
How AI and Third-Party Risk Are Transforming Healthcare Cybersecurity with Ed Gaudet - Part II

Podcast

About This Episode

Welcome back to the To the Point Cybersecurity Podcast! In this week’s episode, hosts Rachael Lyon and Jonathan Knepher continue their engaging conversation with Ed Gaudet, CEO and founder of Censinet, as they dive even deeper into the evolving world of risk management in healthcare and beyond. Ed unpacks the complex landscape of AI adoption, from ambient listening in clinical settings to the delicate balance of technological innovation and patient safety. The discussion covers the limitations of current risk ratings, the continuous nature of cyber threats, and why traditional approaches—like static audits and certification “scorecards”—fall short in today’s rapidly changing environment. 

Ed also shares his vision for a future framework similar to GAAP for cybersecurity, emphasizes the critical importance of board-level leadership, and explores the challenges of fostering true transparency in risk reporting. With insights that span from technical to strategic, this episode is packed with practical takeaways for business and security leaders navigating the ever-shifting risk landscape. Tune in—and don’t forget to subscribe for your weekly dose of cybersecurity perspective!

Transcript
      Rachael Lyon:
Hi, I'm Rachael Lyon, here with my co-host Jon Knepher. We're excited to welcome back, for our part two discussion, continuing our conversation with Ed Gaudet. He is the CEO and founder of Censinet, which developed the first and only collaborative cloud platform and exchange for enterprise and third-party risk management in healthcare.

      Rachael Lyon:
He has more than 25 years of software experience, including serving as CMO at Imprivata and holding senior executive roles across a number of innovative startups and public software companies. He also holds patents for mobile and quorum-based authentication, secure content sharing, and managing data objects in a distributed context. So without further ado, let's get to the point.


      [01:10] Understanding AI Output Risk

      Jonathan Knepher:
      You know, I'm really intrigued, like on the risk here, right? Like the, you know, I get the traditional like security risk assessment, but how do you analyze like the, the output risk, if you will.

      Jonathan Knepher:
      Right.

      Jonathan Knepher:
      Like you've got all the normal things to do. But I mean, this is, AI is almost like a creative, it's non-deterministic. Like, how do you figure out like is the outcome and the outputs of the system useful? Does it, does the value add exceed the risk value, and how does that fit into that, the risk framework you're talking about?

      Rachael Lyon:
      Well, and to piggyback there. And who's assessing this?

      Rachael Lyon:
      Right.

      Rachael Lyon:
      I mean, that's the other part. John. Yeah, I'm excited for this answer, Ed.

      Ed Gaudet:
      Yeah, it's a hard answer because mostly on one hand, it starts off with really understanding the use case.

      Ed Gaudet:
      Right.

      Ed Gaudet:
      And understanding the outputs in a way that enables you to validate, verify efficacy.

      Jonathan Knepher:
      Right.

      Ed Gaudet:
      No different than, I'll give you an example. If, if you're leveraging AI in a way to generate content, let's just say, okay, and your brand, the reputation, and the risk of brand reputation is important to you. Well, you better not send out that.

      Ed Gaudet:
      Content without reviewing it. Right? Right.

      Ed Gaudet:
      So there's a, you know, there's a guardrail that has to still. And this is why I think you see this adoption sort of spiking and then sort of slowly, you know, cresting, and now sort of coming into this realization that, wow, we can adopt quickly, but we better make sure that maybe we take a pilot approach to this. So we really understand the risks, not just the cyber risk, but the data risk. So, you know, understanding in that example, the content, great, you can generate all this content, but if you send out something that's offensive, whether you know, verb, you know, in the written word or images or whatever, you run the risk of reputational damage. You run the risk of. Right, so it's a very similar approach, like you can generate diagnoses, you can generate care, but if someone's not looking at that with an eye to efficacy, quality, right, that you run the risk of doing the wrong thing. So, you know, I think one of the, one of the, probably one of the largest use cases right now and most adopted use cases in healthcare is ambient listening. And so ambient listening, for those of you not aware of it, is in a typical session with a doctor, right? There's typically there's a conversation between the doctor and patient, and the doctor is interacting with technologies in some way.


      [04:23] Ambient Listening in Healthcare

      Ed Gaudet:
      Sometimes the doctor has their head in the screen, sometimes they're using an iPad, but they're capturing notes, they're capturing that interaction electronically, so they can go back and review those notes and maybe create a care plan or whatever.

      Ed Gaudet:
      Right.

      Ed Gaudet:
      Ambient listening removes that distraction. Now the doctor, the caregiver, the clinician can have a face-to-face conversation like we're having and not look at the keyboard and not look at the screen.

      Ed Gaudet:
      Right?

      Ed Gaudet:
      Because the ambient listening is pulling in the conversation details and then creating summary notes. Now the doctor is still responsible for those notes. They're his or her notes.

      Ed Gaudet:
      So they have to review them and they have to make sure they're accurate. So that step, that last mile of review and validation and verification, is so important. Now, will we come to a point where there's a governance agent governing the other agents? Right. Because this is all going agentic.

      Ed Gaudet:
      And what level of autonomy will we give these agents? Full autonomy or maybe, you know, partial autonomy? I think we're going to have humans involved with AI for, you know, the next five years or so until we work through the kinks. Some industries will probably adopt it sooner. Warehouse applications and things where, you know, the risk is low. And then some, like healthcare, will adopt.

      Ed Gaudet:
      It, you know, a lot slower in a lot more deliberate and practical.

      Ed Gaudet:
      Does that, does that help? John, I know it's a great question you asked. It's just such a. It does.

      Jonathan Knepher:
      But, but, but you're making me scared now, right?

      Ed Gaudet:
      Like, like you should be scared.

      Jonathan Knepher:
      This ambient listening thing, right? Like, like if there's an engagement going on, like.

      Jonathan Knepher:
      Yeah.

      Jonathan Knepher:
      How, how do you differentiate then, like sarcasm and just like facial expressions, like there's a lot of communication.

      Ed Gaudet:
      That's right. That's, that's why, you know, you go slow with the adoption. You recognize, like, for example, templates like what, you know, every doctor has a different approach to putting the data into the EHR, into the notes. I want it in my template. I want my language being used. I want my, you know, my inflection, you know, I want to understand the sarcasm from the actual diagnosis. Right, yeah. Those are all tunings that have to happen throughout that process as you get it.

      Ed Gaudet:
      Right?

      Rachael Lyon:
      Sarcasm, John, who has sarcasm and doctor conversations?

      Ed Gaudet:
      Come on, sarcasm is human. You're not going to see sarcastic robots anytime soon. Thank you.

      Jonathan Knepher:
      I mean, who knows what they're asking?

      Ed Gaudet:
      It's Soylent Green, John. It's people.


      [07:10] Integrating AI into Risk Frameworks

      Jonathan Knepher:
      Exactly. So how do we tie all this together? Right? Like, like we have all of these different security things. We've talked about AI and everything else. This all needs to end up in your overall enterprise risk framework and process. How do we pull it together? What are the risks, and what happens if we fail to do that?

      Ed Gaudet:
Yeah, the biggest. And again, this is pan-industry, right? But healthcare in particular, because that's what Censinet and I focus on. You know, it has to be transformative. We can't approach the risk process landscape with the same assumptions that we did a decade ago.

      Ed Gaudet:
So a decade ago or longer, systems changed three, four times a year, max. So this point-in-time risk process was necessary and sufficient. Today, a SOC 2, by the time it's published, it's not a date, right? Because it's a process of 140 controls, and you've got to have evidence. And as you're doing that, again, your system is changing. And so by the time it gets published, what you looked at and the controls you looked at may have been affected based on the change; the scope of risk changes. We've had the luxury of looking at risk. A decade ago, in that point-in-time frame, we could do a HITRUST audit, we could do a NIST CSF audit.

      Ed Gaudet:
      One time we could do. And we could, every couple years, we could reassess somebody, right? Because the state of change and the rate of change was manageable. Now that all bets are off, right? So you still need those certificates, you still need those processes and audits, right? But that becomes evidence into your overall program and posture. Necessary but not sufficient. And so we try to stress to individuals that are on this journey, on this path is a. You really have to look at this through a transformative lens. You have to take not just the technology. And if you just are looking for a tool to solve all your ills, you're never going to get there, especially in risk management.

      Ed Gaudet:
      Risk is hard, it's difficult, it's complex. Right. It's people. But so then you have to think about it holistically across that trinity of tech, people, process technology.

      Ed Gaudet:
You have to harmonize those three things as you're adopting new technology and new approaches. If you're just taking our tool, for example, and I tell my customers all the time, if you're taking my tool to solve a problem and you have certain outcomes that you're assuming and you're not looking at your people and you're not looking at your processes, you're not going to get the outcomes you desire, because this is transformative. We're changing the way you think about risk. In the past, one and done. Now we're looking at it across the life cycle, from cradle to grave and every point in between. I adopt a product out of the box, I know what the risk profile is, but then I bring it in, and I configure it, and I integrate it, and that changes the scope and the profile. And then maybe two years down the road, I didn't have PHI (Protected Health Information) or PCI involved in that application. And then the usage changed, and now it's in there.

      Ed Gaudet:
My risk profile needs to be updated. I need a business associate agreement now with that vendor, because they've added PHI, Protected Health Information, in there, which is a specific class regulated under HIPAA.

      Ed Gaudet:
      So there's so many opportunities for this to change, which means the way we approach risk has to change as well.


      [10:58] Risk Scorecards and Their Limitations

      Rachael Lyon:
      Asking maybe a tangential question here, because it makes me, and I know this is a topic that comes up from time to time in terms of, let's say, a cybersecurity or risk scorecard.

      Rachael Lyon:
So when you. It would be a rating, right, that you would have, kind of like food. You know, I always thought, I lived in New York, sidebar, for like 15 years, and when Chick-fil-A came, they had a C rating on the restaurant, which is not good, but nobody cared. That line for chicken was around the block. But you know what I mean? It's an interesting way to kind of gauge. I'm willing to roll the dice for Chick-fil-A, maybe not so much for this other vendor. But, you know, is that where we're going, where we need to go, or, you know, what's even the viability of some kind of system like that? I'd just be interested in your perspective.

      Ed Gaudet:
      Sure, yeah. So there are, there are approaches, there are technologies or vendors out there that provide, let's call it a, let's call it a credit score for risk.

      Ed Gaudet:
      So I get this credit score, you know, 800. What does it tell me, really?

      Ed Gaudet:
      It tells me at the point of time I scored an 800.

      Ed Gaudet:
      But just like credit scores, they change all the time.

      Ed Gaudet:
      So this notion of life cycle continuous monitoring is really important. Also, they're looking at those types of security scanning score, scorecard applications.

      Ed Gaudet:
      They're looking at the organizational risk profile from the outside in. What can I see on the dark web? What can I see from the systems that they're representing to the outside world?

      Ed Gaudet:
      And then I create some type of risk profile and score, and that gives me one dimension of risk. But I'm not, I'm not taking the organization and putting it into my health system and using it. I'm taking their product or products. So I really need to understand the product risk. And so that's a different type of risk that requires a different approach to risk management. You need both.

      Ed Gaudet:
      Necessary. But what's sufficient to get a real understanding of that risk over time?

      Rachael Lyon:
      Yeah, it would be a tricky one. I mean, given, right. The landscape and scope of risk. It's different for everyone, and your appetite for risk is different. And it would be difficult to have like a universal system. But I just think it's an interesting thing.

      Ed Gaudet:
      It's very complex, and people have looked for the equivalent of a UL rating.

      Ed Gaudet:
      Which, okay, great. I would love to have a UL rating, but it's a plug with well-understood standards that don't change. Could you imagine having a UL rating, and all of a sudden, you got AI coming in, all bets are off on your UL rating.

      Rachael Lyon:
      It sounds preposterous. Yes.

      Ed Gaudet:
      I think, I don't think it's possible, quite frankly. And I've been spending a lot of time thinking about it. I think there's certain things that you can certify as indicators, but I don't think you're going to get a real, true risk profile because things change so dramatically. I mean, every two weeks we have this flywheel where we work with our customers. They help us identify opportunities to consolidate on the platform. And every two weeks, we push out features. They might be fixes to existing features, but mostly they're new things that we hadn't thought about initially, but now we have this customer interaction, and they're feeding us. And so this.

      Ed Gaudet:
      Every two weeks, they're getting new things.

      Ed Gaudet:
Can you imagine trying to manage risk for that? Like, it's hard, right? And so if I do a SOC 2, and we're in the middle of doing a SOC 2, so, I mean, we have to do it because, okay, we'll do it. It's a good thing to do. It's good hygiene. But like I said, by the time that thing is published, we've already gone through probably another 10, 15 releases on the product. So I think those things are good to do. It also shows the discipline in the organization and the organization's ability to do those things, which, again, is a good indicator of what their security profile looks like. But don't be fooled by simple numbers. And I remember when I first started this journey, one of the customers I was working with says, oh, we just ran your.

      Ed Gaudet:
      Your risk. We did a security scan on. On your company. And you came back and. And you got an A.

      Ed Gaudet:
      You're great.

      Ed Gaudet:
      You check. I'm like, what? And I'm like, what? Can I see that? And I read it, and I went through the document. I'm looking. And now we. Of course. Cause we're a risk company. We pro. We knew.

      Ed Gaudet:
      I knew what my risk was, and it wasn't good. Cause I was a new company, and we were just building on our risk program and our security program, and we represented that to customers. I didn't want to give them a false. Hey, look, we're. We're an F here, but we're, but we're going to fix it.

      Ed Gaudet:
      So. But we're going to give you that transparency always. So you know what you're getting. Because if I lie to you, it's never going. It's not going to help anybody in the long run. And I found early in my career, if you're honest with customers and you tell them, some of them will say, you know what? We'll come back to us. But most of them will say, wow, thank you. We'll work with you.

      Ed Gaudet:
      You know, we'll make sure we hold. We'll hold you accountable to what you're telling us, but we'll work with you. And, And I just laugh at that rating because it's like, we're not an A. Like, I know I'm not an A. And that's what I started thinking about this whole, this whole question about certificates and audits and how realistically are these, you know, how effective are these longer term?


      [16:41] Cybersecurity as a Board-Level Priority

      Jonathan Knepher:
So how does this stuff fit in with, you know, your generally accepted principles for cybersecurity? Is there a connection here on trying to fill in the expectations of cybersecurity?

      Ed Gaudet:
Yeah, that's a great question. So I write articles for the Forbes Tech Council, and I'm always thinking about things that could make life better for security analysts and risk analysts and things. And first and foremost, I think risk and security should be a board-level topic and a board-level responsibility, actually. Just like you have a finance committee and you have an audit committee, and you have a comp committee, you should have a cyber committee, and you should hire board members that have cyber experience.

      Rachael Lyon:
      Yes.

      Ed Gaudet:
And you shouldn't delegate that down, quite frankly, to the teams to come and present, because A, there's always an impedance mismatch between the CISO's world and the world of the board.

      Ed Gaudet:
And sometimes you get, you know, really great CISOs that figure it out and understand how to communicate, but most often there tends to be that friction and that struggle between, what are you telling me? What's MFA? What am I doing? So I think if we made it more mandatory, then we would make strides in understanding at the board level, which would help with investments, would help with looking at gaps, would help with benchmarking where we are with our program relative to peers. So we could say, hey, we're spending too little in this area. All of our peers are spending, you know, 4%; we're spending 1%.

      Ed Gaudet:
      So let's have a conversation now about resources and the business risk through the lens of the business. That's why this whole point about business process and critical function mapping is so important, because boards understand those things well.

      Ed Gaudet:
So, as it relates to GAAP-C, I had a conversation with a CISO from an insurance organization, a payer, God, three, four years ago, and we were having sushi together, and we were talking about this idea of having a framework. If I want to look at an organization that's public today, I can go to EDGAR, I can go to their investor portal, and I can pull down their 10-Qs, 10-Ks, I can pull down their 8-Ks, I can pull down all of these different forms and filings to make a decision about the organization's financial posture or risk.

      Ed Gaudet:
When I do an S-1 for a public offering, there's a huge risk section.

      Ed Gaudet:
And usually, cybersecurity is in there as a line item, gets spared. But there are all these other risks, right, that help me really understand whether or not this is a good investment long term.

      Ed Gaudet:
Wouldn't it be nice if we had a standard way to communicate risk and a standard way to drive the accounting, if you will, of risk and cybersecurity across all industries? That's what GAAP-C is about.

      Rachael Lyon:
      It's interesting.

      Jonathan Knepher:
I like where you're going with this. And how do you then pull in the outputs of, like, a SOC audit and everything else to get it to the level that needs to be disclosed, right? Because right now, to your point, you look at the filings and you don't get that data; companies don't necessarily want to give out their SOC 2 reports, other than, hey, look, we passed, right? Like, what do you envision that output being? Like, what level of detail?

      Ed Gaudet:
      Yeah, it's a great point. I mean, I think that that's the journey, right? We'd have to go, we'd have to get together, we'd have to run it through a process to get to a level of understanding and reliability, and predictability.

      Ed Gaudet:
And repeatability across the industry, and that, you know, that takes time. So it doesn't really matter what I think; it matters what's possible. But the areas that I identified in the article, you know, they're all the standard areas that we talk about: identity and access management, threat detection, incident response, and recovery. And I think there's a way to again represent some level of detail that gives you an idea of where that organization is and understanding the processes, procedures, protocols, people, right, that are involved in the back office, if you will, doing the jobs, right? So you could have a credit-like score for all those different categories, and that would be an indicator of, wow, everything is 600 where it should be 750 or 800. Now we understand the detail behind that. It's just not an arbitrary number. So all of that has to be published.

      Ed Gaudet:
The algorithms, the approach to getting the score, what the score means, right? All of that has to be transparent. And with that transparency, then we have understanding, and then we get repeatability, and then you get GAAP and you get non-GAAP, right? So even in finance and treatments of finance and auditing, and how you reconcile revenue and how you treat expenses, right, you have a GAAP number, and then you have a non-GAAP number. You could have a non-GAAP-C view of the world, too, right? But I think, you know, GAAP-C took time to get to, I'm sorry, GAAP took time to get to where it is today. It wasn't just out of the box. We learned a lot, we made some changes.

      Ed Gaudet:
      It was a journey, but it was backed by a process and a set of procedures and a third-party approach, if you will, that managed the overall framework and the requirements to support it. Which is why you get non-GAAP, because people like, well, we want to treat it differently. Okay, great, you can treat it differently, but you have to, you have to report it as non-GAAP accounting.

      Ed Gaudet:
And I think that's a good way to think about it, because then you get the best of both worlds. But there's a lot of upfront work, and I'm sure, you know, you get two CISOs in a room, you're going to have agreements, you're going to have disagreements, you're going to have arguments about things that are important, not important, et cetera. Which is, you know, why I love this space so much. It's so rapidly evolving, changing. There's so much opportunity to make a difference today. And wouldn't it be great in five years if we had a GAAP-C that we could report on and every public company reported on it?

      Jonathan Knepher:
      I love it.

      Ed Gaudet:
Amazing. And then you did your regular updates on it too, just like you do with your quarterly reports. You have your financial section, you have your GAAP-C section. I could look at the cybersecurity reports. So anyway, that's the vision.


[23:53] Leadership's Role in Cybersecurity

      Rachael Lyon:
I love it. Kind of thinking about all these changes too. When you talk about evolving, kind of coming back to leadership, it's always an interesting conversation. It's not if, it's when, and accountable leadership. And now we're seeing boards of directors having fiduciary responsibility if something happens. I mean, as you look ahead at leadership roles evolving and certain skill sets being required, how do we need to be thinking about these leaders, and particularly those who can drive in this world of so many unknowns, but where security is just so critical and there are so many cracks in the system? It'd be very difficult to navigate, I think, as a business leader or a board of directors. What are your thoughts on that ahead, in terms of that evolving?

      Ed Gaudet:
      Yeah.

      Jonathan Knepher:
      Wow.

      Ed Gaudet:
      Was that one question or like five?

      Rachael Lyon:
      I think it was like five.

      Ed Gaudet:
      Yeah. You know, someone recently, on this topic of transformation, someone, someone recently said transformation requires leadership.

      Rachael Lyon:
      Yes.

      Ed Gaudet:
      And so, and leadership is hard. Right. There's books, and you know, consultants, and you got McKinsey and all these different consultants that, that are always thinking about leadership and always writing about leadership. And, and so, you know, the first step is to acknowledge the problem, right? So you can't recover unless you acknowledge as an issue, right? And so the first thing is, and you know, it's like anything, you know, there's so many things that boards and directors have to manage today. The last thing they want to do is take on more, right? So there's this natural friction between doing the right thing long term for the business and industry, and then doing what we can do based on those things that are in front of us. So it does take this forward-looking approach in leadership to really drive change. And you know, I just think things would be more transparent. We might actually start to level off the trend line of breaches and ransomware events, and other events over time, if we collectively collaborated in a way that we could truly be stronger together.

      Ed Gaudet:
      But that takes leadership, right? And so no individual is going to say, oh, pick me up, right? So the government has a role there. The government, through regulation, can drive that change, which is good. We're in a, you know, we're in, we've just changed administrations, right? And this administration is anti-regulation. So there was a change underfoot to modernize the HIPAA rule to include a lot of these things that we've been working on collectively through the private and public partnerships of HHS and CISA, and others. And I've been part of that with other leaders at different health systems, and we were getting close to making a pretty significant change. And then the administration changed, and you know, we're sort of delayed, right? So we're on hold. Which, again, just to change even a regulation like HIPAA is like moving a mountain. It really is, and it exists, right? So, so imagine trying to take that same level of accountability and drive change at the board level or at the.

      Jonathan Knepher:
      Senior leadership or executive level.

      Ed Gaudet:
      Really hard to do. And no one. You know, I used to say this early on when I first got into cybersecurity. One of the learnings is nobody wants to be the most secure. It's unfortunate, but nobody really, they're going to do enough to check the box and to do what they need to do to get back. Because it's human nature, right? It's like there's some of us that are dreamers and some of us, but, but then there's everybody else, right? Everyone else is gonna go like, I got so many other things I gotta do. Let me just get through this. And, and, and so that, that notion of checking the box is so critical because you could have a great idea, but the market says, yeah, that's a great idea, but I don't need that to solve this problem.

      Ed Gaudet:
      I just need to check the box.

      Ed Gaudet:
      So I mean, would be, wouldn't be a great idea if we put security controls around data.

      Ed Gaudet:
      That would be great.

      Ed Gaudet:
I did that, you know, back in 2002, 2004, and then SOX, the Sarbanes-Oxley, and the California CASB law came out around data protection back in, I think it was 2022 or 2023, July of that year. And I thought, oh wow, this could be a great driver for my business. And then it's like, yeah, the checkbox is full disk encryption. That's how we're going to solve it. Doesn't really solve it, but it checks the box.

      Rachael Lyon:
      Right, exactly.

      Jonathan Knepher:
      Yeah.

      Ed Gaudet:
      So these things aren't always aligned.

      Jonathan Knepher:
      Right.

      Ed Gaudet:
      So I don't know. I think that the problem is big enough, though, and I think that people are trying to solve the problem to their advantage through their lens.

      Jonathan Knepher:
      Right.

      Ed Gaudet:
      The UL label is one good example of that.

      Ed Gaudet:
      There's a whole people believe that they can just, you know, create a certificate or a UL rating or something that's going to solve. Sorry folks, it's not going to work. Risk is too porous. It's just not, it's not as binary. It's going to change. So that'll be a checkbox, and you won't solve the problem.

      Ed Gaudet:
And so if you look at the data, the data is still up and to the right with breaches and attacks and everything else. And now with AI, and I've been saying this, I'll say it again, it's been eerily quiet on the Western Front, if you will, of data breaches and attacks. Now we're seeing some interesting things. We just saw the npm, the packaging vulnerability that just hit. And so, you know, we're going to see things like that at the supply chain level. But this is what I posit: I think the bad folks have been organizing over the last five years or so; that's been the big change there. Hackers were independent, some were kids, some were, you know, a little more nefarious. The last five years they've organized; they've become organized criminals, they've become mafioso, if you will, electronically.


      [30:38] Anticipating Future Cyber Threats

      Ed Gaudet:
      That changed the paradigm, that changed the attack surface, that changed the way that they, they hit folks, they changed, they, they became microservices if you will.

      Ed Gaudet:
I'll create the worm, I'll go collect the money, the bitcoin. I'll do this, I'll do that, versus one person doing all things. So now you get scale. Okay. The other thing that's changed is AI. So to the point, quiet, what's going on? There's going to be something big, I think, because it's been too quiet, and the level of change, technologically, is such that you would expect more attacks right now; you're not seeing it. So that says there might be some organized organization going on here, and, you know, they're getting ready, and at some point it's going to be bigger than we've ever seen.

      Ed Gaudet:
      So we'll see. Hopefully I'm wrong. I hope, I hope I'm wrong.

      Jonathan Knepher:
      Do you have a theory on what that risk is like? Like, I'm concerned about embedded things in some of these AI models being trained where we can't see it. And, I don't know, what are the things that are keeping you up at night?

      Ed Gaudet:
      I think the risks that hit, so, like, Change Healthcare hit 80% of the health industry, and the big one. And it was interesting because there's this software bill of materials concept, where I've got software and I have a bunch of supporting elements, libraries, and such that come from third parties. And that's risky. And we've seen events happen at that level. Log4j is an example of that.

      Ed Gaudet:
      And that affects many, you know, that's a one-to-many effect. That's a nice blast surface for the bad guys. Then you've got the vendor bill of materials, which is a concept that another guy and I created at dinner, where it's like a software bill of materials, but it's about the vendor and the vendor's concentration of products and technologies. And so the example of Change is, oh wow, we just saw that Change got hit, and we don't use that product, so we're good. And then two days later, oh damn, we do use that product. They acquired it, we didn't know that it's part of Change. We're in trouble. And then, like a day later, and this is the big aha.

      Ed Gaudet:
      We only have so much money on the balance sheet. We only have so much working capital; we only have so much money to keep operations going for a couple of weeks, not months.

      Ed Gaudet:
      So you know, you talk about that safety, you know, money that you have as an individual; you want a couple months of money in case something bad happens. Like, many of these health systems had weeks of capital to operate, and that becomes a big wake-up call. So that blast hit a lot of people quickly. Now we reconciled, it recovered fast, which is good. But, you know, I don't know, I mean, I think about the infrastructure, I think of all of the different infrastructures, there's, like, I think 16 of them. Like, you know, you've got the water supply, you have the energy infrastructure. Those are the things I worry about. And if it hits it in a way that, I mean, healthcare is bad.

      Ed Gaudet:
      If a hospital gets hit, that's bad. If it can recover quickly, great. But if it can't recover quickly, or worse, you're in the ambulance on the way to the hospital, and they shut down. And now you're diverted, but you're diverted, you're having a heart attack, and your diversion is, like, 70 miles, 80 miles out. You're not, it's not good.

      Ed Gaudet:
      And those things have happened. That's part of the survey that we ran. We saw that diversion was affected, care was affected, labs were affected.

      Ed Gaudet:
      So, but it's that one hospital. If, from a ransomware perspective, it's a multi-hospital attack and shuts down multiple hospitals, that's bad.

      Ed Gaudet:
      So those are the things I worry about. And I know that they've got to be organizing, right? They've got to be doing something. And it's just, I mean, have you noticed how quiet, I mean, things are happening. But it's been pretty quiet, hasn't it? Given the technology that's out there and available now.

      Jonathan Knepher:
      Eerily quiet.

      Jonathan Knepher:
      Yeah.

      Ed Gaudet:
      Yeah. So not to scare anybody.

      Jonathan Knepher:
      So, you know, we're already scared.

      Ed Gaudet:
      I think that, I think the costume this year for Halloween will be the AI robot. I think that'll be the, the scary thing. Oh, no, it's AI. Give it the candy and get out of here. Sorry.

      Rachael Lyon:
      No, no, it's so true.

      Ed Gaudet:
      Yeah, it won't be the politician mask. It'll be this ro... Oh, no, it's a robot. No, get out of here, AI.

      Jonathan Knepher:
      Yeah.

      Ed Gaudet:
      Oh, here's the Reese's peanut butter cup. Yeah, I know, it's always my favorite. It's like those are the houses you want to go to or the houses that gave you the full big bar, like the big Snickers bar. Not the little mini. Oh, those are the greatest ones.

      Rachael Lyon:
      Yeah, the houses with fruit. No thanks.

      Ed Gaudet:
      Oh, my gosh.

      Jonathan Knepher:
      Fruit. Yeah.

      Ed Gaudet:
      Or the toothbrush. They would be, try to be, sarcastic.

      Rachael Lyon:
      Exactly, Exactly.

      Ed Gaudet:
      Get rid of this toothbrush.

      Rachael Lyon:
      Ed, thank you so much for joining us today. I love this conversation. This has been a lot of fun, but also incredibly insightful because, I mean, these are really, really critical themes that need to be discussed and explored, particularly around healthcare, I think, as we talked about earlier. And I'm just so glad that we're able to have folks like you on the podcast too, to be able to drive these conversations and get people thinking and also aware of what's out there and available, and charting a path forward. So thank you. Appreciate it.

      Ed Gaudet:
      You're welcome. Thanks for having me.

      Jonathan Knepher:
      Yeah, thanks, Ed.

      Rachael Lyon:
      And Jon, you know what I'm going to say next to all of our listeners out there: be sure you smash that subscribe button.

      Ed Gaudet:
      Subscribe, subscribe, smash it.

      Rachael Lyon:
      And you get a fresh episode every single Tuesday. So until next time, everybody, stay secure.


      About Our Guest


      Ed has more than 25 years of software experience across various product, marketing, and sales leadership roles. From 2010 – 2013, Ed was CMO at Imprivata, where he drove the product, market strategy, and brand transformation into healthcare; from 2013 – 2017, he served as business unit GM and created Imprivata Cortext, a best-in-KLAS, cloud-based clinical communications platform. Prior to Imprivata, Ed was the Senior Vice President of Corporate Development, Sales and Marketing for Liquid Machines (acquired by CheckPoint Software). An executive founder, Ed created and led Liquid Machines’ widely acclaimed go-to-market and product strategy. Ed has held senior executive-level roles in various start-up and public software companies including IONA Technologies, Rational Software, and SQA, Inc. Ed holds patents for mobile and quorum-based authentication, secure content sharing, and managing data objects in a distributed context (20130145420; 20130291056; 20140123237; 7587749) and is an industry speaker on the topics of leadership, healthcare, and regulatory compliance.

      In addition to serving as the Founder and CEO of Censinet, Ed is a proud member of the Forbes Technology Council. You can read his articles here: Ed Gaudet Forbes Technology Council.