Why Cybersecurity in Healthcare Must Be a Clinical Conversation
- Shannon Lantzy

- Aug 12
Reflections from my conversation with Ed Gaudet, CEO of Censinet.
Listen to the episode on Spotify: https://open.spotify.com/show/0idCTXcel0SvjHLalRoxIl

Cybersecurity in healthcare has often been treated as a compliance task or an IT responsibility. That view is changing. Increasingly, cybersecurity is being recognized as part of the clinical and operational core of health systems.
In this episode of Inside MedTech Innovation, I spoke with Ed Gaudet, CEO and founder of Censinet, about why cybersecurity now directly affects patient care, what health systems are learning post–Change Healthcare, and how vendors can build trust by being transparent about risk.
Here are a few key ideas from our conversation:
Risk is Not Just Technical. It is Operational and Clinical
Timestamps: 00:00
Hospitals often face pressure to move quickly when a new clinical technology shows promise. But speed can introduce risk. A single software implementation can affect systems beyond its intended use, especially if security gaps exist.
As Ed puts it, the tradeoff is real. Cyber risk can lead to service disruption that impacts patient access. The question is not just whether a product works but whether the organization can operate safely with it in place.
Fragmentation Slows Risk Management
Timestamps: 05:45
In most industries, risk assessments are standardized. In healthcare, each hospital often creates its own set of risk questions. The result is inefficiency on both sides of the transaction. Vendors struggle to respond. Hospitals struggle to compare.
Censinet developed a shared framework and infrastructure to help both parties streamline this process. Standardization can reduce friction, clarify expectations, and allow teams to focus on managing risk instead of recreating assessments.
Change Healthcare Was a Tipping Point
Timestamps: 20:00
The 2024 ransomware attack on Change Healthcare disrupted financial and operational functions across a large segment of the U.S. healthcare system. Hospitals lost access to payment processing, faced staffing issues, and in some cases were unable to deliver timely care.
What stood out in our conversation was not just the scope of the incident but what it revealed: many organizations had limited visibility into the full role of third-party vendors in their operations. As digital infrastructure grows more complex, that gap in awareness becomes a risk in itself.
Risk is Dynamic, Not Static
Timestamps: 16:45
Too often, hospitals treat vendor risk as a box to check during procurement. But a vendor’s footprint can change over time. New features, integrations, or user behavior can introduce new risks.
Ed emphasized that hospitals need to look beyond procurement and adopt a lifecycle view of vendor risk. Risk assessment should be ongoing, not one-time. And it should account for how the product is actually used within the health system.
AI’s Role in Risk Management
Timestamps: 39:00
AI is already playing a role in streamlining parts of the risk assessment process. It can assist in collecting and organizing vendor data, highlighting inconsistencies, and helping teams focus on higher-risk areas.
But Ed is clear about the current limitations. AI is not a substitute for security expertise. It is a tool that can improve efficiency, especially when resources are limited.
Building Trust Without Overpromising
Timestamps: 34:00
One of the most important parts of our discussion focused on trust. Ed shared that in Censinet’s early days, the company was transparent about what it had in place and what still needed development. That honesty, he said, helped build long-term relationships with customers.
The takeaway here is simple. Security programs do not have to be perfect. But they do have to be clear, well-documented, and open to scrutiny. That transparency can be a differentiator in a crowded and often opaque vendor market.
What Needs to Change
Timestamps: 44:00
To close the episode, I asked Ed what changes he would make across three dimensions: hospitals, vendors, and public policy.
His answers were grounded:
- Hospitals should stop deferring process improvements because of internal change fatigue.
- Vendors should use their security posture as a differentiator, not just a compliance requirement.
- Policymakers should create incentives that support small and rural hospitals in adopting better security practices.
Final Reflections
Timestamps: 53:00
Cybersecurity is now tied to patient safety, system resilience, and operational continuity. That reality requires different conversations at every level—technical, clinical, and administrative.
This episode is a useful starting point for anyone evaluating health technologies, designing policy, or managing vendor relationships. It’s also a reminder that digital transformation cannot succeed without trust and risk transparency built in.
Listen to the full episode: https://open.spotify.com/show/0idCTXcel0SvjHLalRoxIl
To stay updated on new episodes, follow me on LinkedIn or visit shannonlantzy.com. If you have thoughts or experiences to share on this topic, I’d welcome the conversation.
This content was repurposed from the original podcast discussion by a genAI prompt.


