
HIStalk Interviews Ed Gaudet, CEO, Censinet

March 10, 2025

Ed Gaudet is founder and CEO of Censinet.


Tell me about yourself and the company.

I started Censinet in 2017 to help healthcare providers deal with the risk around their third-party providers whether they be vendors, technology vendors, consultants, or any type of third party that could introduce risks into a health system. We have recently extended into the enterprise side of risk management, those areas of risk that are internal to a health system.

What type of risks are associated with third-party relationships?

If you look at the data that the American Hospital Association has put out and the OCR wall of shame, where they post the breaches and the data around cyber incidents in healthcare, you find that about half or more of these incidents are related to third parties. These third parties could be software providers, hardware providers, medical device providers, API vendors, or consultants who have access to the network. Any type of third party that is critical, or maybe even non-critical, that has access to the network, or that is working with the clinical data and/or administrative data. They may not have the type of controls that the hospital has or the maturity of cybersecurity, whether their processes aren’t up to date or they are not implementing the right technical controls to protect against attacks, data breaches, or disruption to critical systems. These third parties represent risk to a health system.

Does that risk change with cloud adoption?

Yes. It changes with any type of technology adoption. Those become vectors to attack. Look at AI. AI exponentially changes the attack surface. It will be the next frontier for cybersecurity organizations, security professionals, and risk management professionals because it’s the wild, wild West out there with AI adoption. We’re at the top of the first inning and we’ve got the first batter at the plate as it relates to AI adoption. It’s really early days.

We think of ransomware when we hear the word cyberattack, but what are other common methods that may not even specifically involve malware?

You’ve got the deepfake issue, which could be audio or video. Phishing attacks are going to get better and more accurate. I think they will come at us exponentially. The scale of the attacks, given what you can do with AI, is going to be much greater. We have to leverage AI for defensive purposes, not just for clinical use or patient care cases. We also have to look at it from a risk management and cybersecurity perspective.

I was reading that someone has developed AI that can mask foreign accents, and I assume it can also mimic anyone’s voice, both of which would take away one red flag about social engineering attacks.

Is this really Mr. H that I’m talking to today, or is it somebody else on your team? I guess that’s the point. How will we know and how will we verify these things that have been easily verifiable from an analog perspective, but are now digital or electronic? It’s going to get much harder.

Imagine that your spouse calls you and says they need money because they have been abducted or have a flat tire and need to pay the AAA person money via Venmo. These attacks are going to get more personal, and we are largely not ready for it.

How are health systems collaborating to share their cyberattack experiences?

One of the ideas that we had, looking at the state of the art back in 2017, was that there were a lot of manual approaches to risk management. We felt like there was not only an opportunity to drive automation at the workflow level, but do it in a way that gave leverage to the community. This is the guiding principle of how I looked at solving the problem. How do I give leverage back to the community that is managing risk on both sides of the transaction, whether it be the provider, the health system, the CISO, the CISO’s team of risk analysts, but also those third parties that have to go through that process of a security risk assessment?

At the time, everything was a point-in-time approach to a risk assessment. We believe that risk has a heartbeat and a life cycle. All points from cradle to grave and in between represent opportunities for risk. You can acquire a product or service and have a good sense of the out-of-the-box risk. But what happens when you technically integrate and configure that product internally? You will have different knobs and you will configure it in a way that is different from the next health system. Those have to be considered.

Then what happens when upgrades, patches, or new functionality are introduced? If you look at AI as an example, everyone is thinking about AI coming into the organization from the front door. I think the bigger risk is it coming in through the window, through the back door, or through the basement. You have all of these technologies in play and being managed, and they are introducing AI into their products through upgrades, point releases, or patches. How can health systems and CISOs keep up with new risks that are introduced not just via adoption or acquisition, but also through the implementation, configuration, and usage?

We’ve seen plenty of scenarios where a product was acquired to solve a specific use case that did not require protected health information. Then users got their hands on the application and started leveraging it, maybe in ways it wasn’t designed to do, such as including PHI. All of a sudden you go from a non-business associate to a business associate relationship. You don’t have all of the protections that would be in place in terms of a BAA being signed, or any of the insurance obligations that a BAA might have to take on, because the initial intention was this different type of relationship.

What are the lessons learned from the breach of Change Healthcare? It was a critical supplier to health systems and a new acquisition for UnitedHealth Group, which said it found out afterward about Change’s security deficiencies.

It goes back to this lifecycle approach to risk versus a point in time. During the lifecycle, during the relationship that you have with a vendor and the product set, there are plenty of opportunities to introduce risk. One of those is ownership.

When I was at ViVE last year, I was speaking to a couple of customers as the breach was announced. They said, “We don’t use Change Healthcare, so we’re good.” Within 48 hours, they realized that they actually did use Change Healthcare through an acquired product that they relied on.

There’s always danger of that introducing new risk. That risk is around concentration. You have a critical function in your organization, a business process that is directly linked to your ability to collect revenue. All of a sudden it shuts down and that spigot is turned off. Now you have operational disruption. You only have so much cash on hand. That was another big aha. We have to deal with all that disruption, but we also have limited cash on hand. We can only sustain operations for a certain number of weeks.

Complacency set in. We got comfortable relying on one vendor over time to do a very critical function. In fact, we may have created that scenario, because we may have signed up for exclusivity clauses and contracts. There may have been an exclusivity clause that required us to go all in with a particular vendor. That sounds good on paper until something like this happens. Where you haven’t built up a resiliency plan, you don’t have continuity in place. You haven’t thought about alternatives that you may need to activate in the event of an incident like Change Healthcare. A lot of lessons came out of this incident.

What advice would you give a hospital CEO about vendor and supply chain risk management?

People tend to confuse these two areas. Vendors tend to be supportive of a particular business process, whether it’s a critical clinical function, an administrative process, or an operational process. If you look at health systems today, every organization and every department leverages a technology-based business process. I can’t think of another function that isn’t relying on some technology to meet its goals and objectives in support of the company’s growth or other mission. You also realize that there are opportunities where you need to include certain components in the things that you create or deliver as a service. Think of them as ingredients. I think of a supply chain as those things that I need to create my end service or product. That’s how I think about the difference between those two things.

Do you see an opportunity to use AI to further develop your offerings?

Absolutely. In fact, we made a couple of announcements at ViVE. We’ve been working with AI for the last couple of years. We took a conservative, responsible approach to it because we’re a risk management company. We have to put security first for our customers.

For us, it was all about identifying those use cases where we could drive efficiency of process. There’s a lot of process automation and solutions that AI can enable through making things faster, better, cheaper. Then there’s the whole data aspect of AI. What things can we learn from the data? What insights can we gather that we couldn’t because we didn’t have these language models that would enable this in a way that was truly, truly scalable?

We’re applying it in those two ways, generally speaking. We also took a step back and thought about how we would apply it to our product sets. The first thing we did was create Censinet AI, which is a foundational set of services that are secure, proprietary, and native. We don’t rely on ChatGPT or any open API language models. They are all built on the AWS stack. We went all in with AWS, Bedrock, and Anthropic Claude and their models.

That architecture enables secure capabilities that can be turned on by demand by customers. Customers can opt in to choosing to activate to turn on those capabilities or not. They can do it based on their appetite and also their timeline. We have some customers that are ahead of everyone else, and they want to jump right in with AI. They trust us to protect the infrastructure, so they are going to turn them on quickly. Other customers will go slowly and turn them on over time as their governance processes mature.

Vendors are coming out and saying, hey, we have a solution, and it’s all AI based. We think that’s a failed approach, and people are going to get into trouble. We think that an approach that is more prescriptive and controllable by the end users is the way to go.

How do you expect the federal government’s role in healthcare cybersecurity to change under new leadership?

Censinet has been at the forefront of working the HHS 405(d) initiative and with the Health Sector Coordinating Council on things like the landscape analysis that we worked on in conjunction with CMS to create the cybersecurity performance goals, which came out of CISA. We thought those would be the foundation for a standard that health systems could actually adopt. I called it Meaningful Protection, analogous to Meaningful Use. Can we create this level or threshold of protection that we can all agree on, that is affordable, and that could move the needle on patient safety?

That all was heading in the right direction. They realized last year that because the Cybersecurity Performance Goals were voluntary, they couldn’t be turned into laws. They needed another vehicle, so HIPAA was opened up. A comment period was started based on a HIPAA proposal, a new rule that was generated. The administration change risks that being slowed down significantly or being canceled altogether. We’ll have to wait and see how it plays out.

But to your point, there’s a lot of movement in all of the different agencies. CISA lost a lot of their leaders and also risks being completely shut down, which I think would be a disaster. HHS has lost a lot of great leaders like Micky Tripathi and Nitin Natarajan. Between CISA and the people at HHS, we’re taking a wait and see approach. We’re going to continue to move the process towards the extension of HIPAA to include the CPGs or the intention of the CPGs.

What factors will be important parts of the company’s strategy over the next few years?

We continue to evolve the platform. We have over 50,000 vendors and products on one side of the network. We have a couple hundred providers on the other side of the network. We continue to build the product to address new use cases.

AI is a particular area. Not only have we invested in our infrastructure and our product set to bring these AI features to market, but managing the risks of AI is core to the product as well. We have capabilities that enable AI governance through workflows and through content curation. On the vendor side of the network, we leverage the data in a way that enables these third parties to assess their protections and their security in an AI context.

We will continue to move the needle for our customers, both the third parties as well as the providers. We are also excited about agentic AI and what that can bring to the table in the longer term. We recognize that there’s a lot of unknowns there and there’s a lot of risks associated with agents going off and not only identifying relevant data, but then turning that into action and conducting the action on behalf of humans. We think that is coming and we need to do it in a secure and a responsible way.
