
IoT Security Podcast featuring Josh Spencer
Hosted by Phillip Wylie, xIoT Security Evangelist, Phosphorus
In this episode of the IoT Security Podcast, Phillip Wylie’s guest is Josh Spencer, a cybersecurity expert with 15 years of experience in healthcare. They discuss healthcare cybersecurity, including HIPAA changes, ransomware attacks, and the security of connected medical devices.
Josh Spencer shares his background as a certified ethical hacker and his leadership roles in cybersecurity at large health systems like UT Southwestern. He emphasizes the increasing risks and threats in healthcare cybersecurity and advocates for changes to HIPAA regulations to address ambiguities and require stronger security measures.
The conversation highlights the dangers of ransomware attacks on hospitals, which can disrupt medical systems, delay patient care, and increase mortality rates. Josh discusses a case where a fetal monitor infected with ransomware caused a critical issue. He stresses the importance of having backups and robust cybersecurity controls to prevent attacks and avoid paying ransoms. They also touch on the vulnerabilities of connected devices in healthcare and the potential for severe consequences when these devices are compromised.
Episode Transcript
Phillip Wylie: On this episode of the Phosphorus IoT podcast, I’m joined by cybersecurity healthcare expert and consultant, Josh Spencer. We discuss HIPAA, connected device security, ransomware, and other issues in healthcare cybersecurity. Welcome to the podcast. I’m your host, Phillip Wylie, and today I’m joined by cybersecurity colleague Josh Spencer, highly recommended by another professional in the Dallas-Fort Worth area.
Phillip Wylie: Josh has been gracious enough to join us today. A lot of our focus is going to be around healthcare cybersecurity. There have been many changes around HIPAA that we need to keep up with. Josh, could you introduce yourself and share your background?
Josh Spencer: Certainly. Thanks for having me, Phillip. I’ve been in healthcare cybersecurity for about 15 years. I started as a certified ethical hacker, breaking into databases and systems to identify vulnerabilities. I then moved into technical program leadership and cybersecurity leadership across large health systems. It’s a rapidly evolving field with growing threats, but also many tools and techniques we can use defensively.
Phillip Wylie: Josh worked at UT Southwestern Medical Center for over twelve and a half years as CISO and CTO. You definitely bring strong experience.
Josh Spencer: Thank you.
Phillip Wylie: Let’s kick off with the new changes and challenges in HIPAA.
Josh Spencer: We’re seeing some needed changes. The ambiguity in previous regulations let some organizations cut corners. These updates remove that by requiring things like network maps, asset inventories, and disaster recovery plans. It enforces what should have always been best practices and holds everyone to a consistent standard.
Phillip Wylie: Hospitals have been major ransomware targets. Preventing those attacks is crucial.
Josh Spencer: Absolutely. In healthcare, ransomware doesn’t just mean financial loss—it can lead to increased mortality. Systems can be down for months. Patients might not have their allergy or medication info available. Sometimes ambulances have to reroute, delaying care. There have even been tragic cases, like a fetal monitor infected by ransomware, leading to undetected complications. These consequences emphasize the need for advanced cybersecurity controls.
Phillip Wylie: The real-world impacts are devastating.
Josh Spencer: Yes, and attackers know healthcare is critical. That’s why many ransomware payments are made. But ideally, we’d prepare enough in advance—with air-gapped backups, for example—so payments aren’t necessary. That industry needs to dry up, and we need to prevent funding further attacks.
Phillip Wylie: With so many connected devices in hospitals, the stakes are even higher.
Josh Spencer: Exactly. Many device manufacturers don’t prioritize security updates due to long certification processes. That’s where we implement compensating controls—segmenting the device, using zero trust architecture, and isolating them from broader networks to reduce exposure.
Phillip Wylie: It’s good to hear that mitigations are used rather than just risk acceptances. I’ve seen scary setups in hospitals during WiFi pen tests.
Josh Spencer: Yes, and hospitals are complex environments. A patient could set up a rogue hotspot or plug in a USB stick without knowing the risks. Technologies that detect and alert security teams to such anomalies are essential.
Phillip Wylie: What else can hospitals do to protect connected devices?
Josh Spencer: Stay aware of vulnerabilities and recalls. Some threats are theoretical, but others require immediate action. Physically protect devices—block unused ports, segment networks, keep firmware updated, and monitor network traffic for anomalies, like unusual data transfers to foreign IPs.
Phillip Wylie: Good point. I hadn’t thought about people plugging in phones to charge—another attack vector.
Josh Spencer: Exactly. Sometimes people are just being helpful—like plugging in a found USB stick—not realizing they might be spreading malware.
Phillip Wylie: You mentioned your pen testing background. That must help your defensive strategies.
Josh Spencer: It absolutely does. Having that mindset helps us identify and prioritize real-world threats. Compliance-based approaches often miss the mark. Understanding how attackers think gives us better visibility into what needs fixing first.
Phillip Wylie: Are you seeing more hospitals embracing pen testing?
Josh Spencer: Yes. Headlines help bring awareness. For every incident you read about, there are many more that go unreported. The industry is waking up to the need for proactive defense.
Phillip Wylie: HIPAA compliance is often treated like a checkbox. Hopefully, the threat landscape is encouraging deeper security investments.
Josh Spencer: Exactly. Compliance is only part of it. Culture is huge. Many breaches could’ve been stopped by someone recognizing something unusual—a suspicious email, a weird request. That human element is critical.
Phillip Wylie: Security teams need to build tools with the business, not in isolation.
Josh Spencer: Right. If tools are too secure or restrictive, users go to shadow IT. We’ve seen people use Dropbox instead of internal tools because it’s easier. Secure solutions must also be usable.
Phillip Wylie: What about security awareness in healthcare? Doctors and nurses are busy—how do you train them effectively?
Josh Spencer: Traditional training is ineffective—too dry, too infrequent. The best programs tell stories and explain why these behaviors matter. Reinforce them throughout the year with simulations and real-time feedback. If someone sends sensitive data to ChatGPT, show them policy and alternatives. Catch actions at the moment and make them teachable opportunities.
Phillip Wylie: I love reward-based approaches—recognizing good behavior instead of punishing mistakes.
Josh Spencer: Exactly. One org gave points for reporting phishing emails, which employees could redeem for merchandise. It gamifies security and builds engagement.
Phillip Wylie: That helps build secure habits at home too, especially with BYOD.
Josh Spencer: Yes, and with mobile app management, we can enforce security controls on personal devices while respecting privacy. Good hygiene at home reinforces enterprise security.
Phillip Wylie: Let’s talk about AI. What are the biggest security concerns and best practices?
Josh Spencer: AI is both a huge asset and a threat. It helps analysts triage faster, identify log anomalies, and communicate findings. But users are leaking sensitive data into public models like ChatGPT. We’ve done assessments where data exposure shocked leadership. Some staff even justify their actions, saying it’s worth it for better outcomes. That’s why secure AI implementations are critical.
Phillip Wylie: How are you using AI in your consultancy?
Josh Spencer: We use it constantly. Junior analysts use it to understand logs. Senior staff use it to convert technical findings into clear business language. AI helps summarize complex data, write reports for CIOs, and explain risks in relatable terms.
Phillip Wylie: Any tips for communicating with business stakeholders?
Josh Spencer: Understand their priorities. CFOs care about cost. Executives care about reputation. Use examples from the industry to demonstrate risk. You can even use AI to tailor your communication style.
Phillip Wylie: What are your top recommendations for cybersecurity in healthcare?
Josh Spencer: Stay up-to-date. The threat landscape is evolving fast—especially with AI-driven attacks. Understand the latest vulnerabilities, tools, and best practices. Teams that fall behind get left behind.
Phillip Wylie: Agreed. AI is improving phishing too—making it harder to spot threats.
Josh Spencer: Exactly. Attackers use AI to write perfect emails, personalize messages by scanning LinkedIn, and eliminate the old red flags. But we’re seeing the defenders learn to fight back with AI too.
Phillip Wylie: Thanks for joining the podcast, Josh. It was a pleasure.
Josh Spencer: Likewise. Thanks for having me.
Phillip Wylie: Thanks everyone for listening. To learn more about how Phosphorus secures your IoT and OT environments, visit wwwdev.phosphorus.io.

Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.