The Cyber Event Playbook: What to Do Before, During, and After an Attack
Most healthcare executives assume their IT team has cybersecurity covered. Gary Salman has spent 33 years in healthcare tech, responds to active cyber events daily, and says that assumption is the single most dangerous mistake in the industry right now.
Our Guest: Gary Salman is the CEO and Co-Founder of Black Talon Security, a firm that secures approximately 2,000 healthcare entities globally and is regularly retained by law firms and insurance carriers to respond to active cyber events. With over three decades in healthcare technology, from building early practice management and EMR systems to deploying one of the first cloud infrastructures in the late 1990s, Gary brings an operator-level understanding of how healthcare organizations function under attack.
The Problem: Healthcare operators are running cybersecurity the same way they did three to four years ago, and the threat landscape has changed completely. Email account takeovers are now more frequent than ransomware attacks. Hackers are weaponizing AI to find vulnerabilities in minutes that previously took weeks. And 90% of small to mid-size healthcare organizations have never had a formal review of their own security vulnerabilities. When an event occurs, the financial exposure rarely ends with the ransom. It extends to maxed-out insurance policies, regulatory reporting requirements, and class action lawsuits that arrive within days of the breach.
The Solution: Gary outlines the specific questions executives need to be asking, explains why IT and cybersecurity must operate as separate functions, and breaks down the four-layer security framework that separates organizations that contain events from those that don't. He also walks through the exact steps to take in the first 60 minutes of a suspected cyber event and why rushing to restore operations is the most expensive mistake executives make.
Key Takeaways:
[04:12] Email account takeover is now the #1 threat vector. When a C-suite email account is compromised, hackers gain access to M&A communications, wire transfer instructions, and vendor relationships. The damage extends well beyond the organization itself.
[07:17] Ransom payments are nearly universal, even for organizations with backups. When patient data is exfiltrated, refusal to pay means that data gets auctioned to other threat groups on the dark web, exposing patients to direct targeting and triggering regulatory reporting obligations.
[08:51] Class action lawsuits now arrive within days of an attack. A mid-size DSO was served with a class action within 48 hours of the breach appearing on dark web monitoring sites. A three-location dental practice maxed out its cyber insurance policy and went out of business as a result.
[19:27] Self-auditing is the #1 systemic failure. 90% of small to mid-size healthcare organizations have never had their security vulnerabilities formally reviewed. Asking the team that built the security to validate it doesn't work regardless of their competence.
[22:17] IT competence and cybersecurity competence are not the same thing. A cardiologist and a cardiothoracic surgeon both work on the heart but are not interchangeable. Most executive teams are making that substitution in their security stack right now without knowing it.
[27:47] When a cyber event occurs, stop. A tactical timeout (shutting down network traffic, opening an insurance claim, and letting qualified incident response counsel lead) consistently produces better outcomes than trying to restore operations fast.
About the Hosts: Amol Nirgudkar is the CEO of Patient Prism and brings 8 years of healthcare AI expertise to every conversation. A.J. Peak is a multi-site healthcare operations expert and the founder of Health Wealth Capital.
Full conversation on Healthcare100.
Spotify: https://t2m.io/yq0eaWz
Apple: https://t2m.io/1bQPiib
YouTube: https://t2m.io/U3Q6xPB
All episodes: https://t2m.io/kSc7KYQ
Amol Nirgudkar (Patient Prism CEO, 8 years healthcare AI expertise) and A.J. Peak (multi-site healthcare operations expert and founder of Health Wealth Capital) dig into the tactical frameworks that separate scaling winners from everyone else on Healthcare100. We break down the growth engines behind America's fastest-scaling healthcare organizations with the operators who built them.
Follow us for more insights: https://t2m.io/HGeS9xG