From the Floor at ViVE 2026: Healthcare Cybersecurity Leaders on What Actually Works
by Mick Coady on Feb 24, 2026 6:50:20 AM
I've spent 30 years in healthcare security. Most programs fail in the same place: the gap between strategy and what actually happens on the ground. That's why I came to ViVE 2026, to hear from security leaders who've closed that gap.
Two sessions got specific about what's working. First, a panel on AI-era cyber resilience with CISOs from Baptist Health, Luminis Health, and Northeast Georgia Health System. Second, a fireside chat on continuous threat exposure management with Children's Surgery Centers and Black Talon Security.
What struck me wasn't the technology talk. It was the honesty about what's working, what isn't, and where gaps remain.
Session 1: Cyber Resilience in the Era of AI Threats
Jason Taule, CISO at Luminis Health, moderated. James Case from Baptist Health and Chris Paravate from Northeast Georgia Health System joined him. All three run security at billion-dollar health systems.
Taule opened by acknowledging the hype: "IBM's president, Thomas Watson, famously stated he believed there was a worldwide market for maybe five computers. Whether or not such statements are valid isn't the point. What such statements do is introduce our topic and point to the need for all of us to exercise great care as we navigate this transition."
AI as Attack Accelerant
No warm-up. When Taule asked what's changed because of AI, James Case didn't hesitate: "How hasn't it changed? From attacks, from governance, from data analysis, everywhere."
Phishing is still the top attack vector, but AI has changed the game. Case said email phishing is now "faster, more targeted, more customized" with higher success rates. Paravate added the social engineering angle: "It's not only attacks to our entity, but towards individuals in the way that they're pulling that social data."
Baptist Health's response? Remove external email from thousands of frontline staff. They call it "Safe Mail": internal-only mailboxes for nursing and clinical teams who don't need outside email. Sounds radical. Case put it bluntly: "If you can't get the email, you can't click on it. It's fundamental, foundational."
Containment Kept Coming Up
Paravate framed it around third-party risk: "How do I know that environment is appropriately managed and that data is contained and controlled when I have relinquished so much control?"
He described evaluating a SaaS contract management system that would hold "the keys to the kingdom" for his organization. Adopting these tools isn't optional; the business demands them. But how do you keep visibility and the ability to intervene when things go sideways?
Case was direct: "Everybody probably has too much access. In every organization, people have too much access." Baptist Health is limiting what employees can reach remotely. Simple logic: reduce the blast radius before an incident, not after.
When Paravate brought up BYOD and AI browser plugins recording virtual sessions and storing transcripts who-knows-where, the panel landed on the same answer: containment through virtual desktops and containerization. "I still have to contain that user's activity," Paravate said. "If we provide a BYOD solution, I've still got to protect it."
I've watched this shift for years. Security leaders have moved from "how do we keep attackers out" to "how do we contain the damage when they get in." Not defeatist. Realistic.
Session 2: Continuous Threat Exposure Management
Gary Salman of Black Talon Security and Andy Taylor, CIO of Children's Surgery Centers, tackled the same problem from another direction: how do you prioritize when attacks never stop?
Attacks Don't Follow Your Assessment Schedule
Salman opened with what every network defender knows: "Threat actors don't go in cycles. They're not scanning for vulnerabilities every three months. They are continuously attacking."
Taylor, who came from Silicon Valley before healthcare, described the pressure: "When I look at the firewall, when I look at the event logs, it is a constant level of attack that we are dealing with."
Salman's seen this play out in incident response. "We do these after-action reviews with the victims," he said. "And one of the things we always hear is, 'Well, we do quarterly vulnerability scanning' and 'Oh, we just did a pen test three months ago.'" Threats moved faster than their assessment cycles.
He shared a prediction: time from vulnerability disclosure to exploitation, currently around seven days, will likely drop to one day by year's end. "If you're not doing continuous vulnerability scanning, trying to figure out where you have KEVs, there will be a problem. That's the reality of it."
Detection Versus Prevention
Salman made a point I was nodding along to: "A lot of times the network defenders are focusing here… and then they slip through the back door over here because they had no visibility."
Then he went further: "They were relying on a tool set to detect an intrusion versus a tool set to prevent the intrusion. That's a mindset I've been trying to change for a couple years now. Everyone's relying on EDR, MDR, SIEM, SOC, everything to detect this stuff. But those tools are typically triggering when bad things happen."
I was nodding hard at this point. Continuous visibility into your exposure is valuable. Prioritizing vulnerabilities by exploitability and business impact matters. But detection tools, by definition, fire after the intrusion starts.
Taylor Calloni from SIH was sitting with me during part of this session. We exchanged a look. Visibility and prioritization matter. They're not enough. What's missing is enforcement: actually preventing lateral movement, not just spotting it after the fact.
What "Peace of Mind" Actually Takes
Andy Taylor explained why this matters for his organization: "Because of the patients we deal with, kids, pediatrics, I can't have downtime when I've got a kid under general anesthesia. I can't have that."
That's healthcare security. Stakes aren't abstract. When Taylor talked about CTEM giving him "peace of mind," I got it. But real peace of mind takes more than knowing where your risks are. You need the ability to enforce controls that keep threats from reaching critical systems in the first place.
What Both Sessions Pointed To
Both sessions showed the same pattern. Healthcare security leaders have moved past the old perimeter model. They're thinking containment, continuous monitoring, limited blast radius. They're making hard calls: killing external email, restricting remote access.
But a gap remains. Session one covered containment as a principle. Session two covered visibility as a foundation. Neither fully addressed enforcement: the mechanism that actually stops an attacker who's gained access from moving laterally to critical systems.
Detection tools tell you when bad things happen. Visibility tools show you where risks live. In healthcare, where systems can't go offline and patient care can't stop, you need something that actively blocks lateral movement without taking systems down.
Identity-based microsegmentation fills that gap. When an infusion pump can only talk to the specific systems it needs, nothing else, you've moved from detecting threats to stopping them from spreading.
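To make the infusion pump case concrete, here is a minimal default-deny policy check keyed on device identity rather than network address. It is an added illustration, not code from any product or from the sessions; the identity names, addresses, ports and flows are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory: IP -> device identity (hypothetical names and addresses).
IDENTITY_BY_IP = {
    "10.20.5.17": "infusion-pump",
    "10.20.5.40": "nurse-workstation",
    "10.30.1.10": "pump-server",
    "10.30.1.25": "ehr-server",
}

# Allow-list keyed on identities, not addresses: (source, destination, port).
ALLOWED = {
    ("infusion-pump", "pump-server", 443),
    ("nurse-workstation", "pump-server", 443),
    ("nurse-workstation", "ehr-server", 443),
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

def decide(flow, identity_by_ip=IDENTITY_BY_IP, allowed=ALLOWED):
    """Return (verdict, reason). Default deny; unidentified devices never match."""
    src = identity_by_ip.get(flow.src_ip)
    dst = identity_by_ip.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "unidentified endpoint"
    if (src, dst, flow.dst_port) in allowed:
        return "allow", f"{src} -> {dst}:{flow.dst_port}"
    return "deny", f"no rule for {src} -> {dst}:{flow.dst_port}"

def denied(flows, **kw):
    """Flows the policy blocks: the lateral-movement attempts worth alerting on."""
    return [f for f in flows if decide(f, **kw)[0] == "deny"]

# Constructed flows: one needed path and three that the policy should stop.
FLOWS = [
    Flow("10.20.5.17", "10.30.1.10", 443),  # pump -> its own server
    Flow("10.20.5.40", "10.20.5.17", 22),   # workstation -> pump, same subnet
    Flow("10.20.5.17", "10.30.1.25", 445),  # pump -> EHR server over SMB
    Flow("10.20.5.99", "10.30.1.10", 443),  # device with no known identity
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, *decide(f))
```

Because the rules name identities, a pump that moves to a new address keeps exactly the same access once the inventory is updated, and a neighbor on the same subnet gains nothing from its location.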
What Comes Next
HIPAA's 2025 Security Rule updates make network segmentation mandatory. Cyber insurers increasingly require it. And as Salman made clear, the window between vulnerability disclosure and exploitation is collapsing.
Healthcare CISOs and CIOs at ViVE aren't waiting for perfect conditions. They're implementing what they can, as fast as they can, with what they have. For every healthcare security leader, the question isn't whether to pursue microsegmentation and continuous exposure management. It's how fast you can move from visibility to enforcement, before the next attack finds your gaps.
If you're ready to move from visibility to enforcement, our healthcare security experts can walk you through what that looks like. Schedule a conversation with us today.