
Cybersecurity Best Practices and Strategies Webinar [PODCAST]


In this episode, Jason Nadal, BESLER’s Information Security Officer, and Eric Englebretson, BESLER’s Director of IT, provide us with a glimpse into BESLER’s next free webinar, Cybersecurity Best Practices and Strategies, hosted live on Wednesday, October 8, at 1 PM ET.



Highlights of this episode include:

  • Why building a security aware culture is so critical in healthcare
  • Is meeting HIPAA requirements enough?
  • What is Zero Trust?
  • How hospitals are keeping up
  • How to prepare for Ransomware
  • Third party risk

Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. We’re pleased to welcome back two of our amazing IT leaders, Jason Nadal, BESLER’s Information Security Officer, who has led BESLER through getting its products HITRUST certified, and Eric Englebretson, BESLER’s Director of IT, who crushes IT threats with his mighty beard and award-winning attitude towards life. In this episode, Jason and Eric will provide us with a glimpse into BESLER’s next free webinar, Cybersecurity Best Practices and Strategies, that we’re hosting live on Wednesday, October 8, at 1 PM Eastern Time. Welcome back and thanks for joining us, Jason and Eric.

Jason Nadal: Thanks, Kelly. It’s great to be here.

Eric Englebretson: I’m glad to join the conversation.

Kelly: All right, well, let’s go ahead and jump in. So, we’re diving into a topic that’s never been more urgent, cybersecurity and healthcare. With record-breaking breaches and rising costs, how can healthcare leaders stay ahead of cyber threats in 2025? Let’s start with the human side. Jason, why is building a security-aware culture so critical in healthcare?

Jason: Well, it’s huge, Kelly. Human error is still the number one risk. Phishing emails, social engineering. These are how most breaches start. Even the biggest attacks like the Anthem breach began with just a single click. We’ve learned that ongoing practical training and a culture of vigilance are essential. And it’s not just about IT; it’s about every single staff member from the front desk to the C-suite. They have to feel empowered to question anything suspicious. You need to foster that culture, practice the activities, and give out kudos to encourage others to do the same.

Eric: Your people are your human firewall. Hospitals that invest in regular training and that culture of vigilance that Jason mentioned, see a real reduction in successful attacks. It’s about making security second nature.

Kelly: Yeah, and you guys do a great job here at BESLER, helping us really stay super aware of that. Eric, compliance is a big buzzword, but is meeting HIPAA requirements enough?

Eric: I wish it was, but just anymore, it is not. Compliance is really just a starting point. The attackers are getting smarter and the regulations just can’t keep up with the pace of every new threat. The best organizations have to go beyond the minimum. You’ve got to encrypt your sensitive data. You have to use frameworks like NIST or HITRUST. And again, you have to foster a culture where compliance is seen as protecting patients and not just avoiding fines.

Jason: And you really don’t want to learn that the hard way. You want to learn without having to do that. Passing that HIPAA audit is not going to stop a ransomware attack. Treat compliance as just the baseline, the floor, not the ceiling.

Kelly: No, I completely agree. I mean, HIPAA is important, but there’s a lot more going on there. So, let’s switch gears a little bit. Let’s talk about Zero Trust. Jason, what does that mean in practice?

Jason: Well, Zero Trust is great. I mean, it gives you a baseline into how you should set your mind to thinking about security. So, Zero Trust means that you don’t trust anything by default, not even your own staff or your own devices. Every single access is verified and everyone only gets the permissions that they need. At BESLER, we’ve implemented multi-factor authentication everywhere that’s feasible, and we regularly review who has access to what. We’re continuing to implement more Zero Trust principles every day, but working towards Zero Trust is a mindset shift. It’s helping us prevent insider threats and helps safeguard us from external threats.

Eric: And it’s not just about people. Network segmentation and continuous monitoring are key components as well. If something looks off like a user downloading an anomalous amount of data at 2:00 AM, the system should flag it. It’s really about alerting as soon as possible and then minimizing the damage if someone does get in.

Kelly: Yeah, that makes a lot of sense. So, Eric, cyber threats are becoming more sophisticated. How are hospitals keeping up? I mean, is it even possible to keep up?

Eric: It is tough, but right here, I think we do have something that is a little bit of a game changer and that something is AI. I know that we hear a lot about AI as a buzzword, but here it actually does provide a lot of value. So, you’ve got modern tools like EDR, endpoint detection and response, and add on top of that XDR, extended detection and response. And those can spot unusual behavior across your network and respond in real time. They use AI to flag a phishing email on a rogue device before it causes damage. But unfortunately, what we’re also seeing is that the attackers are using AI too. So, it’s a bit of an arms race. The key here, I think, is to invest in advanced detection and response. And if you don’t have the resources, partner with vendors who do. There are a number of vendors that offer those services as kind of a turnkey out of the box type of thing that if you don’t have the staff, they’ll provide that sort of help for you.

Jason: Yeah, I’ll add on to that a bit. So, these AI-driven monitoring systems that Eric is referring to… they can help stop your breaches before they start. So, you’ll use them to potentially catch zero-day exploits in progress, something that the old-school antivirus programs would miss, the ones that are based off of signatures. You may have seen similar behavior in other systems to prevent activities like large-scale encryption. We see that sometimes when ransomware is being prevented when a suspicious number of files are suddenly being encrypted, for example. It’s also key to be able to identify how AI is being used and can itself be exploited as an attack vector. So be cognizant of both the positives of AI and how it can help you, as well as the attack vectors from some of these AI things that are out there.

Kelly: Yeah, thank you for sharing that with us. Ransomware is still headline news. Jason, how do you prepare for the worst?

Jason: Well, preparation is certainly everything. There’s a laundry list of things you can do to be in that mindset of preparation. First and foremost, you need to keep offline backups because if something does go wrong, you’ll need to be able to eventually bring your environment back up. You’ll want to run regular incident response drills and make sure every department knows what to do if systems go down, not just those people necessarily in your tech services departments, but everyone from your back office people all the way up to your C-suites. So, it’s not just about IT either. It’s about keeping patient care going, even if you have to go back to paper for a few days, as we’re seeing a lot of organizations are doing. I can’t emphasize enough that the healthcare organizations that recover faster are the ones that plan and practice how to recover.

Eric: And you can’t forget communications. Staff, patients, and even law enforcement need to know what’s happening. The goal is to respond calmly and effectively, not to panic.

Kelly: Yeah. Easier said than done, right? [laughter] So finally, let’s talk about third party risk. Eric, why is this such a big deal now?

Eric: Yeah, that’s a huge area that we’ve seen even within the last week with what’s called supply chain attacks. Ultimately, your security is only as strong as your weakest vendor. Over half of the recent breaches involve third parties, things like cloud providers, device makers, even HVAC contractors, which is how the Target breach started a while back. You really have to rigorously vet your partners, require strong security controls, and monitor them continuously. And don’t forget medical devices. Those can often be kind of a soft underbelly of hospital networks that are kind of low-hanging fruit or easy to attack.

Jason: That’s right. And you’ll want to vet those partners upfront and then regularly after that, so you can make sure that they’re still adhering to your internal policies. We include vendors in our incident response drills. If they go down, it can impact our organization just as much as if we’re hit directly. In fact, supply chain attacks are seen as the easiest path to get a foot in the door of your organization, after which an attacker can exploit that trust to gain further access into your systems and data.

Kelly: Well, thank you for sharing that with us. And I know this has been a whirlwind discussion of the biggest cybersecurity challenges and opportunities facing healthcare in 2025. If you want to dive deeper, join us for our upcoming webinar, Cybersecurity Best Practices and Strategies, that we’re presenting live on Wednesday, October 8, at 1 PM Eastern Time. And we will break down each of these strategies in more detail. Thanks again, Jason and Eric.

Jason: Don’t miss it. Cybersecurity is a journey, not a destination.

Eric: That’s one we all need to take together. We’re all links in the same chain.

Kelly: Well, stay safe and vigilant, everyone. We will see you at the webinar, and thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…

[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.com/podcasts. The Hospital Finance Podcast is a production of BESLER | SMART ABOUT REVENUE, TENACIOUS ABOUT RESULTS.

 

If you have a topic that you’d like us to discuss on the Hospital Finance podcast or if you’d like to be a guest, drop us a line at update@besler.com.
