Cybersecurity at ViVE Podcast

Compliance Isn’t Security: The Biggest Cybersecurity Myth in Healthcare (HITRUST Explained)

23 min · 1 April 2026

Description

In this episode of the Cybersecurity at ViVE series on The Beat Podcast, host Sandy Vance sits down with Shreesh Bhattarai [https://www.linkedin.com/in/shreesh-bhattarai-cisa-ccsk-hitrust-ccsfp-chqp-5a052837/], Director of HITRUST at A-LIGN [https://www.a-lign.com/], for a candid and practical conversation about one of the most misunderstood topics in healthcare cybersecurity. With nearly a decade of experience building one of the highest-volume HITRUST assessment practices in the market, Shreesh breaks down the difference between checking a compliance box and actually being secure, walks through the three levels of HITRUST certification, and shares what organizations need to do right now to prepare for an AI-driven future. Whether you are just starting your compliance journey or managing nine certifications with a team of five, this episode has something for you.

In this episode, they talk about:

* Compliance is the baseline, not the finish line, and treating it as a once-a-year exercise is a serious mistake
* The biggest risk in compliance is not failing the audit, but passing it while still being insecure
* HITRUST has three certification levels: E1 (crawl), I1 (walk), and R2 (marathon)
* Organizations should choose the certification that matches their risk profile, not just go for the biggest one
* The best audits are boring because everything is already embedded in day-to-day operations
* HITRUST's "audit once, report multiple times" approach eliminates duplicative work across frameworks
* AI governance plans are no longer optional; shadow AI is a real and growing risk
* HITRUST now offers an AI cybersecurity assessment to help organizations put guardrails around AI use

A Little About Shreesh: Shreesh Bhattarai is Director and HITRUST Practice Lead at A-LIGN, where he works at the intersection of cybersecurity assurance, regulatory pressure, and business growth. Since 2017, he has led more than 500 HITRUST certifications and assessments across healthcare, digital health, and high-growth technology organizations. Shreesh partners directly with CEOs, CISOs, and executive teams navigating increasing scrutiny from regulators, customers, and third parties. He is known for challenging the “check-the-box” compliance mindset and reframing HITRUST as a strategic trust mechanism, one that strengthens security posture, accelerates enterprise sales, and reduces third-party risk friction. He leads a national team of security professionals within A-LIGN’s HITRUST practice and regularly speaks on the evolution of compliance in healthcare at forums including ViVE, Health and HITRUST Collaborate. Prior to A-LIGN, he was part of the audit practice at Ernst & Young, focusing on SOX 404 and SOC engagements.


All episodes

8 episodes

Trust, Verify, Repeat: Securing Healthcare in the Age of AI Voices

For years, healthcare organizations focused on securing digital channels while treating phone calls as a trusted service channel. That assumption no longer holds true. In this episode, Sandy sits down with Jason Barr [https://www.linkedin.com/in/jasonpbarr/], the Vice President of Strategic Sales for Healthcare at Pindrop [https://www.pindrop.com/?utm_source=chatgpt.com], who explains how AI-powered voice cloning, deepfakes, and synthetic identities are transforming the cybersecurity landscape. Jason shares how healthcare organizations can defend against AI-driven fraud, verify identity in real time, and protect patients, providers, and employees in a world where even a familiar voice may not be what it seems.

In this episode, they talk about:

* AI has transformed the phone from a trusted service channel into a rapidly growing cybersecurity threat vector for healthcare organizations.
* Cybercriminals can now use AI-powered tools to launch thousands of voice-based attacks per day, dramatically increasing the scale and efficiency of fraud attempts.
* Many attackers use voice channels not for immediate theft, but for reconnaissance, collecting sensitive information that can later be used to target providers, payers, and patients.
* Traditional identity verification methods such as knowledge-based questions and one-time passcodes are becoming increasingly vulnerable to modern fraud tactics.
* Continuous identity verification is emerging as a new security model that validates users throughout an interaction rather than only at the point of authentication.
* Pindrop analyzes thousands of signals during voice interactions to determine whether a caller is who they claim to be, whether they pose a risk, and whether they are even human.
* Healthcare organizations are facing a growing challenge in distinguishing between legitimate automation and malicious AI-powered bots.
* Deepfake technology is now sophisticated enough to mimic both voices and video, creating new risks across hiring, workforce management, and patient-facing operations.
* Help desks and support centers remain attractive targets because attackers often use social engineering tactics to pressure employees into resetting credentials.
* Voice-based security solutions can reduce fraud while simultaneously improving operational efficiency and the customer experience.
* One healthcare organization achieved a 90% reduction in fraud after implementing voice authentication and risk detection technology.
* Healthcare leaders must begin evaluating voice security as part of their broader cybersecurity strategy, as AI-enabled attacks continue to grow at an unprecedented pace.

A Little About Jason: As a West Point graduate and former U.S. Army Officer, Jason brings the operational rigor, discipline, and leadership foundation of combat-tested command into the boardroom and the GTM arena. He thrives where GTM transformation is mission-critical: aligning strategy to investor outcomes, building high-performing teams, and delivering predictable growth.

10 June 2026 · 22 min

Security vs. Convenience: Can Healthcare Have Both?

Workforce security in healthcare is no longer just about compliance; it’s about creating a seamless, secure digital experience for employees and patients. In this episode, host Sandy Vance chats with Chandramouli Dorai [https://www.linkedin.com/in/chandramoulidorai?originalSubdomain=in], Chief Evangelist - Cybersecurity Solutions and Digital Signatures at Zoho.com [http://zoho.com]. Together they explore how password management, secure browsers, multi-factor authentication (MFA), identity and access management (IAM), and identity verification in document signing all come together to build a zero-trust, future-ready healthcare workforce. Healthcare organizations are under constant pressure to strengthen cybersecurity without slowing down clinicians and staff.

In this episode, they talk about:

* Healthcare organizations face a constant challenge in balancing strong cybersecurity protections with the need for convenience and productivity.
* Weak and reused passwords remain one of the most common vulnerabilities across organizations, despite years of awareness efforts.
* The 2024 Change Healthcare cyberattack demonstrated how a single account without multi-factor authentication can lead to massive data breaches and operational disruption.
* Employees often disable or avoid MFA because they perceive it as adding friction to their daily workflows.
* Modern authentication strategies must tightly integrate password management, single sign-on, and MFA to reduce friction while improving security.
* Passwordless authentication methods such as passkeys, Face ID, and Touch ID are helping organizations improve both security and user experience.
* Organizations adopting passwordless authentication are seeing measurable reductions in login time and increased user adoption.
* Identity and access management platforms can enforce role-based and time-based access controls to reduce unnecessary exposure to sensitive systems.
* AI-powered behavioral analytics can detect suspicious login activity and help organizations respond more quickly to threats.
* Secure onboarding and offboarding processes are critical for protecting healthcare data and preventing unauthorized access.
* Many healthcare organizations still operate in complex legacy environments, making interoperability and integration essential for workforce security solutions.
* CIOs should approach AI adoption strategically by first understanding their current environment, educating users, and implementing changes in phases.

A Little About Mouli: Chandramouli Dorai (Mouli) is the chief evangelist for cybersecurity solutions and digital signatures at Zoho Corporation. Mouli brings over 12 years of experience leading marketing and product strategy at Zoho. He carries an active interest in topics like workforce productivity, security, trust, and compliance, often sharing his thoughts and expertise on social media platforms like X and LinkedIn.

“The greatest example is the 2024 Change Healthcare breach, which happened because of one compromised account. That one account lacked multi-factor authentication, which was a loose end, and the attacker was able to get into the network and get away with millions of confidential records. The major problem is the trade-off between security and convenience.”

27 May 2026 · 20 min

Rethinking Network Defense in Healthcare

Cybersecurity in healthcare isn’t just about keeping attackers out anymore. It’s about what happens after they get in. In this episode, Chris Boehm [https://www.linkedin.com/in/chrisboehmii/], Field CTO of Zero Networks [https://zeronetworks.com/], breaks down how organizations can move toward “Zero Trust” without disrupting clinical operations. From legacy systems and third-party access to the growing risks of AI, Chris shares how visibility, identity-based segmentation, and smarter automation are helping healthcare organizations stay secure while keeping care moving. As healthcare organizations struggle to secure complex environments and protect sensitive patient data, it’s time to prioritize resilience over reactive strategies. Learn how healthcare teams can proactively reduce attack surfaces and build self-defending networks that keep critical operations running, even during active cyber incidents.

In this episode, they talk about:

* Traditional perimeter-based security is no longer enough to protect healthcare organizations from modern cyber threats.
* The industry is shifting from a focus on preventing breaches to a focus on containing them once they occur.
* “Zero Trust” in practice means continuously verifying identity and controlling access rather than assuming anyone inside the network is safe.
* Identity-based segmentation plays a critical role in reducing risk without disrupting day-to-day workflows.
* Healthcare organizations face a unique challenge in balancing strong security measures with the need to maintain seamless clinical operations.
* Most organizations achieve only partial network segmentation, which leaves gaps that attackers can exploit.
* Solutions like those from Zero Networks enable full segmentation while still allowing normal business and clinical activities to continue.
* AI tools introduce new risks by potentially accessing more data than intended, especially without proper oversight.
* A lack of visibility into network activity remains one of the biggest gaps in modern cybersecurity strategies.
* Organizations must begin preparing now for upcoming regulatory changes, including evolving HIPAA requirements.
* Real-world challenges such as workforce turnover and limited IT resources make implementing and maintaining security even more complex.

A Little About Chris: Chris is the Field Chief Technology Officer at Zero Networks, leading security strategy and revenue alignment globally. He drives enterprise growth by connecting customer realities to product, go-to-market, and executive decision-making across complex, high-value enterprise pursuits. He specializes in Zero Trust architecture, identity-based microsegmentation, and lateral movement prevention, helping organizations reduce risk while enabling scale and operational resilience. He has also held leadership roles at SentinelOne during its post-IPO growth to ~$800M ARR and at Microsoft, contributing to the early adoption and enterprise scaling of security platforms such as Azure Sentinel. Chris has also advised CISOs and executive teams on security strategy, risk, and transformation, translating complex challenges into measurable business outcomes.

13 May 2026 · 24 min

Compliance Isn’t Security: The Biggest Cybersecurity Myth in Healthcare (HITRUST Explained)

1 April 2026 · 23 min

Why Healthcare Organizations Are Losing the Cyber War (and How to Fight Back)

In this episode, host Sandy Vance sits down with Gary Salman [http://linkedin.com/in/garysalman], CEO and co-founder of Black Talon Security [https://www.blacktalonsecurity.com/], for a passionate and informative conversation about the growing ransomware crisis in healthcare. With over 30 years in health tech and a background as a part-time law enforcement captain, Gary brings a unique perspective to cybersecurity, drawing parallels between street-level crime and digital attacks. Whether you lead a large hospital system or a small specialty practice, this episode is packed with practical insights on how to assess your cyber risk, respond to an active breach, and build a culture of leadership accountability before disaster strikes.

In this episode, they talk about:

* About 90% of breached healthcare organizations end up paying the ransom
* Small practices are just as targeted as large health systems, especially those with strong insurance policies
* Lack of visibility across the full attack surface is the most common security blind spot
* Continuous Threat Exposure Management (CTEM) is replacing outdated point-in-time assessments
* Known Exploited Vulnerabilities (KEVs) are a primary attacker entry point, yet most organizations patch them too slowly
* AI is helping hackers build malicious tools faster and with less technical skill
* During a breach, deciding how quickly to shut down the network is the most critical early call
* Most IT providers never deliver a documented risk report to leadership, leaving executives in the dark
* Gary's cyber risk grading tool gives non-technical leaders a real-time security score per facility
* Documented, improving risk scores can reduce regulatory penalties after a breach
* Most ransomware attacks are preventable with proper patching, configuration, and monitoring

A Little About Gary: Gary Salman is the CEO and Co-Founder of Black Talon Security, a leading innovator in cybersecurity solutions for healthcare. With an impressive 32-year career in healthcare technology, Gary is both a seasoned security expert and a visionary. In the late 1990s, he developed one of the earliest cloud-based dental practice management systems, which was acquired by a publicly traded company in 2002. Gary also has a unique background, as he is still actively involved in law enforcement as a Deputy Sheriff. Under his leadership, Black Talon monitors and secures approximately 65,000 devices worldwide. The company provides cybersecurity services to a wide range of clients, from small practices to some of the largest healthcare organizations in the United States, including many of the top 20 Dental Service Organizations (DSOs). As a respected authority in his field, Gary is a frequent lecturer at major national dental association meetings. Black Talon's services are endorsed by numerous state and national associations, affirming his expertise and influence. His work has been highlighted in over 100 prestigious dental and medical publications, reinforcing his status as a thought leader in healthcare cybersecurity. Gary has also trained tens of thousands of healthcare professionals on best practices for securing their practices and clinics. Beyond preventative measures, Black Talon also specializes in cyberattack remediation, successfully guiding hundreds of healthcare organizations through recovery from security breaches. Their expertise is often enlisted by leading law firms and cyber insurance carriers, underscoring their prominence in the field.

18 March 2026 · 24 min
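The KEV point in the Black Talon episode (known exploited vulnerabilities are the attacker's preferred way in, and most organizations patch them past the deadline) is the one concrete technique on this page, so here is an added example of what "patch KEVs first, and prove it per facility" looks like in code. This is not code from the episode, from Black Talon, or from Gary's grading tool. It joins a vulnerability-scanner export against a catalog in the same JSON shape as CISA's Known Exploited Vulnerabilities feed (the field names cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse are the real feed's), flags entries past their remediation due date, and rolls the result up per facility. The catalog excerpt, the scanner rows, the facility and host names and the CVE IDs are constructed placeholders, not real vulnerabilities.

```python
"""
KEV-overdue check: which assets carry a CVE that is on a KEV-style catalog,
and how far past the catalog's remediation due date are they?

Constructed example. The catalog below mimics the CISA KEV JSON layout but
its entries and CVE IDs are placeholders, not real catalog data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed (real field names,
# placeholder contents).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV excerpt (placeholder data)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "ExampleVPN authentication bypass (placeholder)",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "vulnerabilityName": "ExampleMail remote code execution (placeholder)",
         "dateAdded": "2026-03-01", "dueDate": "2026-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "ImagingViewer",
         "vulnerabilityName": "ImagingViewer path traversal (placeholder)",
         "dateAdded": "2026-03-20", "dueDate": "2026-04-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one row per (facility, host, open CVE).
SAMPLE_SCAN = [
    {"facility": "Clinic-A", "host": "vpn-gw-1", "cve": "CVE-0000-0001"},
    {"facility": "Clinic-A", "host": "mail-1",   "cve": "CVE-0000-0002"},
    {"facility": "Clinic-B", "host": "pacs-1",   "cve": "CVE-0000-0003"},
    {"facility": "Clinic-B", "host": "ws-17",    "cve": "CVE-0000-9999"},  # not in the catalog
]

# Reporting date used for the sample run (constructed).
AS_OF = date(2026, 4, 1)


@dataclass(frozen=True)
class Finding:
    facility: str
    host: str
    cve: str
    product: str
    due: date
    days_overdue: int   # negative while still within the remediation window
    ransomware: bool    # catalog says the CVE is used in ransomware campaigns


def load_kev(raw: str) -> dict[str, dict]:
    """Index a KEV-format JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def kev_findings(scan: list[dict], kev: dict[str, dict], today: date) -> list[Finding]:
    """Join scanner rows to the catalog; only catalog-listed CVEs are kept.

    Sorted most urgent first: ransomware-linked entries, then by how far past
    the due date they are. CVEs not in the catalog are still vulnerabilities,
    just not the attacker-favoured class this report prioritises.
    """
    out: list[Finding] = []
    for row in scan:
        entry = kev.get(row["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        out.append(Finding(
            facility=row["facility"], host=row["host"], cve=row["cve"],
            product=f'{entry["vendorProject"]} {entry["product"]}',
            due=due, days_overdue=(today - due).days,
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    out.sort(key=lambda f: (not f.ransomware, -f.days_overdue, f.cve))
    return out


def overdue(findings: list[Finding]) -> list[Finding]:
    """Findings whose catalog due date has already passed."""
    return [f for f in findings if f.days_overdue > 0]


def facility_rollup(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-facility counts a non-technical owner can read at a glance."""
    roll: dict[str, dict[str, int]] = {}
    for f in findings:
        r = roll.setdefault(f.facility, {"kev_open": 0, "kev_overdue": 0, "ransomware_linked": 0})
        r["kev_open"] += 1
        r["kev_overdue"] += int(f.days_overdue > 0)
        r["ransomware_linked"] += int(f.ransomware)
    return roll


if __name__ == "__main__":
    findings = kev_findings(SAMPLE_SCAN, load_kev(SAMPLE_KEV_JSON), AS_OF)
    for f in findings:
        state = "OVERDUE" if f.days_overdue > 0 else "within window"
        tag = "  [ransomware]" if f.ransomware else ""
        print(f"{f.facility:9} {f.host:9} {f.cve}  {f.product:26} {state} ({f.days_overdue:+d}d){tag}")
    print(facility_rollup(findings))
```

Swapping SAMPLE_KEV_JSON for the real feed and SAMPLE_SCAN for a scanner export gives a report that answers the question the episode says leadership rarely gets: not "how many vulnerabilities do we have" but "how many of the ones attackers are actually using are past their deadline, and where". Tracking the kev_overdue count per facility over time is the kind of documented, improving record the episode describes.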