
CMMC in Healthcare: What Cybersecurity Leaders Need to Know | Podcast

AHLA’s Speaking of Health Law | Sponsored by Clearwater

Cyber risk in healthcare is no longer defined solely by HIPAA. As organizations become more connected to federal agencies, research partners, and complex vendor ecosystems, new requirements are entering the picture.

In this episode of AHLA’s Speaking of Health Law, Clearwater’s Dave Bailey is joined by Jennifer McIntosh to examine the growing impact of the Cybersecurity Maturity Model Certification (CMMC) on healthcare organizations.

Originally developed by the Department of Defense, CMMC is expanding beyond traditional defense contractors, often affecting healthcare organizations through contracts, vendors, and indirect relationships they may not fully understand.

Listen to the Episode

This conversation focuses on how CMMC is changing expectations around data governance, vendor accountability, and enterprise risk in healthcare.

In this episode, you will learn:

  • Why CMMC is becoming relevant to healthcare organizations, even without a direct DoD contract
  • How third-party and supply chain relationships are introducing new cybersecurity obligations
  • What distinguishes CMMC from familiar frameworks such as HIPAA and NIST CSF
  • Why data governance is foundational to both compliance and operational resilience
  • Practical steps organizations can take to assess exposure and begin preparing


About the Guests

Dave Bailey
Vice President, Consulting Solutions and Strategy, Clearwater

Jennifer McIntosh
Of Counsel, Stinson

What This Means for Healthcare Organizations

CMMC introduces a different standard for how cybersecurity is evaluated. It is not a point-in-time compliance exercise. Organizations are expected to demonstrate that controls are implemented, consistently followed, and supported by evidence through a formal audit process.

For healthcare organizations, exposure is often broader than expected. As discussed in this episode, CMMC applicability is frequently driven by contracts and supply chain relationships, not just direct engagement with the Department of Defense. Organizations may be subject to requirements because they store, process, or interact with regulated data somewhere in that chain.

A consistent theme in this discussion is the role of data governance. Before organizations can assess CMMC readiness, they need a clear understanding of what data they hold, where it resides, who has access to it, and how it is used. Without that foundation, it becomes difficult to meet not only CMMC expectations, but also broader regulatory and operational requirements.

For many organizations, this is where the real work begins: not with mapping controls, but with establishing visibility and discipline around data that already exists across the environment.

Podcast originally hosted and published by AHLA

About Clearwater & Redspin

Clearwater is the leading provider of cybersecurity and compliance solutions for the healthcare industry, helping organizations align privacy, security, and business objectives to achieve resilience and trust.

Redspin, a division of Clearwater, specializes in security assessments and is an authorized CMMC Third Party Assessor Organization (C3PAO). Together, Clearwater and Redspin support healthcare and related organizations through CMMC readiness, control validation, and formal certification, bringing practical experience in both preparing for and executing against rigorous federal requirements.
