Errol Weiss spent fourteen years in banking and finance before joining Health-ISAC, where he serves as Chief Security Officer. His career has tracked a quiet but profound shift in how critical sectors think about cyber defense, away from prevention at all costs, toward resilience and rapid recovery.
In a conversation with Joe Pettit, Weiss explains why treating attacks as inevitable changes everything, why hospitals need to think like emergency rooms during a ransomware event, and what the pace of AI means for defenders already stretched thin.
How has the mindset of healthcare shifted toward preparing for inevitable attacks, and what challenges still remain?
I saw this shift starting around 2014 to 2015, even in banking and finance. The old mindset was “keep them out at all costs.” We had good perimeter control, and the strategy was simply to protect the boundary. Now the realization has set in: attacks are happening. The bad guys are going to be successful. We have to assume there’s going to be a compromise, and we need to focus on how fast we can detect, respond, and recover.
Healthcare has its own wrinkle. When IT systems degrade because of an attack (and hospitals depend heavily on IT to function), these downtimes become a patient care problem. So, the recovery side becomes critical. You have to be able to run an ICU or ED safely in the event of a ransomware attack.
The issue at hand is that most organizations continue to treat this as an IT issue rather than a resilience issue. Cybersecurity must be considered equal to clinical continuity, emergency preparedness, and disaster recovery plans. The leaders of organizations should be focusing on “Can we continue to operate?” and not “Are we safe?”
What’s the role of information sharing across regions, and how does Health-ISAC adapt to different maturity levels?
Maturity varies greatly across regions and organizations, and there is a significant disparity between large providers and smaller or rural clinics, where limited resources and the lack of nearby alternative care can significantly increase the impact of a cyber incident on patient safety. What’s shifted within Health-ISAC is the purpose of information sharing itself.
Traditionally, the focus was on sharing incident information during attacks, and indicators of compromise during steady state. That’s still important. But now, there’s increasing emphasis on sharing incident response playbooks, lessons learned from real incidents, and outcomes from tabletop exercises: practical approaches to response and recovery.
It demonstrates a change in the overall way of thinking. Information sharing not only helps in mitigating future attacks, it also helps organizations to respond to and recover better from incidents.
When lives are at stake, not just data, how should recovery planning change?
In finance, it was about protecting data and dollars. In healthcare, it’s a life and safety issue, and that changes the recovery plan fundamentally.
Not only are you recovering data; you are providing the means for safe and prompt care to patients whose digital systems fail or malfunction. Recovery planning becomes clinical continuity planning and is part of the same emergency response procedures as those used in mass casualty situations or natural disasters.
However, in real-life situations, this is not always the case. When there are system failures, it might happen that the clinicians must depend on partial data, manual records, or even their memory. Putting together all the data when the systems become operational again can be a complicated process.
These are practical concerns:
Can the ED perform triage?
Can the ICU give medication?
Can surgery proceed?
Is lab data available?
Organizations must plan what will happen during downtime and how to do work manually to ensure that the clinical staff can continue to provide care without access to electronic health records, imaging databases, or other information systems.
What does good cyber recovery realistically look like in a hospital?
Recovery has to be tiered and risk-based. Not all systems are equal.
The most critical clinical functions (ED, ICU, operating rooms, and medication administration) need resilience measured in minutes. Ideally, those systems are designed not to fail completely, or there are well-rehearsed downtime workflows to keep care delivery going.
Recovery periods for back-office and revenue functions can be counted in days, provided that patient care is uninterrupted. In serious disasters, total recovery may take weeks or even months. However, companies that handle such crises effectively follow a similar hierarchy: first, their critical systems, then their operational systems.
Why is ransomware such a powerful attack vector against hospitals?
It creates a difficult situation. When life-safety and critical services are impacted, and systems can’t be restored quickly, organizations can feel significant pressure to resolve the situation as fast as possible.
At the same time, many healthcare entities are operating with limited cybersecurity resources (staff, technology, and processes) which can increase their exposure. That combination makes it easier for attackers to gain a foothold and increases the impact when they do.
Filling these gaps is not just a matter of organizational capability but a wider need for better clarity on the minimum baseline requirements in terms of policy support, particularly for smaller entities that may not have the capacity to even undertake basic cybersecurity efforts.
How fast is AI moving, and what does that mean for defenders?
It’s moving incredibly fast. AI can now identify new vulnerabilities and potential zero-days, which shortens the timeframe defenders have to act. As those vulnerabilities emerge, exploits are likely to follow quickly.
These tools won’t be limited to defenders. Cyber criminals, nation states, and hacktivists will all have access to similar capabilities. That means CISOs and security teams need to rethink how they approach threat management and look at how to use these tools effectively themselves.
There’s also a more encompassing concern. We’ve already seen cybercriminal groups package and sell capabilities (like phishing or DDoS kits) as services, lowering the barrier to entry. AI has the potential to accelerate that trend, making it easier for less-skilled actors to carry out attacks.
At the same time, there are clear benefits. Advances in healthcare and health technology are moving quickly as well. But the pace of change means defenders need to adapt just as quickly.
Errol Weiss, Health-ISAC Chief Security Officer, has over 25 years of experience in Information Security beginning his career with the National Security Agency. He created and ran Citigroup’s Cyber Intelligence Center and was a Senior Vice President Executive with Bank of America’s Global Information Security team.
Managing Director, Bora.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.