AI ransomware attacks, proposed HIPAA changes spark concern for one security pro

Managing healthcare cybersecurity is a complex proposition, to say the least. 

Health system CISOs, CIOs and other information security leaders used to simply have to worry about ensuring robust network security and preventing lost laptops. 

Now they have many new challenges to grapple with, and the threat landscape – and the regulatory landscape – are getting more complex by the day.

Sophisticated AI-driven ransomware attacks, proposed HIPAA security rule changes and third-party vendor risk mitigation are three issues in particular that concern one security expert.

Barry Mathis is managing principal of IT advisory consulting at PYA, a healthcare management consulting firm. He has nearly three decades of experience in the information technology and healthcare industries as a CIO, CTO, senior IT audit manager and IT risk management consultant.

Healthcare IT News recently spoke with him to get his views on these and other concerns.

Q. With the rise of AI tools like FraudGPT and WormGPT, there is a shift where even non-technical criminals can launch highly effective ransomware and phishing attacks. How is this democratization of cybercrime changing the threat landscape, particularly for healthcare organizations, and what can be done to stay ahead of these evolving threats?

A. As someone who has spent decades in healthcare IT leadership, I’ve seen the evolution of cyber threats firsthand. But the rise of AI-driven ransomware is unlike anything we’ve faced before.

Tools like FraudGPT and WormGPT are shortening the onramp for cybercriminals, enabling even those with minimal technical skills to launch successful attacks. In healthcare, where patient safety and data integrity are paramount, this is especially dangerous.

Nearly 400 U.S. healthcare organizations were targeted by ransomware in 2024 alone, with attackers exploiting vulnerabilities in IoT devices and outdated infrastructure. The use of AI for automated vulnerability scanning means attackers now can identify and exploit weaknesses faster than ever.

Although I have seen a noticeable increase in hospitals and health systems investing in cyber protection, it’s still concerning to me how many healthcare organizations are still ill-equipped to handle modern cybersecurity threats. Despite long-standing awareness of these risks, I continue to encounter health systems lacking both the infrastructure and internal safeguards to stop data breaches.

Alarmingly, many have no clear protocols to restrict unauthorized access. From my audit and assessment work, a familiar pattern appears. Hospitals pour resources into digital health initiatives like electronic records and mobile apps yet overlook essential security practices. Basic issues like misconfigured endpoints, outdated software and inadequate recovery planning persist across the industry.

Artificial intelligence shouldn’t just be seen as a hacker’s advantage. It has powerful potential to reinforce defense. Unfortunately, most health systems have yet to harness that capability.

Answering this question, one of my favorite current TV commercials comes to mind. It features a bank security guard who simply informs the patrons that the bank is being robbed. While they expect the security guard to do something about the robbery, he explains his job is only to monitor.

Healthcare organizations must take a hard look at their current security frameworks and move toward more advanced and adaptive protections. This includes deploying AI-driven tools to identify and respond to threats in real time, applying virtual patching solutions to safeguard older systems that can’t be easily updated, and running regular simulation exercises to test response readiness.

As the nature of cyber threats continues to grow in complexity and speed, defensive strategies must shift from reactive to proactive. Integrating intelligent, anticipatory security measures is no longer optional – it’s essential for resilience.

Q. The proposed updates to HIPAA security rules aim to bolster protections for electronic protected health information. Beyond compliance, how do these changes reflect a broader shift in how healthcare organizations should approach cybersecurity risk management in an increasingly hostile digital environment?

A. The proposed updates to HIPAA’s security rule are long overdue and reflect a growing recognition that the healthcare sector is under attack. As a former CIO and IT compliance officer, I’ve always viewed HIPAA not just as a regulatory requirement, but as a foundation for community and patient trust.

These new changes aim to modernize protections for electronic protected health information, especially in light of the increasing sophistication of cyber threats. But the real question is: Will organizations treat this as a compliance checkbox or as a catalyst for real change?

The proposed updates place a strong focus on risk-driven security practices, incident preparedness and oversight of third-party relationships. These are areas where many healthcare organizations continue to struggle.

Over the past three decades, I’ve seen countless examples of outdated risk assessments and templated policies that fail to account for real-world threats. The HIPAA changes seem intended to encourage a move toward ongoing risk evaluation and more flexible, responsive security strategies.

With cyber threats evolving rapidly, especially with the rise of AI-driven attack methods, rigid, checklist-style compliance approaches are no longer sufficient and completely unacceptable based on my personal interaction with Health & Human Services investigators.

No matter how the final rule is structured, the essential message is clear: Digital protection must be treated as a core responsibility across health systems. This requires active involvement from leadership, cooperation across departments, and steady commitment to upgrading both tools and skills. Meeting minimum standards isn’t enough.

Those merely checking boxes will fall behind and likely become victims of cyberattacks as well as defendants in civil and federal investigations. The organizations that succeed will be the ones that view security as a driver of long-term stability and operational strength, not just a task for compliance teams.

Q. Even with strong internal cybersecurity controls, healthcare providers often face risks from third-party vendors. As these vendors become more embedded in healthcare operations, what strategies should organizations adopt to ensure their extended digital ecosystem doesn’t become their weakest link?

A. Third-party vendors often pose the most significant vulnerability in a healthcare organization’s digital security defense. Even a well-secured hospital can be compromised through oversight gaps when interacting with external vendors.

In my experience leading technology operations and conducting audits, I’ve consistently encountered instances where inadequate vendor safeguards, such as unmaintained systems or unchecked access, create a clear pathway for unauthorized access.

For instance, an entire hospital and more than 600 affected systems were out of service for more than a month, necessitating a complete reconstruction from scratch. The root cause of this vulnerability was a single unpatched server being used as a support portal for a third-party vendor.

As health systems adopt more digital tools, from cloud infrastructure to virtual care and remote monitoring, these points of exposure are multiplying and require sharper oversight than ever before.

One of the persistent issues in healthcare security is the absence of a structured approach to managing risks tied to external vendors.

While some organizations may perform an initial review before onboarding a vendor, consistent follow-up often is missing. As digital environments grow more complex and with connected devices and intelligent systems becoming commonplace, this lack of oversight becomes increasingly problematic.

From what I’ve seen, managing these risks effectively requires more than a one-time check. It demands an end-to-end process: thorough evaluation before engagement, clear security terms in contracts, active oversight throughout the partnership and coordination when incidents arise.

Regardless of regulatory or other outside influences, healthcare organizations must treat third-party vendors as extensions of their own infrastructure. This means integrating them into security awareness training, requiring proof and artifacts of regular independent assessments or certifications, and using automated, data-driven scoring systems that assess the cybersecurity posture of organizations.

As vendors become more integral to care delivery, their security becomes your security. The organizations that recognize this, and act on it, will be far better positioned to protect their patients and their reputations.

Follow Bill’s HIT coverage on LinkedIn: Bill Siwicki
Healthcare IT News is a HIMSS Media publication.
