
How to Modernize Healthcare Data Security with AI

Post Summary

As the healthcare industry evolves, so too do the threats against it. With sensitive patient data spread across legacy systems, vendor networks, and shadow IT, securing protected health information (PHI) has become a formidable challenge for healthcare delivery organizations (HDOs). Modern architectures and artificial intelligence (AI) promise a way forward, yet implementation is fraught with complexity.

In a recent discussion, Aimee Cardwell, former CISO at UnitedHealth Group and current CISO-in-Residence at Transcend, shed light on the realities of healthcare cybersecurity. Her insights highlight the risks posed by siloed systems, ineffective compliance approaches, and evolving AI technologies, while also providing a roadmap for building secure, patient-centric systems.

The Complexity of Healthcare Data Security

The Problem of Siloed, Legacy Systems

One of the greatest challenges in healthcare cybersecurity is the proliferation of siloed, outdated systems. Cardwell painted a vivid picture of what this looks like within large health organizations. Core systems such as electronic health records (EHRs), billing, pharmacy, and lab systems already operate in isolation. Add to this the complexity brought by frequent acquisitions, where each new entity brings its own unique systems, workflows, and data storage practices.

"Imagine acquiring two companies a month, each with its own EHR and billing system", Cardwell explained. "The pressure to maintain business continuity during these acquisitions means these systems rarely get consolidated quickly, creating a growing patchwork of disparate technologies." This chaotic expansion makes it nearly impossible to maintain full visibility and control over where PHI resides and who accesses it.

The Compliance vs. Security Gap

While regulatory mandates such as HIPAA provide a baseline for healthcare cybersecurity, they are inherently reactive. "Mandates codify what we knew yesterday", Cardwell noted, "but they don’t help with what’s threatening us tomorrow." Focusing solely on compliance creates a false sense of security, as it often leads to "privacy theater" - checking boxes to satisfy auditors without addressing the root causes of vulnerabilities.

For healthcare organizations, the challenge lies in moving beyond compliance to create proactive, security-first architectures. As Cardwell emphasized, "If you don't know where every piece of PHI lives and who touches it, no amount of regulation will protect it."

Tackling the Unknown: Where to Begin?

Data Visibility: Knowing What You Don’t Know

A recurring theme in Cardwell’s insights is the importance of data visibility. "The biggest problem", she explained, "is not where the data is that you know about. It’s where the data is that you don’t know about." For example, she recounted an incident where 14 years of patient data were discovered in the finance team’s invoice folder. Such hidden caches of sensitive information are prime targets for cybercriminals, underscoring the importance of comprehensive data discovery tools.

The solution, according to Cardwell, includes a combination of centralized data warehousing, continuous scanning for PHI, and incremental decommissioning of underused systems. However, she cautioned against rushing into data warehouses without proper follow-through: "If you don’t decommission the old systems, you’ll end up with more data systems, not fewer."

Addressing Vendor Risks

Third-party vendor risks are another weak link in the healthcare cybersecurity chain. While contracts and certifications such as SOC 2 Type 2 can provide some assurance, they are often superficial. "You’re trusting the honesty of whoever filled out those audits", Cardwell explained. Vendors servicing multiple healthcare systems may face similar challenges with layered legacy systems. Yet, when a vendor suffers a breach, the healthcare organization - regardless of its own security posture - is left to deal with the fallout.

Organizations must establish rigorous vendor risk management practices, including real-time monitoring of vendor systems and automated red flags for anomalies.

Shadow IT and AI Risks

Shadow IT - unauthorized tools or systems used by employees - further complicates matters. For instance, tools like scheduling apps or file-sharing platforms can inadvertently expose patient data to external entities. Similarly, clinicians testing large language models (LLMs) like ChatGPT for diagnosis or data analysis risk uploading sensitive PHI, creating a governance nightmare.

While Cardwell acknowledged the potential of AI to revolutionize healthcare, she emphasized the risks of poor governance. "Once data is in an AI, you can’t delete it. It’s there permanently." However, she also noted that retrieving data from AI systems is often harder than retrieving it from traditional databases, which offers a sliver of hope for minimizing exposure.

The Role of AI in Modern Cybersecurity

When implemented correctly, AI can be a powerful ally in healthcare cybersecurity. Cardwell highlighted its potential for anomaly detection, discovering sensitive data, and automating responses to threats. Advanced tools can now redact sensitive information from AI prompts in real time, preventing accidental data leaks at the source.
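Two of the practices mentioned above, continuous scanning of stored files for PHI (the "14 years of patient data in an invoice folder" case) and redacting sensitive values from LLM prompts before they leave the organization, share the same core: a catalogue of identifier shapes and a matcher run over text. The following is an added illustration written for this post, not code from the podcast, from Transcend, or from any product discussed here. It assumes PHI can be approximated by regular expressions for a few common formats (US SSN, US phone number, e-mail address, dates) plus a constructed medical record number format `MRN-` followed by six to eight digits; the sample invoice text and sample prompt are constructed for the example. A production deployment would use validated classifiers and the organization's own identifier formats, but the shape of the pipeline is the same.

```python
"""PHI discovery scan and prompt redaction built on one shared pattern catalogue.

Added example. The MRN format and all sample data below are constructed
placeholders, not real identifiers or real patient data.
"""
import re
from dataclasses import dataclass

# Identifier shapes treated as PHI-like. Order matters only for readability;
# the patterns do not overlap on the sample inputs used here.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),  # hypothetical MRN format
}


@dataclass
class Finding:
    kind: str       # which pattern matched
    location: str   # file path or object key being scanned
    line_no: int    # 1-based line within that file
    snippet: str    # masked value, safe to put in a triage ticket


def mask(value):
    """Keep only the last two characters so a finding can be triaged
    without copying the PHI value itself into the scan report."""
    if len(value) <= 2:
        return "**"
    return "*" * (len(value) - 2) + value[-2:]


def scan_text(location, text):
    """Discovery mode: report every PHI-like match in a blob of text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PHI_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, location, line_no, mask(match.group(0))))
    return findings


def summarize(findings):
    """Count findings by kind; this is what a recurring scan job would trend over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def redact_prompt(prompt):
    """Redaction mode: replace PHI-like values with typed tokens before the
    prompt is sent to an external model. Returns (redacted_prompt, counts)."""
    counts = {}
    redacted = prompt
    for kind, pattern in PHI_PATTERNS.items():
        redacted, n = pattern.subn(f"[{kind.upper()}]", redacted)
        if n:
            counts[kind] = n
    return redacted, counts


# Constructed sample data standing in for a forgotten finance-folder file
# and for a clinician's prompt; none of these values are real.
SAMPLE_INVOICE = (
    "Invoice 4471 for patient MRN-0042911, DOB 03/14/1962, SSN 123-45-6789\n"
    "Billed 2011-09-02, contact jane.doe@example.org"
)
SAMPLE_PROMPT = (
    "Summarize the chart for MRN-0042911 "
    "(SSN 123-45-6789, born 03/14/1962, phone 617-555-0123)."
)

if __name__ == "__main__":
    for f in scan_text("finance/invoices/2011-Q3.txt", SAMPLE_INVOICE):
        print(f"{f.location}:{f.line_no} {f.kind} {f.snippet}")
    print(summarize(scan_text("finance/invoices/2011-Q3.txt", SAMPLE_INVOICE)))
    text, counts = redact_prompt(SAMPLE_PROMPT)
    print(text, counts)
```

The scan report deliberately stores masked snippets rather than the matched values, so the discovery tool does not itself become another copy of PHI that has to be governed. The redaction function keeps the field labels ("SSN", "born") and replaces only the values, which preserves enough context for the model to be useful while ensuring the identifier never leaves the organization.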

However, organizations must tread carefully. "AI is just a tool", Cardwell said. "It can improve data discovery and threat detection, but only if the governance model is strong enough to support it."

Building a Modern Healthcare Security Architecture

For organizations looking to revamp their cybersecurity strategy, Cardwell outlined the key components of a modern architecture:

  1. Unified Data Visibility: Create a single source of truth for all sensitive data, with visibility into how data flows and who accesses it.
  2. Identity-Centric Security: Implement zero-trust principles, ensuring access is strictly limited to authorized users and that permissions are role-specific.
  3. Real-Time Monitoring and Automated Response: Use AI-driven tools to detect anomalies, monitor endpoints, and respond to threats in real time.
  4. Data Encryption Throughout the Lifecycle: Ensure that data remains encrypted both at rest and in transit, especially as interoperability increases.
  5. Proactive Vendor Management: Monitor vendors continuously rather than relying solely on annual certifications or audits.

Strategic Outsourcing: Balancing Internal Capabilities with Third-Party Expertise

Cardwell advocated for a hybrid approach to cybersecurity, where core functions such as security architecture and risk management remain in-house, while specialized services like 24/7 security operations and advanced forensics are outsourced. This approach allows organizations to leverage third-party expertise without spreading internal teams too thin.

She also advised CISOs to negotiate aggressively with vendors. "Don’t accept the first price. Vendors expect you to negotiate, and you can often negotiate significant discounts."

Measuring Success: Metrics for Boards and Leaders

For boards and executives, Cardwell recommended tracking metrics that reflect both security posture and operational efficiency:

  • Time to Remediate Critical Vulnerabilities: This measures how quickly the organization can patch known vulnerabilities once they are identified.
  • Incident Detection and Response Times: How long does it take to discover and respond to security incidents?
  • Mean Time to Recovery (MTTR): How quickly can operations resume after an incident?
  • Security Debt Trends: Is the organization reducing its backlog of vulnerabilities, or is it growing?

These metrics provide actionable insights and ensure leadership remains informed about the organization's cybersecurity progress.

Key Takeaways

  • Legacy Systems Compound Risk: Acquisitions, business continuity pressures, and siloed systems create significant vulnerabilities in healthcare networks.
  • Visibility is Paramount: Effective cybersecurity starts with knowing where all PHI resides, including unknown or hidden data caches.
  • Compliance ≠ Security: Regulations are necessary but insufficient; proactive, security-first architectures are essential.
  • AI Has Dual Roles: While AI can support anomaly detection and real-time threat response, poor governance around AI usage can expose sensitive data.
  • Vendor Risks are Significant: Third-party breaches can impact healthcare organizations even when their own systems are secure.
  • Unified Data Models are Key: Centralized data visibility and real-time monitoring are critical for reducing complexity and improving security.
  • Track the Right Metrics: Focus on measurable outcomes like patch cadence, detection and response times, and MTTR to assess the effectiveness of your cybersecurity strategy.
  • Balance Outsourcing and In-House Expertise: Keep core capabilities internal, but don’t hesitate to leverage third-party services for specialized tasks.

Conclusion

Modernizing healthcare data security requires a multipronged approach, balancing technology, governance, and strategic planning. As Cardwell’s insights reveal, success lies in achieving unified visibility, adopting cutting-edge tools like AI responsibly, and fostering a culture of continuous improvement. For healthcare and cybersecurity leaders, the path forward is challenging but essential - not just for regulatory compliance, but to safeguard patient trust and ensure uninterrupted care delivery.

Source: "Modernizing Healthcare Data Security w/ Aimee Cardwell" - CareTalk: Healthcare. Unfiltered. Podcast, YouTube, Nov 21, 2025 - https://www.youtube.com/watch?v=Z7qNLyLm7Lg
