Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Claroty: Cyber Risk Mitigation in Healthcare Environments

Claroty
07/06/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Good. How are you? Good. Thanks for joining me. So I want to talk about risk management, risk mitigation, but I want to start off with a question about complexity. And just I'm curious, in your position, your experience, how do you characterize the complexity either in your environment or in a typical hospital clinical environment? Yeah. Complexity is very difficult, right? So right, I'll explain it like this, right, in a normal office environment, right? The complexity is very low, right? You have desktop computers, you have copiers, right? That's all you generally have. In a hospital, you have all of that plus all the equipment that I manage. So all the medical devices, right? Usually IT will standardize the type of computer and copier that you have. So maybe you have five or six different makes and models. In the medical device world, right, because of the different types of equipment we have, there are hundreds of thousands of makes, models, and manufacturers, right? So that's the medical equipment. And then on top of that, you have all the OT stuff, right? The card readers, the security cameras, right? All of that kind of stuff. So from a complexity perspective, I would go low from an IT, medium from a medical equipment, and then we add all the OT stuff, which just makes it really, really complicated. I was going to say, medical stuff's probably not too far off from OT in terms of a whole picture. It is, but the maturity of how we handle it is probably further along, right? I think most hospitals have developed programs to try and understand exactly what they are and try and start garnering how to manage them. I'll say OT is so far behind a lot of organizations, whether you're in a hospital or not a hospital, still don't have mature programs around managing them. So the risk is still very different or higher, I guess, right? For OT stuff than it is for medical devices. So I guess that's my next natural question is like the impact of that complexity on risk on healthcare organizations, et cetera. Yeah, so it's very interesting when you talk about risk because you can talk about risk from about like five different perspectives, right? You know, your enterprise risk management team has one view of risk and that's a holistic, you know, enterprise vision of risk. And they care about every risk there is and they want to measure and mitigate everything that's out there, right? Our organization looks at risk in a very different way, right? So we look at risk from something called a materiality perspective, right? I care about things that are going to shut my hospital down, right? So I look at workflows that keep my doors open, right? So anything tied to that workflow then is something I really want to make sure is highly available, is up and running, right? I'm patching vulnerabilities on, right? I'm making sure that that function continues to run. Now, if that function has OT assets, if it has medical device assets, if it has IT assets, all of those have to be highly available, highly reliable, up to date, all that fun stuff. So it's more on a function versus specific device. Correct, correct. So we don't look at a vulnerability, right? And care about that particular vulnerability regardless of what that vulnerability impacts. We look at it from a functional perspective. So from a risk management perspective, I guess you start with the assessments first. How often, how intense are they, and are we talking about, in addition to the known frameworks, bringing in pen tests, red teams, et cetera? Yeah, so GRC assessments occur all the time, right? We all have so many different assessments that go on. Obviously, there are different assessments based on the type of things that are coming across your desk, right? You know, if it's wholly owned within the organization, it's one level of risk because I manage it. If it's a third party, it's a different kind of assessment because I don't necessarily manage all of that. So the risk is very different. You know, if it's AI, oh my God, that's a whole other level of risk. And we've got a whole different type of risk assessment around that. All of those different levels indicate exactly then what you're talking about, the follow-up, right? So do I do a reoccurring assessment? Do I require a pen test? Do I require, right, any additional level of scrutiny, right, based on the risk and complexity of what we're actually implementing? You can't do the nth degree for everything that crosses your desk. We just don't have enough resources to do that. So when you get that shiny new thing like AI, how painful is that for you to kind of just go through all the machinations of just kind of assessing the risk? It is. So most organizations have stood up, you know, an AI governance group to try and understand exactly what's coming in. Because AI is changing so quickly. A lot of us are even still trying to get our hands around exactly how to govern, right, the AI that's coming in. And, right, it's not just physicians. It's any AI that's coming through at this point. We need to make sure it's safe, right? And to do that, all of the guardrails that we need to put in place continue to change. And the pace of that innovation, right, is very hard to keep up with. And so it takes a village to make sure that we're all doing it successfully. And in terms of communicating risk to your population, whether it's staff, whether it's on the clinical side or the business side, how adept have you become at those conversations? I can imagine they're very different. Oh, and they have to be very different. So that's the one thing I think CISOs and IT organizations and biomeds have to understand is that the language that you use, the lexicon that you use has to change based on who you're talking to, right? If I'm talking about risk to my clinical teams, right, and I'm trying to explain why we're putting together downtime plans for whatever it is, right, whatever device that we're working on, they need to understand, right, the impact to them, right? If I take this system offline, here's what's going to have to happen. I need to understand their workflow so that I can talk in their language, right? That risk conversation is very tactical, very operational, right? But when I go to my enterprise risk management committees and teams, right, they don't want to know about tactics. They want to know about exposure. They want to know about much larger types of conversations. And so I think part of the change in leadership, right, that has to be made for those individuals running the IT, the CISO level type thing is you have to become very adept at having risk discussions at very different levels with very different people, right? And do they get it? Like, how do you know they get it? So you'll know they've gotten it when they've signed on to your, right, your plan, right, whatever you're trying to implement from an action perspective. And they can talk through exactly what needs to happen and why. So not just what you're doing, but the actual reason behind it, right? So trying to change the culture of your organization really means making security understandable to everyone. So it's not just about, hey, I'm implementing this, you know, mitigation because it's right for the organization. It's because we're doing A, B, and C. Because we're, right, trying to increase reliability. Because we're trying to increase uptime. Because, right, whatever those 15 things are, if you can enunciate that and your end user can articulate that back to you, right, they're really buying in then to the culture of safety. So in terms of risk mitigation, I always like to ask folks in healthcare security about patching and just kind of like, I would imagine there are prolonged windows of exposures that require compensating controls, et cetera. But just, is this the bane of your existence, kind of this whole dynamic around patching and the FDA's involvement, et cetera? What's the reality? Patching is abhorrent at this point, right? And a lot of places will point to patching as the solution, right? And we write them in our SLAs, right? You know, you must patch a critical vulnerability, right, within one day and write mediums within 15 days. I laugh. We don't have patches for months and years in some instances. And medical device manufacturers may never generate a patch. Your only option, right, is a compensating control. And fundamentally, some medical device manufacturers may not even get you that compensating control for three to six months. And so you're taking on a lot of risk without really knowing, right, when you're going to be able to mitigate. And so you have to take the accountability and responsibility to say, I'm going to implement compensating controls that aren't validated by the manufacturer. And so that's microsegmentation, right? That's a lot of network level controls that a lot of us have moved to because patching is not a panacea. We can't operationalize it fast enough. And I think the OT world is seeing that exact same thing, right? And I think a lot of the same tools are going to be very applicable on the OT side that they are on the medical device side. Has this whole patching dilemma kind of fed this ransomware epidemic across the industry? Is there that exposure that they're leveraging? So most of the ways that threat actors get into systems actually aren't through medical devices. And so we're not necessarily the threat vector by which we get in. Now, we are a vector by which they move laterally throughout our organization. And so I'm not going to say that, right, it's not a problem because it is a problem. But we're normally not, right, the public facing on the internet, right, point of breach. But I will say, right, fundamentally, patching is a tool and we need to be able to leverage it. And so, right, continued pressure to the vendors to go ahead and produce patches in a timely manner absolutely needs to happen. How bad is the ransomware problem? I'm sure you meet with your peers all the time and other hospitals. Is this what kind of keeps you guys up at night? Yeah. And it's not just ransomware for our organization. It's ransomware for our third parties, right? Anything that's going to impact my organization, right? So there was a stat earlier today that Mandian showed us, right, that 46% of organizations have had a third party breach this year, right? That's one out of two. So if I haven't been hit personally, right, I probably have been hit by a third party breach. And so we have to be prepared, right? The theme of this entire session has been resiliency. And it's because we're going to get hit over and over and over again. We just have to become resilient. How hard is it to get visibility into what your partners are doing around security? It depends on the partner. You know, and there are partners who have been very transparent about exactly what needs to happen and exactly what's happening. And then there are partners that are very much, you know, a black box. Sure. And that can be frustrating, obviously. You know, when you're trying to secure an entire enterprise, and even from our perspective, when it's a critical part of our enterprise, right, that we want to make sure we're resilient towards, black boxes are very problematic for us. You know, and it becomes very difficult for us to try and manage our way around. Yeah. All right. So last question, from a risk mitigation standpoint, how important is it to empower users around security? And is it more than just awareness training? Yeah, it's critical to make sure that your end users are definitely part of your security training. Now, there's a lot of research out there that says security training isn't necessarily as effective, right? We have a lot of AI that's now coming out that, you know, emails are not as easy to understand and identify as, you know, malware. So I'm not going to say that we should all throw away our security awareness training. We do need to have it. But I think creating a culture of security awareness is actually much more important, right? Even if it's as simple as empowering your front end users, right? To stop the line when something happens, right? If a vendor brings in a piece of equipment that has something that hooks to the network, right? Empowering them to say no until they've called IT and IT has gone ahead and looked at it. That's incredibly important in your organization. And I think that empowerment actually helps secure, right? Your environment much more, right? Than just relying on IT to be the only point of failure. Right. Perfect. All right. Thanks, Sam. Thank you very much.

TL;DR

  • Healthcare environments manage exponentially greater complexity than standard IT, with hundreds of thousands of medical device makes and models plus OT systems, while medical device security maturity significantly exceeds OT programs
  • McLaren Health Care prioritizes risk mitigation through a materiality lens, focusing on workflows that keep hospitals operational rather than treating all vulnerabilities equally, with tiered assessments based on asset type and emerging technology governance
  • Medical device patching remains severely problematic with manufacturers taking months or years to release patches, forcing organizations to implement unvalidated compensating controls like microsegmentation rather than relying on traditional patch management
  • Third-party breaches represent a critical threat vector with 46% of organizations experiencing partner-related incidents, while ransomware resilience has become the primary focus rather than prevention alone
  • Effective security culture requires empowering frontline staff to stop workflows when anomalies occur, moving beyond traditional awareness training to create organizational accountability for security decisions

Technology Complexity in Healthcare

Healthcare environments face exponentially greater complexity than typical office settings. While standard IT environments might manage five or six standardized computer and copier models, hospitals must contend with hundreds of thousands of medical device makes, models, and manufacturers. This complexity extends beyond medical equipment to encompass operational technology including card readers, security cameras, and building systems. Jacques emphasizes that while hospitals have developed relatively mature programs for managing medical devices, OT security programs remain significantly behind, creating elevated risk profiles across the healthcare sector.

Risk Assessment and Materiality Focus

McLaren Health Care approaches risk management through a materiality lens, prioritizing workflows that keep hospital doors open rather than attempting to address every vulnerability equally. This function-based approach evaluates risk across IT, medical devices, and OT assets holistically, focusing on high-availability requirements for critical workflows. The organization employs tiered risk assessments based on asset ownership, third-party involvement, and emerging technologies like AI, which now requires dedicated governance structures. Jacques stresses that resource constraints necessitate this prioritized approach rather than applying maximum scrutiny to every system.

Patching Challenges and Compensating Controls

The patching landscape in healthcare presents severe operational challenges, with medical device manufacturers often taking months or years to release patches—or never releasing them at all. Traditional SLA requirements calling for critical vulnerability patches within one day prove unrealistic in healthcare environments. Jacques reports that organizations must implement compensating controls like microsegmentation and network-level protections without waiting for manufacturer validation. While medical devices typically aren't the initial breach vector, they do facilitate lateral movement during attacks. This reality has driven healthcare organizations toward network segmentation strategies similar to those emerging in OT security.

Chapters

0:00 - Introduction
0:13 - Healthcare Technology Complexity
2:03 - Risk Management Approaches
3:16 - Risk Assessment Frameworks
4:36 - AI Governance Challenges
5:12 - Communicating Risk Across Audiences
7:37 - Patching and Vulnerability Management
9:54 - Ransomware and Third-Party Risk
11:19 - Empowering Users for Security

Key Quotes

1:00 "In the medical device world, right, because of the different types of equipment we have, there are hundreds of thousands of makes, models, and manufacturers, right? ..."
2:32 "We look at risk from something called a materiality perspective, right? I care about things that are going to shut my hospital down, right? ..."
8:18 "We don't have patches for months and years in some instances. And medical device manufacturers may never generate a patch."
8:44 "You have to take the accountability and responsibility to say, I'm going to implement compensating controls that aren't validated by the manufacturer."
10:15 "... 46% of organizations have had a third party breach this year, right? That's one out of two."

FAQ

Why is patching so difficult in healthcare environments compared to traditional IT?

Medical device manufacturers often take months or years to release patches, and in many cases never produce patches at all. Healthcare organizations cannot wait for vendor-validated solutions, forcing them to implement compensating controls like microsegmentation without manufacturer approval. Traditional SLA requirements for patching critical vulnerabilities within one day are unrealistic in healthcare settings.

How should healthcare organizations prioritize cybersecurity risk mitigation given limited resources?

Focus on materiality—workflows that keep hospital doors open. Evaluate risk from a functional perspective rather than device-by-device, ensuring high availability for critical workflows regardless of whether they involve IT, medical devices, or OT assets. Apply tiered risk assessments based on asset ownership, third-party involvement, and technology type rather than attempting maximum scrutiny for everything.


Categories:
  • » Cybersecurity » Compliance & GRC
  • » Data Protection
Channels:
News:
Events:
Tags:
  • OT
  • IoT Security
  • Compliance & Governance
  • Security Operations
  • Best Practices
  • Executive Briefing
  • Healthcare Cybersecurity
  • Medical Device Security
  • OT Security
  • Risk Management
  • Vulnerability Management
  • Patch Management
  • Compensating Controls
  • Third-Party Risk
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Claroty: Cyber Risk Mitigation in Healthcare Environments

              Upcoming Webinar Calendar

              • 07/09/2026
                01:00 PM
                07/09/2026
                The HUMAN Experience: Empowering Agentic Trust in Practice
                https://www.truthinit.com/index.php/channel/2026/the-human-experience-empowering-agentic-trust-in-practice/
              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Level Security Team for Unmatched Defense Success
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-level-security-team-for-unmatched-defense-success/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in AI Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-ai-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/21/2026
                01:00 PM
                07/21/2026
                HUMAN Dialogue: Insights from Attackers During the FIFA World Cup
                https://www.truthinit.com/index.php/channel/2029/human-dialogue-insights-from-attackers-during-the-fifa-world-cup/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Innovations in Data Privacy and Digital Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-innovations-in-data-privacy-and-digital-protection/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                09

                The HUMAN Experience: Empowering Agentic Trust in Practice

                07/09/202601:00 PM ET
                • Jul
                  14

                  Crafting a Championship-Level Security Team for Unmatched Defense Success

                  07/14/202601:00 PM ET
                  • Jul
                    14

                    Understanding the Crucial Role of Context in AI Data

                    07/14/202602:00 PM ET
                    • Jul
                      21

                      Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                      07/21/202604:00 AM ET
                      • Jul
                        21

                        HUMAN Dialogue: Insights from Attackers During the FIFA World Cup

                        07/21/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version