Podcast Summary
Podcast: To The Point - Cybersecurity
Episode: How AI and Third Party Risk Are Transforming Healthcare Cybersecurity with Ed Gaudet
Release Date: September 30, 2025
Host(s): Rachael Lyon & Jonathan Knepher
Guest: Ed Gaudet (CEO & Founder of Senseinet)
Episode Overview
This episode explores the evolving landscape of healthcare cybersecurity, focusing on how artificial intelligence (AI) and third-party risk are dramatically reshaping security challenges and strategies. Ed Gaudet, with extensive experience in disruptive technologies and healthcare, shares insights on the convergence of technology, regulation, and real-world risk in medical environments. Key topics include the impact of AI, the shifting importance of response and recovery, the criticality of inventory and risk prioritization, and the unique risks posed by medical devices and shadow IT.
Key Discussion Points & Insights
1. Third Party Risk in Healthcare: Complexity & Scope
- [02:11–04:59]
- Ed Gaudet explains how healthcare's digital transformation has led to widespread third-party dependence.
- The 2009 federal push (Obama Administration) enabled healthcare to catch up technologically with other industries, but this also escalated third-party integration.
- Medical supply chains now involve SaaS applications, on-premise apps, IoT, and a proliferation of medical devices, all contributing to an expanded “attack surface”.
- Quote:
"Third parties support every single business process today in health care, whereas 10 years ago it was a mix. Right. So cyber has to change. Cyber goes from a vertical function to a horizontal function."
— Ed Gaudet [04:19]
2. Shifting Security Response: From Prevention to Resilience
- [05:26–08:06]
- The focus in healthcare cybersecurity is shifting from the front-end functions of the NIST Cybersecurity Framework (Identify, Protect, Detect) toward Respond and Recover: the assumption is that an incident will happen, so investment must also cover how fast the organization gets back on its feet.
- Recent high-profile breaches (notably Change Healthcare) highlighted that recovery speed is essential—it’s about minimizing downtime for critical business and care functions.
- Organizations must understand which business processes (lab, blood, imaging) are truly mission-critical, and map vendor dependencies accordingly.
- Legal and contractual risks (e.g., exclusivity clauses without alternatives) also now form part of continuity planning.
- Quote:
"It's not a matter of if, it's a matter of when... So if you’re going to get attacked at some point, then you really need to think about your investments shifting from the identify, protect, detect functions to the respond and recover functions."
— Ed Gaudet [05:40]
3. Inventory and Prioritization
- [08:40–09:39]
- A core security axiom: you can’t protect what you don’t know—comprehensive asset and application inventory is the essential first step.
- Inventory allows organizations to tier and prioritize resources and defenses, focusing limited resources on what truly matters.
- Quote:
"You can’t protect what you don’t know... That lens really helps you prioritize where to spend your scarce resources."
— Ed Gaudet [08:46]
4. Secure-by-Design and Secure-by-Default: Navigating AI Adoption
- [09:39–14:51]
- Secure-by-design means integrating security into the foundation, not bolting it on later; secure-by-default means functionality (especially AI) is off unless explicitly enabled.
- AI features must be rolled out transparently and allow organizations control over activation to suit their risk posture.
- Ed points out common pitfalls, with software vendors enabling AI features by default after updates—contrary to best practice.
- Medical organizations are increasingly creating cross-functional AI governance committees to meter, vet, and govern AI adoption due to risks of "shadow IT."
- The "insidious risk" is that AI capabilities may enter an environment not only through overt adoption (front door), but silently via software updates (the "attic or floorboards").
- Quote:
"Everyone thinks it's coming through the front door... but it's also coming through the back door and the bathroom window and the attic and the floorboards."
— Ed Gaudet [13:51]
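The secure-by-default principle and the "attic and floorboards" point above describe a concrete engineering check: treat the vendor's shipped defaults as untrusted, turn gated capabilities (AI features in particular) on only when the organization has explicitly approved them, and diff each release's feature manifest against the previous one so a capability that arrives silently with an update is surfaced for the governance committee. The following is an added example written for this summary; it is not code from the podcast, from Ed Gaudet's company, or from any real vendor. The manifest format, the feature names and the "ai"/"vendor" gated categories are constructed assumptions for illustration.

```python
"""Secure-by-default feature gating and post-update drift detection.

Added example for this summary; not code from the podcast or from any real
vendor product. Assumes (hypothetically) that a vendor ships a feature
manifest with each release: a mapping of feature name -> {"category",
"default"}. The manifests and feature names below are constructed sample data.
"""
from dataclasses import dataclass

# Vendor-shipped manifests for two consecutive releases (constructed data).
RELEASE_V1 = {
    "e_prescribing":    {"category": "clinical", "default": True},
    "audit_logging":    {"category": "security", "default": True},
    "telemetry_upload": {"category": "vendor",   "default": False},
}
RELEASE_V2 = {
    "e_prescribing":      {"category": "clinical", "default": True},
    "audit_logging":      {"category": "security", "default": True},
    "telemetry_upload":   {"category": "vendor",   "default": True},   # flipped on
    "ai_note_summarizer": {"category": "ai",       "default": True},   # new, on by default
    "ai_triage_assist":   {"category": "ai",       "default": False},  # new, off by default
}

# Categories the organization's governance committee must approve explicitly
# (hypothetical policy for this example).
GATED_CATEGORIES = {"ai", "vendor"}


@dataclass(frozen=True)
class Finding:
    feature: str
    kind: str     # "new_gated" | "new_default_on" | "default_flipped_on"
    detail: str


def effective_state(manifest, approvals):
    """Secure-by-default: a gated feature is on only if the organization approved it.

    Vendor defaults are ignored for gated categories, so a feature nobody has
    reviewed stays off no matter how it ships. Non-gated features keep the
    vendor default unless the organization overrides them.
    """
    state = {}
    for name, meta in manifest.items():
        if meta["category"] in GATED_CATEGORIES:
            state[name] = approvals.get(name, False)
        else:
            state[name] = approvals.get(name, meta["default"])
    return state


def detect_drift(baseline, updated):
    """Compare two vendor manifests and report capability changes that arrived
    with the update rather than through the organization's own adoption."""
    findings = []
    for name, meta in updated.items():
        old = baseline.get(name)
        default_txt = "on" if meta["default"] else "off"
        if old is None:
            if meta["category"] in GATED_CATEGORIES:
                findings.append(Finding(
                    name, "new_gated",
                    f"new {meta['category']} feature, vendor default={default_txt}"))
            elif meta["default"]:
                findings.append(Finding(name, "new_default_on",
                                        "new feature shipped enabled"))
        elif meta["default"] and not old["default"]:
            findings.append(Finding(name, "default_flipped_on",
                                    "vendor default changed from off to on"))
    return findings


def review_update(baseline, updated, approvals):
    """Return (drift findings, effective feature state after applying the update)."""
    return detect_drift(baseline, updated), effective_state(updated, approvals)


if __name__ == "__main__":
    approvals = {"telemetry_upload": False}   # reviewed by the committee and declined
    findings, state = review_update(RELEASE_V1, RELEASE_V2, approvals)
    for f in findings:
        print(f"{f.kind:>20}  {f.feature}: {f.detail}")
    print("effective state:", state)
```

Running this against the two sample releases flags three things a vendor changelog might not: `telemetry_upload` flipped from off to on, and two new AI features (one shipped enabled, one not) that need committee review before activation. Because `effective_state` never consults the vendor default for gated categories, both AI features remain off after the update until someone adds them to the approvals map, which is the secure-by-default behaviour Ed describes.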
5. AI-Specific Healthcare Risks: From Data Loss to Patient Safety
- [15:03–17:47]
- The danger of AI in healthcare is not only data breach but also degradation of data quality (e.g., hallucinations, data drift) that can directly affect patient diagnoses and safety.
- Ed cites a collaboration with the Ponemon Institute that linked ransomware attacks to increased patient mortality at affected organizations, a figure he puts at over 20% for 2021, a startling connection between cyber incidents and real-world harm.
- With AI, the risks are less binary and more insidious (subtle errors in clinical decision-making), emphasizing the unique patient safety challenges in medicine.
- Quote:
"Whereas AI, it's not so black and white. It's not so binary. The risks, I think, are the same: you have data loss... but you also have a patient safety vector."
— Ed Gaudet [17:10]
6. AI Vendor Due Diligence and Lifecycle Management
- [17:47–21:16]
- Health systems must vet not just what an AI app does, but who is behind it (location, business model) and how patient data is managed over time.
- Fly-by-night AI vendors pose enduring risks—patient data may be left in limbo if a company folds or pivots.
- Rubrics for AI evaluation now include data handling, jurisdiction, longevity, traditional cybersecurity scrutiny, and ongoing data efficacy and safety validation.
- Ed sees hope in more deliberative adoption, rather than an uncontrolled rush, stressing the need for balance: “We do want to adopt it, but we don’t want to cause any harm.” [20:59]
Notable Quotes with Timestamps
- On Healthcare’s Newfound Parity:
"They went from being five years behind to being at parity with most industries, in fact, in some ways adopting AI maybe faster... Which is good and bad, a little scary, a little risky."
— Ed Gaudet [02:54]
- On Mapping Risk to Business Criticality:
"Some are important, but some don't shut the business down... lab, blood, imaging that require quick recovery because without those services, you cannot operate as an organization, you cannot deliver care."
— Ed Gaudet [06:31]
- On the Pace and Penetration of AI:
"AI is exponential in terms of what it's going to do, not only to the industry, but I think society in general. And it's happening so quickly."
— Ed Gaudet [14:43]
- On the Reality of Health Sector Cyberthreats:
"I thought 2% mortality rate [from ransomware]. Increases [were] over 20% mortality rate in 2021... Now we made that connection with not just data loss, but patient safety, patient lives and patient care."
— Ed Gaudet [16:20]
Memorable Moments
- [13:51] Ed's vivid metaphor about AI risks sneaking into systems in unexpected ways:
"Everyone thinks it's coming through the front door. It is, but it's also coming through the back door and it's coming through the bathroom window and it's coming through the attic and it's coming through the floorboards."
- [14:51] Sobering reminder on the velocity of the AI wave:
"People are just scrambling to get their arms around how do we adopt what we need today and then how do we manage these risks as they come to the front door, but also as they appear in the back?"
Timestamps for Key Segments
| Segment Topic | Timestamps |
| --- | --- |
| Introduction & Ed’s Background | 01:05 – 02:08 |
| Third Party Risk Landscape | 02:11 – 04:59 |
| Cybersecurity Response & Recovery | 05:26 – 08:06 |
| Inventory, Asset Prioritization | 08:40 – 09:39 |
| Secure by Design & AI Governance | 09:39 – 14:51 |
| Insidious AI Risks | 13:51 – 15:03 |
| AI Risks & Patient Safety | 15:03 – 17:47 |
| Vetting AI Vendors & Data Ownership | 17:47 – 21:16 |
Conclusion
This episode offers a candid look at how AI and expanded third-party networks present both tremendous opportunities and profound risks for healthcare cybersecurity. Ed Gaudet underscores the need for resilience, proactive inventory and prioritization, rigorous AI governance, and a practical, patient-first approach to technology adoption. For listeners seeking a current, real-world perspective on healthcare cyber risk, especially in the AI era, this conversation delivers actionable insights and memorable observations.
