ITSPmagazine Podcasts

AI, Cybersecurity, and the High-Stakes Risks in Healthcare | A HIMSS 2025 Conversation with Lee Kim | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

AI is transforming healthcare, but without proper oversight, it introduces serious risks to patient safety, data security, and operational resilience. In this episode, Lee Kim, Senior Principal of Cybersecurity and Privacy at HIMSS, joins Sean Martin and Marco Ciappelli to discuss the urgent need for governance, proactive security strategies, and a balanced approach to innovation in healthcare.

Episode Notes

The intersection of cybersecurity and healthcare is more critical than ever, as technology continues to shape the way patient care is delivered. At HIMSS 2025 in Las Vegas, we sat down with Lee Kim, Senior Principal of Cybersecurity and Privacy at HIMSS, to discuss the pressing security challenges facing healthcare organizations, the role of artificial intelligence, and the balance between innovation and risk.

AI in Healthcare: Promise and Peril

Artificial intelligence is rapidly being adopted across the healthcare sector, yet many organizations still lack structured governance around its use. Kim highlights the “wild west” nature of AI adoption, where policies are either non-existent or underdeveloped, creating risks related to privacy, data security, and patient outcomes. While AI-powered diagnostic tools, like those used in radiology, have the potential to improve patient care by identifying critical conditions early, blind trust in AI-generated results presents serious risks. Without proper oversight, reliance on AI could lead to incorrect medical decisions, putting patient safety in jeopardy.

Cybersecurity Gaps in Healthcare Organizations

One of the biggest concerns in healthcare cybersecurity is the over-reliance on security tools without a clear strategy. Many organizations invest in the latest technology but neglect foundational security practices, such as governance, policy development, and staff training. Kim points out that less than half of cybersecurity budgets are allocated to governance, leading to disorganized security programs.

Another persistent challenge is the human factor. Social engineering and phishing attacks remain the top attack vectors, exploiting the inherent culture of healthcare professionals who are trained to help and trust others. Organizations must focus on proactive security measures, such as regular training and simulated attacks, to reduce human error and strengthen defenses.

The Financial and Operational Reality

Budget constraints continue to be a challenge, particularly for smaller hospitals and community healthcare providers. While larger organizations may have more resources, cybersecurity spending often focuses on acquiring new tools rather than optimizing existing defenses. Kim stresses the importance of a balanced approach—investing in both technology and governance to ensure long-term resilience.

Another concern is the increasing dependence on third-party services and cloud-based AI tools. If these services become too expensive or go offline, healthcare organizations may face operational disruptions. The lack of contingency planning, such as backup vendors or alternative systems, leaves many institutions vulnerable to supply chain risks.

Building a More Resilient Healthcare Security Model

As technology continues to drive innovation in healthcare, organizations must adopt a proactive cybersecurity stance. Business impact analyses, vendor risk assessments, and tabletop exercises should be standard practice to prepare for disruptions. Kim also raises the idea of cyber mutual aid—a model similar to emergency medical mutual aid, where healthcare organizations collaborate to support each other in times of crisis.

HIMSS 2025 provides a forum for these critical conversations, bringing together global healthcare leaders to share insights, challenges, and solutions. For those interested in diving deeper, the HIMSS Cybersecurity Survey is available online, offering a comprehensive look at the current state of healthcare security.

To hear the full discussion on these topics and more, listen to the episode featuring Lee Kim, Sean Martin, and Marco Ciappelli from HIMSS 2025 On Location.

Guest: Lee Kim, Senior Principal of Cybersecurity and Privacy at HIMSS | On LinkedIn: https://www.linkedin.com/in/leekim/

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

HITRUST: https://itspm.ag/itsphitweb

____________________________

Resources

Learn more and catch more stories from HIMSS 2025 coverage: https://www.itspmagazine.com/himss-2025-health-technology-and-cybersecurity-event-coverage-las-vegas

HIMSS 2024 Cybersecurity Report: https://www.himss.org/resources/himss-healthcare-cybersecurity-survey/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf

Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us

Episode Transcription

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: I'm gonna, I'm gonna twist your arm until you give in.  
 

Marco Ciappelli: Give it a go.  
 

Sean Martin: Thank you. Give it a go, see if I'm successful. No, I think I've been to HIMSS. I think you need to experience what it is.  
 

Marco Ciappelli: Well, like I said in the prior conversation about the coverage, I will try my best to go there until then we're doing some pre event conversations. 
 

And those are really cool as well. So if then I go there, you'll see me.  
 

Sean Martin: All right. All right. But I'm thrilled for this. And I want to, I don't want to leave it for the other. Um, one of the things, when we spoke to Ali on the kickoff episode, I noted that I, I really appreciate that HIMSS, which is a, a healthcare tech, uh, driven event, uh, has a whole or dedicated to cyber [00:01:00] security and, and not just tracks, but they actually do research as well. 
 

And we have Lee Kim on from HIMSS. Lee, how are you?  
 

Lee Kim: I'm doing well. How are you?  
 

Sean Martin: Very good. Thanks for joining us, and Lee is presenting a trends, cybersecurity trends report during the event, and we're going to touch on some of the, some of the highlights here and some of the trends that she and the team think will impact healthcare and technology and ultimately patient care and the health of society. 
 

So appreciate you joining us. Lee and uh, excited to uh, learn more about what you work on and actually let's, let's start there, um, your role at HIMSS and some of the things you do.  
 

Lee Kim: Well, I am Senior Principal of Cybersecurity and Privacy at HIMSS, the Healthcare Information and Management Systems Society. 
 

I've been in this role since 2013, um, and [00:02:00] so it's, it's, it's been a while. Um, my role essentially is external facing, anything that relates to coverage as it relates to healthcare, privacy and cyber matters. Nowadays, a bit of AI and things like that. Um, I essentially cover, I don't do essentially the hands-on technical stuff. 
 

Although I do liaise with our IT and security teams here at HIMSS, uh, that's not necessarily central. The member facing component, though, is someone who's an SME on the content side, that was more my focus.  
 

Marco Ciappelli: Very cool. So, in this report, I was going through it and I see about everything from AI to zero trust to ransomware, geopolitical cyber warfare. 
 

So what if you had to pick a few [00:03:00] of the most relevant? Uh, at this particular time, would you put them all at the same level? Or maybe you do have some that are worrying you a little bit more or that you want the people that participate to to know about it?  
 

Lee Kim: Yeah, definitely. I think that as it relates to artificial intelligence, I'm just very surprised that, over a year out of, uh, ChatGPT and other things being released into the world. 
 

Um, a lot of healthcare organizations don't have policies or really a, a really good governance structure around AI. It's kind of like the wild, wild west. Um, and uh, that, that of course is a bit antithetical to keeping information private and keeping information secure. Especially in the day and age of, uh, large language models, AI can run amok, um, the concerns about data [00:04:00] leaks and other misuses of information. 
 

And frankly, if this information is also used by doctors, nurses or others, if there's blind trust, as with any kind of new technology, how do you know that the analysis and the result is actually, actually correct? And bam, there's someone's life. Uh, you know, in, in one's hands, and it's only as good as the data and the analysis, especially if someone relies on this result. 
 

Sean Martin: it's interesting. I mean, you can get away from the AI being part of the conversation, which is good. And as long as we talk about it in whole, including, including the risk, not just the opportunity. Um, but I want to touch on maybe some of the things you see as Potentials, game changers for AI, um, where, when it respects [00:05:00] privacy and when it respects, uh, security of the systems that it's connected to and the information that it is connected to. 
 

Are you seeing hardware, software, automation? What are you seeing that you think could really open up better care for patients?  
 

Lee Kim: Well, I think that it's everything from, in the operating room, you've got HVACs that are obviously computerized, that are computer controlled, and so from that, that respect, in terms of ensuring that operating rooms are, um, of a safe and reasonable, um, environment, in that way is set by industrial controls. 
 

That's certainly a major thing. Um, patient transport, smart elevators, other things that can certainly improve speed and speed of transport in terms of patients. But I think that I would be amiss if I didn't say that radiologists [00:06:00] have essentially been at the forefront of AI adoption for quite a while. 
 

And the fact that, with artificial intelligence, you see the artificial intelligence, a computer, isn't of course limited by what one can physically see with their own eyes, which is To some extent, it could be inaccurate, but if you look at a radiology image from an analytical perspective, you can certainly quote unquote program, um, an AI agent, let's say, to look at a radiology image and look at a person's heart. 
 

And it might, for example, depict certain voxels being lit up and it may say, oh, this patient is going to have a pretty bad myocardial infarction. You need to intervene here. You need to put this patient on a path to try to avoid this kind of [00:07:00] catastrophe. I think, I think that's amazing. Um, the point is, as you eloquently put that, Sean, the fact that AI can extend our senses and our ability to judge and discern when it's trained properly and when it's programmed appropriately to analyze and, and such. 
 

Um, I think that's a, that's a wonderful thing. I mean, in our lifetimes, I'm pretty sure that health care outcomes will, will improve thanks to essentially automation and what we now understand to be AI.  
 

Marco Ciappelli: Well, if there is one industry, let's call it industry, or a segment of society that could benefit a lot from technology, has been benefiting a lot from technology, it is definitely the health care. 
 

But there's always that double edge sword, right? It's one of those things. But also, you know, the use of robotics in in the operating room and virtual [00:08:00] reality augmented reality. So on one side, you want to Bring as much technology because it could help us of life on the other one. Maybe you want to apply a Zero trust model, but if there is an area where is really conflicting. 
 

I feel like it's it's in the health care I love your your opinion on this and And how this came out, maybe throughout the report, this conflict of innovate, but hold on.  
 

Lee Kim: Yeah, that's totally true. I mean, we have to move forward in terms of what we're able to do. Um, let's, let's look at the state of the healthcare industry, for example. 
 

Whether you're dealing with cybersecurity teams that, uh, lack hands on deck, or even just generally staffing within healthcare organizations. Um, smaller hospitals in the countryside or smaller cities or community hospitals, um, or [00:09:00] hospitals that are in countries where perhaps they don't have such large budgets or perhaps where they don't have as many resources as we do. 
 

That's a reality. But we still need to move forward in terms of what we can 
 

And so there is that. I mean, we have to keep moving forward. The point, though, is to what extent do we allow any kind of technology, including AI, to just simply walk on its own, like, imagine a toddler walking on its own. No guardrails. That's kind of a disaster. So where are we letting something that is automated walk on its own without guardrails within many of our health care organizations? 
 

Um, I, I, I do think that that lack of human intervention and that lack of judgment, in terms of the [00:10:00] various processes and tasks that AI may be tasked with, um, the lack of supervision, to me is sort of troubling. And I feel like, just like in terms of, uh, just any good parent and, uh, child that's learning to walk. 
 

Um, we need to guide it at least somewhat for a while.  
 

Sean Martin: So having built, um, many, many products, there's always a triangle of time, money and resources. Yes, you get to pick two, and the third one's usually stable or I forget how you look at it, but I guess the point is when it comes down to making decisions. 
 

Making trade off looking at the risk. Um, because in the report, it speaks to kind of money. Money matters. But if you don't allocate enough money for all, all the areas only for development, not necessarily risk management, you kind of missed the mark [00:11:00] there. So I'm wondering, did you uncover anything that kind of speaks to. 
 

How money is allocated and how budgets are defined. Obviously, there's never enough money. There's never enough time. We never never enough people. But but from a from a budgetary perspective, what are those conversations look like? And anything from the report that you can highlight to kind of give us hope? 
 

Perhaps  
 

Lee Kim: Absolutely. In terms of budgets and what people are spending on, I think that there is a tendency, and we've seen the stats spread this out, there's a tendency to spend on tools. And I think that that's built out of the tradition of security primarily being seen as this thing involving technology and computers. 
 

So, fix it. Fix it with money. Fix it with the latest tools. Um, et cetera, et cetera. But we've seen, um, cybersecurity tools diversify and, and specialize. A [00:12:00] lot of startup companies that are claiming to be this newfangled thing thanks to AI to be faster, better, stronger, and yet it's so expensive. So, there needs to be a limit on that. 
 

Because I feel like even though we do need adequate money, um, that's true of, uh, anything in life, I think that the bottom line is we need to also understand whether we're being wasteful in terms of spending, whether security solutions are duplicative or conflicting or not. And, um, what's more in terms of the environment as well, I could say, even if you're an academic medical center where, um, academic freedom is definitely respected and that's a wonderful thing. 
 

Um, you still need guardrails around things because things like even relevant to, uh, students personal data under FERPA or otherwise. Um, you [00:13:00] need to make sure that, uh, certain things about whether it's academic performance or student health or otherwise is very much safeguarded. Um, there, there needs to be a kind of balancing act, if you will, between innovation and progress and respect, respecting the privacy and security of, of the data. 
 

Um, I think also in terms of cyber security budgets, what we're seeing is if the emphasis isn't on tools, it's also a bit in terms of staff, but less than 50%, I believe, um, budgets are being used towards, um, governance and policies and things like that. And if you aren't organized. You can imagine what it's like to run an unorganized cyber program. 
 

That's not really cool.  
 

Marco Ciappelli: It's not cool at all. Um, so it makes me think, I kind of mentioned at the beginning, like the zero trust model, but you know, you need to [00:14:00] let technology in. So when you look at, at least for me, if I think of the healthcare, we know that now being proactive is better than reactive when you take care of your health. 
 

Um, I feel like obviously it's the same thing for cyber security. Would it help, in your opinion, or to actually optimize the budget if instead of a reactive approach, you have a proactive approach?  
 

Lee Kim: Oh, absolutely. I think that that's foundational. Um, you, just like, uh, an analogy is, uh, cleaning out one's closet. 
 

You gotta understand what you have. What's duplicative, what's, what's junk, what's, um, old and doesn't need to be supported anymore. And I could say that this is likely more done in, uh, let's say countries or situations in which the budget isn't so much. Um, [00:15:00] my, my counterparts in Europe, for example, they tend to have, um, sometimes as, as little as one fifth of what we have in the U.S. in terms of a cybersecurity budget or overall IT budget. 
 

Um, there may not necessarily be a dedicated personnel like a CIO or CISO or that kind of structure. But still, they, they, they make do with what they have, they make do with things like open source tools and technology where you can leverage things that are free, and, um, also, unfortunately, we don't have this here. 
 

But the European Commission just set out guidance on January 15th of 2025 saying that we'll have a network of Chief Information Security Officers and we'll have resources available for you to help guide you in terms of better security and everything else, because essentially throwing money at the problem will not [00:16:00] get you necessarily more, more secure. 
 

And what we saw from the report is, time and time again, just like, um, year in, year out, we see with the headlines, social engineering and in particular phishing is king in terms of being able to get in. So even though we might use tools to some success to, um, to, to mitigate the impact of someone clicking on a poison link or opening up a poison attachment, it's still a balanced equation in that you also need to ensure that your staff is clicking less instead of clicking on everything and not necessarily responding to everything under the sun, even though culturally within healthcare, we're prone to, um, say yes, or we're more prone to help people because that's essentially our mission. 
 

We're essentially charged with taking care of people.  
 

Sean Martin: I'm going to throw a big question out here. [00:17:00] Um, let's see where, see where it goes. It's been something that's on my mind. It's really coalescing in my mind at the moment. Um, resilience has been a topic, um, a lot in the last 12 months for, at least for me and my show. 
 

Um, are we in a position where we're relying, becoming reliant upon a technology that's going to be tapped into a ton of automation, a ton of services we provide, a ton of interaction between partners and patients and whatnot, where if the, those services go offline, And or if those services, this is the more interesting point for me, from my perspective, those services get really expensive to use. 
 

Um, and now we're forced to, I mean, if we build on top of Windows or if we build on top of Linux, we're kind of safe in that respect, right? [00:18:00] Um, and there's Kubernetes to kind of shield us from, from the underlying infrastructure. I'm just wondering if we're going to end up in a place where. Organizations, particularly health organizations, are building AI into things, and the resilience becomes a question, um, because we can't, we can't swap it, and we can't afford it, and, and, or it goes down. 
 

I don't know. It's a big question, um, your, your thoughts on that.  
 

Lee Kim: Yeah, I, I gotcha. I think that we saw that in, in, in, you know, the past year with, um, certain disruptions that really took us down in terms of people being able to fill prescriptions, or even just generate money within their, their hospitals in terms of being paid for claims. 
 

Um, but notwithstanding that, the answer is yes. The solution to that is simply, number one, um, [00:19:00] very few organizations, even though they should, very few organizations do a business impact analysis, and they don't have a retainer, for example, a backup service or something that's a mainline service like that. 
 

They should. Um, how many of us within hospitals that are working with our quote unquote buyers or purchasing departments say, Okay, it's good that we have this vendor in, but can we have this other vendor as a backup and or if they were to go bankrupt or, uh, go out of business or whatever, who's, who's the other, uh, entity we work with and what's more, um, in terms of our hoarding legacy technology, um, what are we going to do in terms of, uh, the moment that we procure a product or service, Are we thinking about already about the timeline for that product or service and the replacement? 
 

Do we have that at the ready? So [00:20:00] these are some things that we need to think about. And I think that the other thing that, that, um, I'd like to say I find is kind of eroding, and I think that you're touching upon this, Sean. Is that with computers, no matter what it is, it could be AI, it could be just something that we view as, um, of course it works. 
 

It's just like turning on, um, my water faucet in the kitchen, hypothetically. Um, basically we always assume we'll have electricity, we'll always assume we have water, we'll always assume that Vendor X will always be up. Um, but it's computers, it's technology. All these things can change with the physical disaster, with the unexpected man made fill in the blank. 
 

Um, all kinds of things can happen to upset the apple cart. And what I don't see organizations drilling enough on, [00:21:00] and one thing that we touch upon in the report as well, is tabletop exercises to test your incident response. Um, I can't tell you how valuable it is. To just simply have a little bit of fun, draft a scenario or two or several and see how staff react, see how they react to situation X, Y, or Z. 
 

Get your vendor in there, that critical mainline vendor, and see how the communications go with them. Are they competent? Are they doing a good job? Do you need to fine tune something? You might as well figure that out while you're still kind of pontificating about it, and it's still in the land of fiction, as opposed to fact. You don't want that to be the first time you test your, your plan, essentially, is what I mean to say. 
 

Um, so I think that's true, whether we're dealing with a vendor, or AI, or anything else, um, we have to [00:22:00] understand that all these things are fungible, fragile, um, and nothing, unfortunately, is going to be 100 percent reliable or permanent.  
 

Sean Martin: That's fantastic. I love that.  
 

Marco Ciappelli: Make me think, like, you almost need, like, you know, you have a generator, if there is a storm or something and there's a blackout. 
 

You almost need another hospital, like a twin, so that if one goes down you have another one. But then you're really talking about budget, right? But definitely, like, I agree with you: if you create this tabletop and create scenarios and you see how people react, of course you can mitigate, um, you can prevent if you can, and then you can mitigate if something really does happen, which I think is key as well, instead of scrambling at that point. 
 

Lee Kim: Absolutely. And Marco, I think that you touched on something very important, which is [00:23:00] something that I've tried to at least. Um, sometimes you're in, you're out, but I sure hope that someone who has the power to effectuate change will do that. And that is, as you know, we have mutual aid, right? Um, in your community, maybe the ambulances that we're by, maybe they say so and so mutual aid. 
 

Um, so we have that kind of system set up physically to help each other when things happen. But, in terms of that cyber incident, could we also have cyber mutual aid that way with cyber colleagues at nearby hospitals or even companies that are there that, you know, maybe they know a thing or two about cyber and they could help us out? 
 

What's, and what's to stop us, other than maybe a contract and an obligation or two?  
 

Marco Ciappelli: I like that.  
 

Sean Martin: Yeah. I think we, we've heard of stories of, I think it was L.A., L.A. City had a, had a security [00:24:00] program that was available to the broad, broader community.  
 

Marco Ciappelli: Yeah, the, the, the lab. That was a few years ago. I don't know what happened to it. 
 

Sean Martin: I don't know what happened to it. But, I mean, it's a great idea. Yeah, I think it'd be great to see it implemented properly. Um, so as we wrap up here, uh, HIMSS is this next week, 3rd through the 6th. And, uh, well, next week, it's this week if you're listening to this, well, through the, through this next, but, uh, it's in Las Vegas, and you, you have the opportunity to share more details from the report in at least a few settings there. 
 

Can you maybe give some folks an idea of where they can find you at the, at the conference if they have more questions and want to partake in what you're presenting and chatting with other members about?  
 

Lee Kim: Yeah, absolutely. So, uh, first thing Monday, I'll be at the Global Leaders Exchange and we'll be talking about all things cybersecurity. 
 

Um, [00:25:00] there will be cyber leaders, IT leaders from literally all over the world. At the HIMSS conference, for those of you that haven't been there yet, we have attendees from hundreds of countries all over the world, all kinds of different health systems. Sometimes they're government run, sometimes they're private. 
 

But it's all good because, again, we're in the business of helping each other and we all help each other figure this out with, uh, common challenges. Our thing happens to be technology and also information, but, um, that's essentially, um, where it's at. We also have an all-day cybersecurity forum, which is an optional pre-conference forum, but it's all dedicated to cyber, to help educate and network with our peers. 
 

On the exhibit floor, we have the Cybersecurity Command Center with all kinds of exhibits and booth spaces. Um, but really, it really [00:26:00] is, um, a wonderful confluence of pretty much everyone in industry that, that will be there. Uh, 30,000, sometimes 40,000, um, of your colleagues and best friends, so it, it, it truly is a wonderful dynamic of, uh, people that you may never meet in life, suddenly they're all there, and all the information and knowledge is there, and they, they always say knowledge is power. I have to say the, the fact that people are nice and willing to help each other and, um, even challenge each other in terms of things and even opposite ideas, I think, is a, is a wonderful empowerment thing. 
 

Marco Ciappelli: Couldn't have said that better myself. It's a great way to end this. That was beautiful.  
 

Sean Martin: It was. I agree. And, uh, yeah, so, HIMSS Global Conference in Las Vegas, 3rd through the 6th. Uh, I encourage everybody to attend. I believe there's some virtual stuff as well. Of course, the [00:27:00] report is available online. We can, we can include a link to that so people can have a, have a gander at that before they meet Lee in person in, in Las Vegas for the conference. 
 

Uh, security is important. We know that, uh, if you're in the security space, I love it. I'll say it again. I love that HIMSS has cybersecurity as part of the health tech, uh, world. Bring that conversation directly to the heart of all the innovation. Everything that's driving better patient care. So I applaud you all for that. 
 

And Lee, thank you very much for joining us today and, uh, wish you a great week.  
 

Lee Kim: Hey, thank you very much. And for that survey, um, it could be accessed at www.himss.org slash cyber survey. Um, totally one word. So anyone can pull, download it and everything. There's no, no salesperson will call you.  
 

Sean Martin: There's no, I can confirm that. 
 

And, uh, yep. So [00:28:00] definitely take a look at that, and everybody listening, watching, thank you for joining us here on location with Sean Martin, Marco Ciappelli, more coming from HIMSS. And, uh, of course, other conferences throughout the world. We appreciate you staying with us. Please do subscribe and share with your friends and we'll see you at the next location.