & Personal Insights
- Chad's Passions Outside Work
  - Avid hiker—completed major hikes in New Hampshire and Utah.
  - "Anyone watching this that knows me just is screaming hiking right now." (14:54, Chad)
- Riskiest Thing He’s Ever Done
  - Finished the NH 48 4,000-footers in winter, facing dangerous conditions.
  - "You never want to be in that point, I promise you...I reevaluated a lot after that." (17:46, Chad)
- Desert Island Picks
  - Book: Bill Bryson’s A Walk in the Woods
  - Music: Ben Folds retrospective & AJR’s The Click
  - Movies: Prefers documentaries; “Moneyball” is a go-to (21:23+)
- Hardest Career Lesson
  - "The ability to influence people is so incredibly valuable. And a lot of technical folks miss that...that’s 90% of the battle." (21:51, Chad)
- Advice to New Entrants
  - For cyber: Get practical skills (cyber ranges, SANS), not just theoretical education.
  - For healthcare: Passion for patient impact is essential due to higher frustrations and lower pay versus other industries.
  - "Know you better have a really good passion for helping people because there's a lot of other industries where you can make more money." (22:40, Chad)
Timestamped Highlights
| Topic / Quote | Speaker | Timestamp |
|---|---|---|
| Chad's path and Cynerio's focus | Chad | 00:57 |
| Impact of CrowdStrike outage on healthcare, potential for patient deaths | Chad | 04:24 |
| On indirect patient harm from cyber events ("lizard brain") | Chad | 05:27 |
| Ripple effect to surrounding hospitals after an attack | Chad | 07:00 |
| Top priorities for next two years: NDR and actionable protections | Chad | 07:25 |
| Data overload: "22 petabytes/month – half a million incidents – 2 or 3 real attacks" | Chad | 09:36 |
| Most healthcare traffic not encrypted, deep packet inspection advantages | Chad | 10:32 |
| AI use in security (and skepticism about AI hype) | Chad | 12:43 |
| Riskiest adventure: Completing NH 48 4,000-footers in winter | Chad | 17:46 |
| Biggest career lesson: Influence vs tech skills | Chad | 21:51 |
| Breaking in: "Get practical experience. Passion is essential for healthcare." | Chad | 22:40 |
Tone & Takeaways
Both Ed and Chad bring a candid, conversational, practical tone—mixing real-world experience with technical depth, humor, and personal anecdotes. The episode is especially valuable for healthcare leaders, cybersecurity practitioners, and newcomers looking to understand both strategic and day-to-day nuances of protecting digital healthcare environments.
Key Takeaways:
- Real patient harm from cyberattacks is more about healthcare disruption than cinematic sabotage.
- Solutions must fit resource constraints—make security practical, not idealized.
- AI and advanced analytics can help, but demand skepticism and human oversight.
- Long-term, sustainable improvement in healthcare security relies on tailored solutions, workforce retention, and strong mission alignment.
For more resources and insights about healthcare risk and patient safety, visit Censinet.
