    Insight Article
    Colleen Luckett, MA

    It may have been St. Patrick’s Day, but no one at the Colorado HIMSS CXO Breakfast and Advocacy Day was counting on luck to secure their health information systems.

    While many attendees donned various shades of green and emerald in the ballroom at Denver’s historic Brown Palace Hotel (including a head-turning shamrock-spattered jacket), one panel stood out for its urgency amid the festivity: “Guardians of Healthcare: Strengthening Cybersecurity in an Evolving Threat Landscape,” moderated by Stephanie Broderick, SVP of Provider Solutions at Clinical Architecture.

    With ransomware payouts soaring and health systems under siege, three battle-tested cybersecurity pros — Howard Haile, VP and CTO at Intermountain Health; Richard Staynings, Chief Security Strategist at Cylera; and Rick Bohm, CISO at Point Solutions Security and a self-proclaimed “professional hacker” — delivered a wake-up call about the threats facing healthcare leaders today.

    From “annoyance” to national security threat

    Broderick began with a grim roll call of 2024 cyberattacks: Change Healthcare, Ascension, Lurie Children’s, and others, which collectively impacted more than 200 million patients and cost organizations billions. More than mere data leaks, these were colossal disruptions to revenue cycles and patient access and safety.

    Staynings warned that the massive Change Healthcare hack should be viewed as a national security threat. “If you were an adversary and saw that happen, wouldn’t you try to replicate it?” he asked. “U.S. healthcare is one of 16 critical national infrastructure industries. We’re seeing weekly attacks from nation-states or proxies.”

    Haile noted that the Change breach illuminated the limits of existing risk models and the massive interdependence between healthcare providers and outside vendors.

    “It taught us that third-party assessments for risk aren’t very effective,” he said. “This wasn’t just a vendor going down. You suddenly can’t bill or receive payment; your entire revenue cycle grinds to a halt.”

    The complexity of the breach revealed how deeply some systems rely on a single vendor such as Change and how hard it is to pivot when that vendor fails.

    “You get into it thinking, ‘This is just another third party,’ but then realize — this impacts your entire revenue cycle,” he admitted. “It’s not the same as losing access to a few patient records, it’s an existential threat to your operations.”

    And standing up a new clearinghouse to make up for the Change outage? “That’s near impossible,” Haile noted. “Switching from Change Healthcare to another platform isn’t a quick fix.”

    A large-scale outage requires a focus to match, Haile said. “You can’t always prevent it, but you better be ready to act fast when it happens.” This includes everything from tabletop exercises with executive teams to reassessing revenue-side dependencies and ensuring multi-factor authentication (MFA) is enforced across the board, he said.

    Bohm cautioned about the sophistication of modern AI-enhanced attacks that can evade detection, emphasizing that even organizations confident in their defenses often have gaping internal vulnerabilities.

    “I’ll come into an engagement and hear, ‘Oh, this is our 100th penetration test, you won’t find anything,’” he said. “I guarantee you — I’ll find something.”

    “I’ve tested six very established EHRs — all six failed, miserably,” added Bohm, pulling no punches.

    He offered a metaphor for breaching even well-defended systems that brought the threat uncomfortably close to home. “You take a beautiful building like [the Brown Palace] with hundreds of windows, hundreds of doors. A defensive person might fail to lock all of them, and here’s somebody like me who checks every door handle, every window — and all I need is one. And that’s exactly what happened to Change,” he added.

    Bohm stressed that while organizations often focus on protecting high-value data, attackers aren’t necessarily after individual records anymore.

    “The big money isn’t in your personal health record, it’s in ransomware,” he said. “If you call me and say, ‘Hey, I think my information’s out there,’ I can get it back — for $10 in crypto. That’s what an individual record is worth.”

    The real payoff, Bohm warned, is in taking entire organizations down. “That’s worth $2.5 billion to these guys.”

    Beyond confidentiality: What’s truly at stake

    Staynings was adamant that availability — not confidentiality — is now the urgent priority. “Every person in this room has had some level of their PHI or PII stolen,” he said. “What matters is making sure that systems are up, patients get prescriptions, doctors can diagnose. That their medical devices aren’t compromised. That their EMR hasn’t been encrypted.”

    “We’re still myopically focused on confidentiality, but it’s already lost,” he added. “We need to shift our focus to true risk: system availability.”

    Additionally, attackers are using AI to target MFA tokens, automate phishing, and create highly personalized social engineering campaigns that are nearly impossible to distinguish from real human behavior.

    “It’s a force multiplier for us — but also a force multiplier for attackers,” Haile warned. “So, anything we’re doing, they’re doing the same, only faster.”

    Deepfakes, AI weaponization, and the “soft, gooey center”

    The panelists agreed: AI is both a powerful defense and an even more powerful offense.

    Bohm described how easy it has become to use publicly available information and AI tools to craft hyper-personalized phishing attacks. “I used Prof GPT to write a nine-thread fake email exchange between two people, utilizing a scrape I did from social media,” Bohm explained. “Then I injected a malicious document into the fourth email, told one of them to check it out, and forward it on.”

    That’s all it took, and no one questioned it.

    Once inside, attackers don’t need to cause immediate chaos. They wait, escalate access, and move laterally. Bohm described what he called the “M&M model” — a hard shell on the outside, but soft and gooey on the inside — due to a lack of internal segmentation, proper endpoint protection, or behavioral monitoring.

    “I can take a low-level account, and soon I’m the administrator,” he said. “All AI-generated. All untraceable unless you’re actively looking for it.”

    Staynings picked up the thread, warning that healthcare’s vulnerability doesn’t stop at social engineering or phishing attempts — it’s rooted in the sheer sprawl and opacity of modern health IT infrastructure.

    “Our healthcare networks are so complex now that IT only manages about 25% of the endpoints in a typical hospital,” Staynings said. “The other 75%? Consultant laptops, IoT devices, medical equipment, HVAC systems, badge readers, CCTV cameras. And security leaders have very limited visibility into these systems.”

    Many of these devices, he added, are outdated or bespoke, with no modern security support — some still running code written in the 1980s.

    “We’re literally keeping patients alive on technology from the Windows 95 era,” said Staynings. “None of us would do our online banking on that, but we’re running hospital equipment on it.”

    He urged leaders to take third-party risk more seriously, especially as single points of failure such as Change Healthcare demonstrate how devastating a breach can be when a vendor dominates a critical space.

    “We need to hold vendors accountable, which means risk analysis and active inventories,” Staynings said, adding, “And leveraging automation — because we simply can’t hire enough people to solve these problems manually anymore.”

    And like others on the panel, he returned to a common refrain: AI is your friend, if you program it correctly.

    What keeps CISOs up at night?

    Before the conversation turned to policy, Haile grounded the threat in something more personal and disturbingly plausible: AI-powered impersonation attacks straight from today’s headlines.

    “We’re talking about AI generating images, generating voice,” said Haile. “Now you can generate your CEO’s voice, who calls in and wants her password reset. And what frontline service desk person is going to say no to the CEO, right?”

    Haile emphasized the urgent need for penetration testing of internal help desks, which have become prime targets for social engineering attacks bolstered by AI.

    “If you’re not pen-testing your help desk, you’re going to have problems,” he warned. “You create a new face, and you can bypass that level of security.”

    While the technology is daunting, the panelists pointed to organizational complacency and outdated regulation as some of the greatest risks.

    “There’s this constant ‘catch up’ between regulation and security — HIPAA was out of date the day it was published in 1996, and it has proceeded to be embarrassing ever since,” Staynings stated bluntly.

    The Health Infrastructure Security and Accountability Act (HISAA), currently moving through the U.S. House and Senate, would require regulated entities to follow mandatory cybersecurity standards, undergo annual audits and stress tests, and face real financial penalties — including reduced Medicare payments — for noncompliance. The law is designed to keep pace with evolving, real-time cyber threats. “If we ever have a functional government this year to write one, then that might actually start to move the needle,” Staynings said.

    Even standards like ISO and AI 601, he warned, are doomed to lag. “Regulations by their nature are inherently out of date, as they regulate yesterday’s concerns. But the danger is that we could overregulate the space to the point that it stifles innovation.”

    Bohm agreed: “Standards are great for compliance, and compliance is great to show that you did something you were supposed to do — last year.”

    For real security, he argued, healthcare organizations must go beyond checkbox exercises and instead prioritize ongoing, real-time security assessments conducted by professionals actively engaged with today’s threat landscape.

    Bohm shared a final reminder that the real threats are evolving faster than many realize. “We’re now seeing hackers use AI-generated images, fake credentials, and cloned voices to bypass verification,” he said. “And they’re doing it with 20-hour workdays and five million-strong forums on the dark web. Meanwhile, defensive AI is still trying to catch up.”

    “The next Change Healthcare is coming,” Bohm warned. “It might not be in healthcare, but it will hit just as hard.”

    Final takeaways

    Broderick concluded with a lightning round: If you controlled it all, what’s the one thing you’d prioritize?

    • Haile: “Identity. Protecting identity and securing the human.”
    • Staynings: “Automation and orchestration. We can’t hire fast enough to keep pace.”
    • Bohm: “Test your systems: computers, processes, physical security. All of it.”

    As the panel wrapped up, one thing was clear: Cybersecurity is no longer strictly an IT issue; it’s a healthcare leadership issue. And unlike wearing green on St. Patrick’s Day, keeping organizations and patients safe in today’s cyberthreat landscape is not optional.

    Written By

    Colleen Luckett, MA

    Colleen Luckett has an extensive background in publishing, content development, and marketing communications in various industries, including healthcare, education, law, telecommunications, and energy. Midcareer, she took a break to teach English as a Second Language for four years in Japan, after which she earned her master’s degree with honors in multilingual education in 2020 upon her return stateside. She now writes and edits all kinds of content at MGMA, and is co-host of the MGMA Week in Review podcast.