Empower Your Cybersecurity: 6 Proven Tactics for Healthcare Leaders


By CereCore Media Coverage | Aug 29, 2025

3 minute read | Technology | CereCore News | IT Strategy

This episode was originally published on the Becker's Healthcare Podcast as “Building Cyber Resilience in Healthcare: Key Strategies with Tommy West of CereCore”.

In a recent episode of the Becker’s Healthcare Podcast, Tommy West, Enterprise Fellow in Security Architecture at CereCore, explored how healthcare organizations can build a resilient cybersecurity posture in today’s complex landscape. 


As digital transformation rapidly grows across healthcare, so do the risks. From remote work and cloud migration to API-driven data exchange and connected medical devices, the traditional network perimeter is no longer a reliable defense. Tommy shared actionable strategies that healthcare leaders can implement to stay ahead of evolving threats, while keeping patient care at the forefront. 

6 Key Focus Areas for Healthcare Cybersecurity
  1. Prioritize the Human Element
    Despite technological advances, many breaches still stem from human error. Tommy recommends:
  • Continuous Adaptive Training: Replace annual compliance modules with microlearning, gamification, and phishing simulations tailored to current threats.
  • Speak-Up Culture: Empower employees to report suspicious activity through clear, accessible channels, and reward proactive security behavior.
  • Privileged Access Management: Limit administrative access to only what’s necessary and enforce strong authentication for privileged accounts.
  2. Tailoring Cybersecurity to Unique Organizational Needs
    Cybersecurity strategies must align with each organization’s clinical workflows, regulatory environment, and operational realities. Tommy emphasized, “it really starts and ends with delivering patient care.” Here’s what you can focus on:
  • Clinical Continuity First: Cyber incidents can disrupt surgeries, patient monitoring, and medication dispensing. Conduct clinical impact assessments and prioritize controls that protect patient care systems such as PACS machines and infusion pumps.
  • Involve Clinicians in Planning: Include clinical staff in incident response planning so that strategies reflect real-world care delivery.
  • Regulatory Nuance: Account for HIPAA, GDPR, CCPA, and other data regulations. Understand where data resides (on-premises, in the cloud, or hybrid) and who has jurisdiction over it.
  • Data Governance: Implement data mapping and classification schemes, and use governance tools to track data flows and ensure compliance.
  3. Operational Resilience Beyond IT
    Downtime in healthcare isn’t just a revenue issue; it can be life-threatening. Tommy recommends:
  • Disaster Recovery Integration: Extend business continuity planning beyond IT to include clinical operations, physical facilities, and supply chain resilience. Learn more about disaster recovery for your MEDITECH EHR.
  • Immutable Backups and Offsite Vaults: Use these technologies to enable rapid recovery in the event of a breach or outage.
  4. Vendor Risk Management
    Healthcare organizations rely heavily on third-party vendors, each representing a potential attack vector. Tommy advises:
  • Comprehensive Risk Programs: Go beyond questionnaires. Require independent audits (e.g., SOC 2 Type II), strong security clauses, and right-to-audit provisions.
  • Medical Device Transparency: Demand bill of materials (BOM) disclosures and patching commitments from device manufacturers.
  5. Managing Medical Device Risks
    Medical and connected devices are often underestimated but pose significant vulnerabilities. “You can't protect what you don't know that you have,” said Tommy. His key best practices:
  • Comprehensive Device Inventory: Maintain a dynamic, continuously updated inventory of all connected devices, including contextual attributes such as IP address, OS, firmware version, and network connectivity.
  • Network Segmentation: Isolate legacy devices that can’t be patched. Use microsegmentation to limit each device’s communication to only what’s necessary.
  • Vulnerability Management: Work closely with manufacturers to understand patching capabilities, and monitor security advisories.
  • Behavioral Monitoring: Use specialized IoMT security platforms to passively monitor device behavior and network traffic for anomalies, such as connections to unusual external IPs or unauthorized data flows. Integrate alerts into centralized logging systems for faster incident response.
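The inventory, segmentation and behavioral-monitoring practices above can be joined into one check: flows observed on the network are evaluated against the device inventory and each device's permitted destinations, and every violation becomes a structured alert for the central log. This is an added illustration, not CereCore's or any IoMT platform's code; the inventory, address ranges, flow-record format and device names are all constructed for the example.

```python
import ipaddress
import json
import re

# Constructed inventory of hypothetical devices keyed by IP: the contextual attributes the
# post lists, plus the destination CIDRs each device's segmentation policy permits.
INVENTORY = {
    "10.20.1.15": {"id": "infusion-pump-07", "os": "embedded-linux", "fw": "3.2.1",
                   "allowed": ["10.20.5.0/24"]},                    # pump server VLAN only
    "10.20.2.40": {"id": "pacs-modality-02", "os": "windows-embedded", "fw": "n/a",
                   "allowed": ["10.20.5.0/24", "10.20.6.0/24"]},    # PACS and DICOM router
}
ORG_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: the hospital's address space

# Constructed flow records in a simple key=value format (not any vendor's real log).
FLOW_LINES = [
    "ts=2025-08-29T10:00:01Z src=10.20.1.15 dst=10.20.5.2 dport=443 proto=tcp",
    "ts=2025-08-29T10:00:07Z src=10.20.1.15 dst=198.51.100.23 dport=443 proto=tcp",
    "ts=2025-08-29T10:00:09Z src=10.20.2.40 dst=10.20.6.10 dport=104 proto=tcp",
    "ts=2025-08-29T10:00:11Z src=10.20.1.15 dst=10.20.6.10 dport=104 proto=tcp",
    "ts=2025-08-29T10:00:12Z src=10.20.9.77 dst=10.20.5.2 dport=22 proto=tcp",
]
FLOW_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")

def allowed_destination(device, dst):
    """True if dst falls inside one of the device's permitted CIDRs."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(cidr) for cidr in device["allowed"])

def evaluate_flows(inventory, lines):
    """Return one alert per flow that violates the inventory or segmentation policy."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue                         # unparseable record: skip it, never crash
        ts, src, dst, dport, proto = m.groups()
        device = inventory.get(src)
        if device is None:                   # traffic from an IP nobody inventoried
            alerts.append({"ts": ts, "src": src, "dst": dst, "reason": "unknown_device"})
        elif not allowed_destination(device, dst):
            dst_addr = ipaddress.ip_address(dst)
            external = not any(dst_addr in net for net in ORG_NETS)
            alerts.append({"ts": ts, "src": src, "device": device["id"], "dst": dst,
                           "dport": int(dport), "proto": proto,
                           "reason": "external_destination" if external else "segment_violation"})
    return alerts

def to_siem_lines(alerts):
    """Serialise alerts as JSON lines for forwarding to a central logging platform."""
    return [json.dumps(a, sort_keys=True) for a in alerts]
```

Running `to_siem_lines(evaluate_flows(INVENTORY, FLOW_LINES))` yields three alerts: the pump reaching an address outside the hospital range, the pump talking to a VLAN its policy does not allow, and a source IP that is missing from the inventory entirely.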

Interested in more about medical device risk management? Check out our blog, What Makes Medical Device Risk Management Healthcare's Most Interesting Opportunity

  6. Communicating Cybersecurity to Leadership
    To gain buy-in from boards and governance committees, CIOs must translate cybersecurity into business language. Tommy recommends:
  • Shift the Narrative: Position cybersecurity as an enabler of patient care and operational resilience, not just a cost center.
Key Metrics to Present to Leadership:
  • Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR): Show trends over time to demonstrate improved visibility and response capabilities.
  • Quantified Risk Posture: Map cyber risks to business processes and critical assets. Highlight the top risks and their potential financial, safety, and reputational impacts.
  • Security Control Effectiveness: Share metrics such as patch compliance rates, MFA adoption, phishing simulation results, and intrusion prevention statistics.
  • Incident Response Readiness: Report on tabletop exercises, remediation progress, and identified gaps to show proactive planning and continuous improvement.

Tommy closed with the reminder, “focus on the fundamentals”. Strong authentication, encryption, vulnerability management, and continuous monitoring remain the backbone of effective cybersecurity. Demonstrating these fortification strategies to organizational leadership will earn more support and emphasis for what matters most: patient care.


About the Author:
CereCore Media Coverage

CereCore Media Coverage shares insights and expertise from its
