Safe Mode Podcast Summary
Episode: What leaders can learn from the WEF's Cybersecurity Outlook
Date: February 5, 2026
Host: Greg Otto
Guests: Derek Johnson (Cyberscoop Reporter), Stephen Schmidt (Chief Security Officer, Amazon)
Episode Overview
This episode of the Safe Mode Podcast dives into two core topics: the privacy and legal implications of AI companies entering the healthcare space, and Amazon’s approach to large-scale identity management through its Midway tool. Host Greg Otto interviews Cyberscoop reporter Derek Johnson about privacy in healthcare AI tools before turning to an in-depth conversation with Amazon CSO Stephen Schmidt on how strong, universal identity standards can safeguard even the largest organizations.
AI in Healthcare: Legal and Privacy Gaps
Guest: Derek Johnson, Cyberscoop Reporter
Timestamps: 00:24–09:56
Key Discussion Points
- AI's Move into Healthcare:
Major AI firms (OpenAI, Anthropic, Google) have recently launched health-focused chatbot products (e.g., ChatGPT Health). - Data Security Concerns:
While technical risks (data leakage, prompt injection) are present, the most pressing issue is that your health data in these tools isn't protected by U.S. laws like HIPAA in the way your medical provider's records are. - HIPAA Applicability:
HIPAA (Health Insurance Portability and Accountability Act) mandates data security and breach notifications for "covered entities"—healthcare providers, insurers, and their associates—not for tech firms operating consumer-facing AI apps.- Derek Johnson:
"The lawyers and healthcare experts that we talked to said that these tech companies are almost certainly not covered under HIPAA." [03:36]
- Derek Johnson:
- Voluntary vs. Legal Protections:
Tech companies tout robust privacy, but these are enforced by terms of service, not federal law.- Derek Johnson:
"There's a difference between data protections that are backed by the force of law and data protections that are backed by a terms of service agreement." [04:23]
- Derek Johnson:
- Accountability Shift to Consumers:
OpenAI and Anthropic state they "support HIPAA compliance," but this is voluntary—they won't make formal statements of HIPAA compliance, putting the burden on users.- "It's really onto the user to make sure that they're doing everything to make sure that they're HIPAA compliant..." [06:28]
- Comparisons to Previous Incidents:
Parallels drawn to 23andMe, where consumer genetic data security relied on company promises rather than legal obligation, resulting in complications after a bankruptcy.- "When it came time when they went bankrupt...they had to negotiate a separate agreement to get that buyer to agree to treat their data..." [07:56]
- Consumer-Level Implications:
These health chatbots are being marketed directly to the public and will likely see mass adoption.- Greg Otto:
"This is definitely something that...affects individuals writ large." [09:02]
- Derek Johnson:
"Anecdotally, we all know people who Google their symptoms or they use ChatGPT to ask them about their symptoms." [09:35]
- Greg Otto:
Amazon’s Identity Architecture: The Midway Story
Guest: Stephen Schmidt, SVP & Chief Security Officer, Amazon
Timestamps: 13:12–36:10
The Fragmentation Problem in Identity
- Complexity in Large Enterprises:
As companies grow, so does identity fragmentation—different authentication methods, gaps in legacy/test systems, inconsistent standards.- Greg Otto: "There's just more, more, more, and it becomes weak links in the chain." [13:06]
- Adversary Tactics:
Attackers actively seek out these weak spots rather than tackling well-protected core systems.- Stephen Schmidt:
"Our adversaries understand the fragmentation problem...looking for that crack in the armor." [14:27]
- Stephen Schmidt:
Building Midway: Amazon’s Unified Authentication
- Why Centralize:
Universal authentication across all accounts—no exceptions for test, legacy, or production environments—is crucial for defense. - Key Enablers:
- Simplicity for Developers:
"One of the overriding goals for Midway from the beginning was the simplest thing that we can possibly do and make it the easiest for our builders to implement." [16:56]
- Executive Buy-in:
- Schmidt reports directly to the CEO:
"Andy, our CEO, views security as foundational to everything that we do..." [17:40]
- Schmidt reports directly to the CEO:
- Centralized Security Investment:
"We can go across the entire company...and say we are all going to go in this direction." [17:53]
- Simplicity for Developers:
- Technical Decisions:
- Use of U2F universal second factor security keys instead of OTPs or SMS (more phishing-resistant)
- "We chose U2F...rather than one time passwords or soft tokens...it gives you a strong cryptographic anchor." [19:52]
- All accounts, including test/personal use, are subject to the same high security bars
- Use of U2F universal second factor security keys instead of OTPs or SMS (more phishing-resistant)
Protecting Against Nation-State Threats
- Defending Against Advanced Attacks:
- Threats like Midnight Blizzard (APT29/Cozy Bear, Russia-affiliated) target infrastructure through password spraying and sophisticated phishing.
- "We have to be able to defend against the most sophisticated attackers on the planet..." [22:00]
- Passwords and SMS codes are outmoded—hardware tokens required.
- "Passwords...their time is gone. They're not really useful." [23:36]
- Threats like Midnight Blizzard (APT29/Cozy Bear, Russia-affiliated) target infrastructure through password spraying and sophisticated phishing.
- Case Study – Stopping Midnight Blizzard:
- Amazon modified Microsoft Entra ID (formerly Azure AD) authentication so that all logins pass through Midway.
- "Any login to our Entra ID environment had to go through Midway...when the Midnight Blizzard actor attempted to compromise accounts, they couldn't." [26:02]
- A rival major tech company was breached by the same attack due to a test account without strong auth, enabling escalation through trust relationships.
- Amazon modified Microsoft Entra ID (formerly Azure AD) authentication so that all logins pass through Midway.
Engineering & Governance for Secure, Rapid Development
- Automated Enforcement (Mechanisms):
- Tools not just identify, but enforce compliance and automatically revert risky changes.
- "We also built tooling to identify any situation where that path was not being followed...if someone has enabled password authentication...we can revert the change." [28:45]
- Automation is crucial for speed; waiting for SOC intervention is too slow.
- "It's gotta be a reaction that occurs automatically within a couple minutes to really protect you appropriately." [29:56]
- Tools not just identify, but enforce compliance and automatically revert risky changes.
- Developer Velocity:
- Security tooling must reduce friction for engineers, making the secure path also the fastest.
- "If Midway took an hour for a developer to implement originally, it's now down to less than 15 minutes...we've constantly filed off the sharp edges..." [31:08]
- Security tooling must reduce friction for engineers, making the secure path also the fastest.
- Business Case & Playbook:
- Centralized investment in security yields massive saved developer hours, justifying cost.
- "That money adds up fast at our size. So it makes financial sense to do the centralized investment as well." [32:01]
- Start with getting execs to understand the real threats. Security must act as enablers, not blockers.
- "Get the folks to understand what the threat is, that this threat is real, it's not theoretical. Dispassionately give examples..." [33:29]
- "Security teams can go one of two ways. They can either be people who are enablers or they can be people who say, no, don't do that. You've got to be an enabler here." [33:36]
- Regularly track and report the total developer hours costed by security procedures—and work to reduce it iteratively.
- Centralized investment in security yields massive saved developer hours, justifying cost.
Notable Quotes & Moments
-
On Law vs. Trust in Data Protection:
"There's a difference between data protections that are backed by the force of law and data protections that are backed by a terms of service agreement."
Derek Johnson [04:23] -
On Simplicity and Adoption:
"It’s harder to do the wrong thing than it is to do the right thing."
Stephen Schmidt [17:20] -
On Adversarial Tactics:
"Attackers look for the chink in the armor...places to get a foothold."
Stephen Schmidt [14:31] -
On Automated Security Enforcement:
"If the state is not present, it alarms and it reverts so that we automatically protect ourselves...hours is forever. You're done."
Stephen Schmidt [29:34] -
On Security’s Business Value:
"Security, if done right, can be an accelerant for your business. Turn it into that positive, turn it into something that people want to embrace."
Stephen Schmidt [35:58]
Key Takeaways for Leaders
- Healthcare AI platforms are not held to HIPAA standards—privacy promises rest on goodwill and terms of service, not enforceable law.
- Identity management must be universal, simple, and enforced automatically; exceptions anywhere can sink the security of even the strongest organizations.
- Security must enable development, not hinder it—make secure paths the fastest, invest in developer experience, and build business cases around productivity as well as protection.
- Executive sponsorship and organizational willpower are as crucial as technology in evolving security practices at scale.
- Automation is key—automatically detect and fix exceptions, aiming for reactions within minutes, not hours.
- Security leaders must educate, measure, and iterate—communicate real threats, measure friction, reduce it, and keep improving.
This episode blends technical and organizational wisdom on modern security, making it essential listening for enterprise leaders navigating both the evolving AI landscape and internal identity challenges.