Ransomware groups aren't slowing down, and they're getting smarter about where they strike. In this episode of Data Book, host Ron Southwick sits down with Baxter Lee, President of Clearwater, for a direct conversation about the real state of healthcare cybersecurity. Lee walks through why third-party vendors have become the industry's greatest exposure, how AI is reshaping the threat landscape on both sides, and why the mindset healthcare needs is shifting from prevention to resilience.
What you will hear in this episode
- Why ambulatory and specialty providers have become prime targets, not just large hospital systems.
- How the Change Healthcare attack permanently reshaped vendor risk management.
- Why AI is lowering the barrier to entry for attackers faster than healthcare can adopt AI on defense.
- What the Stryker attack signals about nation-state motives shifting from ransom to disruption.
- Why healthcare's average ransom payment hit $1.1 million last year, and what brings that number down.
Third-party risk is the industry's weakest link
Hospitals have spent years hardening their own defenses. Attackers responded by moving to where the defenses are thinner: the vendors, SaaS platforms, and cloud providers that hospitals depend on every day. Lee points to third-party risk as the greatest risk facing hospitals today, given increasing reliance on vendors who share and transact on patient data.
The Change Healthcare attack didn't just expose one vendor's failure. It showed how a single point of compromise can cascade across thousands of providers, and it's pushed health systems to ask sharper questions about redundancy, backup vendors, and how quickly they could recover if a critical partner went dark.
Healthcare has been the most targeted industry for close to a decade now, and that's because attackers are having more success in the healthcare market. Our defenses aren't as strong as in other industries. Baxter Lee, President, Clearwater
AI is arming both sides, unevenly
AI has lowered the skill floor for attackers while raising the ceiling on what they can do. Lee describes a landscape where AI-generated phishing is more convincing and produced at far greater volume, where reconnaissance is automated, and where vulnerabilities in code and network configurations get found and exploited faster than any human team could manage alone.
Defenders have the same tools available. The problem is speed of adoption. Healthcare's operational and compliance constraints mean new technology rolls out carefully and slowly, while attackers operate with none of those constraints. That asymmetry is what's widening the gap between attackers and defenders across the industry.
Compliance is not the same as protection
One of Lee's sharpest observations: organizations often treat compliance as the finish line rather than the starting point. Meeting HIPAA Security Rule requirements doesn't guarantee effective cybersecurity, especially when the same practices are repeated year after year without evolving alongside the threat landscape.
It's not about prevention anymore. It's about response and being resilient. It's less about if, and more about when. Baxter Lee, President, Clearwater
Nation-states, ransomware economics, and the path to resilience
Lee also addresses the shift toward nation-state actors targeting healthcare for disruption rather than financial gain, pointing to the Stryker attack as a signal of what's ahead. And on the economics of ransomware, his guidance is direct: organizations with tested recovery and backup plans are demonstrably less likely to pay, since they can restore operations without negotiating with attackers.
Healthcare cybersecurity questions this episode answers
Why are third-party vendors the biggest cyber risk to hospitals?
Hospitals increasingly rely on outsourced vendors and cloud providers, so a single compromised vendor can cascade across thousands of providers at once. Attackers have recognized this and now target the connection points rather than hospitals directly.
How is AI changing healthcare cyberattacks?
AI lowers the barrier to entry for attackers by generating convincing phishing emails at scale and automating vulnerability discovery. It is widening the gap between attackers and defenders because healthcare adopts new technology more slowly than attackers do.
Why did the Change Healthcare attack matter so much?
It was the most disruptive cyberattack in U.S. healthcare history and exposed how dependent the industry is on a small number of critical vendors. It pushed providers to scrutinize vendor security posture and build redundancy into vendor relationships.
Is compliance the same as being protected from cyberattacks?
No. Meeting HIPAA Security Rule requirements is often treated as a finish line, but compliance checkmarks do not guarantee effective cybersecurity, especially when the same practices are repeated year after year without evolving with the threat landscape.
How can hospitals reduce ransomware payments?
Organizations with tested recovery and backup plans are less likely to pay a ransom because they can restore operations without negotiating. Healthcare had the highest average ransom payment of any industry last year at $1.1 million.
Is your organization ready for when, not if?
Clearwater helps healthcare organizations move from a compliance checklist to a resilient, defensible security posture. Get out of the storm and into Clearwater.
Talk with our consultants

