Healthcare cybersecurity has moved beyond the familiar debate of compliance versus innovation. For hospitals, health systems, managed care organizations, and the vendors that support them, the real issue is far more operational: how do you reduce cyber risk fast enough to protect care delivery without slowing the business of healthcare down?

That question sits at the center of a recent discussion with Charles Spence, Senior Vice President of Technology at Managed Healthcare Associates. His perspective is especially useful because it bridges enterprise technology oversight, cybersecurity leadership, and exposure to emerging AI use cases. The resulting message is clear: modern healthcare security is no longer just a technical hardening exercise. It is a business resilience discipline tied directly to patient safety, continuity of operations, and third-party governance.

For healthcare leaders, the practical takeaway is not "secure everything equally." That is neither realistic nor financially possible. Instead, the priority is to identify which systems, workflows, and vendor relationships create the greatest risk to mission-critical outcomes - and then build a layered defense around them.

Key Takeaways

  • Treat cybersecurity as a patient safety issue, not only an IT issue. In healthcare, disruption can delay treatment, interrupt procedures, and affect clinical outcomes.
  • Prioritize by operational impact, not just vulnerability scores. A severe technical finding matters most when it threatens care delivery, revenue cycle continuity, or regulatory exposure.
  • Legacy modernization should be framed as risk reduction. It is more than a routine refresh; it addresses structural weaknesses across devices, applications, and workflows.
  • If budgets are tight, harden the perimeter and identity layer first. MFA, identity governance, external-facing controls, and firewall protections often provide the fastest measurable reduction in exposure.
  • Use AI carefully for visibility and assessment, but govern AI data aggressively. Data minimization, contractual controls, and continuous monitoring are essential.
  • Third-party risk is now core risk. Vendors, data feeds, integration partners, and AI providers all extend the healthcare attack surface.
  • Security leaders need business fluency. The most effective CISOs and technology leaders shape strategy early rather than joining at the end for compliance review.
  • Maintain a practical incident response playbook before an event occurs. In healthcare, speed, role clarity, and communication pathways matter as much as the technical response.
  • Review your current tool stack before buying more. Duplicative products may be consuming funds that could be redirected to more urgent control gaps.

Why Healthcare Cybersecurity Is Different

Many sectors face ransomware, data theft, and operational disruption. Healthcare faces all of those risks, but under conditions that make the consequences uniquely severe.

Spence’s core point is that healthcare sits at the intersection of three difficult realities:

  1. Life-and-death operational stakes
  2. Highly sensitive data, including PHI and PII
  3. A technology ecosystem that was not uniformly designed with security as a first principle

That combination changes the risk equation. In financial services, a breach may create direct monetary loss and reputational damage. In healthcare, those same impacts can occur alongside canceled surgeries, delayed diagnostics, medication errors, and degraded care coordination.

That distinction matters because it changes how leaders should prioritize investments. In many industries, cybersecurity programs are still justified primarily by data protection and compliance. In healthcare, the more strategic framing is clinical continuity and enterprise resilience.

This is also why board-level conversations should avoid reducing cyber risk to abstract technical metrics. The better question is: Which cyber failures would most disrupt care, trust, and organizational viability?

The Structural Legacy Problem in Healthcare

One of the strongest themes from the discussion is that healthcare does not simply have a few outdated systems. It has what Spence describes as a deeper structural legacy problem.

That problem spans multiple layers:

  • Older workstation operating systems
  • Outdated medical device firmware
  • Legacy EHR and ERP environments
  • Aging infrastructure dependencies
  • Workflow processes built around old systems
  • Integration models that were never designed for today’s threat landscape

This is not limited to acute care hospitals. The healthcare sector includes provider organizations, payers, PBMs, device manufacturers, supply chain entities, and health IT vendors. Each segment carries different technical debt, procurement cycles, and regulatory pressures. That fragmentation makes standardization slow and uneven.

Why modernization is harder than it sounds

Many organizations talk about modernization as if it were a conventional refresh cycle. Spence rightly reframes it: this is a risk reduction program, not just a technology replacement project.

That distinction has major implications:

  • A device may be clinically validated and expensive to replace.
  • A software platform may support a critical revenue or care function despite poor security architecture.
  • Capital constraints may force organizations to stagger remediation over several years.
  • Clinical operations may not tolerate downtime for major upgrades.

As a result, healthcare leaders need a modernization roadmap that is risk-ranked, clinically aware, and financially staged. A blanket "upgrade everything" strategy is unrealistic. A targeted risk-reduction strategy is more durable.

How to Prioritize Cyber Investments When You Cannot Fix Everything

Spence emphasizes a principle many security programs still struggle to operationalize: prioritization should be based on business and mission impact, not just technical severity.

That sounds obvious, but in practice many teams still default to vulnerability counts, patch backlogs, or tool-driven severity ratings. Those metrics are useful, but incomplete.

A better prioritization model

For healthcare organizations, a more mature prioritization framework asks:

  • Which systems directly support patient care?
  • Which assets are essential to treatment, medication management, clinical documentation, scheduling, or emergency operations?
  • Which outages would create immediate safety consequences?
  • Which systems create the largest downstream revenue, compliance, or legal exposure?
  • Which third-party dependencies could become operational choke points?

In other words, start with the mission, then map technology risk back to it.

For a delivery organization, this could mean securing systems involved in:

  • Medication ordering and administration
  • Surgical scheduling and perioperative workflows
  • EHR availability and clinical documentation integrity
  • Identity and access controls for clinicians
  • Downtime procedures and emergency communications

For a payer or services organization, priorities may shift toward claims workflows, member data access, identity systems, and critical partner integrations. The exact answers differ by organization type; the underlying method does not.

High vulnerability does not always mean highest business risk

A key insight from the interview is that technical scores alone do not capture contextual impact. A severe vulnerability on a noncritical internal platform may matter less than a moderate control weakness on a core care-delivery dependency.

That does not mean ignoring technical severity. It means integrating it with operational context. Mature programs combine:

  • Asset criticality
  • Exposure path
  • Exploitability
  • Compensating controls
  • Clinical or business consequence
  • Recovery complexity

That is how organizations move from reactive patching to strategic risk reduction.

What to Do When Modernization Is Not in the Budget

Many healthcare leaders already know where the problems are. The challenge is funding, staffing, and sequencing. Spence offers a pragmatic view here: if an organization cannot modernize quickly, it should focus on visibility, compensating controls, and disciplined process execution.

First, build a 360-degree view of the environment

Before organizations can prioritize well, they need a credible picture of their environment. Spence points to the value of broader capability scanning and vulnerability analysis, including newer AI-assisted approaches that can help teams assess their footprint more efficiently.

The important concept is not the brand of tool. It is the outcome:

  • A current inventory of assets and services
  • A map of vulnerabilities and likely exploit paths
  • A clearer understanding of where controls are weak
  • Better linkage between technical findings and business systems

For many mid-sized healthcare organizations, this is still a major challenge. Asset inventories are incomplete, shadow IT exists, and medical device visibility may lag behind traditional endpoint visibility. Without that baseline, prioritization becomes guesswork.

Second, fortify the controls that sit between you and the outside world

If there is limited money for immediate control improvement, Spence advises putting it into the infrastructure that separates the organization from external threats.

In practice, that often means investing first in:

  • Firewalls and segmentation
  • Identity and access management
  • Multi-factor authentication
  • External access governance
  • Logging and alerting at major gateways

This advice aligns with what many incident reviews show: identity compromise and exposed external access paths remain among the most common and damaging entry points. Healthcare organizations often have a wide ecosystem of clinicians, contractors, business partners, and vendors connecting to systems. Identity is therefore not just an IT function; it is a primary control plane.

Third, do not underestimate the value of disciplined process

Spence makes an important operational point: even if an organization does not have best-of-breed tools, a well-defined and consistently followed process can still increase resistance to attack.

That is not an argument for underinvestment. It is a reminder that governance maturity matters. Basic disciplines such as account review, change control, access approval, incident escalation, and patch exception management often determine whether a known weakness becomes a major incident.

For resource-constrained teams, process maturity is one of the few risk reduction levers available without major capital expense.

AI in Healthcare Security: Powerful, Useful, and Easy to Misgovern

Healthcare is moving quickly on AI. That momentum is understandable. The sector is rich with administrative friction, documentation burden, coding complexity, and data-intensive workflows - all areas where AI can improve efficiency.

But Spence’s warning is timely: AI may be expanding faster than governance, especially around data provenance, data rights, and attack surface management.

The core AI security issue is not only the model

Too many AI risk conversations focus only on the model itself. The more practical concern is the surrounding data ecosystem:

  • What data is being used?
  • Who owns it?
  • Where is it stored?
  • What rights does the vendor have?
  • Is the data used for model training?
  • Can the organization audit usage and retention?
  • Does the workflow introduce new supply chain dependencies?

Healthcare organizations often adopt AI into clinical documentation, coding, analytics, operational support, and workflow automation. Each use case can create a new route for sensitive data to move outside traditional control boundaries.

That is why Spence highlights data provenance and availability as an underestimated risk area. If the data chain is weak, the AI layer inherits that weakness and may amplify it.

AI introduces new supply chain attack paths

One of the most important observations in the discussion is that attackers increasingly understand the value of going after data pipelines and adjacent AI supply chain components. That includes:

  • Data feeds
  • Integrations
  • APIs
  • Third-party hosted environments
  • Prompt-driven workflows
  • Embedded AI features inside existing software

The challenge is not simply "AI is risky." The challenge is that AI can make existing risk faster, broader, and harder to detect, especially when data moves across organizational or vendor boundaries.

Prompt injection deserves more executive attention

Spence also calls out prompt injection as a serious concern. While security teams know this issue well, many healthcare executives still treat prompt-based systems as low-risk convenience features.

That is a mistake.

If users upload documents, templates, or external content into AI systems, those materials may contain malicious instructions designed to manipulate outputs or trigger unintended behavior. In environments that connect AI functions to enterprise workflows, that risk grows significantly.

For healthcare organizations, the governance implication is straightforward: prompt-driven systems are not casual productivity tools when they touch protected, operational, or clinical information. They need controls, logging, review, and bounded use cases.

How Healthcare Organizations Can Reduce AI Data Risk

Spence outlines several practical principles that deserve wider adoption.

1. Practice data minimization

A simple but powerful idea: give AI systems only the least amount of data needed to perform the task.

That means evaluating whether the use case truly requires:

  • Full patient records
  • Direct identifiers
  • Broad operational datasets
  • Long-term retention
  • Cross-system data aggregation

Where possible, organizations should consider:

  • De-identified data
  • Synthetic data
  • Narrowly scoped task-specific datasets
  • Reduced data retention windows

This is not just a privacy issue. It is also a blast-radius issue. The less sensitive data exposed to an AI workflow, the smaller the consequence if something goes wrong.

2. Tighten contractual data rights

Spence strongly emphasizes vendor agreements, and with good reason. Many organizations are adopting AI features from vendors whose products existed long before AI became central to contract review.

Healthcare leaders should ensure agreements explicitly address:

  • Model training rights
  • Data ownership
  • Retention periods
  • Secondary use restrictions
  • Audit rights
  • Breach obligations
  • Subprocessor involvement

This is especially important in a market where many vendors now present themselves as AI-enabled, whether the underlying risk posture has materially changed or not.

3. Apply zero trust principles to AI environments

AI systems should not sit outside the organization’s broader security architecture. Spence argues that the same principles used for networks and identity should apply here too.

That includes:

  • No implicit trust
  • Identity-based access
  • Gateways with logging
  • Query controls
  • Metering and threshold monitoring
  • Segmented access to sensitive components

One particularly valuable point is the need to watch for unusual API or usage patterns. In an AI-enabled environment, abnormal volume may represent automation misuse, data scraping, or reverse engineering attempts that look superficially legitimate.

4. Continuously monitor for drift, misuse, and vendor behavior

AI systems should be treated as production systems, not one-time deployments. That means ongoing visibility into:

  • Model behavior changes
  • Usage anomalies
  • Data flow deviations
  • Vendor operational changes
  • Exposure introduced by new features

Healthcare organizations should also monitor whether vendors are using customer data in ways that increase privacy, compliance, or intellectual property risk. This is an area where many procurement and security teams remain undercoordinated.

The New Role of the Healthcare Security Leader

One of the strongest leadership messages in the interview is that healthcare no longer needs cybersecurity leaders who operate only as technical specialists or compliance enforcers.

That model is too narrow for a sector where digital systems are increasingly inseparable from care, operations, and growth strategy.

Security leadership now requires three forms of fluency

According to Spence’s framing, effective leaders must operate at the intersection of:

  • Business operations
  • Technology architecture
  • Security risk management

In healthcare, that often extends to clinical workflow awareness as well. Leaders do not need to practice medicine, but they do need to understand how technology decisions affect frontline care, scheduling, documentation, and patient throughput.

This is a major maturity shift. Security teams are most effective when they are involved at the beginning of product, platform, and operational planning - not brought in at the end to approve or reject a nearly finished initiative.

Why this matters for digitally connected healthcare

As healthcare becomes more interconnected, the security function increasingly influences:

  • Product design
  • Vendor selection
  • Data-sharing models
  • AI rollout governance
  • M&A integration
  • Clinical workflow digitization
  • Resilience planning

That requires a different leadership posture. The security leader must be able to explain tradeoffs, not merely identify risks. They must help the organization decide how to move forward safely, not only why something is dangerous.

How to Communicate Cyber Risk So the Business Acts on It

Security leaders often lose momentum not because the risk is unimportant, but because the language is disconnected from executive decision-making.

Spence’s recommendation is practical: translate technical risk into business terms tied to decisions the organization is already making.

For example:

  • If the organization is entering a new market, what security and privacy capabilities must exist to do so safely?
  • If a new digital product is launching, what is the cost of weak access controls or inadequate auditability?
  • If an acquisition is underway, what inherited third-party and identity risks must be assessed?
  • If cyber insurance costs are rising, which missing controls are directly influencing premium increases?

This approach changes cybersecurity from a parallel discussion into a core business planning input.

What executives respond to

The interview suggests three categories of messaging that tend to work well:

  1. Operational impact
    • Downtime risk
    • Care disruption
    • Workflow bottlenecks
    • Recovery complexity
  2. Financial impact
    • Premium increases
    • Revenue interruption
    • Duplicative spending
    • Remediation cost
  3. Governance impact
    • Privacy exposure
    • Compliance consequences
    • Contractual obligations
    • Third-party accountability

This is also where KPIs and outcome-based metrics become useful. Executives generally do not need a flood of threat taxonomy details. They need evidence that security investments are measurably lowering meaningful risk.

A Practical Starting Point for Mid-Sized Healthcare Organizations

The final part of the discussion is especially relevant for organizations with limited resources. Spence recommends three starting priorities, and they form a sensible minimum viable cyber program for many healthcare environments.

1. Conduct both a risk assessment and a capability assessment

These are related but not identical.

A risk assessment identifies major exposures and likely impact areas.

A capability assessment evaluates what tools, services, controls, and processes the organization already has in place.

This second step is often neglected. Organizations sometimes buy new tools before understanding whether current investments are overlapping, underused, or misaligned with the actual risk picture. In a constrained budget environment, that can be costly.

A combined review helps answer:

  • What are our biggest risks?
  • What controls already exist?
  • Where do we have duplication?
  • Which gaps are real versus perceived?
  • Which funds can be redirected?

For mid-sized organizations, this may be one of the fastest ways to improve efficiency while clarifying priorities.

2. Strengthen third-party risk oversight

Spence is right to elevate third-party risk near the top of the list. In healthcare, many mission-critical functions depend on outside entities:

  • Cloud providers
  • Billing and revenue cycle vendors
  • EHR and ERP partners
  • Medical device manufacturers
  • Data integration providers
  • AI vendors
  • Managed service providers

Each one can become an entry point or amplification point for cyber risk. And unlike internal systems, those environments are not directly controlled by the healthcare organization.

That means third-party risk management cannot stop at vendor questionnaires. It should include:

  • Clear contractual expectations
  • Ongoing monitoring
  • Defined escalation paths
  • Inventory of critical dependencies
  • Business continuity review
  • Evidence-based reassessment over time

For executives, this is not only a security concern. It is a resilience and governance concern.

3. Build and socialize an incident response playbook

Spence’s final recommendation may be the most operationally urgent: assume an incident will happen and prepare accordingly.

In healthcare, an incident response plan must be more than a technical checklist. It should clearly define:

  • Who declares the incident
  • Who owns technical containment
  • Who communicates with executives
  • Who contacts legal counsel
  • Who handles insurer notification
  • Who coordinates with affected business units
  • How clinical leaders are informed
  • How downtime workflows are triggered
  • When and how external reporting occurs

The best playbooks are practical, easy to access, and regularly reviewed. They should work during stress, not just in theory.

For healthcare organizations, especially those with patient-facing operations, incident response readiness is not optional. It is part of safe service continuity.

Strategic Implications for Healthcare Leaders

The discussion offers a useful corrective to several common mistakes in healthcare cybersecurity strategy.

Mistake 1: Treating modernization as optional hygiene

Legacy risk is not merely inconvenient technical debt. In healthcare, it can become an operational fragility multiplier. Organizations that defer modernization indefinitely should at least frame and manage the resulting exposure explicitly.

Mistake 2: Letting AI outpace governance

AI can accelerate efficiency, but unmanaged AI can also accelerate data leakage, vendor dependency, and new attack paths. Innovation without governance is not transformation; it is unmanaged exposure.

Mistake 3: Measuring security only through technical outputs

Patch counts, alert volumes, and severity ratings are necessary but insufficient. Executive decisions improve when risk is linked to patient safety, continuity, insurance costs, and business performance.

Mistake 4: Underestimating third-party concentration risk

Healthcare organizations often know their major vendors. They are less likely to understand the downstream dependencies, integrations, and data rights that create compound exposure.

Mistake 5: Waiting for the incident to define the process

In a sector where response delays can disrupt care, improvisation is too expensive.

Conclusion

Modern healthcare cybersecurity is not a race to eliminate every vulnerability. It is a discipline of making risk-informed decisions in an environment where patient care, legacy technology, AI adoption, and third-party dependence all collide.

Charles Spence’s perspective points toward a practical model: start with operational impact, modernize where risk is highest, use compensating controls where replacement is not feasible, govern AI at the data layer, and ensure security leadership is embedded in business strategy.

For healthcare executives, perhaps the most important shift is this: cyber maturity is no longer defined by how many tools an organization owns. It is defined by whether the organization can see its risk clearly, prioritize it intelligently, and continue serving patients safely when disruption occurs.

That is the standard modern healthcare security programs should be built to meet.

Source: "Navigating Cybersecurity Challenges in Modern Healthcare - Charles Spence" - TrollEye Security, YouTube, Jun 16, 2026 - https://www.youtube.com/watch?v=2G5FjQd3STc

Related Blog Posts