Insights from ViVE 2025 and HIMSS25: Reflections on Zero Trust, Generative AI, and Cybersecurity Innovation

ViVE 2025 and HIMSS25 were invigorating reminders of just how dynamic, and challenging, the world of healthcare cybersecurity continues to be. From my speaking sessions to the launch of the Zero Trust Hospital book series, the energy around driving innovation while safeguarding our most critical healthcare systems was palpable. Across both events, I saw renewed focus on proactive strategies like zero trust, a heightened awareness of AI’s potential, and the urgency to outpace sophisticated cybercriminal tactics.

Zero Trust as a Healthcare Imperative

One of the proudest moments for me at ViVE was introducing the Zero Trust Hospital book series. For years, we’ve talked about zero trust as a foundational security principle, but healthcare’s unique challenges—balancing patient safety, operational efficiency, and limited resources—have made universal adoption a slower journey. With this series, our goal is to demonstrate the business value of zero trust while demystifying the concept and providing step-by-step guidance for healthcare organizations to evolve their cybersecurity frameworks. It’s no longer a nebulous “future concept”; it’s a present-day necessity.

This wasn’t just theoretical at HIMSS25. In our session, “From Crisis to Resilience: Zero Trust’s Role in Breach Recovery,” we drilled down into the anatomy of a recent ransomware attack on the University of Vermont Health Network. Their story was a powerful testament to why zero trust is critical. Attacks don’t just disrupt business—they impact patient safety and compromise trust. By embracing zero trust, they not only navigated recovery but built resilience to prevent future breaches. It was a compelling case study that reminded me of why we need to move healthcare beyond the reactive band-aid approach and toward proactive, breach-prevention-first strategies.

Proactive Cybersecurity in the Age of Generative AI

One of the hottest topics at both conferences was generative AI (GenAI). There’s no doubt about its transformative potential in healthcare—diagnostics, virtual care, operational efficiencies—but with that promise comes real risk. In the Zscaler session, “Guarding Healthcare's AI Revolution: Innovate Boldly, Protect Relentlessly,” we delved into the questions every healthcare leader should be asking their security teams right now.

How do we protect creative AI strategies while safeguarding patient trust? How do we ensure data stays secured and compliant with regulations like HIPAA? Technologies like advanced isolation and data loss prevention are invaluable here, but they’re just part of the solution. What struck me most was how much healthcare leaders are embracing the idea that innovation and security don’t stand in opposition. They’re two sides of the same coin. We can—and must—unlock AI’s potential while protecting the very patients it’s designed to help.

That theme carried through to my discussions around vulnerability management. In “Vulnerability Management: Ending the Spreadsheet Nightmare,” we reframed how healthcare organizations measure and act on their security posture. Spreadsheets and siloed tools just don’t cut it anymore. Continuous Threat Exposure Management (CTEM) is what’s allowing some of the most innovative health systems to move beyond overwhelmed IT teams chasing endless to-do lists. By identifying and automating fixes for top exposures, coupled with better data fabric approaches, hospitals are finally seeing measurable security improvements.

Learning from Evolving Threats

One important takeaway from the events is the increasing sophistication of cybercriminal organizations, particularly those targeting critical industries like healthcare. Reflecting on how these groups operate reveals the importance of staying vigilant and proactive. They demonstrate relentless determination, constantly evolving techniques to bypass traditional security measures. They operate like structured organizations, collaborating, troubleshooting technical issues, and demonstrating a business-like approach to achieving their illicit goals.

Despite progress in disrupting malicious efforts, the adversaries’ innovative practices serve as a reminder that cybersecurity is a continual battle. Staying ahead requires persistent innovation, collaboration, and investment in robust defenses to meet the threats of tomorrow. In this ever-changing landscape, the challenges are great, but so too is the potential to safeguard organizations from harm.

Generative AI: The Double-Edged Scalpel

In another session, “The Double-Edged Scalpel of GenAI,” we further explored how AI is both the future and a potential nightmare. The partnership discussion with AWS highlighted how we can align innovation with secure technologies that protect privacy and compliance. AI will revolutionize healthcare, but without the guardrails to control it, we risk eroding the trust that binds patients to providers.

From deep-learning diagnostics to personalized telemedicine, the advancements being dreamed up are astounding. But cybercriminals are also eyeing AI—from embedding malicious prompts into generative tools to leveraging AI-powered reconnaissance for phishing attacks. And let’s not ignore the challenges of integrating secure AI into healthcare systems already struggling with legacy infrastructure. At the end of the day, successful and safe AI adoption in healthcare will depend on our collective ability to weave together security, compliance, and innovation in seamless ways.

Addressing Cyber Workforce and Human Vulnerabilities

Another theme I saw surface across both conferences was the talent shortage in healthcare cybersecurity. It’s an issue I’m passionate about because as great as our tools and technologies are, they still need skilled people to drive and manage them. From cybersecurity upskilling programs to automated workflows that relieve overburdened teams, we need systemic solutions to the workforce crisis.

On the human element, I also emphasized the importance of strengthening the “human firewall.” Social engineering continues to dominate as the leading cause of breaches, and phishing and “smishing” (SMS phishing) attacks are only growing more sophisticated. Training employees to recognize and respond to these threats isn’t just a “nice to have”—it’s as critical as installing the latest patch or firewall update.

A Holistic Approach to Cybersecurity

If I were to summarize my key takeaway from ViVE and HIMSS in one sentence, it would be this: cybersecurity in healthcare doesn’t exist in a silo. We can’t treat it as a standalone line item or afterthought. Patient safety, trust, operational resilience, and financial stability are all inextricably tied to how well we protect our systems.

As technological advancements like generative AI accelerate, so too must our ability to secure that innovation. As ransomware groups evolve—and trust me, they are evolving—our defenses must outpace them. And as hospitals and health systems integrate zero trust principles, we need collaborative efforts to guide them through that journey.

The cybersecurity challenges ahead are daunting, but they’re not insurmountable. With zero trust as a guiding principle, proactive measures like AI-driven threat detection, and continuous learning from the successes and failures of others, we can build resilient, secure healthcare systems that thrive in the face of change.

For me, ViVE 2025 and HIMSS25 were more than just conferences. They were reminders of why I’m so passionate about this work—because the future of healthcare depends on us getting it right. Let’s not just react to the threats. Let’s stay ahead of them.