Healthcare cybersecurity stands at an inflection point. Traditional compliance frameworks are proving inadequate in the face of sophisticated threats targeting patient data, clinical operations, and connected medical devices. Robert Eikel, CISO at P-n-T Data Corp., brings unique expertise from government service, financial services, and pediatric healthcare to discuss how leading organizations are evolving beyond checklist security. We'll explore the new frontlines of healthcare cyber defense—identity, integrity, and interoperability—while examining how emerging technologies like AI and quantum computing are reshaping the threat landscape.
Robert Eikel, Chief Information Security Officer, P-n-T Data Corp.
Megan Antonelli, Founder & CEO, HealthIMPACT Live
[0:01] Intro: Welcome to Digital Health Talks. Each week we meet with healthcare leaders making an immeasurable difference in equity, access, and quality. Hear about what tech is worth investing in and what isn't as we focus on the innovations that deliver. Join Megan Antonelli, Janae Sharp, and Shahid Shah for a weekly no BS deep dive on what's really making an impact in healthcare.
[0:30] Megan Antonelli: Hi everybody. Welcome to Digital Health Talks. This is Megan Antonelli, CEO of Health Impact Live. Healthcare cybersecurity has reached a critical juncture where traditional compliance approaches are failing to protect organizations from escalating threats. Today, we're joined by Robert Eikel, CISO at PNT Data Corp. He brings a unique perspective from government service, financial services, and pediatric healthcare to discuss how leading organizations are transforming security risk into a strategic advantage. Hi Robert, how are you today?
[1:04] Robert Eikel: Great, Megan, it's so good to be on the program with you. Thank you so much. Thanks for having me.
[1:08] Megan Antonelli: Yeah, excited to talk to you and hear about, you know, you've really had a unique career journey so far in software development and as I mentioned, on the government side of things, working at financial at Webster Bank, and then Connecticut Children's. And now, of course, as CISO of PNT Data Corp. Tell me a little bit about how that background has shaped your approach to healthcare cybersecurity and how that aligns with PNT's mission.
[1:35] Robert Eikel: I've had a sort of an interesting and pretty varied journey within the IT space and within information security. I've taken lessons along the road from a lot of different places. From working in the government environment, I really learned a healthy paranoia. Foreign adversaries really are out to recruit our citizens and steal our secrets every day. And that is something I've tried to bring with me into the private sector, and sometimes it takes a little convincing to tell people that, no, really criminals are out to get us. People think, oh, it couldn't happen here, those hackers will go after somebody else, but the paranoia is for a security professional like me, a healthy state of mind.
[2:24] Robert Eikel: Working in the provider space really drove home to me that in healthcare and in the provider space particularly, cybersecurity is life safety. It's patient safety, it really matters. It's not just privacy, although it's that too, there really can be health and lives on the line.
[2:48] Robert Eikel: And you asked about our mission at PNT Data—as far as cybersecurity goes, really our mission is to avoid holding data wherever we can. That's a new approach for the company. The company's been around for about 20 years and for most of that time, I think we've done what a lot of companies do, which is to hold data kind of by default. And I really credit our executive team for recognizing that data without business value is just risk, and we're holding on to years and years of pure risk. So we've just started the work of getting those data holdings down to zero. It's a long road, but that is absolutely our goal.
[3:31] Robert Eikel: And as we've done that, I found that security as a function—myself as a security professional—needs to help people through that change. It's uncomfortable. People sort of expect that the data will always be there, and when it's a risk and when it needs to go away, and when it's not there, people need to become comfortable with that.
[3:53] Megan Antonelli: Yeah, so explain that a little bit, you know, I mean, in terms of what data was usually kept and what does that mean that you no longer hold that data.
[4:04] Robert Eikel: So we move healthcare transactional data, that's our core business—between providers, payers, and other parties who need EDI data or clinical data to do their workflows, do their business, get paid. And we, unlike a lot of others in our space, we are not a data analytics company. We are not trying to monetize our customers' data, we are not trying to feed it into an AI model, we're not trying to resell it to somebody else. We are the professionals at solving those data integration challenges, and that's it. So for us, once the data has gone from A to B and it's been safely delivered, we no longer need it more than FedEx needs a copy of your package after they put it on your door.
[4:55] Megan Antonelli: Got it, got it. Well I imagine having come, you know, as you said, working in government gives you a fair sense of paranoia and then financial services and healthcare, which are often compared, you know, I think financial services certainly saw a lot of digital transformation early on and then you hear about comparisons of healthcare, how we have been slower. Although recently, you know, perhaps catching up a bit. Tell us a little bit as you look at how healthcare's cybersecurity challenges are unique and different and why are some of the traditional compliance approaches, you know, less effective in healthcare.
[5:34] Robert Eikel: So healthcare is one of the highest consequence sectors when it comes to cybersecurity. As I said a few minutes ago, there are privacy implications and there are potentially safety implications. So outside of areas like maybe aviation, we are one of the riskiest places to practice cybersecurity. And in terms of compliance, at least here in the United States, the regulatory framework is pretty weak. The HIPAA security rule is a lot weaker than the HIPAA privacy rule. It doesn't have a lot of teeth, it doesn't have a lot of specifics. I was heartened to see the NPRM that came out from HHS in January proposing to strengthen, update, and put some real specifics into the HIPAA security rule. We'll see where that goes.
[6:28] Megan Antonelli: A high risk area, you know, and the consequences are high, and we saw that, right? We saw that very much with the Change Healthcare disruptions, you know, and the inability to literally practice medicine, you know, from that side of things. What, and I do think the sort of silver lining, if you will, of some of those incidents was that now leadership is paying attention. It is no longer a hey, pay attention to security. It is a must have across organizations. Are you seeing that, and as you're, you know, sort of talking about how PNT does not hold the data, you know, is there sort of a deeper understanding of the strategic consequences that the executives now understand?
[7:16] Robert Eikel: I think we're starting to see it. I think especially—you mentioned Change Healthcare—for a lot of smaller providers, because they didn't have any redundant capacity to send claims to get paid, it could have been an existential risk or threat to them. And I think executives are starting to get—I will, that's as far as I'll go—starting to get that this can be existential. For example, right here in Connecticut, Waterbury Hospital is bankrupt in part because of a ransomware incident and the recovery from that ransomware incident broke the hospital financially. It can be existential and I think some executives get that and some are still getting it.
[8:12] Megan Antonelli: And it just, I mean, why do you think that is? Why do you think it has taken so long with so many examples of where this has, you know, disrupted care, you know, created bankruptcy. Why do you, why is that that it doesn't, you know, necessarily sink in as fast as it should?
[8:32] Robert Eikel: I think too often cybersecurity is seen as an IT problem or an IT issue. The CISO in at least half of US organizations according to surveys I've seen is underneath IT. I think financial services has done better in this regard. Lots of financial services CISOs now report directly to risk, where I think they belong. And I think part of that is on my profession. It's on us security professionals, many of whom come out of IT like myself, many of whom are more comfortable in the world of IT and haven't always learned to speak the language of the business of the C-suite and so it's too easy to write it off as an IT thing that IT should handle.
[9:23] Robert Eikel: And most executives, frankly, don't like dealing with IT. They want IT to just happen. They want to focus on the business, which is what they're hired to do.
[9:31] Megan Antonelli: Right. Yeah, I know, it is interesting and it, you know, I mean, as the digital transformation happens to healthcare and, and, you know, across all industries and sectors, that distinction between IT and just operations and all, you know, all that has become, you know, certainly blurred, but in healthcare, it does, there are, you know, those factions remain, right, the silos of that and then that security tends to sit underneath that is really a big piece of that, in terms of how to, you know, build it into a sort of strategic capabilities, right?
[10:09] Megan Antonelli: I mean, we have a lot of conversations here around how it impacts, you know, part of the security piece is, it is hard. There is, you know, it adds layers of inconvenience and workflow that, you know, you wouldn't necessarily design in to an operation to protect the data, and that becomes, you know, cumbersome or burdensome to some of your clinicians or operational staff and then you meet resistance. In terms of, you know, you used to work at Connecticut Children's Hospital, you know, there were sort of patient safety, cybersecurity issues. What are some of the, you know, areas that you do think when speaking to leadership gets their attention, right? I mean, how can organizations who, you know, sort of have that champion, CIOs who are the champion, get the leadership, you know, kind of corralled in all the same direction.
[11:06] Robert Eikel: Yeah, I think it comes back to that healthy paranoia and sometimes you just have to marshal all the headlines, and it's not hard to get a whole list of headlines together, especially in the hospital and provider space. I mentioned Waterbury Hospital, but the patient safety issues and financial issues stemming from usually ransomware, but some other failure of cybersecurity. And it has to be, as I said, in financial services, information security more often is reporting up to risk. It has to be seen as part of that risk function, that this is a risk that needs to be mitigated, because it can be existential.
[11:56] Robert Eikel: And, again, speaking that business language of risk, quantifying risk wherever possible. I'm a big believer in risk quantification. There are several methodologies out there, but when there's a dollar sign in front of that risk, now we're talking the same language, and now I, as the security leader can justify the investment that mitigates the risk.
[12:23] Megan Antonelli: Yeah, for sure, and it isn't, you know, it isn't an inexpensive problem. So the implementations of these, whether it's through workflow and through the security systems that are needed, has a dollar sign attached to it as well. And of course there's been regulatory. You mentioned HIPAA and changes coming to HIPAA and then around interoperability. I mean, it is almost like innovation itself in healthcare has sort of been counter to the protection of data, right? And whether it's the desire for more access to their own data for patients, and then that on the other side, this desire to or need to keep that data private and to keep it, you know, out of the hands of both, you know, those who are with mal intention and then even beyond that, just, you know, there's just a lot of security that you want to keep that data protected.
[13:18] Megan Antonelli: And now, in addition, of course, you've got sort of this, you know, cybercriminal framework, and then now AI coming into this and sort of these elements of both machines and humans accessing the data, and then interoperability, a desire for organizations to speak to each other. You know, what in terms of, you know, how organizations can kind of balance that need for data and innovation, and then the operational imperatives. You know, how do you see that all kind of coming together? How do you work with your clients on that?
[13:59] Robert Eikel: I think the most important number one thing is to know your data, and that's easy to say and sometimes very hard to do. Large organizations have a lot of data sprawl, but there's a reason that the first step in the cybersecurity framework is identify. In that context talking about identifying all the range of assets, but I would say in particular the data assets. And as you get to know your data, you'll probably find, you may find that some of it is not needed, as we did, and you can de-risk yourself by simply not holding that data.
[14:38] Robert Eikel: You'll probably find that some of that data doesn't have a clear owner or a governance structure. And so that's the next step in this CSF is govern. You need to put a governance framework around it, and then protect, detect, respond and recover. I, as you can tell, I'm a big fan of the cybersecurity framework. I think it's a really, you know, 6 points that fits on one slide. It's something that I use and people like me can use to show executives at a high level, these are the things we need to do. But as I said, it all starts with knowing your data.
[15:21] Megan Antonelli: Which can be hard because there's data coming from so many places, right? Especially now, you know, and even when we talk about wearables and medical devices, and just unbelievable, everything that goes into a health system now is smart, you know, is smart in some way, which creates more and more, you know, vulnerability. So how do you, you know, how are, you know, you suggesting that systems kind of approach that from a, you know, sort of device security and governance standpoint. What are some of the top things you tell your folks to do?
[15:59] Robert Eikel: Well, in the, again for hospital and hospital systems where you do have potential life safety issues, in particular because of network medical devices, I think in many cases you have to fix the organizational problems first. In a lot of places we have what I consider the worst of all possible worlds. IT and IoT sharing a network, technically integrated and in full communication with each other, but organizationally siloed between IT and biomed. And so you've got to fix that organizational challenge, make sure that everything is under the jurisdiction of the CISO.
[16:44] Robert Eikel: And then you get the governance right, then you can identify and move on to protect and in the IoT context, that's gonna be network segmentation because these devices, as we all know, you're not putting a sensor on the device, you're not putting anti-malware on the device, you're not putting EDR on the device, the device just is the device. And so it's gonna be network layer protection, like again, we can learn from financial services. PCI DSS is a tough framework that everybody hates to comply with, but it says your credit card data needs to be network segmented and look at other critical infrastructure, water, power, the IT and OT are clearly separated. So that's something that healthcare needs to learn.
[17:41] Megan Antonelli: Sure. No, absolutely. Well, then, and then beyond that, of course, and we talked about it a little bit in terms of AI kind of revolutionizing healthcare delivery and introducing a whole new stream of threats, threat vectors and how healthcare organizations can both, you know, effectively adopt and experiment and bring in these amazing tools that are helping, but also ensure that these are secure. Are there specific steps that you recommend when it comes to kind of partnering with AI companies, using AI tools internally. What are some of the things that you've been, you know, sort of warning and advising your clients about in that regard?
[18:28] Robert Eikel: There's such huge potential and we're seeing just the beginning of, as you said, revolutionary changes in how we operate on data and what we do with data. I think there are two main points I would make. One is know your AI supplier. And know their suppliers, and that's really hard, but doing that and doing that homework upfront, understanding where your data will go, how it will be used, when it will be destroyed, how long will they keep it, how long will that risk exist in their space, and what are your contractual guarantees and what's your legal recourse. That homework is very much worth it.
[19:16] Robert Eikel: And second, if the guarantees aren't adequate or the data is too sensitive, don't be afraid to do it yourself. Running models in-house is absolutely an option. The technology is there, the models are there, it takes one or two skilled people, and it stays within your four walls, because a lot of AI risk is just supplier risk.
[19:49] Megan Antonelli: Of course, yeah, I know that's great advice. You know, you've worked in this space for a long time, inside, outside of healthcare, you know, I think one of the biggest learnings and one thing I find in sort of my role where I'm sort of recruiting and amplifying security stories is a lot of times people don't want to share the mistakes or the mishaps or, you know, after something's happened, they don't really want to talk about it too much because it will then further expose vulnerabilities. Well, without doing that, can you share maybe some of your, you know, hard lessons learned with our audience? Is there a particular example of one that you're just like, you know, that was it, you know, that was the lesson. And if you could share that with folks so that they don't find themselves in that.
[20:35] Robert Eikel: One that comes to mind, you mentioned Change Healthcare, and we, I talked about how a lot of providers, small and big, found themselves in a very tough situation because they didn't have a secondary supplier. And I was too slow to take that lesson for myself. So we are now doing what we should have done a while ago, which is identifying our business processes that have a critical dependency on a single supplier. And then we need to either re-engineer those processes to run if that supplier's down or get a secondary supplier, because when it comes to business continuity, suppliers are the wild card—vendors, suppliers.
[21:29] Robert Eikel: Systems that we own and control or your own organization owns and runs, you know what their DR performance is, you can run tests, you can run exercises, you can make it better, you can be pretty confident it'll be back up in X amount of time with X amount of data. For outside firms, who knows? And they may tell you something, but it's hard to have really solid assurance of their disaster recovery. So that then comes back to how do we continue business continuity in a situation where like Change Healthcare, supplier went away for 6 or 8 months.
[22:12] Megan Antonelli: Yeah, absolutely. And I mean, in talking about kind of the supplier, the vulnerability of partners and suppliers in this, I mean, a lot of times there isn't a choice. I mean, you mentioned, yes, you can bring the models in with AI, but certainly there's a number of areas where your, you know, organizations have to work with suppliers. Are there, you know, what are the best practices, what are the questions you have to ask and what are some of the sort of basic fundamentals of ensuring those partner agreements are not exposing you to new vulnerabilities?
[22:48] Robert Eikel: Yeah. There are I think 3 hard questions that you should ask before doing business with a supplier. One I already alluded to. How long will you be down? How long will you be down if like Change Healthcare, you get ransomware and the incident response firm tells you, nope, your environment's dirty, your backups are dirty, you can't restore into your environment. Now what? That's a really hard question, and that's a question we're asking ourselves, and we're asking our suppliers, especially our critical suppliers. What are you gonna do if you don't even have a data center to restore it to?
[23:29] Robert Eikel: Second, again, I already alluded to, how long will you keep my data and what will you do with it? And what does the contract say about what you are and aren't allowed to do with it? And then how will you prove to me that you have or have not done what you're supposed to do with my data. Again, a lot of companies, especially the AI companies, they're selling you the service, but they also want their hands on your data. And that puts your data at risk.
[23:99] Robert Eikel: And the third gets back to the compliance that we talked about a few minutes ago. There's not a strong enough regulatory framework to rely on. We live in a world where you have to look to gold standard third party certification. In healthcare that generally means a HITRUST R2 or a SOC2 report. You need to dig into that, you need to look at who wrote it, you need to actually read it, which is a long and painful exercise, but you need to actually read it and understand, and if you have questions, you gotta press the supplier. What did happen with that control? What did happen with that gap that was identified? Show me how you're closing it. You have to think like an auditor a little bit yourself.
[24:52] Robert Eikel: If you're a very large and well-resourced firm, like, say, back in financial services, you might have the luxury of actually having an auditor or two of your own. But for the most part, we're relying on those third party audits which are great, but we need to apply our own skeptical eyes to them.
[25:09] Megan Antonelli: Yeah, I know, and I think, I mean, nothing in healthcare is easy. There's lots of complexity and lots of, you know, sort of stakeholders and players involved. So I think with security, it's one of those things where, you know, a lot of the leadership often leave it to the people who understand it, and then, you know, they sort of have blinders on until they can't anymore. But one of the things that we like to talk about at Digital Health Talks and our Health Impact is sort of what's good? What's good in healthcare? What are the, you know, we have a segment called Five Good Things. So I often end with this question and sort of to give us that optimistic look.
[25:46] Megan Antonelli: So despite sort of increasing threats, reduced resources, the tight timelines to which these healthcare organizations kind of have to respond and implement, as you look at what's to come within the security field and cybersecurity and protecting healthcare systems, what do you see as kind of the good things that are kind of putting us in the right direction?
[26:11] Robert Eikel: Well, Megan, thank you for that prompt because as a security professional, I see the glass is half empty at best. I always look to the bad side. So thank you for prompting me to try to look to the good side for a change. In healthcare, I would say more than many other verticals, notwithstanding everything I said earlier about executives and griping about executives, people get it. People get data security more than in a lot of other verticals after 25 years now, I guess, of HIPAA or 30 years of HIPAA. It's been a generation, it's sunk in that patient data, patient privacy, and all these things matter.
[26:55] Robert Eikel: You know, the other good, I think good news in healthcare is that we know, all of us know that what we do matters a lot to people who need healthcare, whether you're at the point of care or in a supporting role like I am or like PNT is. And when bad stuff happens, we find a way to get it done. And you saw that after the problems with Change Healthcare and you saw it during the pandemic, we find a way to get things done.
[27:31] Robert Eikel: And then I guess my third source of optimism is, you know, I see good people working in healthcare, in the healthcare security area, like, in part because we know that it matters and we don't always have the investment dollars we wish we did, but we have enough to get some good things done and, yeah, I see good people being attracted to this area.
[28:04] Megan Antonelli: Well, that's one of our more common answers I'll tell you is that the good people working towards good things, also very intelligent people, right? Who get it, and, and as you said, that sort of understanding of the importance of the task at hand, right? And that's why so many people do, you know, kind of get into healthcare, whether you're a technology person or you've come from finance and government, the healthcare side of this that makes even cybersecurity a human issue with, you know, with real risk attached to it, that kind of can motivate outside of just the numbers and the switches and the things that we need to do to minimize that risk.
[28:43] Megan Antonelli: But, tell our audience, like, what's the best way to get in touch with you if they want to learn more about PNT, how can they do that?
[28:50] Robert Eikel: Search me up on LinkedIn. I'm pretty easy to find; it's the best way to get in touch with me, or to get in touch with PNT.
[28:59] Megan Antonelli: Yeah. So Robert Eikel, it's E-I-K-E-L for those of you listening, and yeah, no, thanks so much, Robert, really informative, really thoughtful. You guys are doing great work, so I appreciate you coming here and sharing that with us today.
[29:15] Robert Eikel: Thank you. It's been a real pleasure talking with you.
[29:17] Megan Antonelli: Yeah, and thank you to our audience for joining us on Digital Health Talks. If you found today's insights valuable, please subscribe and follow us for more conversations with healthcare technology leaders fixing healthcare. That's Megan Antonelli, and we'll see you next time.
[29:34] Outro: Thank you for joining us on Digital Health Talks, where we explore the intersection of healthcare and technology with leaders who are transforming patient care. This episode was brought to you by our valued program partners Automation Anywhere, revolutionizing healthcare workflows through intelligent automation. Nara, advancing contactless vital signs monitoring. Elite groups delivering strategic healthcare IT solutions. Cello, securing healthcare identity management and access governance. Your engagement helps drive the future of healthcare innovation. Subscribe to Digital Health Talks on your preferred podcast platform. Share these insights with your network and follow us on LinkedIn for exclusive content and updates.
[30:28] Ready to connect with healthcare technology leaders in person? Join us at the next Health Impact event. Visit HealthImpactForum.com for date and registration. Until next time, this is Digital Health Talks, where change makers come together to fix healthcare.