Readers Write: Innovate Responsibly – Cutting Through the Hype of Generative AI in Healthcare

Innovate Responsibly – Cutting Through the Hype of Generative AI in Healthcare
By Holly Urban, MD

Holly Urban, MD, MBA is VP of business development for Wolters Kluwer Health.

In the fast-moving world of generative AI (GenAI), it’s easy to get caught up in the allure of shiny new technologies in healthcare. But we can’t let hype alone outpace responsibility. GenAI’s strengths quickly turn into weaknesses if we deploy GenAI in clinical care without carefully vetting it first.

The Shiny Object Dilemma

The healthcare technology market has become flooded with flashy new tools and solutions. According to Deloitte, 75% of leading healthcare companies are already experimenting with GenAI, and our research shows that nearly three-quarters of healthcare professionals recognize the potential of technology like GenAI in aiding professional development, clinical training, and efficiency.

Still, experimentation doesn’t always equate to readiness. What we should be looking at — and answering — is whether GenAI is capable of solving today’s most pressing challenges.

The key to healthcare innovation starts with creating impactful technology and fostering an environment for clinicians and their patients to thrive. That’s only possible by aligning technology with the real needs of healthcare professionals, the patients they’re serving, and demonstrating the return on investment (ROI) in clinical and financial outcomes.

Rolling out new GenAI should be about matching the problems with the right technology. For example, 60% of healthcare professionals believe that GenAI can improve the patient experience, and 41% think that ambient listening capabilities will enrich patient-provider relationships.

Ambient documentation is a prime example of where GenAI is making a significant impact by alleviating one of healthcare’s biggest challenges in a low-risk domain. It can save clinicians hours each week by creating clear and actionable patient summaries, and there’s an incredible opportunity to integrate clinical decision support and revenue cycle into these workflows.

Balancing Hype with Safety

As GenAI gains traction throughout healthcare, risks persist, particularly as GenAI approaches the actual patient and directly impacts their care. One area of concern among healthcare professionals is the overreliance on GenAI. In fact, a preliminary study from MIT explored how GenAI alters the brain’s ability to process information, leading to impaired learning and retention.  

As great as GenAI is at generating content and creating patient summaries in seconds, it’s also capable of hallucinating with complete confidence in the same amount of time. What’s more problematic is the inability to distinguish hallucinations from reality. One study found that up to 45% of residents do not detect hallucinations accurately.

The likes of ChatGPT may perform well on a medical exam or when diagnosing textbook clinical vignettes, but real-world patient care can be far more complex and unpredictable. Patients expect their clinicians to make error-free decisions using trustworthy evidence, not guesswork, to ensure the best possible outcomes.

It’s easy for LLMs to be unaware of clinical context and fail to ask important questions before delivering diagnostic and treatment recommendations when they aren’t held to a gold standard of evidence. LLMs can fail to admit they’re wrong and may lead a clinician down the wrong path if it’s not caught early on.

For example, if you’re treating a patient with a urinary tract infection who is allergic to penicillin, an LLM will likely recommend prescribing fluoroquinolones, which is typically the right course of action. However, if it is not trained to ask if the patient is pregnant, fluoroquinolones could cause a harmful drug reaction in the patient and the fetus.

Real-world concerns can come with severe consequences. GenAI must be fully ready for every clinical application and grounded in rigorously reviewed evidence-based content before doctors rely on it to aid in clinical decision-making.

Making GenAI Responsible for Healthcare

Organizations are beginning to take the lead in building robust AI governance to ensure the safe and responsible use of GenAI at their institutions, as the technology is currently advancing faster than the oversight.

It’s important to learn to walk before you sprint. We’re seeing benefits from gradual rollouts, pilot programs, and industry consortiums offering quality assurance resources for clinical AI. Collaborations are crucial to working towards the same goal of seamless integration and avoiding disruptions or costly errors.

Ultimately, the most effective GenAI tools in healthcare will remove, not add, another layer of complexity to practicing medicine. Our efforts should be grounded in restoring joy to healthcare through the simplification of processes. Patient encounters should focus on care, not on clinicians spending valuable time searching for information.

GenAI offers an incredible opportunity to eliminate friction and accelerate access to the right information at the right time, when clinicians need it. At the end of the day, technology should be an enabler, not a barrier, to delivering the best possible care.

Readers Write: Healthcare Search Strategy Needs a Reboot

Healthcare Search Strategy Needs a Reboot
By Harsh Bhatt

Harsh Bhatt is  executive director of AI and analytics at Praia Health.

With policy changes out of Washington impacting reimbursements, the need for health systems to attract and retain commercially insured patients will become critical. These patients are not only the most profitable, but also the most digitally savvy and the most likely to comparison shop for care.

Health systems have invested years and millions of dollars building digital front doors and acquisition funnels to capture these patients. Unfortunately, those once-proven funnels are quietly eroding beneath the surface, disrupted by something few health systems have yet to account for: AI-powered search.

Despite continued investment in SEO and content creation, leading health systems are seeing a 10% or greater decline in search traffic, even while maintaining high search rankings. AI-powered answers and summaries are increasingly satisfying patient questions at the top of the results page, leaving no need for them to click through to their local health system’s website.

Patients are still searching, but fewer are actually reaching a health system’s digital front door. Since the launch of these AI-powered features, click-through rates from search have dropped by more than 30% across industries.

The problem isn’t just visibility; it’s redistribution. Generative AI tools are favoring national brands like Cleveland Clinic, Mayo Clinic, and Johns Hopkins, as well as commercial providers like Amazon and Teladoc. These entities aren’t winning traffic solely because of name recognition. They are winning because their content is structured for machine readability and optimized for citation by generative algorithms.

This is a fundamental shift. Most patients no longer begin their digital care journey on a health system home page or even a service line page. Increasingly, they begin, and often end, their journey with a generative answer.

To stay competitive, health systems must reimagine not just how they drive traffic, but how they capture and convert it. Traditional SEO is no longer enough. The new frontier is Answer Engine Optimization (AEO) and Generative Engine Optimization (GEO), strategies that organize content in conversational Q&A formats, use structured data and schema markup, and position information to be picked up by AI-driven search experiences.

But even if that click is won, the digital journey can’t end at a static landing page. Unless the next step is personalized, immediate, and intuitive, the opportunity to engage that patient disappears. Health systems need to have intuitive consumer identity and experience on-ramps embedded throughout their digital properties.

Every visitor is more valuable than ever. Health systems must deliver personalized, logged-in experiences that build loyalty and drive retention. When a patient lands on a site, the experience should adapt to who they are, what they need, and how they prefer to engage. Guided navigation, tailored service recommendations, and contextual digital support aren’t just nice-to-haves – they are required to reduce friction and move people closer to care.

Search isn’t dying, but the way patients use it is changing fast. The digital strategies that worked even two years ago are no longer sufficient. Health systems must pivot quickly to remain discoverable, credible, and competitive in the AI-shaped search landscape.

Readers Write: Self-Service in Health IT: More than a Fancy Kiosk

Self-Service in Health IT: More than a Fancy Kiosk
By Sriram Devarakonda

Sriram Devarakonda, MSEE is CTO at Cardamom.

Self-service first emerged in the consumer space, where it was designed to offer a frictionless, user-controlled experience. Whether buying a soda from a vending machine, ordering a burger at a kiosk, or depositing a check via mobile app, self-service is no longer a novelty — it’s an expectation.

The goal? Empower customers with speed and convenience, while still providing the right guardrails.

In health IT, self-service started gaining traction in the early 1990s, as support demand quickly outpaced available resources. Early implementations focused on handling low-complexity tasks like password resets, login issues, and access to knowledge articles.

Today, self-service goes far beyond troubleshooting. Users expect more sophisticated, cognitive tasks, such as exploring data, generating ad-hoc reports, and deriving meaningful insights, all without having to file a ticket. Yet despite the strategic focus placed on self-service across industries, sustainable, impactful adoption in healthcare remains rare.

What separates organizations that succeed with self-service from those that struggle?

Let’s go back to the burger analogy. Why might a customer avoid using a self-service kiosk?

• The interface isn’t intuitive.
• It doesn’t allow for customization (no pickles, extra cheese?).
• It doesn’t support their preferred payment method.
• Most importantly: if the kiosk gets the order wrong, that customer probably won’t use it again. If the burger itself is bad, they may never return to the restaurant, which is a different, but equally important, problem.

Now, apply that thinking to self-service reporting in healthcare. The stakes are higher, and the choices are rarely as simple as picking from a preset menu. Success requires more than just implementing a tool. It demands the right mix of people, processes, and technologies to ensure that the information that is being served is accurate, actionable, and tailored to the user.

Here’s what that takes:

A deep understanding of users and use cases.

A care manager may need a quick list of patients for outreach. An ED director may be focused on real-time throughput. These are vastly different needs, both in purpose and in technical complexity. And that’s just two personas. Most healthcare systems support dozens more, each with their own complexities and needs.

Strong data governance

Certified, approved definitions help avoid inconsistent or misleading data. It’s the difference between ordering a Big Mac and ending up with a plain hamburger.

Rigorous validation processes

Just as restaurants test new menu items before launch, healthcare solutions should be reviewed by cross-functional teams — including clinical, technical, and operational experts — to ensure accuracy and trust.

A long-term mindset

Self-service is not a one-and-done implementation. It’s a journey that evolves with user maturity, system capabilities, and data maturity.

Robust user enablement

Even the best tools fall flat without support. Users need training, ongoing coaching, and a clear path for feedback and escalation.

Clear, meaningful measurement

Success should be tracked through real adoption, demonstrated value, and a measurable reduction in support tickets for routine issues.

Accessible, intuitive technology
The best self-service tools are invisible — seamless, simple, and always available when users need them. 

When executed effectively, self-service doesn’t just reduce dependency on IT teams. It empowers frontline users to make faster, more informed decisions. It builds trust. It turns skeptics into advocates.
But success isn’t a matter of flashy platforms. It requires a service-oriented mindset, one that is grounded in empathy, clarity, and commitment to getting it right.

Readers Write: Innovating the Consumer Experience Beyond the EMR with Open Standards

Innovating the Consumer Experience Beyond the EMR with Open Standards
By Robin Monks

Robin Monks is EVP of technology at Praia Health

Patients – and potential patients — expect seamless digital experiences. They’re getting them every day from their social media, retail, and banking apps. The difference in user experience between viewing a credit card statement and a healthcare bill is obvious – and shocking. At the same time, the costs of fragmented, proprietary systems for health systems are becoming unsustainable.

While we’ve seen progress in allowing patients access to more of their data, we’re just scratching the surface on data access and have yet to make inroads into data actionability. The lack of open standard adoption inflates integration costs, stifles innovation, and limits the true potential of digital health.

This challenge was the focus of our recent HIStalk webinar, “Innovating the Consumer Experience Beyond the EMR with Open Standards,” where fellow industry leaders and I explored the transformative power of open standards in healthcare. I was joined by Ryan Howells, principal at Leavitt Partners and program manager of The CARIN Alliance; David LaBine, vice president of software engineering at Providence 4SITE; and Kristen Valdes, CEO of b.well Connected Health.

We emphasized that open standards — such as OIDC (OpenID Connect) and HL7 FHIR (Fast Healthcare Interoperability Resources) — along with broader open technology requirements are creating dramatic ROI where they’ve been deployed. They are strategic enablers that can dramatically reduce the burdens associated with integrations, data migrations, and workflow adjustments across the healthcare ecosystem.

These standards offer more than just future flexibility. They deliver immediate ROI by accelerating development timelines, minimizing rework, and significantly lowering long-term maintenance expenses. Every closed integration implemented today represents a missed opportunity to operate with greater speed, intelligence, and efficiency.

A key takeaway from our discussion was the critical role of open standards in fostering a truly patient-centric approach. The current landscape often forces individuals to navigate a labyrinth of disparate patient portals, each with its own login and limited data access. This creates significant friction and can even impede access to life-saving information, particularly for those managing complex or rare diseases. By adopting open standards for identity and data exchange, health systems can streamline patient access, improve engagement, and build stronger, more trusting relationships.

Our conversation also delved into the tangible business case for open standards, moving beyond mere compliance. By standardizing data exchange and identity management, organizations can reduce technology costs, automate manual tasks, and unlock entirely new business models. Examples shared included double-digit increases in lab completion rates and cash collection for health systems that have embraced open identity solutions. The ability to connect disparate data sources, from clinical notes to wearable device data, allows for a more holistic view of the patient that enables proactive care and improved outcomes.

We underscored the importance of leveraging established global standards from other industries. The financial sector, for instance, has long utilized open standards for seamless and secure transactions, demonstrating that these are solved problems that healthcare can readily adopt. This approach avoids the costly and inefficient creation of bespoke solutions, allowing resources to be redirected towards actual patient care and innovation.

For healthcare executives and developers who are looking to initiate this transition, the advice is clear. Identify areas where fragmented patient experiences and data silos create friction and cost. Assess how many applications are isolated due to proprietary identity systems.

The potential for double-digit increases in patient engagement and operational efficiency makes a compelling argument for investment. Advocates for this shift are often found among chief digital officers and transformation leaders who recognize the need for a broader, integrated ecosystem of applications.

A practical roadmap for open standards implementation involves a strategic, incremental approach. This includes auditing systems to understand existing data flows and identity challenges, developing a clear vision for interoperability, and creating cross-functional teams dedicated to this transformation.

Open standards are available for immediate adoption. Organizations do not need to wait for mandates or rely on proprietary vendor roadmaps. But adoption requires that vendors be held to open standards when evaluating solutions and during each renewal cycle. By actively engaging with collaborative initiatives and embracing these open frameworks, healthcare stakeholders can collectively drive innovation, enhance patient loyalty, and build a more efficient and effective system for everyone.

The time to act is now. The industry must move from business-to-business data exchange to truly individual-centered care.

Readers Write: The Multi-Million Dollar Transformation Opportunity Healthcare Loves to Hate: Application Rationalization

The Multi-Million Dollar Transformation Opportunity Healthcare Loves to Hate: Application Rationalization
By Amy Penning

Amy Penning is senior application analyst at CereCore.

Rationalize your applications, they say. It will lead to cost savings, streamline your portfolio, and release resources for innovation and technological advancement.

So why do we groan at the idea of starting an application rationalization effort? Immediate reactions to AppRat, as it is commonly called, are often due to the complexity of the work and lack of employee bandwidth to complete the work thoroughly. AppRat is often deemed a “not now, but maybe later” task that is driven by bigger strategic moves like M&A, cloud migration, and EHR implementations, further complicating these mission imperatives, adding to their timelines, and increasing their cost.

Consider these points about all there is to gain from having full visibility into your application portfolio before, rather than during, another strategic undertaking at your organization.

Application Sprawl is Expensive and Risky

Over time, even the most well-managed IT environments accumulate technical debt. Siloed purchasing, legacy systems, and shadow IT can create a bloated application portfolio that could:

• Drain IT support resources.
• Increase cybersecurity risk.
• Inflate licensing and maintenance costs.
• Complicate integration and data governance.
• Impact patient safety.

Application sprawl quietly erodes operational efficiency and financial flexibility, with the most significant impact observed at small to mid-sized hospital systems. However, application rationalization as a strategic lever introduces efficiencies through the elimination of overspending on resources and duplicated functionality.

Why AppRat Is a Strategic Lever, Not Just Cleanup

Too often, we think of AppRat as a “someday” project, something to tackle after the dust settles from a major initiative. But done right, it can:

• Fund transformation by freeing up capital that is tied to redundant or underused systems.
• Accelerate innovation by simplifying the IT landscape and enabling faster adoption of technology.
• Improve clinician experience by reducing system fragmentation and login fatigue.
• Streamline training and support by setting up your organization with enterprise standards versus siloed applications.
• Strengthen security posture by eliminating outdated or unsupported applications.

AppRat’s Anticipated Impact on Operations

I have led programs that decommissioned as many as 30% of an organization’s applications over five years, resulting in savings of as much as $70M. Given the value of resources that can be redirected to patient care, staff development, and digital innovation, the potential impact of an AppRat initiative is even higher.

Timing Is Everything, But So Is Framing the Purpose and Value of AppRat

Timing matters. No one wants to launch AppRat during a go-live or construction phase. But waiting for the perfect time often means that it never happens. 

Instead, organizations should reframe AppRat as a foundational part of transformation, not a follow-up act. AppRat should be a thoughtful, repeatable process that is embedded in the planning phase of any major initiative, not left for the post-project cleanup crew. 

Use Industry Tools Instead of Devising Your Own AppRat Approach

Leverage the findings and tools of those who have done the work before you. The CIO Council’s The Application Rationalization Playbook is available as a free download. It’s a great starting point to understanding methodology

Final Thought: Rationalization Is Essential

Application rationalization should become a regularly performed assessment of your overall application portfolio. It is never finished, but it is foundational. Start your organization’s next major technology innovation or change with full transparency into your organization’s IT costs and cost of ownership by conducting AppRat before it even starts.

Readers Write: Modernizing Healthcare’s Third-Party Risk Approach

Modernizing Healthcare’s Third-Party Risk Approach
By Ryan Redman, JD

Ryan Redman, JD is product manager of marketing at Onspring.

Oracle Health’s announcement of its second data cyber incident in March of this year shocked healthcare providers and customers. Even more alarming was the specific data was impacted that is housed in its legacy cloud infrastructure.

According to publicly available information, approximately 6 million records containing protected health information (PHI) were likely compromised despite Oracle’s attempts to downplay the severity of the potential compromise. The repercussions left hospitals struggling to identify exposed data as the incident reminded compliance officers of the challenge of considering all data outside of centralized oversight, including legacy infrastructures, when accounting for third-party risk.

Many of these healthcare compliance professionals must rely on third-party risk strategies with limited visibility into the many networks of contractors, partners, and hosted environments that they are tasked with managing. Beyond compromising legacy infrastructure data, Oracle’s cyber incidents exposed the damaging compliance gap in how healthcare organizations manage third-party relationships. Healthcare compliance teams must adopt real-time, integrated GRC tools that boost visibility, reduce manual work, and enable proactive risk response to close this gap and protect their data.

The Hidden Dangers of Legacy Infrastructure and Outdated Third-Party Risk Strategies

It’s easy for legacy systems to fall by the wayside within healthcare’s intricate network of active systems that span internal platforms, external platforms, and cloud-hosted data. Using third parties only heightens critical risks. In Oracle’s case, the servers had not yet fully migrated to the company’s new environment, leading attackers to exploit compromised credentials to access those systems. Teams overlooked what appeared to be outdated, dormant infrastructures. Bad actors accessed sensitive data, and traditional assessment methods were unable to detect this risk.

Healthcare organizations face serious compliance consequences when third parties fail to safeguard patient data, whether due to misconfigured access, missed vulnerabilities, or neglected systems. In 2024, the healthcare sector emerged as the most targeted industry for data breaches, proving that third-party risk assessments are not cutting it. Often only conducted periodically and involving emailed surveys, spreadsheets, and disconnected records, these assessments result in hours of manual work and provide a limited, static view of risk. Outdated methods fail to catch emerging vulnerabilities in legacy systems over time. Risks often materialize by the time the next scheduled compliance review comes, meaning sensitive data has already been exposed.

Five Essential Steps to Improve Compliance Oversight

Healthcare organizations must take action to strengthen their third-party risk posture, and the following actions can help turn policy into practice.

• Create a single source of truth for evidence and documentation. A secure, centralized repository ensures that materials that are relevant to organizational compliance are version-controlled and always accessible.
• Track and classify third-party integrations and engagements. Different use cases with the same third parties can carry varying levels of risk. A clear inventory with engagement-level context supports more accurate classification and visibility.
• Automate risk scoring and review cycles. Configurable scoring models based on regulatory frameworks allow compliance professionals to consistently assess third-party risk without manual intake processes.
• Move from periodic reviews to continuous oversight. Periodic reviews leave critical gaps in risk oversight. Real-time alerts through continuous monitoring flag when risk scores increase with new findings.
• Develop response plans for third-party risk. Organizations must regularly test even the most comprehensive risk programs through tabletop exercises or simulations.

Ultimately, maintaining trust is vital to compliance, and losing it comes at too high a cost.

Readers Write: Beyond Self-Scheduling: Analysis Shines Spotlight on The Future of Patient-Driven Access

Beyond Self-Scheduling: Analysis Shines Spotlight on The Future of Patient-Driven Access
By David Dyke

David Dyke is chief product officer at Relatient.

“Access to care” has become a central theme in healthcare leadership discussions. While the term “access” can mean many different things in healthcare, it begins with the patient.

A new nationwide analysis of self-scheduling tool usage underscores a shift occurring in the industry that provider organizations must acknowledge and act on to stay relevant: patient-driven access. Findings across more than 150 million patient bookings reveal a 30% year-over-year uptick in patients who booked appointments through digital self-scheduling options from 2023 to 2024.

Patient interest in self-scheduling is likewise driving adoption from healthcare organizations. The analysis further revealed a 53% increase in implementations of self-scheduling tools across a wide variety of healthcare organizations and specialties.

Self-scheduling has evolved into an essential access tool for today’s practices that are striving to meet rising patient expectations. The key is making the right investments upfront to ensure that organizations reap the full benefits of patient-driven access. Early adopters stand to not only delight patients, but also to realize significant operational value and bottom-line impact – such as 24/7 patient access and new patient acquisition — faster.

Understanding Increased Adoption of Self-Scheduling

Patients increasingly prefer digital self-scheduling options, with an overwhelming desire for improved digital self-service. As the first touchpoint in the patient journey, scheduling has a critical impact on overall patient experience.

Consumerism trends point to the need for greater convenience and empowerment. This means manual processes that require having to call multiple times or wait on the phone to schedule an appointment are quickly being replaced with digital solutions by today’s healthcare organizations.

Healthcare leaders value the patient experience advantages of self-scheduling. They also gain operational efficiencies and greater revenue opportunities. Data uncovered from the analysis revealed:

• A 50% decrease in no-show rates for self-scheduled appointments.
• A 21% reduction in cancellations when self-scheduling is used. The reduction was 30% for established patients.
• Two-thirds of appointments that are booked through online self-scheduling are for new patients.

These numbers significantly highlight ongoing industry opportunities to improve no-show rates and appointment cancellations.

Expanding the Impact of Self-Scheduling

Putting patients in the driver’s seat is a start, but the future of self-scheduling optimization relies on more intelligence and integration across the entire patient journey. Organizations can expand the impact of these tools by:

• Integrating full-service scheduling APIs to meet patients where they are. These open scheduling APIs provide flexibility for healthcare organizations to scale access points across diverse channels, automating key scheduling functions across a variety of new and existing patient touchpoints, including virtual agents, AI-assisted chatbots, third-party apps, financial clearance processes, and virtual care platforms. By supporting a self-service, multi-touch model, these tools empower patients to take control of their care journey. Many organizations struggle to deliver this model due to disconnected systems, but tightly linked, multi-channel functionality allows patients to bypass long phone queues and enjoy a more seamless experience, while providers gain better system interoperability and operational efficiency.
• Transforming staff and patient experiences by automating common appointment management tasks with AI-driven voice solutions. New Voice AI tools integrate seamlessly with existing scheduling systems, taking on repetitive, high-volume inquiries, such as appointment rescheduling and cancellations, so that staff can focus on more complex patient needs. By deflecting calls and reducing hold times, these tools not only ease operational strain, but also enhance the patient experience with immediate, conversational support that is available 24/7.
• Driving action and education with integrated scheduling across the patient journey. Digital patient communication should not only inform —  it should drive action. By embedding scheduling functionality into key communication touchpoints, such as appointment reminders, referral activation, and rescheduling workflows, organizations can support patients with timely next steps. This creates a more seamless and scalable access model.

Whether booking a single primary care visit or managing ongoing specialty care, patients benefit from convenience and autonomy, while providers see increased appointment adherence and streamlined operations. Consequently, providers should think beyond traditional scheduling within the call center by embracing self-scheduling and the scalable infrastructures that are needed to support success for the long-term.

As the future of patient access continues to unfold, with more and more power placed in hands of the patient, a single self-service touchpoint won’t be enough. Savvy patients will come to expect a seamless, interconnected experience at every step of the way.

Expanding patient self-service functionality now allows organizations not just to keep up, but to actively fulfill the future of patient access, leading the pack in both patient access performance and operational efficiency.

Readers Write: “The Illusion of Thinking”: Implications for Healthcare

“The Illusion of Thinking”: Implications for Healthcare
By Vikas Chowdhry

Vikas Chowdhry, MS, MBA is founder and CEO of TraumaCare.ai.

If you are even moderately interested in AI, I am sure you have by now at least seen various comments and responses in social media to Apple’s paper titled “The Illusion of Thinking.” But in case you have been under the AI rock, here’s a brief summary.

In this paper, the authors show that today’s large reasoning models (LRMs such as OpenAI o3-mini, DeepSeek-R1, Claude 3.7 Sonnet-Thinking) — systems that explicitly generate long chains-of-thought — really do think more, but not necessarily better. On carefully designed puzzle tasks, they beat ordinary LLMs only in a narrow middle band of difficulty and then collapse outright as problems grow harder.

As expected, the comments span the gamut, from “the sky is falling” to “not a big deal, they will figure out a way to overcome or fix this.” While I am not in the “sky is falling” camp, I do think that this paper raises some important questions with special implications for healthcare. Any healthcare organization (or vendor) that is using or developing a product that is based on LLMs/LRMs will need to think deeply about these issues and have a strategy to run their own similar evaluations and hopefully share them publicly.

Here are four key findings from the paper and my take on the implication of each finding for healthcare.

#1. Impact of complexity on reasoning performance

The authors identify three performance regimes as problem complexity rises:

• Low complexity: standard LLMs are more accurate and efficient than LRMs.
• Medium complexity: LRMs pull ahead.
• High complexity: both collapse to zero.

Performance of LRMs (solid lines) and LLMs (dotted lines) across low, medium and high complexity puzzles (figure from the Apple paper).

Healthcare implications:

• How will you define complexity thresholds in your workflow?
• Does your system dynamically choose between an LLM and an LRM based on a case’s difficulty?
• Can it detect when a case crosses a threshold and alert the clinician instead of forging ahead with low-quality output?

#2. Token-effort collapse

LRMs spend more tokens as tasks get more complex until a critical point, after which, they give up and begin to reduce their reasoning effort despite increasing problem difficulty. This behavior suggests a fundamental scaling limitation in the thinking capabilities of current reasoning models relative to problem complexity.

Healthcare implications:

Let’s say your product helps detect malignant tumors, or, transcribes ambient conversations using LLMs/LRMs.

• In operational mode, does it have mechanisms to detect that the case has crossed a complexity threshold and that it is giving up, and that at that point, humans need to stop using it for that case?
• What happens if the AI product was sold as a tool to make your apps take on more primary care responsibilities, and now that the product has given up, what’s your recommendation for the NP who was relying on your product?
• What if your product doesn’t even have the awareness that it has given up and the NP continues to rely on its output? Who owns the risk for a misdiagnosis?

#3. Over-thinking & self-correction limits

For simpler problems, reasoning models often find the correct solution early in thinking, but then continue exploring incorrect solutions (overthinking). As problems become moderately more complex, this trend reverses: correct answers appear only late. For hard tasks they never appear (“collapse” as discussed earlier).

Healthcare implications:

• Over-thinking wastes compute and drives up cost.
• Yet aggressively pruning the chain of thought might remove the only path to a correct answer on tougher cases.
• Your system therefore needs complexity-aware throttling, not a one-size-fits-all token limit.

#4. No benefit from explicit algorithms

Prompting with a known algorithm to solve the problem does not improve the performance. This indicates weaknesses in faithfully executing step-by-step logic, not just in discovering it.

Healthcare implications:

A healthcare organization may have explicit clinical guidelines for certain use cases and would want the AI product to follow them when those guidelines are met. However, the results of this paper show that an LLM/LRM based on AI product may not be able to execute an algorithm based on those guidelines even when explicitly programmed into the system.

• Embedding clinical guidelines verbatim is not enough.
• You must verify that the model can faithfully execute those step-by-step protocols under real-world complexity.

Final Thoughts

AI progress is breathtaking, yet deploying it in high-risk domains like healthcare demands transparent, domain-specific safety testing. This paper is a timely reminder that such work takes time, expertise, and openness. Sharing evaluation results will accelerate safe adoption for the entire industry.

Readers Write: The Future of Member Support: How Intelligent Search Can Transform VAB Delivery

The Future of Member Support: How Intelligent Search Can Transform VAB Delivery
By  Andi Gillentine

Andi Gillentine, MS is VP of national accounts at Findhelp.

Value-added benefits (VABs) are services that are offered by Medicaid managed care plans above and beyond required Medicaid state plan services. They are extremely popular –  Medicaid plans in at least 48 states offer VABs — and historically poorly promoted and utilized.

How do we ensure improved utilization of VABs, which have the power to impact quality measures, quality of care, and overall health? By maximizing intelligent searching via closed-loop referral systems to surface the right programs to the right person at the right time, for both care managers navigating on a member’s behalf and members who are self-navigating.

About VABs 

While VABs are typically non-medical, they are often related to member wellbeing. Examples of VABs are car seats and bike helmets for children, extended dental and vision services, over-the-counter medication funding, and carpet cleaning. More and more commonly, these services are used to address health-related social needs (HRSNs).

In Ohio, for example, VABs are allowed for dental, vision, transportation, health and wellness programs (includes housing supports and medical meals), incentives to strengthen health and wellbeing (includes rewards for seeking preventative care), prenatal and postpartum incentives, application services, telehealth, and 24-hour medical advice lines. Each of the seven Medicaid plans in Ohio offers at least 30 VABs, with one plan offering nearly 50.

This wealth of benefits can help Medicaid members achieve improved health outcomes and quality of care that is measurable in HEDIS and other health quality measures, if the members are aware of the benefit and know how to access it, and if administering it is easy on the health plan. Unfortunately, this is often not the case.

Improving VABs Access and Awareness

Today, in most states, a Medicaid member seeking support would have to spend hours researching their health plan website or reading their plan’s member handbook. As any health plan member can attest, this is a challenging, time-consuming task, frequently made more challenging by engaging solely through a smart phone. Accessing VABs usually requires a call to a customer service representative, with potentially long wait times, and then a waiting period to receive the goods or services.

This high administrative effort to find and access benefits results in high costs for health plans. Many Medicaid members miss important preventive care appointments due to transportation issues, use the ED for non-emergent needs because they can’t afford medications, or lose housing or utilities. VABs can provide the resources and support to prevent these occurrences, but it’s not enough for support to just be available. Members need relevant recommendations and easy access.

In an ideal world, a Medicaid member would be able to go to one place, validate their insurance coverage, search for services that address their needs, and receive intelligent results that provide resources tailored to their specific situation, with the ability to self-refer to access these goods and services. This intelligent search needs to include all available resources from their community, county, state, and health plan’s VABs. No more hunting through multiple sites or staying on the phone for long periods of time just to put food on the table, get a ride to an appointment, or find a car seat.

Intelligent Search is the Answer

There are no technological hurdles to solving this problem. We have already solved it. We simply need to integrate these workflows at the right time and in the right place for navigators and Medicaid members, using interoperable social care platforms with intelligent search capabilities. Where a patient can walk in the doors of a safety net hospital and, because of the integrated social care information in their medical chart, tailored recommendations, including VABs, are automatically presented to  care teams. The care team may refer or recommend some of these resources to the patient and encourage the patient to self-navigate for additional benefits and support. Or where a health plan care manager, engaging with a chronically-ill, dual-eligible member, can assess need and eligibility for VABs and other integrated social care support and, with consent, directly refer the member to services.

One personalized, intelligent search for all services, in easy-to-access workflows for navigators and members. The future is already here. Let’s make the most of it.

Readers Write: The End of “Good Enough”: A Personal Journey to Better Healthcare IT Application Support

The End of “Good Enough”: A Personal Journey to Better Healthcare IT Application Support
By Jody Buchman

Jody Buchman, MBA is SVP of continuous services at Healthcare IT Leaders.

I never imagined that my most powerful lesson in healthcare IT application support would come from a hospital bed.

During my third pregnancy, I was given only a 30% chance of carrying to term. It was a high-risk situation that kept me on bed rest, working remotely for Cerner Corporation from a hospital room while continuing to support clients. For the first time, I was experiencing the healthcare system not just as a professional, but as a patient. And in that moment, I saw the real impact of the Women’s Health Solution we were implementing. Not on a screen, but in the care I was receiving when every decision mattered.

My son Jake was born early, just four pounds. But thanks to an incredible team of clinicians and the systems that empowered them, he went home just three days later. Today, he’s a healthy high school baseball player and a daily reminder of why this work matters so deeply to me.

That experience shaped everything about the way I lead today. Lying in that hospital bed, experiencing the system not as a technologist but as a mother, I came to understand what excellence in healthcare IT truly means. Behind every system alert and resolved ticket is a human story, a moment where things either go right … or don’t.

It’s why I’ve dedicated my career to building support organizations that are more than just reactive help desks. The traditional managed services model — transactional, after-the-fact, and satisfied with “good enough” — simply isn’t good enough. Not when every delay, every overlooked alert, every closed-but-not-solved ticket can directly impact care. I’ve seen the fallout firsthand: burned-out IT teams, clinicians wrestling with tools instead of treating patients, and families caught in the middle.

Healthcare doesn’t stop after hours, and neither can we.

Why the Old Way of Application Support No Longer Works

When you’ve managed global application support at scale, with thousands of clients and millions of incidents a year, you start to notice patterns. For too long, we tolerated a model that measured success by closed tickets, not real solutions.

I’ve seen the consequences: the physician who can’t get help after hours, the nurse who hesitates to open a ticket because it rarely leads to resolution, the IT manager who knows what’s broken but lacks the resources to fix it.

In healthcare, where time, accuracy, and availability are non-negotiable, that model simply doesn’t hold up.

What a Continuous Services Model Looks Like

Healthcare runs around the clock and technology continues to evolve. It’s time our application support models did, too.

What’s needed now is a continuous services approach, one that’s proactive, connected, and designed to prevent problems before they impact care.

Here’s what that means in practice.

First, real-time system monitoring should be the norm. Just as clinicians monitor patient vitals, IT support teams should track system health in real time. Application performance lags, interface errors, error pop-up messages, and failed jobs should be spotted early and addressed before users ever notice.

Second, automation needs to take on more of the routine work. Routine fixes like restarting ops job, failed interface transactions, or real-time data cleansing don’t have to require manual effort or have time constraints. Smart automation can handle these tasks, freeing up IT resources for higher-value work and providing an always-on and available resource around the clock.

Third, the tools and teams supporting the system need to be connected. Too often, monitoring tools don’t talk to ticketing platforms. Analysts don’t have access to context or history. A continuous model links everything together so that support is both faster and more informed.

Fourth, expertise matters. In a continuous services model, clinical and technical support analysts are experts empowered to do more than respond to tickets. They understand clinical workflows, governance and IT business processes to work as an extension of the IT team solving problems at the root.

Finally, the model has to scale. As organizations grow, the support structure should adapt with them. Intelligent automation makes that possible by creating a flexible operations model that evolves as needs change without drastically impacting cost.

What We Gain When Support Gets Smarter

The benefits go well beyond reducing tickets. Internal IT teams finally get room to focus on long-term projects instead of reacting to daily disruptions. Clinicians spend more time on care and less time wrestling with technology. Most importantly, patients receive care backed by systems that are reliable and responsive.

A Final Thought

After a career in healthcare IT support, I’ve learned that service excellence isn’t about heroics, it’s about making a difference. It’s about providing world-class support designed to ensure the technology is no longer a barrier for clinicians to provide quality care.

Status quo isn’t an option when lives are on the line like Jake’s. The real heroes are the nurses and caregivers. Our job is to make sure the systems behind them are just as ready and dependable.

That’s the kind of continuous support healthcare needs now. One that runs quietly in the background, and when it works well, it saves lives. It is entirely within reach.

Readers Write: Access to Care Isn’t Just Technology, It’s Human Connection

Access to Care Isn’t Just Technology, It’s Human Connection
By Cheryl Dalton-Norman

Cheryl Dalton-Norman, RN, MBA is president and co-founder of Conduit Health Partners.

Every year, a new priority dominates conversations among hospital C-suites. The current buzz phrase is “access to care.” It’s certainly a priority that all stakeholders can rally around. While technology will be front and center as a critical enabler of better access, it must be paired with something just as critical: real human connection.

As healthcare leaders, we don’t just shape patient care, we experience it ourselves. I was reminded of this all too clearly during a recent family medical crisis.

It was a Saturday at 3 p.m. My father-in-law was in pain. His wound looked worse, and a rash had developed. None of these issues were new, but my mother-in-law was exhausted, my husband was worried, and our only option was an emergency room visit, one that would drain my father-in-law even further and send us down an all-too-familiar path. The cycle was grueling: hospital, rehab, ER, hospital, assisted living, ER, hospital, skilled nursing, assisted living, ER. Again and again.

Many healthcare organizations are making significant strides in using technology to improve access. That’s important. But at that moment, what I needed wasn’t just technology. I needed someone to talk to me. Someone who could listen, review my father-in-law’s medical record, understand where we were in the process, and help determine the best next step. That resource wasn’t available, so the cycle of fear, fatigue, and poor outcomes continued.

I’ve spent my entire career in healthcare, from bedside nursing to administrative leadership. Yet even with my experience, my own family struggled to navigate a system that too often leaves patients and caregivers feeling lost.

Access means different things to different people. For me, it’s knowing that when someone reaches out for help, whether at 3 p.m. on a Saturday or 2 a.m. on a Tuesday, they aren’t met with barriers, but with immediate connection.

This is why nurse triage is a vital first touch point for ensuring timely, appropriate patient access. The reality is that all healthcare settings are ripe for after-hours nurse triage services that can be used as a backend and backup clinical resource. These models work by ensuring 24/7 access to a registered nurse who listens, assesses the situation, and provides guidance using best-practice protocols. This way, patients avoid unnecessary ER visits while still ensuring they get the right care. More than that, that human touch point provides peace of mind, continuity, and true access to care.

While some healthcare work is easy to quantify, some is mission driven. It has value for communities, but might be difficult to define in dollars and cents. It’s one thing to do the math on a value proposition for healthcare revenue cycle. For example, “Here’s how much we collect on average. Here’s our rate of point-of-service collections year over year.” 

How do you measure the value of building trust and connection with patients? How do you capture improved access to care for underserved or rural populations from a telephone call after hours? These are new ways of looking at value, and the value proposition of nurse triage to the patient and clinician experience is just as important as the number of avoided ED visits. 

Additionally, the clinician mass exodus from healthcare continues at alarming rates. From nursing teams to ED staff and emergency medical services workers, health care professionals are overburdened and overextended. Alleviating even some of this burden would make a difference, especially when it comes to 24/7, 365-day coverage.

Health systems, FQHCs, medical groups, and payers need solutions, not buzzwords. We must commit to better patient outcomes while supporting caregivers and ensuring no one has to navigate the system alone.

Readers Write: Happy Customers Don’t Just Pay Their Bills!

Happy Customers Don’t Just Pay Their Bills!
By Dean Kaufman

Dean Kaufman, MS is founder and CEO of Healthcare Service Consultants of Millburn, NJ.

“The purpose of a business is to create a customer who creates customers.” Those are the words of Shiv Singh, chief executive officer at Savvy Matters, a business growth consulting firm, and author of “Savvy: Navigating Fake Companies, Fake Leaders and Fake News in the Post-Trust Era.”

The problem is that many company leaders are short-sighted when it comes to customer relationships and don’t make the most of satisfied customers in the long term. Singh’s sentiments, however, ring especially true in the healthcare IT and health tech markets, where ongoing customer success and relationship building are ultimately critical to long-term business success.

Indeed, this long-game approach is an absolute must-have for continued growth. This rings even more true for cloud-based SaaS companies since turning off the spigot is as easy as turning it on.

As such, healthcare IT company leaders must remember that happy customers can do more than simply pay their bills. They can evolve into strategic assets that fuel business growth in more ways than one might think.

The unfortunate reality, however, is that early stage healthcare IT companies are often pressured to focus on near-term customer acquisition and rapid top line revenue growth. This is often necessary to show investors they can solve a pressing problem and acquire paying customers. Company leaders, however, must look beyond these immediate concerns and realize that enduring success requires a people-first approach that nurtures trust and long-term customer relationships that extend beyond the initial sale and out-of-the-gates technology implementation.

Customer Success as a Product Commercialization Strategy

Concentrating on these relationships is crucial, because healthcare IT buyers at provider organizations typically are risk-averse and make fact-based buying decisions. For this reason, acquiring new customers hinges on the company’s ability to substantiate the accuracy of product claims. The best way to accomplish this is to provide quantified evidence via existing customers. This is why successfully nurturing long-term customer relationships is so incredibly important.

Happy customers are not “just” satisfied when a vendor solves their pressing problem. These customers will often vouch for the benefits their organization has realized by using the company’s products. Optimally, they will eventually see beyond their unique clinical or operational workflows and understand how a technology company’s solution can be applied broadly across the market.

If done well, a delighted customer will not only buy more from the company. They will become sales agents as well. By evangelizing the problems solved and benefits realized by healthcare IT products, happy customers attract others with similar needs. This creates new leads and leapfrogs these new prospects further along the sales process as interest and credibility are already established.

Happy Customers Drive Sales

Unfortunately, most early-stage companies are under pressure to complete an implementation as quickly as possible and move on to the next one so revenue recognition can begin. As a result, when an IT company walks away after implementation, the company is likely to miss a growth opportunity.

Truly successful companies are those that continue to satisfy customers’ needs while seeking new ones. Ensuring existing customers are taken care of by solving their problems as they arise, taking an interest in their ongoing needs, and identifying legitimate opportunities to sell more to them are three successful sales strategies. This ongoing relationship-nurturing process is especially important in healthcare, where continuous customer and technical support is required.

A happy customer is more likely to be willing to:

• Contribute to case studies, webinars, and other forms of thought leadership content.
• Provide favorable verbal and written testimonials.
• Support reference calls, site visits, trade shows and introductions to others.

Such evidence-based product marketing content is invaluable for building confidence and eliminating the fear, uncertainty, and doubt necessary to drive the business forward.

Relationship Building Starts at the Top

The role of company leadership, particularly the CEO, is pivotal in fostering a culture focused on long-term customer success. CEOs who focus too much on technology or near-term revenue generation risk overlooking the importance of long-term personal relationships. After all, people buy from people, even in this day and age. No matter how sexy the technology, trust that another human will do what they say and solve a problem they say they can solve is the foundation for business success, not just in health tech and IT.

When company leadership is people-focused, other teams follow suit and are more likely to build customer trust through meaningful interactions that foster a richer understanding of the client’s business challenges and pain points. This benefits sales and support, leading to better products and a deeper understanding of market needs.

Customer Success as a Strategic Philosophy

Satisfied and engaged customers are a competitive advantage and a prerequisite for long-term business growth. Unfortunately, not every CEO gets the memo. There are plenty of companies that seem to care little about their customers and erroneously believe that “if we build it, they will come.”

When company leaders stay informed about customer journeys and optimize processes that ensure ongoing success, customers are apt to become fantastic allies. Remember, the reverse is also true. Unhappy customers are not always able to stop paying and switch vendors, even if they want to. When this happens, they can expose the soft underbelly of a company or product in unexpected ways, such as around interfacing and workflow issues that may not be a core expertise. They can hurt a technology company’s reputation through direct conversation, social media, and the rumor mill. As such, these customers might be doing just the opposite of what company leaders want them to do: Creating customers for competitors.

Readers Write: The End of “Good Enough”: A Personal Journey to Better Healthcare IT Application Support

The End of “Good Enough:” A Personal Journey to Better Healthcare IT Application Support
By Jody Buchman

Jody Buchman, MBA is SVP of continuous services at Healthcare IT Leaders.

I never imagined that my most powerful lesson in healthcare IT application support would come from a hospital bed.

During my third pregnancy, I was given only a 30% chance of carrying to term. It was a high-risk situation that kept me on bed rest. I worked remotely for Cerner from a hospital room while continuing to support clients. For the first time, I experienced the healthcare system not just as a professional, but as a patient. And in that moment, I saw the real impact of the women’s health solution we were implementing – not on a screen, but in the care I was receiving when every decision mattered.

My son Jake was born early, just four pounds. But thanks to an incredible team of clinicians and the systems that empowered them, he went home just three days later. Today, he’s a healthy high school baseball player and a daily reminder of why this work matters so deeply to me.

That experience shaped everything about the way I lead today. Lying in that hospital bed and experiencing the system not as a technologist, but as a mother, I came to understand what excellence in healthcare IT truly means. Behind every system alert and resolved ticket is a human story, a moment where things either go right … or don’t.

It’s why I’ve dedicated my career to building support organizations that are more than just reactive help desks. The traditional Managed Services model – transactional, after-the-fact, and satisfied with “good enough”- simply isn’t good enough. Not when every delay, every overlooked alert, every closed-but-not-solved ticket can directly impact care. I’ve seen the fallout firsthand: burned-out IT teams, clinicians wrestling with tools instead of treating patients, and families caught in the middle.

Healthcare doesn’t stop after hours, and neither can we.

Why the Old Way of Application Support No Longer Works

When you’ve managed global application support at scale, with thousands of customers and millions of incidents a year, you start to notice patterns. For too long, we tolerated a model that measured success by closed tickets, not real solutions.

I’ve seen the consequences: the physician who can’t get help after hours, the nurse who hesitates to open a ticket because it rarely leads to resolution, the IT manager who knows what’s broken but lacks the resources to fix it.

In healthcare, where time, accuracy, and availability are non-negotiable, that model simply doesn’t hold up.

What a Continuous Services Model Looks Like

Healthcare runs around the clock and technology continues to evolve. It’s time our application support models did, too.

What’s needed now is a continuous services approach, one that’s proactive, connected, and designed to prevent problems before they impact care.

Here’s what that means in practice:

First, real-time system monitoring should be the norm. Just as clinicians monitor patient vitals, IT support teams should track system health in real time. Application performance lags, interface errors, error pop-up messages, and failed jobs should be spotted early and addressed before users ever notice.

Second, automation needs to take on more of the routine work. Routine fixes like restarting ops job, failed interface transactions, or real-time data cleansing don’t have to require manual effort or have time constraints. Smart automation can handle these tasks, freeing up IT resources for higher-value work and providing an always-on and available resource around the clock.

Third, the tools and teams supporting the system need to be connected. Too often, monitoring tools don’t talk to ticketing platforms. Analysts don’t have access to context or history. A continuous model links everything together so that support is both faster and more informed.

Fourth, expertise matters. In a continuous services model, clinical and technical support analysts are experts empowered to do more than respond to tickets. They understand clinical workflows, governance, and IT business processes to work as an extension of the IT team solving problems at the root.

Finally, the model has to scale. As organizations grow, the support structure should adapt with them. Intelligent automation makes that possible, creating a flexible operations model that evolves as needs change without drastically impacting cost.

What We Gain When Support Gets Smarter

The benefits go well beyond reducing tickets. Internal IT teams finally get room to focus on long-term projects instead of reacting to daily disruptions. Clinicians spend more time on care and less time wrestling with technology. And most importantly, patients receive care backed by systems that are reliable and responsive.

A Final Thought

After a career in healthcare IT support, I’ve learned that service excellence isn’t about heroics, it’s about making a difference. It’s about providing world-class support designed to ensure the technology is no longer a barrier for clinicians to provide quality care.

Status quo isn’t an option when lives like Jake’s are on the line. The real heroes are the nurses and caregivers. Our job is to make sure the systems behind them are just as ready and dependable.

That’s the kind of continuous support healthcare needs now. One that runs quietly in the background, and when it works well, it saves lives. And it’s entirely within reach.

Readers Write: Healthcare Cyber Resilience in 2025: Why “Good” Isn’t Good Enough

Healthcare Cyber Resilience in 2025: Why “Good” Isn’t Good Enough
By Chad Alessi

Chad Alessi, MS, MBA is managing director of cybersecurity at CTG.

Ninety-two percent of healthcare organizations have experienced at least one cyberattack in the past year. More than half saw disruptions to patient care, and nearly a third reported increased mortality rates as a result. These aren’t just statistics, they’re a wake-up call for the entire industry. The healthcare sector is under siege, and the stakes are nothing less than patient safety, operational continuity, and public trust.

Yet despite the relentless barrage of ransomware, phishing, and supply chain attacks, many healthcare leaders still describe their organizations’ cyber resilience as merely “good” or “average.” An April 2025 CHIME Executive Member Survey, representing 42 healthcare organizations across the US, reveals a sector that is investing more and learning fast. But they are still struggling to keep pace with increasingly sophisticated adversaries who continuously adapt and exploit new vulnerabilities.

While healthcare organizations are dedicating more resources to cybersecurity than ever before, increased spending does not always translate to greater protection. The data shows a sector that is reactive, not proactive, with stronger confidence in threat detection than vital capabilities in response and recovery.

Key findings from the CHIME survey include:

• Most organizations consider their cyber resilience as “good,” but few report achieving excellence. A significant minority still self-identify as average or below average, especially in recovery capabilities.
• Confidence is highest in IT teams’ 24×7 threat detection but drops sharply for non-IT staff and business leaders. This gap is critical when rapid, cross-functional response is needed.
• Investment priorities are clear — AI-driven threat detection, incident response playbooks, modern Security Operations Centers (SOCs), employee training, and supply chain risk management.

Technology alone is not enough to secure healthcare’s digital front lines. The survey highlights how internal barriers, most notably persistent budget constraints, continue to hinder progress, even as the cost of cyber incidents rises.

Executive support and understanding of cybersecurity are often lacking, making it difficult to establish the governance and strategic direction that are needed for resilience. Many organizations also face a shortage of skilled cybersecurity professionals, and legacy IT infrastructure further complicates efforts to modernize defenses.

The complexity of healthcare systems and associated data adds another layer of difficulty, as organizations try to keep up with a rapidly evolving threat landscape. Ultimately, these human and organizational factors can be just as critical as any technical vulnerability.

The future impact of these human vulnerabilities is impossible to assess as bad actors continue to evolve their attacks and new technologies create new opportunities for disruption. This uncertainty was top-of-mind for survey respondents who pointed to a new breed of threats that are rapidly gaining ground.

AI-powered cyberattacks — including deepfakes, generative phishing, and sophisticated social engineering — have emerged as top concerns, as attackers use artificial intelligence to automate and personalize their tactics. Supply chain vulnerabilities are also front and center, with organizations increasingly dependent on third-party vendors that may not have robust security measures in place.

Ransomware continues to be a major concern, especially as attackers shift to encryption-less tactics that threaten to expose sensitive data rather than simply lock it down. Meanwhile, advanced phishing attacks that are capable of bypassing even multi-factor authentication are making it harder than ever to protect critical systems and patient information.

The consequences of these attacks are not confined to the IT department. When hospital systems go down, the effects ripple through every aspect of care delivery. Delays in procedures and tests become common, and critical patient information can become inaccessible at the worst possible moment. The survey and supporting research show just how serious these impacts can be:

• 69% of affect organizations reported disruption to patient care.
• More than 50% saw delays in procedures and tests, while 25% linked attacks to increased patient mortality.
• Supply chain attacks were most likely to disrupt care, with 82% of those affected reporting direct patient impact.

These results underscore the dire need for healthcare organizations to conduct more training to prepare all staff, not just IT, in the event of a disruption. While many organizations deliver basic training or tabletop exercises, few extend these programs beyond IT staff. This is a missed opportunity, as rapid, coordinated response across all departments is essential for minimizing the impact of attacks on patient care.

The survey also found ample opportunity to improve communications during disruptions, which also has a direct impact on restoring patient care. Confidence in incident response communications, both for staff and patients, is mixed, with many organizations expressing uncertainty about whether their plans are up to date, comprehensive, tested, and validated under real-world conditions.

What should healthcare leaders prioritize when it comes to addressing the potential impact of cyber disruptions on patient care?

• Elevate cyber resilience to a board-level priority. Executive leaders must drive strategy, governance, and response readiness across the organization.
• Invest in both technology and talent. AI-driven defenses and modern SOCs are critical, but so are skilled personnel and a culture of cyber awareness.
• Expand training and incident response exercises to all staff, not just IT. Everyone has a role to play in defending patient safety.

Healthcare’s cyber battle will continue to escalate. While the sector is making progress, “good” is no longer good enough. To safeguard patients, protect data, and ensure operational continuity, organizations must adopt a proactive mindset and prioritize both technical innovation and human expertise to create truly resilient operations.

Readers Write: Virtual CISOs Bring New Hope to Orgs Without Dedicated Cybersecurity Officials

Virtual CISOs Bring New Hope to Orgs Without Dedicated Cybersecurity Officials
By Ryan Finlay

Ryan Finlay is principal chief information security officer, advisory services, at CereCore.

Healthcare CIOs are grappling with tight budgets, leading 71% of them to report their intent to seek alternative labor solutions for top priorities such as cybersecurity services. Virtual chief information security officers (VCISOs) offer a pragmatic solution for organizations that are seeking to enhance their cybersecurity resilience strategy.

VCISOs provide organizations with access to high-level cybersecurity expertise without the need to add a full-time executive to the payroll. This fractional leadership model is particularly beneficial for healthcare organizations that often struggle with limited resources and can also be leveraged in an advisory capacity to extend the resources of healthcare IT leaders. A VCISO brings specialized knowledge and strategic direction, helping to assess current security programs, define improvement strategies, and build resilience against cyber threats.

Organizations that lack a full-time dedicated security official could have growing cybersecurity concerns based on limited internal expertise and governance directed by a leadership team with competing priorities. Engaging a VCISO on a part-time basis introduces collaboration with various internal teams, such as a security council and IT security committee, to assess cybersecurity posture and develop a strategic plan for improvement.

A VCISO can help evaluate the effectiveness of existing security protocols, advising on compliance with HIPAA security rules, and implementing resilience-building measures. By leveraging VCISO expertise, organizations can enhance their cybersecurity posture, mitigate risks, and ensure ongoing readiness for future threats.

The value of VCISOs is further underscored by recent survey results of CHIME (College of Health Information Executives) CIOs. The survey highlights cybersecurity as the top IT priority for healthcare CIOs, with 30% of respondents identifying it as their primary focus. This consistent emphasis on cybersecurity reflects the growing recognition of the importance of robust security measures in protecting sensitive data and maintaining operational integrity.

Additionally, the survey revealed a trend towards adopting fractional and virtual strategies for IT leadership. With tight budgets and limited resources, many CIOs are turning to partnerships and outsourcing to address staffing challenges and enhance cybersecurity capabilities. This approach allows organizations to access specialized skills and expertise without the financial burden of full-time hires.

VCISOs can strengthen cybersecurity resilience and bring new confidence to cyber strategies with these best practices:

• Conduct regular security assessments. Regularly evaluate the effectiveness of current security measures, identify areas for improvement and options for addressing them.
  Develop comprehensive security programs. Create detailed action plans that address identified gaps and align with industry standards and regulatory requirements.
• Foster collaboration. Encourage collaboration between VCISOs and internal teams to ensure a cohesive approach to cybersecurity.
• Stay informed on threat trends. Keep abreast of the latest cybersecurity threats and trends to proactively address emerging risks.
• Implement continuous improvement. Regularly update and refine security protocols to adapt to the evolving threat landscape.
• Assist during recovery efforts. In the event of an incident, healthcare leaders can need extra hands to prioritize what needs to be done and make informed recovery decisions.

By providing strategic direction, expertise, and capacity, VCISOs can enable organizations to navigate the complexities of cybersecurity without the need for a full-time executive.

Readers Write: The New Reality of Ransomware: Why Your Epic Environment Needs an Isolated Recovery Plan

The New Reality of Ransomware: Why Your Epic Environment Needs an Isolated Recovery Plan
By Bill Smith

Bill Smith is director of Epic practice at Cordea Consulting.

In early 2024, one of the nation’s largest healthcare payment and revenue cycle platforms was hit by one of the most disruptive cyberattacks in US healthcare history. For weeks, the industry watched as claims processing, pharmacy operations, and revenue cycle management were paralyzed. Providers couldn’t get paid. Patients couldn’t fill prescriptions. Some health systems resorted to writing down billing info on sticky notes while scrambling to find workarounds.

This attack was a wake-up call, not just for rev cycle teams, but for every CIO, CISO, and CTO who is responsible for keeping clinical systems online. If ransomware can take down a national clearinghouse for weeks, what could it do to your Epic environment?

“We Have DR,” They Said. “It’ll Be Fine,” They Said.

In 2024, over 180 confirmed ransomware attacks targeted healthcare providers, compromising more than 25 million records. Backups are encrypted. Disaster recovery (DR) plans fall apart. IT teams scramble for answers. The clock ticks, and patient care suffers. Hospitals and health systems limp through outages for weeks, rebuilding from scratch. We’ve seen it happen too many times.

For healthcare IT leaders, the stakes are higher than ever. When an attack disrupts access to Epic on prem, clinicians lose access to patient records, and operations grind to a halt. The organization also loses patient trust and revenue  to the tune of $1.9 million for every day of downtime, on average.

The truth is, traditional DR wasn’t built for ransomware, and it can’t guarantee Epic will come back online quickly or at all. It was designed for hardware failures, natural disasters, and short-term interruptions, not for sophisticated cyberattacks that can quietly compromise your environment, your production systems and backups, over weeks or months before detonating.

We’re long past the point where traditional backup and DR strategies are sufficient. This isn’t about fear, it’s about preparation. The rules of disaster recovery have changed, and the most resilient healthcare organizations are already adapting by setting up isolated recovery environments (IREs) that can keep them running when everything else grinds to a halt.

Enter the Isolated Recovery Environment

Think of an IRE as an Epic safety vault, completely separated from the turmoil outside. It’s encrypted, dormant until you need it, and updated in near real time with mirrored Epic data. When activated, it gives your organization rapid access to Epic Hyperspace via a public URL to enable basic electronic documentation. With standalone deployments of Interconnect and managed services like Kuiper all segregated in the IRE, this version of Epic is protected from the attack.

An IRE isn’t just another backup system. It’s a fully functional, secure replica of your Epic environment that’s cut off from production and the broader network, purpose-built to remain untouched during a ransomware attack. When (not if) ransomware hits, you can keep delivering patient care, even when your production environment is down.

Why AWS: The Business Case Beyond IT

Many organizations are turning to AWS as the platform of choice for Epic IRE, and with good reason. This isn’t just an infrastructure upgrade, it’s a strategic investment in business continuity and patient safety. For Epic on-prem systems, here’s how an IRE on AWS changes the game:

• Rapid recovery. Switch over to a functional Epic environment in minutes, not days.
• Real-time access to Epic. Clinicians retain access to schedules, notes, and secure chat, even mid-incident.
• Immutable data protection. Advanced network isolation capabilities with air-gapped, encrypted backups shielded from tampering or deletion.
• Operational continuity. Maintain patient care workflows and reduce revenue loss.
• Limited read/write access. Secure logging of patient data even during an attack
• Lower risk profile. A stronger recovery plan can lead to lower cyber insurance premiums.

You also get a cloud-native architecture that scales without breaking your budget, along with AWS’ unmatched security and compliance (146+ HIPAA-eligible services and HITRUST CSF-certified environments). Pay-as-you-go pricing minimizes upfront costs, and deployment is fast (you can go from zero to IRE in as little as 10 weeks)

An IRE on AWS doesn’t just protect data. It safeguards continuity of care. It provides your team with confidence and a sense of stability during a period of chaos when peace of mind is hard to find.

If your recovery strategy still relies on assumptions that backups will be accessible and that downtime will be minimal, it’s time to rethink that strategy. IREs aren’t the future, they’re what forward-thinking healthcare organizations are implementing right now because they’re tired of rolling the dice.

If ransomware’s coming for you (and it is), meet it with a tested, isolated copy of Epic in a fortified cloud bunker. An Epic IRE on AWS offers a proven, practical way to build ransomware resilience into your core IT operations. Because in today’s threat landscape, continuity isn’t just about recovering systems, it’s about preserving trust, safety, and care delivery under pressure.

Readers Write: Early Innovation Matters: What I Learned Building a Glucose Sensor in High School

Early Innovation Matters: What I Learned Building a Glucose Sensor in High School
By Max Kopp

Max Kopp is a high school researcher who is focused on biomedical engineering and non-invasive sensing systems. He is also the founder and CEO of VitaSense.

Diabetes is one of the most widespread chronic diseases in the world. But continuous glucose monitoring remains inaccessible to many patients due to pain, cost, and complexity. While various needle-based solutions exist, they present a barrier to consistent use and adherence, particularly for people with type 2 diabetes who are less likely to be prescribed real-time monitors.

In high school, I began exploring whether a painless and affordable alternative could be possible using light and advanced nanomaterials. What started as a science fair project evolved into a deep investigation into photoplethysmography (PPG) and the semiconductor properties of Germanium Selenide (GeSe) as a potential medium for glucose sensing.

This work eventually became the foundation of a novel approach to non-invasive glucose monitoring that combines flexible, inkjet-printable electronics with wavelength-specific light analysis to estimate glucose concentration in the interstitial fluid beneath the skin. Because the design avoids the need for subdermal sensors or adhesives, it offers potential for broader, long-term adoption.

During the process, I encountered a range of challenges, both scientific and practical. Signal noise, calibration variability, and the need for robust motion filtering were early hurdles. Overcoming them required collaboration with academic mentors, iterative prototyping, and long nights debugging sensor arrays that were built on flexible polymers.

The research was eventually peer-reviewed and published in a scientific journal. It has also earned recognition from national youth science competitions that are focused on applied physics and health innovation. More importantly, it showed that with the right support, young researchers can meaningfully contribute to solving real healthcare problems.

This experience reinforced something critical: the innovation pipeline needs to start much earlier. Most efforts in health technology originate in universities or corporate R&D labs. But students, when given access to tools and mentorship, can identify overlooked patient needs and generate fresh ideas with remarkable speed.

Healthcare leaders should consider how to foster those early-stage ideas. Partnering with student-led projects or offering access to clinical mentors, sensor labs, or data modeling tools can help cultivate innovation from new angles. The barriers to entry are high in regulated health environments, but creating more low-risk educational bridges could lead to high-reward outcomes.

Innovation in chronic disease care will only accelerate if the ecosystem welcomes bold questions from unexpected places. Investing in curiosity, even from classrooms, might help us solve the next billion-dollar problem before it costs patients another dollar.