Could you provide some of the highlights from the latest executive order?
The executive order directs CISO’s to expand AI-enabled cyber defense support and facilitate access to tools for critical infrastructure, explicitly naming rural hospitals. It also orders an AI Cybersecurity Clearinghouse to coordinate vulnerability discovery, remediation, and patch distribution within the critical infrastructure. It brings a lot of awareness to the threats of AI and also the challenges of rural healthcare operating with fewer resources than larger organizations in the ecosystem.
What does the creation of a federal AI Cybersecurity Clearinghouse mean for healthcare organizations?
It really brings resources to the identification of where there are exposed vulnerabilities due to accelerated exploitation from AI. It allows for a clearinghouse to distribute those vulnerabilities and patch remediation capabilities faster to the ecosystem, so that every organization is not left up to their own devices to try to respond to those increasing threats.
Do you feel like anything is missing from the executive order?
I think it's a great start. Most importantly, it brings a lot of awareness to the risk that's introduced to the industry by AI. It will help to speed up vulnerability management, but I think it also emphasizes the need for every organization in healthcare to really implement governance around AI and have a process in place for accelerated vulnerability and patch management.
I think it's critically important that organizations do their own inventory and understand their asset inventory, and where they have vulnerabilities that could be exploited. It doesn't supersede the HIPAA security rule. It doesn't make any new compliance or changes to requirements that already exist.
Organizations in healthcare really need to continue to emphasize their focus on execution against the security rule, and that includes things like risk analysis, risk management, good governance, policies, access controls.
The executive order's expanded cybersecurity support for rural hospitals does not address the workforce shortages that undermine security efforts. What are your thoughts on this?
We recognize that small and rural hospitals have the same threat exposure as larger organizations, but they don't have the same amount of resources to keep up. I think the executive order is an acknowledgment that we need to bring more resources and support to the smaller organizations. I think they're going to bring some tools that will help those organizations, but as we know, tools alone really aren't the answer.
Rural healthcare and hospitals don't struggle because of the lack of access to tools. They really struggle because they lack the expert capabilities internally to configure, monitor, and act on those tools. While I think this order really opens the door and brings more resources…they still need support, and they're going to need the resources internally to use those tools properly.
Could you talk about AI-enabled cybercrime and how this EO reflects the concerns about this?
Adversaries are using AI for phishing reconnaissance, more aggressive exploitation of those vulnerabilities, and social engineering. I think that really puts an emphasis on that, as you have more enforcement around those types of criminal behaviors, which is a good thing. That is an area we've really got to respond to as an industry to be able to keep up, because the attackers are moving very aggressively with these new capabilities. AI can be a great resource for the industry to respond to that, but we've got to be able to adopt it across the industry and respond quickly.
The order itself, I think, does a good job of prioritizing enforcement against those criminal behaviors and, hopefully, can have an impact on reducing those threats.
What do you feel healthcare organizations should do now to stay ahead of this?
First and foremost, they need strong governance over their infrastructure. You need a strong asset inventory; you need to know where you have connected devices, which applications are great for receiving, maintaining, and transmitting ePHI, and that you've got good risk management around all of that.
I think this also really emphasizes the need for stronger vulnerability and patch management. I think we need to make sure we have strong incident response capabilities to respond to those threats quickly and mitigate the impact of those threats.
We talked a minute ago about AI-enabled phishing and deepfake social engineering. I think that's just going to continue to create risk for the industry, so we've got to be very well prepared not just to reduce the likelihood of those events occurring, but also their impact. Incident response planning is critical.
I think we need strong vendor risk reviews around AI tooling and how we're using patient data within these AI tools. The HIPAA security rule doesn’t go away. It really emphasizes the concepts of risk analysis, risk management, and the requirements in the HIPAA rules.
I think the speed at which the industry is moving is accelerating. Healthcare has historically not moved at the same pace as other industries. This really puts an emphasis on us as an organization, as an industry, that we need to operationalize AI as part of our defenses. I think it really just puts a greater focus on cybersecurity and risk management, and the need to invest effectively to respond to these accelerated threats.
