
Health Officials Shift Cybersecurity Toward Proactive Resilience


AI-enhanced threat detection, role-based training and expanded information sharing are improving cyber preparedness across federal health.

 

At the AFCEA Health IT Summit 2026, cybersecurity leaders highlighted how AI, behavioral analytics and cross-agency coordination are strengthening protections for patient data and critical systems. Photo Credit: GovCIO Media & Research

Cybersecurity leaders in federal healthcare said this week that the industry is entering a new phase of resilience: using AI as a force multiplier, upgrading training and continuing interagency collaboration to better protect patient data and critical systems against cyber threats. 

While healthcare remains a major target for ransomware and cyberattacks, federal health agencies and healthcare providers are shifting from reactive defense to proactive resilience, according to Servio Medina, director of risk management, oversight and reporting at the Navy Bureau of Medicine and Surgery. 

“You have to bake the privacy, the healthcare, the clinician, the legal into your cybersecurity business, so that way, as it’s being planned, not reactively, it is taking into account the multidisciplinary requirements to include the patient’s needs as it rolls out. That makes it a stronger rollout,” he said at the AFCEA Health IT Summit in Bethesda, Maryland. 

AI Is Becoming a Force Multiplier for Cyber Defense 

Maureen Falvella, acting director and CIO at NIH, said AI tools have allowed the cybersecurity team at the agency to remain small but mighty.  

“Our traditional vulnerability management, you run AI tools on them, they’re catching way more than the traditional kind of vulnerabilities solution. So, I think within the next year or two, we’re going to see tremendous capabilities that are really going to force multiply,” she said. 

Experts said AI-powered analytics are helping organizations detect unusual activity, process large volumes of data, and identify unauthorized access attempts and suspicious download requests in ways that would have been difficult just a few years ago. Additionally, behavioral analytics tools can now establish normal patterns for employees and identify anomalies in real time.

“If there’s some detection of, ‘Why is this person downloading 10,000 records that hasn’t done that ever?’” Medina said. “So detecting and then following up to see patterns or trends of that individual against the person’s work in line with what they are actually expected to do, we now have tools that can better do that.” 

AI tools are also helping security teams uncover weaknesses faster and more comprehensively than traditional scanning methods. At the same time, panelists stressed the importance of maintaining a “human in the loop” in cybersecurity decision-making. While AI can rapidly process information and identify risks, they said people must remain responsible for evaluating mission priorities and making final judgments. 

“AI does not remove the culpability, the decision, the ownership, the agency of decision,” Medina said.  

Organizations Are Rethinking Cybersecurity Training 

Federal health agencies are rethinking traditional cybersecurity training courses that sometimes only amounted to an hour of training per year for employees. Instead, agencies are adopting “microlearning” strategies that deliver short, targeted lessons directly within employees’ workflows.  

CMS is shifting toward role-based and on-demand education models. Instead of assigning lengthy generic modules, the agency is creating short videos focused on a specific topic, said Acting Deputy CISO Leslie Nettles. 

“I have an 18-part series, but it’s not all at one time, it’s as you get to those different things,” Nettles said. “That way it’s coming as the person is looking for that particular topic right now, it’s coming up for them, and so it’s bringing that training to the people in the jobs that they need it, versus giving them a bunch of training that they will never use.” 

Falvella said NIH is sprinkling “little bits of security broccoli” into the more popular AI training sessions, allowing employees to learn cybersecurity concepts while engaging with topics they are already interested in. 

The goal is to make cybersecurity part of everyday decision-making rather than an isolated compliance exercise.  

Interagency Collaboration Aids in Healthcare Cybersecurity 

Federal agencies are increasingly sharing threat intelligence with partners such as the FBI and CISA to identify risks earlier and coordinate responses more effectively. 

“A lot of times we will be working the weekend, and we’ll start to see, oh, we’re having global outage in one major vendor,” Falvella said.  “We’ll pick up the phone and call the FBI field office. What do you know about it? Call CISA, what are they seeing early on? Those partnerships allow us to really take early warning signs from other organizations and react in real time.” 

Nettles added that CMS is operating a CISA-directed Bug Bounty Program, which has been a “game changer.” The initiative is part of the agency’s vulnerability disclosure program that rewards external security researchers for discovering and reporting valid vulnerabilities on CMS public-facing websites. 

 
