AI Arms Race: Defense vs. Offense in Cybersecurity

Transcript 

[Greg]  

Welcome to Digital Transformers, the podcast where we uncover innovations and ideas shaping the future of health care.   

I’m your host, Greg, and today we’re tackling a critical topic in health care, cybersecurity, and the age of AI. As cyber security grows, cyber threats grow more sophisticated. So do the technologies used to defend against them.  

Investment in AI-driven security tools is no longer optional. It’s essential to protect sensitive patient data and intellectual property. The goddess does this important conversation.   

I’m thrilled to welcome George Pappas, the CEO of Intraprise Health. George is a high-tech executive with decades of experience leading venture-backed organizations across industries like health care, financial services, and national security. Under his leadership, Intraprise Health is pioneering compliance and cybersecurity solutions for health care backed by cutting-edge automation.  

George, welcome to the show.  

[George]  

Thanks, Greg. It’s a pleasure to be here.  

 [Greg]  

Now, George, I understand. Are you going to be at VIVE 25 this year, is that right?  

[George]  

Yes. Yes.  

[Greg]  

Also, are you going to be speaking or what’s your relationship at VIVE? Because I’m sure a lot of people want to hear what you have to say.  

[George]  

Well, we are part of Health Catalysts, Health Catalyst Inc. And so, I’m going to be there with the Health Catalyst team meeting a lot of our clients and discussing kind of their concerns and how they’re trying to address, you know, challenges as well as a lot of industry partners that we work with. So, you know, I mean, a lot of the speaking gigs are nice, but, you know, I tend to spend time with our clients, our industry partners to try and figure out how we can move the needle more effectively.  

 [Greg]  

That’s awesome to hear, and I mean, it’s such a great venue to do that, and you’re going to meet a lot of important people. So good luck and I hope it goes well. So, speaking around that, George, your career spans industries from national security, as we said, to health care.  

Can you start by sharing what inspired you to focus on cybersecurity and compliance, particularly in health care?  

[George]  

Yeah, sure, Greg, you know, my first healthcare technology role was back in 2015. I was the COO of Dr. First, which is the nation’s largest independent medication management provider. And so, medication management encompasses electronic prescribing, medication history, real-time price transparency, electronic prior authorization, all those things that interact around, you know, a prescribing event.  

And so, you know, by the time I left, we had 1,400 hospitals and 25,000 medical practices. So, you know, as COO, I was deeply involved in kind of the guts and the plumbing, the technological plumbing, the business model implications of making all that work. And the last year I was there, seven of my clients were hacked.  

And I realized, given this, we sort of call it the perfect storm that’s been brewing because health care has been consuming and deploying technology now for, you know, 20 years, over 20 years, but accelerated with the ARRA being passed in 2009 and meaningful use, which the federal government spent about $30 billion motivating the purchase of technology. And all these platforms grew up, cardiology, nephrology, you know, radiology around EHRs and EMRs. And so, you look at even a community hospital today, not even a regional or national one, they might have 300 software packages running because every fast, because health care is extremely complex.  

So, you’re trying to find ways to automate it. You also think about the back office of health care. How do you handle insurance claims and billing?  

That’s where revenue cycle management comes into play. So, look at all these packages. Look at all these different computing systems.  

Look at the thousands of people accessing them every day. And, you know, that’s what you call a very large attack surface in cybersecurity nomenclature, right? Yeah.  

[Greg]  

No, go ahead, George. I’m sorry.   

[George]  

Yeah. And so that leaves a lot of vulnerability. And as we saw this evolving, why do we call it a perfect storm?   

Well, you know, cybercriminals and a lot of the cybersecurity insurers call them cyber actors. I use a different word for the A, but I won’t use it here. You know, they realize that protected health information is very valuable on the black market, on the dark web.  

And that it was very easy to get. And so, they ratcheted up their attacks. That’s really what prompted me when I had the opportunity to join Intraprise Health to join and make a difference.  

[Greg]  

I think, you know, so many things you said are so, you know, indicative of what’s going on now, because when you talk about 20 years ago, that was really like the birth of healthcare as an industry that wasn’t really birthed around, you know, this kind of technology. So, when, as you said, the government started throwing money at everybody, get an ERMR and, you know, get it to meaningful use this or that, it will give you even more money. People got excited about that, but they didn’t realize the information they were collecting and what it meant, you know, like you said to those bad actors.  

So, you know.  

[George]  

And how it all worked together, by the way, right?   

[Greg]  

So, yeah, exactly. So, I have to ask you, AI, you know, its transforming cybersecurity, but it’s also being leveraged, as we’re saying, by bad actors to launch these more sophisticated attacks. What does this arms race between defense and offense look like in today’s healthcare environment, George?   

[George]  

Yeah, it’s going to be an arms race that’s going to accelerate what we do today without some AI methods and understanding what we should pay attention to. What should we not be distracted by? And a lot of people call that signal the real thing versus the noise.  

And when you think about the complexity of the healthcare network and the complexity of healthcare in general, there’s a lot of noise clouding a lot of signals. And so I’ll just give you a sort of one example, you know, on the kind of the bad news side, one of the ways that cyber attackers penetrate health systems is through phishing, where they send an email that looks like it’s from the CEO of the healthcare system saying, you know, drop $100,000 in my personal bank account. And it’s a Swiss bank, by the way, go send it there, right?  

Now I’m teasing a little bit, but the point is, these fake emails have gotten very sophisticated. Now AI can be even better tuned. So if you can see the profile, the person’s being sent to, and the AI can be smart enough to say, hey, from our meeting last week, by the way, I’d like you to take, give me access to this thing to follow up on the task we talked about.  

All of a sudden that fake email has a little more context. It’s harder to detect. So that’s one area where it can be a negative.  

On the positive, I’ll use the same example. You know, the internet and email, it’s this vast postal service where, you know, a message gets sent. There’s a national post office, you know, a state post office, a regional post office, a community post office, but a lot of fake emails, you’ll see it.  

And it looks like it’s being sent from the doctor who works in your healthcare system, but you see, wait a minute, the regional post office is in Beijing. And the national post office, you know, came through Chengdu. So, because all that’s hidden in the IP addressing data, all the metadata, we call it, these AI systems are getting better at filtering all that, understanding all that, and identifying fake emails more precisely.  

 So that’s kind of an example of, you know, measures and countermeasures that we see happening across the board. You know, another one I would give you, because it’s also very relevant to this is how do these criminals penetrate networks? You know, there’s been a lot of investment deploying a lot of tools done by some good companies that have great products that do endpoint detection and vulnerability management, where, you know, you have hundreds of thousands of internet accesses trying to penetrate your online systems every day.  

Well, how do you filter out all the noise from the things that are things you have to pay attention to? And these products have evolved fairly well, but using machine learning, they can only get so good. So now AI is going to let you get much more tailored because it is a very powerful technology when applied to specific problems to better identify, oh, this is a fake one, shut it down automatically, right?  

For example. Other things like that, you know, this problem of phishing, if I’m a payables clerk in a hospital system and I click on a phishing email and all of a sudden, they down wear malware, they can get inside the network. And if it was a hospital that was acquired by another hospital, my Microsoft Active Directory hasn’t been really fully security managed.  

They can get access to those credentials. All of a sudden, you know, they kind of laterally move and look for vulnerabilities and lock down the network. When they attack you, AI systems can detect those patterns better.  

So, I do see this kind of future of measures and countermeasures measures that will continue to escalate over time.  

[Greg]  

I mean, it’s amazing because like you said, it’s just about that foot the door if they can get in. And it’s about really protecting or stopping that toe getting in the door and making sure that those doors are slammed shut. So, George, with AI evolving so rapidly, what types of AI-driven security tools do you see as must-haves for protecting patient data and IP?   

[George]  

Yeah, well, I would say, first, you know, as endpoint detection systems and, you know, phishing and junk mail. Junk mail is not a, it’s not as appropriate a term these days because it’s much more about intelligent mail filtering. Get more advanced.  

That will be very, very important. You know, some of the things that we do around Gen AI for third-party risk assessment, so you can take those 300 applications and better understand what the risk profile of all these vendors is. And you can constantly assess what they’re doing.   

That’s going to be important. Another one is helping a security team correlate and look at the big picture of what all this noise means for their risk profile. Because if you’re a chief information security officer or a CIO, between endpoint detection, vulnerability management, identity management, phishing testing, you know, third-party penetration, you have so many different data sources that have correlations in them that help you understand what’s happening.  

AI can accelerate that understanding process. And that’s going to be very important down the road.  

[Greg]  

You made a huge point with those 300 platforms and being able to assess the security level of those platforms. A big thing that, you know, no one’s thinking about that stuff. So that’s huge.  

Wow. George, you’ve emphasized the need for investment in AI-driven security tools. How can healthcare organizations balance the cost of implementing these solutions with the risk of not having them?   

[George]  

Yeah, my fundamental answer would be it depends on your leadership team, your company’s economic situation. That would dictate how you sort of start. What I would say is, you know, if you need to start small, there are a lot of ways with narrowly focused problems, you can deploy some of these AI systems and understand what they’re doing and make some progress.   

If you need to, if you want to take a broader brush approach or apply it to more areas of your organization, you know, domain specificity is important here in AI. I’ll take a second here to explain what I mean. There’s a lot of, you know, attention in the press to this AGI, you know, general AI that’s going to be smarter than human beings.  

And I think, you know, at some point, you know, we’re likely to get there. Today’s AI is sort of like a very, very intelligent sort of bowl of Jello. We have to ask the right question within a narrow domain to get a more useful answer that we can rely upon more frequently.  

And so as long as you’re applying it to a specific problem and you’re working with a partner like ours or others who invest in the R&D to make sure it is going to work, you can reduce your manual effort by 60, 70, 80% and have a professionally usable result. And, you know, I personally think that AI is going to be the largest wave of innovation I’ve seen in my career. And I started in the mainframe era, Greg.  

Okay. So, I’ve seen a lot of ways. The work that we see in the press now and all these models is really the foundation, how those models will be used in applications in ages to solve problems is really where the action is going to be.  

And so for cybersecurity, whether it’s endpoint detection, you know, whether it’s fraudulent activity detection, whether it’s user authentication, whether it’s resilience, you know, monitoring, there’s going to be a lot of ways to do that with less human effort and fewer errors over time that will be really powerful offerings.  

 [Greg]  

You know, when you said that when you give the example of the Jell-O, I love it because it reminded me of, you know, when you have a child, you know, and there may be five or six or seven or eight years old and they come home from school and you ask them, how was school today? You know, they’re going to give you a generic answer, right? But you learn over time as a parent that you have to be very specific about what you ask.  

And yeah, such a great example there. I love that. Really helps, you know, a layperson understands what’s going on.  

So, George, what advice would you give to healthcare executives who are hesitant to adopt these AI-based tools due to budget or operational challenges?  

[George]  

The first piece of advice I would offer is that they are going to provide a much higher reward for the risk of using them than anything you have today. So it’s sort of important that you start to get some experience on what that looks like for your organization. And, you know, one of the things that we do with our clients, we actually work with the CISO or the CIO and in their annual or regular meetings with their board of directors or their board’s audit committee to help them understand what is the current cybersecurity posture, what is the evolving threat landscape, what are some of their errors that could use some more specific fixing or remediation is a fancy word we use about fixing things. And so, start some tailored approach to making that progress and getting some experience as a team.   

[Greg]  

Yeah, I mean, it sounds like you guys got to talk CEO, talk about that bottom dollar, and get them, you know, interested in how you can improve that. So that’s super, super important. George, Intraprise Health, it provides, you know, you guys provide a holistic view of compliance and security posture.   

Could you share a real-world example of how your approach helped a healthcare organization mitigate risks or recover from a cyber threat?  

[George]  

Yeah, one of our great clients, is in a regional health system. I don’t want to use his name.  

[Greg]  

Of course.  

[George]  

Our clients are less reluctant to talk about their cybersecurity remediations because it draws unwanted attention. But they’re in a large regional system, about 700-bed hospital system in a pretty affluent area. And before he started working with us, he had about 400 third-party packages.  

Today, he’s got them all risk assessed automatically. And as they’re moving into transitioning into a new environment, they had to do a whole new range of security risk assessments. They were able to do that with like one person in a matter of months because the automation was doing the leg, you know, the work really that the automation manages the process, which used to be manual so that their cybersecurity analysts can look at the results and manage the risks.  

[Greg]  

I mean, that’s huge. It sounds like a lot of these hospitals, even in a place that’s affluent like that, they’re just kind of operating with a lot of fog and they don’t even know it. So, wow, that’s awesome.  

[George]  

It’s, you know, it’s about Greg, it’s about realizing that they have to invest in this area because another thing that’s happened, this gets back to this compliance versus risk idea. You know, a lot of hospital systems think, well, really from a regulatory perspective, HIPAA is what we have to rely on. But HIPAA is not adequate, which is why cyber insurance carriers today will look at a NIST, it’s called a National Institute of Standards and Technology Assessment.  

And so, you know, a lot of CFOs are saying, you know, we’re going to kind of spend the least amount possible because we have so many other demands for our capital. But as cybersecurity tax is ramping up and regulatory standards are now going up big time in 2025 because HIPAA is now upgrading the regulations, the need to do this is going to be much more widespread and understood.  

[Greg]  

Now, it’s good to hear because, yeah, I mean, you know, people used to look at HIPAA as kind of like just a broad kind of, you know, we’re concerned kind of thing. But it’s nice to hear that it’s kind of getting a lot more granular there. But that’s huge.  

So George, as AI continues to advance, how do you see the balance between defense and offense shifting? Will the arms race ever slow down or is it destined to continue to escalate?  

[George]  

Yeah, I don’t think it’s going to slow down. I do think, as I mentioned, you’ll see more of these applications built on large language models, kind of offense and defense evolving. You know, one thing a lot of people don’t understand is that you know, on the dark web, these cybercriminals are sharing their tools and licensing their use to other criminals for a share of the theft.  

So I foresee that accelerating with AI, unfortunately. But you’ll see also the evolving use of applications using AI that help cyber defense and threat detection and threat mitigation to the point where they’ll be smart enough to kill a threat, you know, almost instantly when they see it. So I think we’re going to be in an arms race for a while because the attack surface that we talked about earlier is very broad, right?  

[Greg]  

Yeah.  

[George]  

And it’s very deep. And, you know, when I try to describe this to my friends who are not a health guy, I say, look, just imagine a world where 330 million patient records are surrounded by a moat that’s made of Swiss cheese with holes in it. And then imagine all these aggressive threat actors coming after, right?   

That’s more or less the circumstances we have today, Greg. So, you know, closing those holes and keep moving is the way it’s going to be for a while.  

[Greg]  

No, it makes sense. And unfortunately, the other side of the puzzle for us is that as long as you have economies where their dollar isn’t as strong as ours, there’s always going to be an incentive to go after those countries and find those, you know, veritable foot in the door. And as you said, this is a market where that information is just supremely valuable.  

So, George, in that case, what role do you see automation and predictive analytics playing in shaping the future of healthcare cybersecurity?  

[George]  

You know, I’ve covered some of those topics now. I guess one that I would add to the topic of the list is that it’s very frustrating to me to see these cyber criminals saying, you know, I’m Joe Blow from Romania. You know, I’ve got your system locked down.  

I’m going to present our information. Pay me a Bitcoin. I would like to see an AI system that identifies their location by real IP address, you know, targeted drone strike on their location.  

So, we’re not dealing with this anymore. You know, as long as we’re paying people and, you know, looking the other way, you know, it’s going to get worse, not better.  

[Greg]  

Yeah. Well, George, I just want to thank you so much because this has been such an enlightening conversation. Your insights into the intersection of AI cybersecurity and healthcare have been incredibly valuable to me, especially as a layperson.  

I mean, I never truly understood it. You know, when someone says cybersecurity, this seems like such a broad term, but it really makes sense when you talk about, you know, just they’re just looking for that foot in the door. And once they get in, it’s a whole nether game.  

And that’s what intra prizes out there to do is just make sure that even if they get in, it’s minimizing the entire engagement. So, it’s clear that Intraprise Health is making a significant impact in protecting patient data and reducing risk in this rapidly evolving landscape. George, was there anything else you’d like to say to end this little podcast we’ve had here?  

I mean, you’ve said so much, but I just want to make sure we didn’t leave anything on the table there.  

[George]  

No, I appreciate the time with you today, Greg. It’s a real pleasure to meet you. I would just say that try to look beyond the bright lights and think about practically what you can do in a stepwise fashion because you’re not going to solve it in one big shot.  

Just start the process, get better every day, and, you know, you will get better.  

[Greg]  

You know, that’s great advice, and I think you could almost apply that to anything in life, but absolutely within cybersecurity when it comes to patient information and protecting that. So, thanks again, George. And to our listeners, thank you so much for tuning in.   

Stay with us for more discussions about technologies and innovators transforming healthcare. I appreciate it. Thanks a lot, George.  

Have a great day. It was a pleasure.   

[George]  

Right. You’re welcome.