
Health Care’s Hidden Risk: Your Connected Clinical Suppliers

Health care organizations rely on hundreds of third-party clinical suppliers—from EHR integrations and pharmacy systems to imaging platforms, telehealth vendors and AI tools. But when hospital leaders can’t fully see where data is going or whether those connections are acting normally, risk rises fast—and that’s where many breaches begin. In this episode of the AHA Bringing Value Series, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, sits down with Vince Crisler, chief information security officer at Celerium, for a timely conversation on one of health care’s most urgent cybersecurity challenges: third-party supplier visibility. Tune in to hear why this issue matters now and what hospitals can do to strengthen their defenses.

To learn more about Celerium, click here: https://www.celerium.com/partners/aha 

Featured Speaker:
Celerium

Vince Crisler is the Chief Information Security Officer at Celerium and a nationally recognized expert in cybersecurity, risk management, and threat intelligence. He has advised organizations across the public and private sectors, including federal agencies and healthcare systems, on defending against advanced cyber threats. Vince specializes in identifying hidden risks across complex environments and translating technical risk into actionable business strategy for executive leadership and boards.

Transcription:

John Riggi (Host): Healthcare organizations are connected to hundreds of third-party suppliers, from electronic health record integrations and pharmacy systems to imaging platforms, telehealth vendors, and AI tools. Most hospital CIOs and CISOs have only a partial picture of who they're actually sending data to and whether those connections are behaving normally.


That blind spot is where many breaches begin. Welcome to the AHA Preferred Providers Bringing Value Series from the American Hospital Association. In this series, we speak with AHA business partners and learn how they support AHA hospital and health system members. I'm John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association. And today, I'm here with my good friend and colleague, Vince Crisler, Chief Information Security Officer at Celerium.


Every time I speak about cybersecurity, I say that the largest risk we face in healthcare comes to us from third parties, insecure third parties. Join us as we explore why third party supplier visibility is one of the most pressing challenges in healthcare cybersecurity, and what hospitals should be doing now to strengthen their cybersecurity posture. Vince, welcome.


Vince Crisler: Thanks, John. It's great to see you again.


Host: Likewise, Vince. So Vince, tell me what's been going on. Why are third party suppliers some of the largest threats to healthcare? And how do we extend our security perimeter to account for this threat to healthcare?


Vince Crisler: Well, that's a great question, John. I think the perimeter that we used to think of is gone. Your attack surface now as a healthcare organization is every vendor plugged into your environment. And I can guarantee you that most hospitals can't tell you who all those vendors are right now, if you pinned them to the table.


There's a TV show called The Pit. And they had this series of episodes where they were facing a cyber attack. The piece there that was really fascinating is when they move back to paper, what happens in the digital world is their perimeter shrinks, right? Their perimeter is now the walls of their hospital. When they move digital, their perimeter is now exposed to potentially hundreds of other companies. And attackers figured this out a long time ago. You know, why try to break down the front door of a hospital when you can walk in through a supplier that has a screen door?


The traditional way to manage this is BAAs, which are great on paper. They're legal documents, not security controls. Those don't stop the breach, they just tell you who to blame after the fact. And when you look at recent HHS data, breach disclosures are up 40% year over year in 2025. And this isn't getting better on its own. And this is a gap that I continue to see over and over again. You know, hospitals have spent years and millions of dollars keeping the bad guys out, but almost nobody can tell you what data is leaving their network right now and if that's normal. And that outbound visibility is the blind spot that you mentioned.


Host: Vince, great reference to The Pit episode. Fortunately and unfortunately, that episode highlighted a very common issue, the threat we have of ransomware attacks in healthcare. When I saw it, it was like reliving many of the moments of dealing with the many victims. I'm telling you, I've dealt with hundreds of ransomware hospital victims since I've been here at the AHA and previously when I was at the FBI. It was pretty accurate. And quite frankly, it didn't even show all the disruption that occurs.


But to your point, once the organization is forced to disconnect from the internet, it's disconnecting from all those mission-critical third party providers. It really causes significant disruption, especially for our younger folks, clinicians who may have never worked with paper or manual processes as highlighted on that episode.


So great, great reference, Vince. So, we talk a lot also in healthcare about shadow AI. Maybe you could explain that to our audience and how shadow AI is getting into our environments and how it's quickly and quietly expanding risk inside our healthcare environments.


Vince Crisler: Yeah. I mean, I call shadow AI shadow IT's more dangerous cousin. It's rooted in the fact of people trying to be more efficient, trying to be better at their jobs. They've seen these AI tools talked about everywhere. They may use them at home. They're just trying to find ways to be better at their jobs. You know, a transcription tool or summarization service. But these are tools that have never been vetted by your IT team. They're collecting sensitive data. And so, the problem here, you know, it's not intent. These people are trying to do something right. They're trying to do better at their job. The problem is that that PHI is getting pasted into external platforms with data retention policies that nobody ever reads, data processing policies that nobody really understands. That data is sitting outside of your control.


The stats around this are pretty stark. Over 80% of organizations show shadow AI activity. And the vast majority of it flies under the radar, because it looks like normal encrypted web traffic. This is all just going over port 443, HTTPS, and that's what makes this so tricky. You know, a nurse using an AI tool to summarize discharge notes doesn't trigger alarms. It looks like somebody just browsing the internet. But PHI just left your building. And we're not going to solve this by locking everything down. Clinicians will just use their phones, their personal devices. You need two things. You have to give people approved tools that are actually good enough to use, and you have to have visibility into where that data's flowing so you can catch the stuff that slips through.


At Celerium, we're focused on these sorts of challenges as well. We caught exactly this at a hospital. Someone was using an unauthorized testing tool that was routing data to European cloud servers. They didn't have a clue that it was happening. We saw it in the traffic patterns and shut it down that same day. So, the bottom line here is, John, you know, AI adoption is happening in your hospital, whether you've blessed it or not. The only question is whether you can see it.


Host: Yeah, great points, Vince. To your point, it is there, it's in the environment. There are a lot of existing programs in hospitals, applications, that add on AI features. So, it's not as though somebody purchased it and it's totally new. And, you know, given the immense financial pressures and workforce shortages that healthcare and hospitals and health systems face, AI is being viewed as that shining city on the hill that will be the savior, the answer, for all of these problems. It'll make us more efficient. It'll help ease workforce shortages, and it will, but with it comes risk. The road to that shining city on the hill is perilous.


So, let's shift gears here just a little bit. We talked a little bit about ransomware attacks, and we all know that one of the first steps, before encrypting an organization with their ransomware, is that they try to exfiltrate data. So, the double-layered extortion method, very common. In fact, we don't see ransomware attacks anymore where this doesn't happen. What early signs of data exfiltration should organizations be watching for before a ransomware attack occurs?


Vince Crisler: We get into a lot of discussions with hospital executives over this exact topic. And you know what I'm telling these executives today is, if you think ransomware is about encryption, you're fighting the last war. Now, it's about data theft. Attackers steal your information first, as you said, and then they encrypt. Even if you've got great backups and you're all prepared for ransomware, they still have your records and your information. And so, the prevention here is, "Can you see that data walking out your door while it's happening?" And there are some big things to watch out for, and these seem obvious to be able to find. But if you don't have your systems instrumented correctly, you're never going to see them. You know, unusual outbound data volume, data going to destinations that you don't recognize. Big transfers happening at 2:00 AM on a Saturday when nobody's around or the midnight shift is on. Attackers love holiday weekends. They know you're running a skeleton crew and you're not going to see these things.


And so, one trend that also really worries me, and we've seen this in hospitals that we're working with today: attackers use legitimate cloud services to exfiltrate data. They'll use a real backup platform or a real file-sharing service, and it looks completely normal in your logs if you have folks just monitoring a SIEM, those sorts of things. And that's by design. It's kind of an aging example, but it's a perfect example. Massive data transfers were happening and nobody had a way to flag it. I've heard directly from people who said if they had the ability to see those large outbound transfers in real time, they would've caught MOVEit.


And this is where the industry needs to go: early-stage outbound blocking, catching exfiltration before the ransom note shows up. Once you see that note, the data's already gone and you're already hosed. And most hospitals actually have raw data in their firewall logs. The problem is nobody has the time to make sense of it. You know, a three-to-five-person IT team isn't going to parse all those log entries. You need some form of automated analysis that surfaces the stuff that matters and ignores the noise.


And then also, here, speed matters too. These threats are changing minute by minute. If you're using block lists that are updating daily or weekly, you're already behind and you're never going to see this stuff.


Host: Okay, great points, Vince. And taking some of your points from the headlines, even in a recent attack we had at a major third-party provider to healthcare, the adversaries used living-off-the-land techniques to mask their activity through what appears to be normal technical activity to destroy data. Not only did they attempt to encrypt, but they actually destroyed data there.


So, masking that malicious activity through normal activity, our regular endpoint detection tools just aren't going to catch that. So, you need that visibility, as you said. So, let's talk a little bit more about third parties. Why is it so difficult to monitor vendor connections, especially those coming through VPNs or indirect integrations?


Vince Crisler: Well, let's be blunt. I think most hospitals have never had a complete picture of their vendor connections. These things change so quickly and so often that visibility was just never built. You know, VPN tunnels, the cloud-to-cloud connections, the connections running through business associates that you didn't even know were there. It's a complete mess. It's been built up for years, and it's getting worse the more we try to lean forward to more automated systems. And then, legacy systems in healthcare make this 10 times harder. You've got systems running in the pharmacy or radiology or in the lab that are 15 years old. You've got PHI on them. You can't install modern agents. And so, they just sit there as blind spots. These VPNs are a specific headache, because the whole point of a VPN is establishing trust. It basically creates this encrypted tunnel between two points. And once that tunnel's trusted, you're no longer looking at what's flowing through it. And that's where the attackers really sink their teeth in, because they realize there's a tunnel that's trusted that they can use.


And what I've learned doing this work over the last 25 years is that the data's usually there, there's some sort of indication of what's going on in your logs. What's missing here is the intelligence layer, the visibility layer. There's a huge difference between just having logs and information sitting and actually knowing that your pharmacy system just sent a large amount of data to an IP that you've never seen before. The approach that actually works here is analyzing that traffic at a network boundary, not looking at the packet contents, just the metadata. Where's that going? How much? How often? Is it normal? We can catch a lot of bad stuff this way without even touching the PHI or exposing any sensitive information and without installing stuff on those individual machines.


And just to wrap up with a real example here, John: a rural hospital that we work with, small IT team, limited budget. Within hours of getting this visibility turned on, they had their first-ever complete view of outbound data flows across EHR, imaging, everything they had. And they immediately found vendor connections nobody on the team knew existed, and that's not unusual. That's the norm here. How we get visibility is the key question.


Host: Yeah, great points, Vince. And again, I think what you highlighted about the fact that for smaller teams, they're not going to be able to sift through and analyze all that data. So, adding your intelligence layer, your ability to see that activity is critical. We used to call this just baselining network activity, but what you all do is far more complex than that.


And again, the bad guys are shifting tactics, I believe as we become more efficient at identifying vulnerabilities and patching them, the technical vulnerabilities. Hopefully, Mythos will help that, the Claude program will help that, but we already see it. The bad guys are shifting their tactics, living off the land, not using malware, compromising credentials.


That's why what you guys do is so important, spotting that anomalous activity. Vince, finally, can you tell our CIO and CISO listeners how they can better communicate third-party risk to their CEOs and boards in a way that actually drives action?


Vince Crisler: This is a tough one. I'm actually on the board of a couple publicly traded companies and the discussions that they're having in the boardroom are different than what the CIOs and CISOs are having. And, you know, I get how proud you are of your technical knowledge and the insights you have into the technology stacks that you've built. But we need to stop talking like a CIO or a CISO in the boardroom. Nobody's going to act because you told them you need better SIEM or better threat intelligence or a zero trust architecture.


What we have to focus on in the boardroom are the things that keep them up at night, so patient harm, lawsuits, regulatory fines, their own names in headlines. And we have to treat this as a fiduciary issue. So, most regulatory penalties come down to "you failed to protect patient data," period. Boards understand this. They understand liability. And we have to meet them there. We have to give them a number that creates urgency without being hysterical. You know, the healthcare sector discloses one to two breaches a day. And the average breach takes months, six months, nine months, to detect.


So statistically, there's a real chance something is happening in your environment right now that you don't know about, and that gets attention. We've got to ditch the technical dashboards, and show risk by hospital, by department, by clinical system. When a board member sees there's a risk to NICU or pharmacy that's getting flagged, it stops being abstract. That's where it starts to become real. They can start to picture that problem overlaying on the environment that they know.


And so, boards ultimately hate unsolvable problems. If you walk in and say, "I need $5 million in 18 months to fix this," that's not going to be helpful. But if you talk about, "I need to find ways to get meaningful visibility so we can start to understand our risk and peel back the layers to manage this," that's where you can start to have a real discussion.


And I'll add just kind of a final piece here. Audit committees, board members are personally facing more regulatory scrutiny on cybersecurity than ever before. It's not just about protecting the institution, it's about protecting themselves. These people are very good at managing risk, and it's our job to help them see the risk in non-technical ways so we can manage it.


And my advice here is, you know, you got to bring a specific example from your own environment. Nothing moves a board, like, "Here's what we found when we actually looked." And in my experience, every hospital that looks finds something they didn't expect.


Host: Vince, excellent points. And I really want to hone in on one major point you made; you made a couple, actually. One, we have a translation issue in the world of cybersecurity. We love our technical speak. And we want to talk about all these great tools, and that does not translate to the non-technical leadership, the folks you depend on for your job, for your funding.


And so, we need to, as you said, translate that risk into enterprise risk. It's a risk which impacts every function in the organization. It brings on liability, regulatory risk, financial risk, reputational harm; most importantly, a risk to patient care and safety, and a risk to the community. If you go offline from a ransomware attack and your ambulances carrying stroke, heart attack, and trauma patients are now being diverted, especially in a rural area, a hundred miles away, that's a direct risk to patients and the community. That's what folks understand, and that's why cybersecurity is so important. Vince, thank you so much for joining the podcast today and sharing your insights.


Vince Crisler: Yeah. Thanks, John. Really happy and honored to be here. Celerium is honored to be a part of the Preferred Provider Program and to be working with AHA and helping address these challenges.


Host: For our audience, if you would like to learn more about Celerium, please visit celerium.com. This has been an AHA Preferred Providers Bringing Value Series, brought to you by the American Hospital Association, and to all our frontline healthcare heroes: thanks for what you do every day to defend networks, care for patients, and serve your communities. Stay safe, everyone.
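Added example, not part of the podcast and not Celerium's product: the Python below sketches the metadata-only outbound baselining Vince describes in the episode. It looks only at who sent how much to where and when (no packet contents, no agents on legacy hosts), builds a per-system baseline of known destinations and typical hourly volume from a week of normal traffic, then flags hourly totals that go to a never-seen destination, spike well above that baseline (the "legitimate cloud service" case, where the destination is known but the volume is not), or land in an off-hours window such as 2:00 AM on a Saturday. All hostnames, IPs, flows and thresholds are constructed for the example; tune SPIKE_FACTOR, MIN_SPIKE_BYTES and OFF_HOURS to the environment.

```python
"""Outbound-flow anomaly triage over netflow-style metadata (added example; constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

MiB = 2**20
OFF_HOURS = range(0, 6)        # assumed quiet window: 00:00-05:59 local, plus weekends
SPIKE_FACTOR = 10              # assumed: flag an hour sending > 10x the source's median hour
MIN_SPIKE_BYTES = 100 * MiB    # assumed floor so tiny medians do not turn noise into spikes


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str        # internal clinical system (hostname)
    dst: str        # external destination IP
    out_bytes: int  # bytes sent outbound; payload is never inspected


def hourly_totals(flows):
    """Sum outbound bytes per (src, dst, hour) so many small flows are not missed."""
    totals = defaultdict(int)
    for f in flows:
        hour = f.ts.replace(minute=0, second=0, microsecond=0)
        totals[(f.src, f.dst, hour)] += f.out_bytes
    return totals


def build_baseline(flows):
    """Per source: the set of destinations seen and the median bytes per (dst, hour)."""
    seen, vols = defaultdict(set), defaultdict(list)
    for (src, dst, _hour), nbytes in hourly_totals(flows).items():
        seen[src].add(dst)
        vols[src].append(nbytes)
    return {src: (seen[src], median(vols[src])) for src in seen}


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour in OFF_HOURS


def triage(baseline, flows):
    """Return [(src, dst, hour, bytes, reasons)] for hourly totals that deserve a human look."""
    findings = []
    for (src, dst, hour), nbytes in sorted(hourly_totals(flows).items()):
        known, typical = baseline.get(src, (set(), 0))
        reasons = []
        if dst not in known:
            reasons.append("new-destination")
        if nbytes >= MIN_SPIKE_BYTES and nbytes > SPIKE_FACTOR * typical:
            reasons.append("volume-spike")
        if reasons and is_off_hours(hour):
            reasons.append("off-hours")   # only escalates something already suspicious
        if reasons:
            findings.append((src, dst, hour, nbytes, tuple(reasons)))
    return findings


def _week_of_normal_traffic():
    """Constructed baseline: Mon-Fri 08:00-17:00, steady traffic to three known vendors."""
    flows, monday = [], datetime(2024, 1, 1)  # 2024-01-01 is a Monday
    for day in range(5):
        for hour in range(8, 18):
            ts = monday + timedelta(days=day, hours=hour)
            flows.append(Flow(ts, "pharmacy-01", "203.0.113.10", 1 * MiB))    # pharmacy vendor
            flows.append(Flow(ts, "pacs-01", "198.51.100.50", 50 * MiB))      # imaging file-share
            flows.append(Flow(ts, "lab-01", "203.0.113.44", 256 * 1024))      # lab interface
    return flows


BASELINE_FLOWS = _week_of_normal_traffic()

OBSERVED_FLOWS = [
    # routine: known vendor, usual size, business hours -> no finding
    Flow(datetime(2024, 1, 8, 10, 5), "pharmacy-01", "203.0.113.10", 1 * MiB),
    # 20 x 256 MiB = 5 GiB to a never-seen host at 02:00 on a Saturday -> all three signals
    *[Flow(datetime(2024, 1, 6, 2, m), "pharmacy-01", "192.0.2.77", 256 * MiB) for m in range(0, 60, 3)],
    # 40 GiB to the *known* file-share in one daytime hour -> volume-spike only (abused legit service)
    *[Flow(datetime(2024, 1, 8, 14, m), "pacs-01", "198.51.100.50", 1024 * MiB) for m in range(40)],
    # 2 KiB to an unknown host during the day -> new-destination only
    Flow(datetime(2024, 1, 8, 11, 0), "lab-01", "192.0.2.9", 2048),
]


def run_example():
    return triage(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for src, dst, hour, nbytes, reasons in run_example():
        print(f"{hour:%a %H:%M}  {src:12} -> {dst:15} {nbytes / MiB:10.0f} MiB  {', '.join(reasons)}")
```

In practice the flow records come from firewall or NetFlow/IPFIX exports rather than a list literal, the baseline is rebuilt on a rolling window, and the known-destination set is seeded from the vendor inventory so that an integration the team never documented shows up as "new-destination" on day one, which is the visibility gap the episode is about.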