Healthcare is one of the most attacked systems in cybersecurity, and the people defending it are saving lives just as surely as the EMT racing through traffic. Sean Martin sits down with Gil Bashe to examine where information, AI, and human leadership intersect in a system that still runs on fax machines and ransom payments.
⬥EPISODE NOTES⬥
The healthcare system is, by some measures, the most targeted sector in cybersecurity. Patient records get lifted, hospitals get held for ransom, and the supposed protections often look more like antiquated friction than modern defense. Gil Bashe, Chair of Global Health and Purpose at FINN Partners, joins Sean Martin to explore why the systems meant to protect people's most sensitive information are, in many cases, the same systems holding back better care. A former combat medic, agency CEO, private equity operator, and now author of Healing the Sick Care System: Why People Matter, Gil Bashe brings a rare composite view of how information, technology, and human judgment collide in healthcare.
The conversation moves quickly from ransomware and HIPAA-covered entities into the harder questions about AI. With an estimated 80 percent of doctors already using OpenAI tools to assist with diagnosis or treatment patterns, the line between "in the zone" and "precision" information has become a clinical safety issue. Gil Bashe reframes hallucinations as what they really are in his world: wrong facts. And wrong facts, fed back into a system that increasingly trusts the output, create a feedback loop that no one is accountable for. The machine doesn't sleep, doesn't worry, doesn't carry responsibility. The humans on either side of it do.
That accountability gap is where the cybersecurity audience comes in. Gil Bashe draws a direct parallel between great coders and great clinicians: both work inside-out and outside-in, interviewing the people who use the system and the people the system serves. He argues that the cybersecurity professional protecting an EMT's routing system, a hospital's power grid, or an MRI data pipeline is saving lives on the same continuum as the paramedic. The skillset is different. The stakes are not.
Sean Martin and Gil Bashe also press on the leadership question raised by AI. If clinicians are freed up by 15 percent of their day, what does the system ask them to do with that time? See two more patients on the conveyor belt of sick care, or actually treat the underlying cause of disease? With 18.7 percent of U.S. GDP going to healthcare and 35 percent of that consumed by administration, the answer is not technical. It is a leadership decision about what the technology is for.
This conversation asks cybersecurity practitioners, CISOs, and technology leaders to widen the frame. Protecting data is the floor. Protecting the human relationships, the clinical judgment, and the dignity of the patient on the other end of the system is the work.
⬥GUEST⬥
Gil Bashe, Chair, Global Health and Purpose at FINN Partners | On LinkedIn: https://www.linkedin.com/in/gilbashe/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/
⬥RESOURCES⬥
Healing the Sick Care System: Why People Matter (book by Gil Bashe) | https://www.finnpartners.com/news-insights/healing-the-sick-care-system-why-people-matter/
FINN Partners | https://www.finnpartners.com/
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
⬥ADDITIONAL INFORMATION⬥
The Future of Cybersecurity Newsletter | https://itspm.ag/future-of-cybersecurity
Connect with Sean Martin | https://www.seanmartin.com/
When Patient Records, Powerlines, and Prompts All Lead to the Same Risk | A Redefining CyberSecurity Podcast Conversation with Gil Bashe, Chair, Global Health and Purpose of FINN Partners
[00:00:00] Sean Martin: And here we are. You're very welcome to a new episode of Redefining Cybersecurity. This is Sean Martin, your host, and I get to talk to all kinds of cool people about cool things related to running businesses in a safe and secure manner. And sometimes those businesses connect directly to us, the human, and sometimes those humans are patients.
And we're gonna talk about the healthcare system and a lot of things that are going on in that space. And I'm thrilled to have Gil Bashe on from FINN Partners. How are you, Gil?
[00:00:31] Gil Bashe: Thrilled to be with you. I think we spent a good amount of our time together talking about you and how great Redefining Cybersecurity was. So I guess I've graduated to the big leagues. Thank you very much for having me.
[00:00:49] Sean Martin: Graduated somewhere.
[00:00:51] Gil Bashe: That's true. And you got my name spot on, so obviously you're ahead of the game.
[00:00:58] Sean Martin: Well, we were joking about changing your name before we started, but we won't do that. We want people to find you.
[00:01:04] Gil Bashe: That actually, this is just an alias for security purposes.
[00:01:08] Sean Martin: Exactly.
[00:01:09] Gil Bashe: It's my name, not to worry.
[00:01:10] Sean Martin: No, it is your name, Gil Bashe. And you're, yeah, bestseller book, I believe. Healing the…
[00:01:18] Gil Bashe: Yeah, it's a miracle. And actually we didn't have to use coding to manipulate the numbers of sales. That was one of the great aspects of this. But Healing the Sick Care System, Why People Matter, I think should be of great concern to your audience that really focuses on the sanctity of information.
[00:01:40] Sean Martin: Yeah.
[00:01:41] Gil Bashe: And when we take a look at it, we sometimes look at security systems or ways of detecting fraud and so forth. Actually one of the most troubled systems when it comes to cybersecurity is our health system, particularly our hospital system. And often patient records are lifted, stolen, hijacked, or blocked, and health systems have to jump in and historically had to pay in a way ransom to get their data back.
It shows you how valuable. Now at the core of this, and I think most of your listeners, especially those involved in the health system, will know that health information is highly, highly protected, so protected that we're using antiquated systems that are hard to enter. I joked around in an article I wrote some time ago, I referenced it in the book, called Death by Fax.
And I actually do think that the fax machine producers, manufacturers must have a massive lobby to protect the fax, because actually our health system was supposed to transition away from fax machines onto encoded or encrypted email systems. It's our own personal lives, our health data. Obviously cybersecurity is a big priority and a big worry for our federal government and also individual health systems.
So I hope we can talk a little bit about that. Hope we can talk a little bit about the role of information and the relationship between patients and physicians, what that means. Do physicians take it seriously or not? How do they react to a patient who comes in with reams of data that they've printed out from OpenAI, ChatGPT? What does that mean in terms of quality of information, trust in the information, and what happens when someone encodes your life incorrectly and then your insurance company and your life insurance company jump on it and you're in the twilight of life trying to correct your very soul?
[00:03:37] Sean Martin: Right. Yeah. You become uninsured, which is not…
[00:03:41] Gil Bashe: Almost. It happened to me, my friend. We can talk about a personal story.
[00:03:46] Sean Martin: Sure, we can do that. I wanna do this to kind of level set folks for what they're about to hear. And of course you're much more than just the book, but maybe a few words about some of the things you've worked on and maybe the premise of the book as well, just so folks have that in their mind as we start to dig into some topics.
[00:04:07] Gil Bashe: I probably, like you, I've had a very eclectic background. I actually started as a health provider in the military as a very senior level combat medic in a paratrooper battalion. I was in government for a few years. I started a company successfully and I sold it to another company. I grew that enterprise as a president.
Larger, I went to a bigger company and did a massive turnaround there globally. And then I became a CEO, a group company CEO, for 14 different companies around the world. That was about $1.2 billion in billings. And from there went to a large private equity firm that then was managing about $4 billion in active management.
And from there I moved to a series of, again, buildups, turnarounds, until I ended up my current position. I'm very grateful to be at FINN Partners, which is a purpose-centered global communications agency that has about 35 offices around the world, 1300 employees, and I'm Chair of Global Health and Purpose, two of our substantial practices that seek to make important work to sustain our society.
And that's given me another look at the health system and information. And then probably most precious, I'm the parent of a child with a rare disease. And I often find that nothing is by chance. Nothing is a coincidence. It just patterns, coding, you could say, that we just haven't found the rationale behind the connection, but there's a connection there.
And so I learned a lot about the health system as a provider on one end, and as a parent on the other. I've had glimpses into the system, its greatness, and its weak spots. And I can talk a little bit about both. And I'll say that information in theory should be like science in theory. It's not. And I'll say that all our information, whether coding or cybersecurity, who has their hands on the wheel of the programs, or the barriers to protect people? It's not coding itself.
And even with augmented intelligence, AI, we think that AI will do coding for us. That's somewhat true, but not true. You see, the person in cybersecurity, I think, is gonna have to rise to a new level with AI that they haven't thought of before. Historically, it was their knowledge of code that created massive programs that protect our society financially, medically, militarily, you name it, transportation, you name it. But what's happened now with machines is they're driven by cognitive power.
It's not just your ability to code, it's your ability to prompt the machine correctly in order to get the output that you need. So I would say the human dynamic in the age of machine learning is more important than ever before, not less so.
[00:06:56] Sean Martin: Yeah. So many things rattling through my brain now already. Just on the coding part, and really the code, writing code using prompts. I think we're becoming reliant upon these systems.
[00:07:24] Gil Bashe: Not just over-reliant, too comfortable. Too comfortable with the systems.
[00:07:28] Sean Martin: That's the other point in my head. So reliant in terms of, we expect it to be there. We expect it to be online. We expect to not run out of credits. We expect the power to be on so we can access these machines. We expect the internet to be there so we can connect to the systems on the other side of them. But then I think there are two things. The experience. When we talk about coding, sometimes we hear the thing about vibe coding, and what vibe do you have if you've not had an experience or know what experience you want to share on the other side?
[00:08:07] Gil Bashe: Bingo. Bingo. We're in the age of wisdom and experience and knowledge, and the machine, no matter how well it works for you, is really only as good as you. You see, in a spiritual sense, AI is a shadow of us. Now, it says that in the Bible that we are created in God's image, and some people might say AI is the new god. And I say absolutely not. No. God is God. We're created in God's image, which means we're like a poor clone, you could say. But what's the machine? The machine is essentially curated information. It neither feels, it has no responsibility, no accountability. It does what you ask it to do. And in that ask is the quality of your humanity, your insight, your experience, and your being able to visualize possibility.
Now in medicine, I think AI and OpenAI is a given. I mean, I think 80% of doctors are using OpenAI now to assist in diagnosis or treatment patterns. The challenge is a great amount of that information is, well, they call it hallucinations, obviously, in your business. In my business, we just call it wrong facts. And so try to imagine, we start to trust and believe in what we're seeing and what we're reading. How do you know it's not correct or incorrect?
Well, you're a bright guy. You mentioned you're hanging out at the Guggenheim and doing all these artsy things and intellectual things in New York City, so obviously we can assume you've got Einstein-like IQ. You'll pick up the true and misinformation or the disinformation like this. But for the bulk of society, when what they see is what they believe, and what they see on ChatGPT they take as gospel, that becomes a problem where we start to act on incorrect information and actually feed the system more misinformation.
Have responsibility. You're held accountable. Would we agree to that? Those people who are involved in cybersecurity hold themselves, or are held, accountable for the quality of their output. OpenAI is not held accountable. It is. And therefore it can never be a reflection of us. OpenAI, when it goes to sleep at night, does it go to sleep at night? Probably not. But when it goes to sleep at night, does it get up two hours later and say, oh my goodness, I forgot to do this in the program or the report or in the briefing, people, or speaking to people?
It doesn't, none of that. We do that with it, but we are the arms and legs and ears and eyes and voice of that system. And that's why… Well, people say, am I gonna lose my job to AI? And I do know that there's a lot of conversation about… I have a lot of friends who say, I just created an amazing program that would've taken me months. I did it in a few hours using OpenAI.
Now someone said that to me recently. Someone who is masterful. I won't say the person's name, I'll say where they were employed. You'll get the picture. They were a senior person at the sort of transportation, navigation company called Waze. And so they said they did something in a few hours that would've taken them months beforehand. Well, look at where they're coming from in the coding. I mean, look at what they created and they're building on top of that. That's a different cognitive power than someone else.
And so the ability of AI to drive output is directly connected to the mind prompting the machine. It's not gonna take someone who has a year of experience and make them masterful. And actually, the Harvard Business Review, I think it was the last month's issue, had a special survey and study on this where they said the performance of someone who is really skilled and experienced improved somewhat with AI, but not a lot. The person who was junior using AI, their experience didn't improve much with AI. It was the person kind of in that more upper-middle zone whose experience improved more dramatically. And that's a real key factor here.
[00:12:57] Sean Martin: Yep.
[00:12:58] Gil Bashe: We can't assume one size fits all with this information. With your blessing, Sean, I'll switch to medicine for a second in this.
[00:13:07] Sean Martin: Absolutely.
[00:13:07] Gil Bashe: So doctors and health professionals use AI. Sure. I mean, why wouldn't they? Just like they used to use WebMD. WebMD was the doctor's most trusted source. AI has moved into that zone. Problem: WebMD was all vetted. Information editors working tirelessly to vet the information. So what WebMD posted across all different therapeutic categories, someone had to double-check and vet with references. Who's doing that for OpenAI, ChatGPT? I'm not familiar with that, really. I mean, there are closed systems that do that, yes. But in general, no.
And so what we have is we have a belief system that says, I'm asking important questions, I'm getting accurate information. And what you're really doing is getting accurate information in the zone, but not necessarily precision information. Now where it can help: patients who use ChatGPT can punch in a lot of symptoms and ask it to sort of catalog what the diagnosis might be and why. That's a very good use of ChatGPT. Doctors can do the same and ask about possible treatment alternatives. But it's not 100% rock solid. It's in the zone, and in the zone in medicine can be very dangerous.
So I just bring that to our guests, our people sitting around us in our virtual living room, thinking about that. It can be a little scary. Flip side of all this now…
[00:15:05] Sean Martin: Yeah.
[00:15:06] Gil Bashe: I always say to doctors, when a patient used to come in with reams of pages out of Google and they would dismiss it. They would look at that patient like, oh my goodness, one of those. And I say, from a behavioral standpoint, really, you have a curious patient who comes in, they've done a lot of homework, it may be wrong. Why don't you start your visit with your patient and ask them what they were looking for and what they found? That's the basis of a real connection around their curiosity and their needs.
Instead, doctors, many doctors, too many doctors, would dismiss this and they'd say, oh, Dr. Google, come on, let's talk. Let me, I'm the expert in the room. When by doing that, they actually dismiss the patient's authentic experience and curiosity.
And I would say people involved in cybersecurity, one of the greatest things they do, and I think some of the great professionals I meet, what do they do? They interview the customers. They interview their internal customers. They interview them for concerns, use, how information is input, how people can access information. A great programmer in cybersecurity is looking at this inside out from the point of view of the internal customer, outside in from the point of view of the person interfacing with the system. That's the difference between an average coder and one of the greats. Same with doctors.
[00:16:49] Sean Martin: Yeah, I love this parallel, and it's maybe much deeper than you realize. Because think back to doctors, right? Everything the doctor said you believed.
[00:17:03] Gil Bashe: Right.
[00:17:03] Sean Martin: You followed.
[00:17:04] Gil Bashe: Stethoscope.
[00:17:06] Sean Martin: Exactly. Exactly. And I mean, rightfully so for many things. They did a lot of research, a lot of training, a lot of practice to get a set of knowledge that can help a lot of people at scale.
But to your point, and I'll call it, it's a bit of… The connection I'll make to cyber is this sense of mystery, right? You don't know the intricate details of this virus or how the molecular system works or whatever it is that's being discussed, and that mystery is used to kind of keep a separation between the person who knows and the person who doesn't.
So we see that in cyber as well, where it's, don't worry about it, we have it covered. You don't need to know the intricate details. Just go about your business. But where I think it also connects, and you painted it in a nice picture where cybersecurity has both views, but my experience is we tend to miss… Yes, we might have a view of our internal program and then connection to the people who are connected to the systems internally. But I think we lose sight of the business. And I was just in San Francisco at a cybersecurity conference, RSAC, where I was looking for: what is the business outcome? What is the societal outcome of all this stuff? The 44,000 people going to see thousands of vendors. What's the outcome of all that? What are we trying to achieve? It's not just protecting against malware, it's not just protecting against ransomware. It's not just protecting against fraud.
[00:18:25] Gil Bashe: Storehouses of knowledge about humanity, and yet we don't think about humanity's ability to utilize the information. So here's a question I'm going to offer you and all the listeners today that concerns me.
We talk about AI in the health system as an optimization tool, right? It's gonna make things faster, more efficient. You'll come to faster diagnoses, faster treatment decisions, all of that. Great. I don't dispute that. I think it's true. Then you're freeing up time. Correct. The most precious commodity. None of us combine more time in life. Time. What will the health system ask of those doctors who are saving time? Will they say, we would like you to think more about your patient's health and shift from treating their symptoms to treating the underlying cause of their disease? Or will they say, wow, we freed up time, you can see another two patients each day?
You see, that's a human decision. That's a leadership decision. And the reason I want to bring this up with you, because I think you have a very expansive view of cybersecurity and information technology, all this rests on leadership, human leadership, not machine leadership.
A human has to say, you know what, we're freeing up 15% more time of our clinicians. How can we put that to really good use? Well, we've moved to a symptomatic treatment model in our society. We often don't cure diseases, we manage them, so they don't become super dangerous. They just become, well, ticking time bombs.
And so a leader has to step forward and say, if information technology, coding, is freeing up your time, then we would like you to go through the cases you see in the course of a day and look at, is there something better we can do for that patient? Now, how do we bill for that? How do we account for that? The health system is a financially driven system also, so we have to think about that. But if we look at the risks of what's called non-communicable diseases that are often preventable, we can prevent heart disease to a large extent. We can prevent type 2 diabetes to a large extent. We can prevent certain respiratory conditions to a large extent.
We can improve mental health to a large extent. We can prevent some cancers to a large extent. But why don't we do that? I mean, think about it. We can. But why don't we do it? Why do we say, oh, high cholesterol, let's prescribe a statin, a cholesterol-reducing drug. Well, it's a good thing to do. Why? Because the doctor no longer has the resources or the time to speak to you and counsel you about diet and exercise. So they jump to secondary prevention. We once called primary prevention not having disease. Now we just shrug our shoulders at that and we say, well, he'll have disease. Let me write a prescription.
And then we talk about the high cost of care. In this country, 18.7% of our GDP goes to healthcare. 35% of that, I might add, is administrative. A lot of money.
[00:22:16] Sean Martin: It.
[00:22:17] Gil Bashe: But the bulk of it is non-communicable diseases. Wow. So I think that we have to think about what your community is capable of doing. They're capable of inventing incredible technologies that protect humanity. And I'll go as far as to say, in our conversation, save people's lives. How will we use that talent to just pass them through the conveyor belt of disease, sick care? Or will we say, we've gotta invest a little more of that intellectual capital on improving their care, on protecting them from what is not the inevitable?
[00:23:04] Sean Martin: Yep. Oh my gosh. So many cool things here. And you, in the context of the healthcare system or the sick care system…
[00:23:15] Gil Bashe: Yeah.
[00:23:15] Sean Martin: Have described my premise for the show, which is we have data, IT data, information, security data, threat data, business data, all kinds of data. And yet, I'm speaking in general terms here, we don't necessarily take the time to use that data outside of treating the secondary symptoms.
Right.
[00:23:43] Gil Bashe: Yes.
[00:23:44] Sean Martin: And so I'm often pushing my guests in the cybersecurity space to say, how do we take what we know as a profession and bring that back to the business to change the business? So we're not spending so much trying to protect against the exposure that we've created with the business, rather than, perhaps, I don't know, saying, why? If we build it differently, if we engage with patients differently, if we engage with each other differently, if we build the systems differently, we don't have to protect as much. We don't have to burn our team out as much. So it shifts from, yes, we might get efficiencies from AI, but it shifts from, I can close two more vulnerabilities a day or respond to two more incidents a day, now, to maybe that time can be spent to say, maybe let's eliminate that system that's always vulnerable.
[00:24:42] Gil Bashe: No, look, absolutely. Your colleagues are doing incredible work on saving people's lives. And I'll give you an example. Most EMTs in major cities, when the EMT suspects a certain diagnosis, whether it's a stroke or another event, they plug that into their laptops on their mobile units and they're directed to the right hospital that can intervene.
That's sort of information technology at its finest. Obviously that technology has to be protected. Try to imagine someone tampered with it, got into the system and corrupted that program. I mean, countless lives would be lost throughout the day until it was caught. So what's the difference between you and your colleagues doing that, to the person in the ER, the emergency department, who is skilled at starting an infusion line? They're saving lives also. It's a different skillset technologically, but it is a lifesaving skillset.
I know we often think about, we see all these movies about millions or billions being moved, you know, like sort of mysteries or James Bond-like moments of the power grid being turned on and off. Of course that's cybersecurity. But believe it or not, when you think about that, the power grid being turned off, how about the power grid being turned off at a hospital system? Hospital systems have to think that through. They do. They have to protect their infrastructure. And so those people who are doing that fine work are at the cutting edge of saving people's lives, and they should stand up and take the bow for their contributions to society.
It's not just the EMT who drives the ambulance through traffic quickly and skillfully. That's a skill. So is coding on health information, or looking at diagnoses, or comparing X-rays or MRI data to one another to really perfect a clinical… And part of it is that code to them is like musical notes. They see the pattern. They can create the pattern. Now life has patterns. We see actually the external expression of health or illness. It's a pattern. Information helps us recognize those patterns, and the correct information that is validated helps us make wise judgments around a person's life.
I think that we often separate the doctor and the nurse and the pharmacist from the information. We call them health information experts, but the people involved in health information are essential to the system, and they are exhibiting more and more leadership over the system, because the system has become highly information-reliant. So I attend a meeting every year called HIMSS. About 35,000 people attend. I was on stage with the CEO of HIMSS, Hal Wolf, one of the founders of the health AI system, Isaac Kohane, and really one of the most practical users of the AI system. His work in AI and the COVID virus was instrumental to teaching the rest of the world.
A body that's not healthy is also vulnerable to its external environment. It deteriorates quickly. It is like a code that is imperfect. It is open to all sorts of malware, viruses, whatever you wanna say.
[00:28:24] Sean Martin: Yeah. Well said, Gil. I think it's easy to forget, and I'm gonna ask my listeners to think about this for a moment. There's the, in HIPAA terms, the covered entity, the main unit in the health system. But then there's the business associates, the BAs, that provide all the supplementary third-party services that make it all work, whether it be payment programs or filing claims or all the stuff that isn't directly just…
[00:29:00] Gil Bashe: That's where the bulk of this technology is being deployed right now, actually, in hospital efficiencies.
[00:29:08] Sean Martin: Yep. So I think at some point, a lot of us, or someone we know, plays a role in the healthcare system, system of systems, if you will. And so let's pause to think about that and remember that chances are what we're doing matters more than you…
[00:29:28] Gil Bashe: Absolutely. Yeah. Look, to everybody who's gonna be tuning in, soon and later, I would say you make a difference. And I know for a fact that you are the foundation upon which the future of our health system will stand.
[00:29:45] Sean Martin: Yep. I agree wholeheartedly. Keep the patient at the center, be a good leader, think about what we're doing. Gil, it's fantastic to chat with you. Marco was right when he said I would enjoy this conversation.
[00:30:00] Gil Bashe: And I loved it as well. Thank you, Sean. And thank…
[00:30:02] Sean Martin: We could talk for hours, I think. And maybe we can pick another topic at some point and connect on that.
[00:30:07] Gil Bashe: That'd be great. To the Redefining Cybersecurity audience, thank you for letting me join you.
[00:30:12] Sean Martin: It's a pleasure having you, Gil. And everybody listening, watching, thanks for tuning in. And please join me on more. And if you have thoughts on this, let me know. If you wanna talk, let me know that as well. Thanks again, Gil. Thanks, everybody.
[00:30:26] Gil Bashe: Bye.