Practical Guidance for Resource-Constrained Healthcare Teams
A Candid Conversation with Clearwater and Nathan Littauer Hospital
For many healthcare organizations (especially small, rural, and community hospitals) cybersecurity doesn’t fail because leaders don’t care. It fails because teams are overwhelmed, under-resourced, and unsure where to start.
This session of the Healthcare Cyber & Compliance Exchange focused on the hardest part of the work: execution. Not theory. Not checklists. But how real teams build resilient programs while juggling workforce shortages, budget constraints, evolving regulations, and nonstop patient care.
Led by Jackie Mattingly, Senior Director of Consulting Services at Clearwater Security, and Lance Alston, Director of IT at Nathan Littauer Hospital, this conversation offered a rare, unfiltered look at what building a strong cyber and compliance program actually looks like on the ground.
Watch more from this event:
2026 Healthcare Cyber Threat Landscape | Risk, Regulation & Resilience
New York Cybersecurity Regulations & HIPAA Updates | Healthcare Compliance
The Reality for Small and Rural Hospitals
Jackie opened the discussion by naming the tension many healthcare leaders feel but rarely say out loud.
Smaller and mid-sized hospitals are being held to the same expectations as large systems, often without the same funding, staffing, or infrastructure.
“The leaders want to do the right thing. They want to reduce risk. They’re just overwhelmed at where to start and what actually matters most.”
Lance reinforced that reality from lived experience.
“We’re trying to accomplish the same task as everyone else. We just may have fewer resources than some of our friends and colleagues.”
With limited staff, multiple single points of failure, and competing operational demands, prioritization becomes a daily challenge.
“Cyber Uncertainty” and Why Communication Matters
One of the most resonant concepts from the session was what Jackie called “cyber uncertainty.”
Not knowing:
- When an incident will occur
- Which system it will impact
- How severe it will be
- Who will be affected
For Lance, that uncertainty shows up not only inside IT, but across clinicians, staff, patients, and the surrounding community.
“Uncertainty isn’t always technical. It’s about visibility, ownership, and unspoken assumptions.”
Security changes like MFA, email restrictions, or password requirements were rejected not because people didn’t care, but because they disrupted long-standing workflows.
Nathan Littauer addressed this by investing heavily in communication and education, both internally and externally, including outreach to patients navigating new security controls.
Where Organizations Should Actually Start
A central theme of the conversation was the danger of starting in the wrong place.
When organizations feel pressure — from regulation, audits, or incidents — the instinct is often to:
- Buy a tool
- Check a box
- Move fast just to feel progress
Jackie challenged that approach directly.
“That’s not the most effective starting point. It’s not just technology — it’s understanding your risk.”
A thorough, asset-based risk analysis reframes fear into facts, noise into clarity, and chaos into structure.
“Risk analysis turns guesswork into decision-making.”
Turning a Risk Assessment into a Roadmap
Lance shared candidly what the risk analysis process revealed at Nathan Littauer, including surprises.
One of the most unexpected outcomes wasn’t technical at all.
“The biggest surprise was the ownership people felt — even those not in IT.”
By involving frontline staff and subject matter experts, the assessment surfaced informal workarounds and undocumented workflows that would have otherwise remained invisible.
Importantly, the organization didn’t treat the assessment as a report to file away.
Instead, they:
- Identified process fixes that cost nothing
- Prioritized low-hanging risk reductions
- Built a multi-year roadmap for larger investments
- Used findings to support leadership conversations
“We didn’t throw tools at the problem. We started with what we could fix right now.”
Leadership Buy-In Requires Translation, Not Jargon
A major barrier to program maturity, Jackie noted, isn’t leadership resistance; it’s miscommunication.
“Executives don’t disengage because they don’t care. They disengage because they don’t know how to translate technical jargon into decisions.”
Boards and executives want clarity on:
- Risk to patient care
- Operational disruption
- Financial exposure
- What decision is being asked of them
Lance emphasized that when leaders are accountable under new regulations, it’s the responsibility of IT and security leaders to communicate risk in business and clinical terms.
“If they’re being asked to attest, it’s our job to make sure they understand.”
Why Trusted Partners Matter for Resilience
For organizations without deep internal security teams, the session highlighted the importance of trusted external support.
Lance shared a real-world incident where a threatening extortion letter could have spiraled into chaos… but didn’t.
“Within 15 minutes, Clearwater had a war bridge stood up and the investigation underway.”
That support allowed a small internal team to stay focused, informed leadership quickly, and avoid unnecessary disruption.
“Without that partnership, we would have spiraled.”
Key Takeaways for Healthcare Leaders
As Jackie summarized, strong programs don’t require perfection, but they do require direction.
Key takeaways from the session:
- Start with a risk-based roadmap, not a tool purchase
- Align cybersecurity to patient care and business priorities
- Focus first on low-cost, high-impact improvements
- Communicate risk in enterprise and clinical terms
- Leverage partners to extend capacity and confidence
“Cybersecurity is a journey — not a destination.”
Watch the Session Replay
This session is designed for healthcare leaders building or maturing cybersecurity and compliance programs under real-world constraints.


