Podcast Episode Summary
To The Point - Cybersecurity
Episode: How AI and Third Party Risk Are Transforming Healthcare Cybersecurity with Ed Gaudet, Part 2
Date: October 7, 2025
Host: Rachael Lyon & Jonathan Knepher
Guest: Ed Gaudet (CEO and founder, Censinet)
Overview
This episode continues a deep-dive conversation with Ed Gaudet on how artificial intelligence (AI) and the evolving landscape of third-party risk are reshaping healthcare cybersecurity. With a particular focus on the real-world threats, complexities, and practicalities of risk management, the discussion explores why traditional frameworks are no longer enough, the need for continuous holistic approaches, and how leadership must evolve in step with accelerating technological change.
Key Discussion Points & Insights
1. AI’s Unique Risk Profile in Healthcare
- Non-deterministic, Creative Risks:
  - AI implementations bring a new layer of non-deterministic and creative risks that don’t align with traditional risk assessment practices.
  - Insight: Risk now extends beyond the system itself to the value, accuracy, and potential impact of AI’s outputs, such as brand reputation or clinical decisions.
- Guardrails and Human Oversight:
  - Even as AI is rapidly adopted, healthcare organizations must maintain rigorous review and validation of AI-generated outputs.
  - Notable Use Case: Ambient Listening: AI records and summarizes patient-doctor interactions so physicians can focus on patients instead of note-taking. Still, the clinician must verify and sign off on AI-generated notes to ensure accuracy.
    “That last mile of review and validation and verification is so important.” — Ed Gaudet [05:04]
- Industry Adoption Rates:
  - High-risk sectors like healthcare will integrate AI more cautiously and incrementally compared to lower-risk environments (e.g., warehouses).
2. Complexities in Contextual Understanding
- Limits of AI Interpretation:
  - AI can misinterpret nonverbal cues or sarcasm in medical conversations, making slow, careful adoption essential.
    “Sarcasm is human. You’re not going to see sarcastic robots anytime soon.” — Ed Gaudet [06:57]
  - Memorable moment: Rachael Lyon jokes about doctors using sarcasm:
    “Sarcasm. John, who has sarcasm in doctor conversations?” — Rachael Lyon [06:53]
3. Continuous and Holistic Risk Management
- Point-in-Time Assessments Are Obsolete:
  - The pace of software and system updates in healthcare has rendered periodic, static assessments (like traditional SOC 2 audits) insufficient.
    “By the time it [SOC 2] gets published, we’ve already gone through probably another 10, 15 releases on the product.” — Ed Gaudet [13:55]
  - Continuous risk assessment must keep up with system modifications, changing data types, and evolving third-party relationships.
- Life Cycle Approach:
  - Risk management must track software and vendor risk from “cradle to grave”, continually updating as integrations and data usage evolve, especially with sensitive information like PHI.
- People, Process, Technology Trinity:
  - Effective transformation demands harmonizing technology shifts with changes in people and processes—not just new tools.
4. On Cybersecurity Scorecards and Universal Ratings
- The Scorecard Fallacy:
  - Simple scoring systems (like credit scores for organizations or UL ratings for appliances) fail to capture the complexity and rapid evolution of cyber risks.
    “Don’t be fooled by simple numbers... We knew what our risk was, and it wasn’t good... I just laugh at that rating because it’s like, we’re not an A. I know I’m not an A.” — Ed Gaudet [15:59]
- Transparency as a Value:
  - Ed advocates for honest communication about risk status with clients; long-term trust and partnerships are built on transparency, not artificially inflated ratings.
5. Generally Accepted Principles for Cybersecurity (GAPC)
- The Case for Standardized Reporting:
  - Ed envisions an industry-wide framework, akin to GAAP in finance, to standardize cybersecurity disclosures and benchmarking at the board and public level.
    “Risk and security should be a board level topic and at board level responsibility... Wouldn’t it be nice if we had a standard way to communicate risk and a standard way to drive the accounting... of risk and cybersecurity across all industries?” — Ed Gaudet [17:30]
  - Regular (“quarterly”) reporting on cybersecurity posture, just like financials, could provide transparency and drive improvements via benchmarking.
- Transparency and Repeatability:
  - Transparency in scoring methods and regular updates are essential to make scorecards meaningful.
- Challenges:
  - Achieving such standardization is a formidable, time-consuming process, likely to draw disagreements among experts.
6. Leadership, Accountability, and Regulation
- Transformation Requires Leadership:
    “Transformation requires leadership. And leadership is hard.” — Ed Gaudet [25:03]
  - Boards must proactively address cybersecurity, not delegate it; skilled cyber expertise must be represented at the highest level.
- Regulatory Shifts Lag Innovation:
  - Efforts to modernize regulations (e.g., HIPAA) are slow and subject to political changes, leaving gaps in accountability.
- Checkbox Mentality:
  - Many organizations only “check boxes” for compliance, rather than genuinely addressing security holistically.
7. Emerging Threats and the Future Risk Landscape
- Growing Scale and Sophistication:
  - Attackers have shifted from hobbyists to organized, specialized teams—effectively acting as “mafioso” using division of labor and advanced tools.
    “Hackers were independent, some were kids... The last five years they’ve organized, they become organized criminals, they become mafioso, if you will, electronically.” — Ed Gaudet [30:49]
- Third-Party & Supply Chain Risks:
  - Incidents like “Change Healthcare” and vulnerabilities like Log4j exemplify how interconnected vendors and open-source components can propagate risk throughout the healthcare sector.
- Potential Catastrophic Scenarios:
  - Widespread attacks could jeopardize not just individual hospitals but entire infrastructures, with real-life consequences for patient care, especially if critical operations are interrupted (e.g., ambulance diversions).
- AI as a Double-Edged Sword:
  - Rapid breakthroughs in generative AI pose as-yet-unknown risks, especially in model training and hidden vulnerabilities.
    “It’s been eerily quiet on the western front... There’s going to be something big, I think, because it’s been too quiet.” — Ed Gaudet [30:49]
Notable Quotes & Memorable Moments
- On Validation in AI:
  “That last mile of review and validation and verification is so important.” — Ed Gaudet [05:04]
- On Scorecard Ratings:
  “Don’t be fooled by simple numbers. ... We’re not an A. I know I’m not an A.” — Ed Gaudet [15:59]
- On Board-Level Cyber Expertise:
  “Risk and security should be a board level topic and at board level responsibility... you should have a cyber committee and you should hire board members that have cyber experience.” — Ed Gaudet [17:30]
- On Industry Evolution:
  “Wouldn’t it be great in five years if we had a GAPC that we could report on and every public company reported on it? ... That’s the vision.” — Ed Gaudet [23:14]
- On Leadership:
  “Transformation requires leadership. And leadership is hard.” — Ed Gaudet [25:03]
- On Organizational Change:
  “Nobody wants to be the most secure... It’s human nature. ... The notion of checking the box is so critical.” — Ed Gaudet [28:17]
- On Imminent Threats:
  “It’s been eerily quiet on the western front... There’s going to be something big, I think, because it’s been too quiet.” — Ed Gaudet [30:49]
Timestamps for Key Segments
- 01:10 — Framing AI risk in healthcare
- 02:47 — Example: AI in ambient listening and medical note-taking
- 06:03 — The need for slow, careful AI adoption (sarcasm, human nuance)
- 07:32 — Integrating cyber, data, and enterprise risk frameworks
- 11:47 — The limits of security “scorecards”
- 16:58 — Board-level responsibility and the call for GAPC
- 20:33 — What standardized cybersecurity reporting could look like
- 23:53 — Leadership and regulatory slowdowns
- 29:00 — The persistence of checkbox security
- 30:49 — Organized criminal sophistication and future “big event” threats
- 31:49 — Third-party risk and catastrophic interconnected vulnerabilities
Closing Thoughts
The episode delivers a candid, clear-eyed look at the fast-changing intersection of AI, third-party risk, and cyber governance in healthcare. Ed Gaudet’s message stresses continuous vigilance, adaptability, board-level ownership, and honesty—reminding us that superficial metrics or “checkbox” compliance will not stop the next breach. True resilience will require transformation rooted in leadership, transparency, and holistic discipline.
For Further Information
- Visit forcepoint.com/podcast for show notes and additional resources.
- Listen to new episodes every Tuesday for cutting-edge insights and expert discussions.
