In April 2026, CISO Series brought together six security leaders from across the healthcare industry for a week-long Reddit AMA on r/cybersecurity. The stakes of a security failure in healthcare aren’t measured solely by downtime or data loss. They’re also measured in patient outcomes.
The panel fielded questions on everything from medical device security and vendor negotiations to career paths in OT/IoT and how to think honestly about risk in an environment where “no” is rarely a safe answer either.
This week’s participants:
- Errol Weiss, (u/SecretaryWise6205), CISO, Health-ISAC
- Jack Kufahl, (u/AccidentalCISO1817), CISO, Michigan Medicine
- Samantha Jacques, (u/MedDevGuru786), VP of clinical engineering, McLaren Health Care
- Jason Elrod, (u/CISO_Jason), CISO, MultiCare Health System
- Montez Fitzpatrick, (u/Beneficial-Expert635), CISO, Navvis
- Gary Longsine, (u/IntrinsicSecurity), CEO, Intrinsic Security
Read the full AMA here.
Medical device security starts with knowing what you have
A community member asked how healthcare organizations should approach the risk of connected medical devices, especially those from major vendors. Jack Kufahl responded to where the problem actually begins:
“Visibility – you can’t protect what you don’t know you have. Inventory is still one of the biggest gaps, especially with legacy and vendor-managed devices.” – Jack Kufahl, (u/AccidentalCISO1817)
Samantha Jacques added that the lifecycle problem compounds the visibility one. Patches depend on manufacturers, and manufacturers don’t always deliver.
“A lifecycle approach is often cited. Initial mitigation at deployment, such as segmentation, followed by patching (when we can get patches from manufacturers). The issues come up when the systems go end of life.” – Samantha Jacques, (u/MedDevGuru786)
You’re not balancing risk and innovation. You’re deciding whether to be honest about the tradeoffs.
When asked how to balance organizational pressure for emerging technology against the risk it introduces, Jason Elrod reframed the question entirely.
“You don’t really balance it. You decide whether you’re being honest about the tradeoffs. If you don’t make the tradeoffs explicit and assign ownership, risk just gets absorbed silently into the system. And in healthcare, silent risk is usually what shows up later as a real-world problem.” – Jason Elrod, (u/CISO_Jason)
“Human error” is a symptom, not a cause
When asked about the most common threats on a day-to-day basis, Jason Elrod pushed back on how the industry tends to frame the problem.
“‘Human error’ gets blamed a lot, but it’s usually a symptom, not the root cause. Most of what I see day to day falls into a few buckets: phishing and social engineering, identity issues, third-party exposure, misconfigurations, and self-inflicted wounds. Underneath all of that, the common thread is pretty consistent: systems and processes that assume perfect behavior from imperfect people.” – Jason Elrod, (u/CISO_Jason)
The threat from legacy network devices is structural, not accidental
Gary Longsine on why poorly protected network-connected devices remain such a persistent problem in healthcare:
“There’s no relationship between the size of the vendor and the security of their network-connected devices, either. Everybody is just making things and putting them out in the world without an appropriate concern for security unless it’s been forced upon them by government legislation, which is usually waived.” – Gary Longsine, (u/IntrinsicSecurity)
OT/IoT security as a career: necessary, but not well rewarded yet
A community member asked whether OT/medical device security is a worthwhile area to pursue given how competitive the broader cybersecurity job market has become.
“OT security is absolutely necessary and is worthwhile to pursue. The economics of the field right now just aren’t great. Don’t be discouraged by the fact that you haven’t been able to leap, but I would estimate that there isn’t a differentiation for you that makes you more desirable than your peers. Find that and change that.” – Montez Fitzpatrick, (u/Beneficial-Expert635)
What the threat landscape actually looks like heading into 2026
Errol Weiss flagged a data point the community hadn’t raised, one worth paying attention to as we head into the rest of the year.
“From Health-ISAC’s Annual Threat Survey, the top issue in 2025 was ransomware, phishing, third-party and partner breaches, data breaches, and 0-day exploits. Looking ahead into 2026, the top issue was AI-enabled attacks plus everything from 2025.” – Errol Weiss, (u/SecretaryWise6205)
Healthcare security doesn’t operate in a vacuum. Every trade-off has a patient on the other end, and every unpatched device or silent risk absorbed into the system is a decision that was made, whether or not anyone said so out loud. What this AMA made clear is that the practitioners doing this work aren’t just managing technology. They’re navigating organizational complexity, clinical reality, and an adversary landscape that isn’t slowing down.
In our next AMA, the conversation shifts to incident response. The May 2026 AMA will bring together security professionals who have dealt with ransomware firsthand and will cover how they handled the attack. There are many questions and issues to consider, but the most important one is this: how do you keep the business running?