Imagine the LED lights are on, clinicians are ready, and every screen goes dark. That’s the moment when governance—not gadgets—keeps care moving. We sit down with healthcare IT leader and board veteran Richard Helppie to chart a practical path for hospital boards to own cybersecurity as a top strategic risk, not a backend tech chore.

We start by separating governance from operations and translating cyber into the risk language directors already use. Rich shares how to make cybersecurity a standing board item, recruit at least one cyber-comfortable director, and ask the questions that matter: what are our biggest threats, how are we mitigating them, how will we know when we’re breached, and how fast can we recover? Dan adds a simple framing that works: present cyber with the same dashboards and cadence as finance and patient safety so leaders can weigh tradeoffs with clarity.

Then we get real about downtime. Many clinicians have never practiced on paper, and backups are now a prime target. We cover ransomware pressures, insurance posture, recovery objectives, and third-party risk—from supply chains to physician groups and patient portals. Human factors dominate the breach path, with phishing and help desk vishing exploiting speed-focused KPIs. The fix is cultural and operational: slow down where it counts, verify identities, harden processes, and measure cyber like hospital-acquired infections.

AI threads through the conversation as both opportunity and attack surface. Waiting to “see what happens” is not a strategy. We outline the early governance questions boards should ask about data leakage, model access, and monitoring, and how to pair innovation with guardrails. To win investment and attention, Rich offers a three-point board briefing—why cyber matters, what program is in place, and what’s needed to close gaps—and explains why tabletop exercises with executives, vendors, and select directors consistently shift mindsets from denial to readiness.

If you care about resilient care delivery, boardroom clarity, and practical defenses that work when systems fail, you’ll find a usable playbook here. Subscribe, share with a colleague who presents to boards, and leave a review with the one question you want every hospital board to ask about cybersecurity.

Cyber Survivor host Dan Dodson interviews Axel Wirth, chief security strategist at MedCrypt, about the rising cyber risks facing medical devices and what that means for patient care. Wirth explains that he began as a hardware electrical engineer in the medical device and health IT world before moving into cybersecurity in 2008, eventually focusing exclusively on medical device security and helping manufacturers both improve their products and meet evolving global regulatory expectations. Over the last decade, he has seen clear maturation: regulators like the FDA and international counterparts now explicitly require cybersecurity as part of market approval, and some devices are even being rejected solely for cybersecurity shortcomings, prompting manufacturers to strengthen designs and documentation.

Dodson and Wirth then dig into the massive challenge of legacy devices: millions of clinically functional but aging devices—CT and MRI scanners, infusion pumps, and more—remain deployed in hospitals, often with serious vulnerabilities and enormous replacement costs. They note that healthcare operates on tight or negative margins, making large-scale replacement difficult, and that any change introduces disruption, retraining needs, and operational risk. Wirth points to industry efforts, such as detailed guidance on legacy devices, but questions whether the sector can move fast enough given the growing sophistication of attackers and the broad attack surface created by all these connected systems.

They explore the threat landscape, emphasizing that risk has increased significantly. Attackers have not yet commonly launched deliberate, patient‑harming attacks on medical devices themselves; instead, devices often become collateral damage when they run unpatched commercial operating systems targeted by generic malware, as illustrated by the WannaCry incident that crippled the UK’s NHS and disrupted care. Wirth also cites evidence of criminal groups that intentionally use medical devices as entry points into hospital networks, as well as the economic incentives behind ransomware campaigns that seek to disrupt care, raising pressure on hospitals to pay ransoms to restore operations quickly.

Looking ahead, they discuss how AI and geopolitics will accelerate and intensify threats. Wirth notes that AI already enables cheaper, highly targeted attacks, with some campaigns now largely executed by automated tools, and he expects that trend to grow. At the same time, more nation‑state and hacktivist actors are likely to see healthcare as a strategic target. While there has been real progress—better tooling for manufacturers and hospitals, improved device architectures, stronger inventory visibility, network segmentation, and clearer regulatory pressure—Wirth is skeptical that defenders are improving faster than attackers. He worries that a large, catalytic event, similar to WannaCry but perhaps even more severe in healthcare, may be what finally forces the scale of investment and coordination needed.

The conversation also highlights operational friction between hospitals and manufacturers. Dodson raises the frustration many CISOs feel: patch cycles are slow and complex, responsibility is fragmented across IT, biomed/clinical engineering, third‑party servicers, and cybersecurity teams, and hospitals often end up “holding the bag” after an incident. Wirth agrees that patching is inherently complex—vulnerabilities must be verified, patches developed and tested, then deployed without compromising clinical operations—and that delays occur on both sides. However, he stresses that both manufacturers and providers are getting better: post‑market security responsibilities are more widely accepted, tooling is improving for patch development and deployment, and hospitals are investing in visibility and governance over who owns medical device security decisions. Despite his concerns, Wirth ends on a cautiously optimistic note. He contrasts today’s collaborative climate with the adversarial posture he saw around 2008, when early medical‑device hack research was met with legal threats and blame‑shifting rather than constructive dialogue. Now, regulators, manufacturers, service providers, and healthcare organizations are far more willing to acknowledge problems and work together on solutions. Dodson closes by underscoring that this kind of collaboration among “the good guys” will be essential if defenders are to keep pace with rapidly evolving adversaries and protect what ultimately matters most: safe, reliable care for patients.

A cyberattack on a vendor shouldn’t be the moment a hospital learns how interconnected its world really is. We sit down with Greg Surla, Chief Information Security Officer at FinThrive, to unpack how third‑party risk, revenue cycle platforms, and frontline care are woven together—and why resilience depends on planning with partners before the crisis hits. From joint tabletop exercises that include critical vendors to pre-approved workarounds like VDI access and hardened loaner devices, we map the moves that keep care running when networks go dark.

Greg shares blunt lessons from breaches and acquisitions: forgotten cloud servers, weak asset inventories, and the relentless toll of a three‑week ransomware fight. The takeaway isn’t fear; it’s preparation. We dig into ransomware‑specific drills, cyber insurance that funds expert responders, and the automation needed to triage the daily flood of vulnerabilities. We also explore culture as a control, showing how life‑first security education—holiday scams, tax fraud, device safety—builds habits that protect both home and hospital, and creates the groundswell that gets C‑suite support.

As AI supercharges attackers and budget pressures squeeze providers, cybersecurity has to be framed as a business enabler. Secure revenue cycle equals payroll, access to care, and community trust. Greg explains how to translate risk for boards, align controls to clinical and financial goals, and replace reflexive “no” with “yes, if” to stay part of the conversation that shapes strategy. The result is a practical, human playbook for healthcare security: automate the routine, practice the hard days with partners, invest in asset visibility, and collaborate across the industry. Subscribe, share with a colleague who handles vendor risk, and leave a review with your top resilience tactic—we’ll feature the best ideas in a future show.