Redefining CyberSecurity

Rethinking Public Health Workflows Through Automation and Governance: Why Data Modernization May Be The Key | A Conversation with Jim St. Clair | Redefining CyberSecurity with Sean Martin

Episode Summary

AI is transforming how public health agencies collect, interpret, and act on data, but the benefits depend on strong interoperability, governance, and security foundations. This conversation breaks down the real-world opportunities and risks that leaders must navigate as AI adoption accelerates.

Episode Notes

Artificial intelligence is reshaping how public health organizations manage data, interpret trends, and support decision-making. In this episode, Sean Martin talks with Jim St. Clair, Vice President of Public Health Systems at a major public health research institute, Altarum, about what AI adoption really looks like across federal, state, and local agencies.

Public health continues to face pressure from shifting budgets, aging infrastructure, and growing expectations around timely reporting. Jim highlights how initiatives launched after the pandemic pushed agencies toward modernized systems, new interoperability standards, and a stronger foundation for automated reporting. Interoperability and data accessibility remain central themes, especially as agencies work to retire manual processes and unify fragmented registries, surveillance systems, and reporting pipelines.

AI enters the picture as a multiplier rather than a replacement. Jim outlines practical use cases that public health agencies can act on now, from community health communication tools and emergency response coordination to predictive analytics for population health. These approaches support faster interpretation of data, targeted outreach to communities, and improved visibility into ongoing health activity.

At the same time, CISOs and security leaders are navigating a new risk environment as agencies explore generative AI, open models, and multi-agent systems. Sean and Jim discuss the importance of applying disciplined data governance, aligning AI with FedRAMP and state-level controls, and ensuring that any model running inside an organization’s environment is treated with the same rigor as traditional systems.

The conversation closes with a look at where AI is headed. Jim notes that multi-agent frameworks and smaller, purpose-built models will shape the next wave of public health technology. These systems introduce new opportunities for automation and decision support, but also require thoughtful implementation to ensure trust, reliability, and safety.

This episode presents a realistic, forward-looking view of how AI can strengthen the future of public health and the cybersecurity responsibilities that follow.

GUEST

Jim St. Clair, Vice President, Public Health Systems, Altarum  | On LinkedIn: https://www.linkedin.com/in/jimstclair/

HOST

Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

RESOURCES

N/A

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact

⬥KEYWORDS⬥

sean martin, jim st. clair, ai, interoperability, public health, data governance, population health, cybersecurity, ciso, automation, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

[00:00:36] Sean Martin: And hello everybody. You're very welcome to a new Redefining Cybersecurity podcast. I am Sean Martin, your host. I may not sound like myself today with a bit of a gravelly throat, but, uh, it is me and, uh, I still get to talk to the coolest people about the coolest topics, all in support of. Well generally, uh, [00:01:00] helping the business create a safe and secure business and protect the revenue that it generates. 
 

Uh, but when, when businesses touch society and humanity, it's also protecting those things as well. And we had a great, uh, webinar, uh, not too long ago on the topic of AI in healthcare and a fantastic panel. And one of the panelists, uh, has agreed to come back and have a deeper conversation with me. Jim St. Clair, it's, it's a thrill to have you on. 
 

Pleasure. Pleasure. To here my friend. 
 

[00:01:30] Jim St. Clair: Yeah, no, the pleasure is all mine. Sean, I greatly appreciate the invite for the first panel session. I thought that was all star and, uh, an honor to come back and chat with you a bit more and on the topic. 
 

[00:01:40] Sean Martin: Absolutely. So, uh, yeah, so it was a good panel. I'll, I'll include a link to, to that so folks can watch that on demand. Uh, a lot of great information there from. Provider and payer and, and operations perspective security as well. Um, so Jim, just to kind of [00:02:00] refresh folks, uh, if they saw that or let them know who you are and knew if they didn't see that, and, and, uh, just who you are, what you're up to these days. 
 

[00:02:10] Jim St. Clair: Sure. Absolutely. Uh, I'm the Vice President of Public Health Systems at Altarum Institute. It's a, uh, a nonprofit. We've been around for a lot of decades, uh, with a specific mission to support, uh, public health agencies and public sector healthcare. So, uh, obviously interactions with, uh, federal healthcare, HHS, CDC, other, uh, federal agencies and HHS agencies and then, and then state and local public health agencies, uh, which in my division we do, uh, interoperability IT solutions. 
 

Um. Integration and engineering. Uh, and, and of, of course with that context during the division, in the, in the direction of artificial intelligence and machine learning to be able to support for public health and public health data.[00:03:00]  
 

[00:03:00] Sean Martin: Lot, lot of great stuff there and I'm sure there's a lot of, a lot of little branches or, or leaves that come off all the things that you just mentioned as well. Um, so you, you reminded me of the, the interoperability thing, which is part of the conversation, uh, we had on the webinar as well. Um. What, what are you seeing? 
 

Well, maybe big picture ai, but I, I think ultimately I want to get to some of the interoperability things because, uh, uh, data and now access to the data through ai, um, means we have to have all these systems connected. But I guess, let's back up for a second. We won't go there yet. Um, what are you seeing and hearing in terms of public health and, and. 
 

AI being part of those conversations. What are they looking to do? Are they, do they have purposeful ideas or are they saying, here's ai, let's go explore what? What's some of that state of the union, if [00:04:00] you will, in that regard? 
 

[00:04:00] Jim St. Clair: Yeah. And, and I'll break down, down into some, some tiers and some, some stratification. Obviously the first challenge is that, that public health has a real challenge at the moment, right? Um. Uh, the, the primary sources of funding and initiatives such as data modernization and the like, uh, have been subject to a lot of challenges and variation in the last few weeks, the last couple months. 
 

Um, so we are trying to work very closely with all of our various clients, federal, state level, et cetera, to, to help navigate that. So there is some dust settling that has to take place with that over time. Um, and, and kind of see where things are going next. Uh, even so what we have historically been engaged in and so far fortunate to stay engaged in is helping a lot of public sector organizations continue what, uh, was brought about after the pandemic in the way of modernizing systems. 
 

And with that comes a lot of interoperability. So. There's been [00:05:00] a, uh, a tremendous amount of work done both nationally and globally with new data standards, health IT standards, certify electronic health record systems, et cetera, that, uh, create new ways to generate better interoperability and data sharing. 
 

Uh, and there are various software products, uh, various data standards and the like that we leverage. Uh, to do that. Um, within public health, uh, there's a number of use cases around, um, uh, registration, the registrar, so things like, uh, births associated with birth certificates, um, deaths, uh, other disease surveillance. 
 

All of those are very important, almost daily points of, of information that public health agencies work with to be able to provide reports and statistics and generate other data. And we've been integrating a number of different solutions that increase that interoperability. And what it comes down to is any public health agency having access to data [00:06:00] easily and easily generated from someone coming in to see their doctor or the local coroner reporting who's passed away. 
 

Um, interoperability in a lot of cases isn't just about the exchange of data more easily, but, but being able to report that data more easily and make that data available more easily. Um, so that it isn't, uh, some manual process or, you know, log into three different systems and provide information. So all of that is, is continuing to be underway and then leading up into AI, as we talked about in the panel, as well as, uh, I'm sure what other people are seeing. 
 

How does AI and, uh, enabling, um, processes with greater automation, with greater analytics. Benefit some of these processes for collecting data. Once you've collected the data, once you've improved interoperability, you know, what can you do to draw better conclusions or, uh, better predictive analytics. And that's where I think AI is starting to take root. 
 

[00:06:59] Sean Martin: So the [00:07:00] reporting things. Interesting to me and, and there may be something there or not. I don't know. He'll tell me. Do, do public entities have a greater requirement to report on stuff versus the private, private health sector? Um. In terms of, I don't, I don't know what the re obviously how many, how many new, new births, how many people die? 
 

Maybe some stats on measles just to pick something or I don't, I'm, I'm assuming those are the types of reports. Um, are there different requirements for different agencies separate from, separate from private. 
 

[00:07:41] Jim St. Clair: Yeah, great question. There's, there's a number of requirements like reporting to, to, um, the, uh, the fun, the part of CDC still functioning around. Vital statistics and collecting all of that information. And then, uh, there is, uh, what the specific state laws and [00:08:00] regulations are around how that data is collected. 
 

Uh, and then lastly of course is, you know, you don't wanna come up with yet another requirement for a physician to stop and have to submit this report or process more information or something along those lines. So, so it's a combination of both. What regulations are required or are requiring for data to be collected? 
 

What is it that states want to be able to see and understand for their state populations? Um, and then not coming up with yet one more thing to ask a physician to have to do. So make it easy to be able to get that information from the EHR or pushing a button for, for submitting a report. Uh, make that information readily available for the state public health agency to work with for their own benefit as well as for whatever their federal reporting requirements are. 
 

And then lastly, you know, what does that information tell you? Um, just for instance, this past week, talking on topics of cancer registries where we're doing some work. Uh, in various states, the, the, the states are meeting their requirements and they're looking [00:09:00] to increase their interoperability and collection of information for, for cancer registries. 
 

But yet the reporting requirements say you've got up to 18 months. So when you wanna know, hey, in the last month how many people got cancer in this zip code, you've gotta wait 18 months before all that information is put together. And that's not to blame on the system or the people sitting in front of the consoles. 
 

That's just the nature of the procedures and the regulations as they are right now. So, you know, are, is there valuable information that may be collected more efficiently or more timely to get new public health answers that aren't being collected at the moment? 
 

[00:09:37] Sean Martin: So is this a question of it's, so it's not the people, I'm not, you said it's not the system necessarily. Um, and I'm gonna, I'll question that, but I guess maybe, maybe it's more the, the policy. 
 

[00:09:55] Jim St. Clair: Yeah. So in people, 
 

[00:09:56] Sean Martin: the law. 
 

[00:09:57] Jim St. Clair: it's process and policy. Yeah. 
 

[00:09:59] Sean Martin: [00:10:00] Okay. Yeah. 'cause what I'm thinking is, I'm sure there's a lot, like a lot of legacy stuff, especially in the public, um, public sector, right? 
 

You don't have a lot of money to, uh, redefine things and redeploy new things and, and tear, tear down old stuff, kind of keep it all in place. So I'm just wondering if there are. Reporting requirements that are antiquated. So we're not, we're not asking the right questions or we're not reporting on quote unquote, the right things, and we're just carrying that legacy stuff along, and therefore we're not getting the most out of our data. 
 

Is 
 

[00:10:38] Jim St. Clair: I think, actually that's a great question to ask because I think since the pandemic and with the advent of all of the modernized technology that we are working on, and the number of public health agencies that have made great strides in getting rid of legacy systems or improving their data collection. 
 

Then the question becomes, well, you know, what, [00:11:00] what is public health information? What does public health do? Um, and I'll take a radical approach for a second just for internal discussions as we look at, at these political arguments about, you know, are they gonna cut Medicaid? Or what's gonna happen to Medicaid? 
 

Well, is there public health information within Medicaid that can be used to improve population health? Are there predictive analytics that would help guide how money is being spent on the Medicaid population as, as commercial healthcare moves to what they call value-based care and, and, um, and Medicare Advantage being a big example of value-based care. 
 

How do we collect the right population health data for Medicaid to be able to, uh, make better value-based care decisions for their population? And that means what are we collecting from the Department of Health? What, what other information can public health collect? Uh, and then what do we do with that information and how do we look at it and slice and dice it various ways? 
 

[00:11:58] Sean Martin: Yeah, and I, [00:12:00] I, I can only imagine, I mean, a lot of the questions I presume are operate more efficiently. Cut costs, reduce waste, prevent fraud. I'm sure it was in there somewhere. Um, hopefully deliver care measurements are in there, better care is in there as well. But, but even those are for, are fairly tactical and aren't. 
 

A broad, a broad set of things of what, what can we do? How do we change the way we look at this and ask a question of, with, with all of this data, what, what is possible? And, and how do we ask the right questions that aren't tactical, but are strategic in nature so that we can, and then there's the next part. 
 

What do we do with it when we have, when we have some data to work with, there's some info to work with. 
 

[00:12:49] Jim St. Clair: Absolutely right. And there's a, a colleague of mine, Trey Rawles from Optum, who, who publishes a weekly Substack sometimes, uh, a couple times a week, fa fairly prolific. And, uh, [00:13:00] he wrote a real good one, I think that I read Sunday about applying first principles thinking. So if we look at AI and interoperability and, and big data. 
 

As ways to rethink the information we have available, the knowledge we can develop for, well, what is a first principles way of looking at how we're doing an entire process or, or what we do with the data we're collecting and the answers we're trying to get. And, you know, there there are, there are lots of examples and EHR being a good one where in, in some respects, it just was an electronic form of the way you kept a paper chart. 
 

Anyways. That's not a true transformation or first principles rethink of how you collect information and manage it for a patient. Now, there may not be perfect answers there, but, but just rethinking in terms of first principles, you know, what is it fundamentally as an organization we're trying to do in population health and public health and disseminating information for, for diseases or chronic [00:14:00] conditions. 
 

Um, and, and how can new technologies help get to a, a better first principles way of addressing that. 
 

[00:14:08] Sean Martin: And so then the other thing I'm thinking, and I don't know, I just popped in my head, but I've had quite a few chats with our common good friend, uh, Mr. Mike, Mike Parisi on the, the topic of TEFCA. And I think I posed a question, I don't know, a number of weeks ago, and nobody, nobody replied. Thank you very much. 
 

Everybody on, uh, LinkedIn for not replying. Was just wondering what I, I wondered then what the status of TEFCA was. I, I could probably venture a guess now. 
 

[00:14:44] Jim St. Clair: Um, well, as of right now, it's still, it is still officially in the books. There was, there was, um, misinformation or disinformation that the Sequoia project contract had been canceled. Um, and, and in fact it's been confirmed. That's not the case. [00:15:00] Um, there is, there's still, uh, ongoing processes with the existing qualified health information networks. 
 

Um, so it's not ruled out yet, but, but there is, I think that there are legitimate concerns and questions about where it continues to go with support and sponsorship from this administration, but that doesn't mean that organizations that haven't become qualified health information networks will just stop overnight. 
 

Uh, and, and I think that the, the momentum is starting to build a bit, 
 

[00:15:31] Sean Martin: Okay, because I, I have a feeling that's a, a huge part of finding success in, in this bigger picture is to having the, that common system. Right. Maybe, maybe for folks. I, I will, I'll butcher it. If I try to describe it. Can you describe TEFCA 
 

[00:15:47] Jim St. Clair: Uh, yeah, that's the, uh, Trusted Exchange Framework and Common Agreement, uh, which is a. A framework for information exchange that, um, um, [00:16:00] the, what was the Office of the National Coordinator, now the Assistant Secretary for Technology Policy, ASTP and HHS, uh, came up with a mechanism that was part of the 21st Century Cures Act, all aimed at building national networks for exchanging health information. 
 

Now, I think, um, as a, as a, what I call myself as a, a self-described HIE guy. I think there's a, uh, there's always been an open question as to the roles of the QHINs and national networks relative to HIEs, but I think most everyone would agree diplomatically that they can function harmoniously together for, for various reasons. 
 

Um, but 
 

[00:16:39] Sean Martin: H-R-E-H-I-E is a health, health information exchange. Those are state level. Is that 
 

[00:16:43] Jim St. Clair: those are state level and, and some in the cases of some states, they, you may have more than one. In the case of Texas. They pass their own law around the data exchange framework and have multiple health information organizations, what they call qio, specifically for service within, uh, California to [00:17:00] serve California, uh, population. 
 

Uh, Texas also has several different, um, HIEs as well. But I think when you look to those, those biggest states between New York and Texas and California that really cover the most geography, it's natural that they're a bit more federated. Um, other states like, um, Michigan of course has the Michigan Health Information Network. 
 

Uh, del the Maryland has CRISP, so they may have a singular state entity supporting them, um, with some sub entities underneath. Um, but yeah, as I was saying, I think most everyone agrees that, that, that as defined so far, they can be harmonious. And the most important thing is that when somebody wants their information to go from point A to point B. 
 

That, you know, there's the right switchboard between AT&T, Verizon and Sprint to be able to make it all work. So. 
 

[00:17:48] Sean Martin: Yep. Yep. So I'm wondering how, how AI can fit in here. I mean, we could probably plug it into every, every spot somehow, some way. [00:18:00] Um, are there, are there opportunities, I'm just thinking of this, this complex network of systems and data sets, and if there's. Interfaces and frameworks and everything has to line up properly and it could take forever to do it. 
 

Maybe a simple quote unquote, simple. Uh. Ai. API call 
 

[00:18:25] Jim St. Clair: Yeah. 
 

[00:18:25] Sean Martin: as, as a, as a bridge to some of this stuff could be a nice stop, stop gap, uh, to help connect some of these things as long as security's a part of that equation. Of course. Um, so I dunno, it's just coming in top of my mind. What, what are you, what are you thinking in terms of AI and, and how, how we can go, because there's population health, right? 
 

So the, the broad and then there's. Precision health, 
 

[00:18:52] Jim St. Clair: Mm-hmm. 
 

[00:18:53] Sean Martin: which, uh, AI I presume can help with that as well. So where, where do you think some of the investments, and there's probably other areas, [00:19:00] but where, what are some of the investments you think are coming down the line? 
 

[00:19:04] Jim St. Clair: Yeah. At, uh, Altarum we're, we're going out with a basic message around kind of five different use cases within public health that we think, um, are, are low hanging fruit or can bear fruit for AI, uh, around public health, uh, decision support platforms, you know, using algorithms and, and ML to assist in analyzing data and helping to come up with, uh, courses of action or better understand. 
 

Um, um, next steps in a scenario, uh, community health intelligence suite. Um, and ASTHO, the association of state, tribal and, uh, healthcare organizations. Uh, actually just did a good webinar today talking about AI enabled tools for community health workers and, and community health, uh, agencies, um, workforce augmentation. 
 

And of course this is very similar to workforce augmentation that we're looking at in healthcare as well as other industries where. How can the AI chatbots or AI [00:20:00] agents help enable conversations or individual engagement or communication strategies? Um, one of the things we've talked about recently is you have certain communicable diseases, and of course there's always been a public health reporting requirement around that, and public health agencies collect that data and they report on it. 
 

But what if you have AI tools that help you with that reporting and collection and, and understanding? That then translate into targeted communication tools. Hey, these communicable diseases are coming up in these specific zip codes affecting these demographics and populations. What can we enable through chatbots or other means to be able to communicate to those populations through, you know, uh, popular messages or social media or something to make them more aware, to be able to, uh, uh, address a health challenge or be more aware of a challenge that they have for a communicable disease in the area. 
 

Um, that could be a na, an AI enabled workforce augmentation that would've taken four or five people doing tasks that now could be better automated [00:21:00] by AI going forward. Uh, we're also looking at AI enhanced emergency response coordination. Maybe that's a combination of GIS data being leveraged by large language models in conjunction with other emergency reporting data to be able to be more actionable in. 
 

Um, uh, disaster areas and storm response. You know, something I concern myself with here being in a hurricane zone, and then as you mentioned already, predictive population health management, where we strayed a bit about saying, Hey, you've collected all this data from various registries, from various reporting on various conditions. 
 

How can we translate that into population health information that, uh, provides po predictive analytics that help us make healthcare investment decisions or Medicaid decisions? 
 

[00:21:44] Sean Martin: And so this is your guidance, those five things, which are fantastic. Um, how do, how do different public entities, uh, take, take those first steps are, is it. [00:22:00] Is it all over the place in terms of, of who's, who's moving, how, and where and why. And um, I'm sure a lot of it's driven by funding, but I, I also presume there's some understanding and skills, gaps that may, may impact some, some progress. 
 

What do you think? 
 

[00:22:19] Jim St. Clair: Uh, yeah, and I think that, uh, of it is, of course, early days. It's, it's kind of early days in healthcare. Well, so let's talk about AI and healthcare more, more broadly, where at the macro level we say, oh, early days, slow adoption. Things aren't really coming along. But if you read the Journal of American Medical Association, which has a dedicated AI section, there's all kinds of cool things. 
 

Different hospitals and academic medical centers are doing on their own. You know, there may not be wide adoption, but if you just look at, say, empirical results or what they were choosing to try and, uh, sample with ai and do, I think it holds lots of pro promise for the future. I think public health agencies, uh, agencies are, [00:23:00] are in a similar position, realizing, of course, we started off by saying the immediate challenges that, that we all are facing with regards to budgets and, and just, you know, government investment. 
 

Um, but there's potential for the next generation of tools and what they continue to adopt to be able to leverage some small portion of ai, maybe a larger gen AI implementation for managing their data, uh, all of which are, are there for consideration. I think what I'd like to think is that the barriers to entry are relatively low. 
 

If you, if you consider them, you know, there's been lots of technologies in the past that just getting your hands on something like. A certain server or a certain router or a certain, a certain piece of software, um, wasn't as immediately achievable and, and, and leverageable as you can, you know, sign up for a free ChatGPT account right now. 
 

[00:23:57] Sean Martin: Yeah, exactly. Exactly. [00:24:00] And just makes me wonder what, um, yeah, I, I presume there's a lot of requirements, I'll call 'em, requirements for things that need to get. Done or built or we, we, we have all these systems, we replace them. There's still a list of things we never got to, some of 'em, some of 'em it may be because the system doesn't support it or whatever the case may be. 
 

I'm thinking of the scenario that's coming to mind is, um, like remote, remote health, where. Doctors and nurses go out and visit and they, so they have a, a set of people they're gonna go visit at their home. Home, home health, I guess it should say. 
 

[00:24:42] Jim St. Clair: Or remote patient monitoring. Yeah. 
 

[00:24:43] Sean Martin: Yeah. And so how, how do you, how do you schedule those calls and, and visits and, and I, I would, I would imagine setting up logic to do that manually would be hard. 
 

And using AI could, would [00:25:00] be easier. Um, uh, that's probably a lame example, but 
 

[00:25:04] Jim St. Clair: I think it's a great example, and if I could elaborate on it for a second. Um, mm-hmm. I, I think you just described the scenario. So let's just say for argument's sake, it's three people, three people in a rural area that have responsibility in some fashion to follow up on, whether it's home health, remote patient monitoring. 
 

Um, can all three people cover the geography necessary to get to the necessary number of patients? Um, how many of those patients lack the resources to be able to get to some healthcare center, to to, to, uh, be seen versus having someone go to their house? Um, there's a whole range of remote patient monitoring tools and, and not just the wearables and the, and the Fitbits, but, but real live, medically approved wearables that, uh, and remote patient monitoring that get reliable data. 
 

Really just pose a challenge if you don't have something like big data and AI to potentially do [00:26:00] analysis for you. So you could have, whether it's prompts or agents set up that query for specific information or are looking for trends or you know, let me know when Mrs. Watson has another AFib episode as an example, and that information is fed back. 
 

That help tailor and improve or augment what those three people have to be able to do every day. I, I like to use the term force multiplier 'cause it's a, um, a Nick na moniker we had from DOD because we'd say, well, with this weapon system, it's a force multiplier. You know, I have this, I have this one weapon. 
 

Weapon. Instead of sending in two squads of troops, I have this one weapon. So that makes it a force multiplier. Okay, well instead of sending in, you know, two squads of healthcare workers that don't exist, and I've only got three. Um, my one weapon is an LLM or a trained multi-agent, uh, framework. Uh, using all of this collected data to help answer questions and analyze things for me to tell me what I need to focus on for priorities. 
 

[00:26:58] Sean Martin: I love it. [00:27:00] I love it. So are there, uh, there must be the, the companies building some of these systems for public health entities to use and they're not, public entities aren't building this stuff themselves, are they? Or maybe they are. I dunno. 
 

[00:27:15] Jim St. Clair: Uh, um, well, that's a super question, and I think it speaks to the industry in general. You can go out and, and you can buy gen AI, you know, you can, you can get a subscription to Claude or get a subscription to ChatGPT or Gemini Pro or whatever, and then you do something with it. It's still just a subscription like anybody else. 
 

Uh, and then there's a, a multitude of vendors that may be offering you. Tailored AI capabilities to do a function, to write a document, to review information, et cetera, that are built on those same generative AI platforms. And then you have, uh, the, the cloud service providers themselves, the data center and technology providers. 
 

AWS and, and Google with the cloud platform, Microsoft Azure and [00:28:00] their AI work. And they're offering you enterprise type AI solutions where you're doing things with their computing and cloud platforms that you can benefit from what their AI that's built in has to offer, um, which is more of what we're doing with our initiatives at Altarum. 
 

Um, so you really have the choice of kind of, you know, do I, oh, and then I guess the last one, which I last, but by no means, uh, not least, is of course the open source, open model world that allows you to download and run your own if you want, or set it up in an instance of a cloud. And I would offer, if you look again at some of those publications in, um, the Journal of Medical, uh, journal, journal of American Medical Association, AI sections, a lot of those efforts, they've built their own machine learning models or they've done something with their own algorithms. 
 

They have rolled their own completely for research purposes. Um, in some cases, because you obviously have the most control over that and in others, because they may have a commercialization opportunity. So they can in turn, turn that into a commercial AI platform and offer it as [00:29:00] something that's explicitly applied for, you know, kidney dialysis or, uh, cardiac monitoring or something like that, that they could use. 
 

So it's, it's, you know, kind of, again, it's also very, very much like we were talking about before. It used to be if you needed a copy of, uh, Oracle database, you had to go and buy a copy of Oracle database. And that was the only way to use it. Now it's like, well, I need to do something with AI. Okay, well, here's the six different ways that you can approach, you know, identifying, utilizing, implementing AI depending on how, what you're calling AI to be in the first place. 
 

[00:29:34] Sean Martin: Yeah. And uh, so. Here's the question is we're, we're roughly 30 minutes here. Um, so my audience, primarily security leaders and chief security officers, chief information security officers, practitioners, and business leaders as well. And so I want to connect this for them. So [00:30:00] clearly if, if they're in the healthcare space, they, they probably know a lot about what we talked about. 
 

Um, but what might. Let's look at it from two different ways. Are, let me ask a question. First, business leaders in public health, are they still doing what's right for, for HIPAA, HITECH, and, and privacy in general? Let's answer that first and then I'll go to the, the 
 

[00:30:27] Jim St. Clair: Uh, yeah, so, so in the context of our clients, um, we have our own secure cloud network that meets, um, NIST and, uh, and, and many of the FedRAMP requirements specifically to support, you know, PHI, um, controlled unclassified information, that sort of thing. Mm-hmm. Um, so, so we have taken that seriously because our clients in the public health agencies are taking that very seriously. 
 

And, and I would say to you as, 
 

[00:30:55] Sean Martin: So they're not, they're not laxing because they're chasing the shiny new [00:31:00] thing. And they'll get to the privacy stuff later. Are they, 
 

[00:31:03] Jim St. Clair: Yeah, no, that's, that's a great way to ask the question. Um, I was about to say that I have been a little bit surprised, and I guess I like the fact that more and more, um, say state level requirements that we see the states are now benefiting from the, what, what's known as FedRAMP, that's called StateRAMP at the, at the state level. 
 

So states have embodied NIST type security controls in their requirements and will offer, you know, ask for something perhaps bright and shiny, but that bright and shiny still has to operate within a security control environment. Um, and, and we're seeing that quite a bit. I think that's very heartening as a guy who believes everything that's should be, that everything that's done in the cloud should be done in a FedRAMP environment. 
 

Um, you know, preferably FedRAMP Moderate or High. Uh, so in that context, as we talk to clients about AI and doing things with AI, you know, I like initiatives that [00:32:00] involve generative AI, and I'm not here to bash generative AI, but generative AI is a rented service. You know, just like any other online service driven by APIs, that's different than recognizing we want to get into AI as a public health agency, make it part of our knowledge management, uh, and our data governance, and saying how we do that in the context of FedRAMP, StateRAMP, 
 

um, um, HITRUST-type compliant environments, which means selecting an architecture where you have more control over the large language models, the, the AI processing in the context of that environment. So those, those models themselves have a number of vulnerabilities. Of course, you're always exploring safety and security in AI. 
 

If that's running contained within the enclave of your FedRAMP, StateRAMP secured environment, that's an entirely different risk management scenario than I'm just gonna feed something into ChatGPT, who promises me it's gonna be anonymized. 
 

[00:32:59] Sean Martin: All right, so let's [00:33:00] that, that's great information. Thank you for all that. Let's switch it to the, to the CISO now. So ho, hopefully CISO and these entities are having conversations with the, the directors and executive leaders, uh, driving, driving the boat, right? Steering the ship. 
 

[00:33:20] Jim St. Clair: Mm-hmm. 
 

[00:33:21] Sean Martin: Um, but there's always, there's always gonna be some form of shadow AI, I think. 
 

And the easiest is with, with the rented service. Uh, grab yourself a 20 bucks a month, uh, usage. Right? Um, uh, how do CISOs, well, let's start, look at it two different ways. At the executive level, what, what kind of questions should they be, CISOs be asking the executives to ensure that they're driving the right message down in terms of secure and safe use of AI. Then the other way up, what should they be looking for to see if there are [00:34:00] signs of, of AI being used that's not, I'll say sanctioned or, uh, completely well understood at the, at the business and operational level 
 

[00:34:10] Jim St. Clair: Yeah. Um, I think that's a great question. From my experience, I've seen lots of CISOs and had the pleasure to interact with quite a few that are working on getting those answers. So, um, for instance, the Healthcare Sector Coordinating Council, which is, um, the healthcare industry representative group working with HHS and DHS around cybersecurity infrastructure protection. 
 

We, one of our nearest working groups is, is, uh, uh, cybersecurity for AI. That is starting off first by saying, look, there's a whole collection of publications and pontifications around reliable AI, trustworthy AI, secure AI. What, what does that mean? What, what are, um, overlapping frameworks or what are frameworks we haven't addressed yet? 
 

From, from NIST, from ETSI, the European authorities, from ENISA, from, you [00:35:00] know, whoever, the UN about ways that AI should be controlled and risks of AI and things to be concerned with. And I think we're trying to synthesize that into, you know, easily understandable, actionable risk management tools for healthcare CISOs to use to understand if, if AI gets thrust upon them by leadership, you know, these are things to look out for. 
 

Or of course, ideally they're, they're asked at the table, well, what are some of, you know, we're interested in moving into AI strategically. Hey, CISO, what does that mean for us in terms of our security concerns and how should we approach it safely and securely to begin with? Um, and, uh, you always wanna point to, you know, speaking of my CISO days, you always want to point to a framework, a reliable standard, something that keeps you outta trouble because it's what everyone has adopted. 
 

Uh, and, and those are still evolving. I think, um, my personal thought, the biggest challenge with AI is that. Um, [00:36:00] you know, you got a box and in that box is AI and it's a neural network and it's, it's confabulating things and coming up with calculations and how it processes the GTAs into gatas is still kind of, you know, mathematical confusion. 
 

Um, and historically you've had systems and you've had data control and system integrity to know, well, if I put one value in here, I expect to get this value out over here. And that's how I know the system was working. Right. You don't always have those controls now, so we concern ourselves with, you know, um, LLM poisoning and data injection and some of these other concerns. 
 

But then what other frameworks can I look to to mitigate that risk in terms of controlling, uh, either the, the, the checks that are involved or how the data is entered or what happens to the data while it's in there and it doesn't leave these three servers no matter what. Okay, that's cool. Um, uh, how does my, how does my memory work with the GPU? 
 

So it's not dumping, uh, [00:37:00] memory content into an unsecured location or something along those lines. Uh, that all comes from just, um, the combination of technical understanding with, you know, these frameworks and, and guidelines and controls. 
 

[00:37:11] Sean Martin: Yeah, and I've had quite a few conversations on AI security and, um, I, people listen to the show, probably heard me say a few times that I harken back to my days in quality assurance where you, you had a, a defined set of scenarios and use cases and inputs and outputs and you had a nice box that you could test and then you'd, you'd try to break the box in as well and mix stuff up inside the box, but it was fairly contained and now there, there's no, there's no form-like interface that people are interacting with. It's a free form, free thought. There's vibe coding and all kinds of other vibe stuff going on. Uh, [00:38:00] that it's not a single input. And to your point, not the same output. Um, not always the right output or an accurate output. And that's just from the data level. And if we start to think of it in the same context or in the same sense, but in the context of security and privacy, in terms of access control and, and, um, yeah. 
 

Systems sharing information or, uh, we're exposing information. I think the, the way we look at it, security of AI also needs to be rethought in that sense. 'Cause it's not, it's not, it's not just a box where, you know, something's going in and something's coming out and I, as long as I protect that perimeter, I'm okay. 
 

'cause there, there's 
 

[00:38:44] Jim St. Clair: Uh, you're exactly right, Sean. And I mean, that goes back to, to the, to the turn of the century when we were still talking about defense in depth strategies and, and you know, from a military perspective, applying the way we, we secured on the battlefield to secured our [00:39:00] networks. But it was largely whatever wire connected to another box was your various points of security. 
 

But now, um, as you were just describing, I think it's, you know, it's not just AI security. What you're really worried about is data and the data governance. AI is meaningless if there isn't data behind it. What you're worried about are the safety, security, integrity, availability of that data and, and data governance, uh, is turned into a, a real challenge for, you know, an environment where data is, is everywhere. 
 

So. 
 

[00:39:33] Sean Martin: Yeah. So I don't, you, you described some of the vulnerability and attack surfaces and methods. Um, you think you could describe what I described for CISOs in a way that gives them something to, to work from, to think about differently as they, as they, uh, re redo or redefine their cybersecurity programs with AI in mind. 
 

[00:39:58] Jim St. Clair: Um, yeah, I think, uh, I think [00:40:00] NIST has some good guidelines, unfortunately. Um, I know speaking for myself, it's an area that requires almost, you know, daily understanding. Um, and, and of course appreciating that, that healthcare CISOs in particular have enough challenges just with their own environment before AI starts introducing new ones. 
 

Um, I think, uh, and I sincerely have not paid as much attention to it, but I think that AI for cybersecurity is also, you know, rapidly growing too, which is, hey, these new threats are gonna be too difficult to keep up with. So why not have AI as my friendly guard dog being able to, uh, to help watch what AI is doing in other places too? 
 

Um, uh, and uh, and I think most CISOs are pretty smart when it comes to understanding vendor wear and, and, um, and, and whether or not there are real solutions to choose or to acquire or to build something or buy it. And that's all, that's all part of the game for development. 
 

[00:40:59] Sean Martin: Yeah, I, [00:41:00] I'll put in part of the fun and games. Uh, I, I drug you all over the place. You're, uh, you're, you're amazing to, uh, to, to follow along my crazy mind, mind bending today. Um, I, I know you, you've been doing some research as well and, uh, I don't want to go through all of it, but was, was there anything in there, because we didn't touch on it directly, uh, was there anything in, in the material you're putting together. 
 

That stands out maybe even in the context of what we discussed today that you wanna highlight. 
 

[00:41:31] Jim St. Clair: Um, yeah, I, I think it's grown more and more important, you know, taking a look at the AI research stuff that I, that I read and skim through every day to translating into real live AI adoption and, and where that gap is. I don't think you can understand the trend and multi-agent frameworks. So there's still a very general understanding around AI being Gen AI, which means 
 

ChatGPT or an LLM. Uh, what multi-agent frameworks are [00:42:00] capable of doing, what smaller language models with multiple agents can do, uh, is only just being discovered. And that's really where I think the cow is gonna knock over a lantern and, and set the, set the barn on fire. Um, so, so that'll be 
 

[00:42:15] Sean Martin: I'm with 
 

[00:42:15] Jim St. Clair: area to explore. 
 

[00:42:17] Sean Martin: I'm, I'm with you and I, I had a, a, an introductory for myself. Anyway, uh, conversation on, on, uh, agent AI and, and, uh, with a hint of cyber cybersecurity. Uh, Ken Wang from, uh, from OWASP. I think he's the AI Exchange. 
 

[00:42:34] Jim St. Clair: Yeah, yeah. Ken's good. 
 

[00:42:35] Sean Martin: And, uh, so. He enlightened me. I mean, he's got deep knowledge. I, I learned like this much 'cause that's all I can 
 

[00:42:42] Jim St. Clair: Yeah. 
 

[00:42:42] Sean Martin: But, uh, I'm, I'm with you there. The, uh, the lantern getting knocked over, I mean, we start talking about agents writing codes, so the system works differently based on how it's prompted. It's gonna be gonna be quite something. [00:43:00] That, that's a good advice. Thanks for bringing that up again and, uh, making my mind spin some more. Well, Jim, it's uh, it's been great chatting with you and, um, obviously we could, we could chat for hours, but we won't. We'll let, let folks, uh, rum ruminate on this and, uh, we'll chat with you soon. So thank you so much. Appreciate it 
 

[00:43:20] Jim St. Clair: Absolutely. Thank you so much. Good to talk to you, Sean. Appreciate the opportunity. 
 

[00:43:24] Sean Martin: Absolutely. Thanks everybody for listening. Stay tuned, subscribe, share with your friends and enemies, and, uh, we'll see you on the next episode.  
 
