Healthcare Rethink - Episode 112
FinThrive's CTO, John Landy, and Chief Information Security Officer, Greg Surla, delve into an engaging discussion on the evolving landscape of IT security and the role of AI in the healthcare industry at HIMSS 2025, Las Vegas. They outline the significance of proactive cybersecurity measures in the face of increasing attacks targeting the healthcare sector.
Episode Transcript
Hello. This is John Landy, CTO of FinThrive, here at HIMSS 2025 in Las Vegas, Nevada. I'm here with Greg Surla.
Yeah. Hi, everybody. I'm Greg Surla. I'm the Chief Information Security Officer of FinThrive.
I've been with the company for about three years now, in the industry for a little over thirty years. Just excited to be here in Vegas with the FinThrive team.
Thanks, Greg. We're in the midst of a lot of change on the security front. What's getting you excited these days about what you're seeing in the marketplace?
Yeah. So cybersecurity is always changing, and that's what makes the job and the career a lot of fun. Nothing tends to get boring. What we're seeing lately is the fallout from the Change Healthcare event and other events that are impacting healthcare.
Healthcare has been hit a lot lately, and it's becoming a big target. So we're trying to respond to those targets. We're trying to work with our customers, work with our vendors, and make sure that we're all on the same page so that we're responding to these events when they occur, and if they occur, we're responding correctly. That kind of gets me excited about the role.
There's a lot to do, a lot more to do, and, as I said, it never gets boring.
Yeah. Great. And we noticed that healthcare, in general, gets targeted a lot more in the security space, more so than other industries like financial services that have over-invested in security. What do you see as far as investment in security today that's out in the market in healthcare specifically?
Right. So FinThrive conducted a survey on how cybersecurity is being financed and how technology is being financed. And we're seeing a differentiation between those healthcare organizations that have hefty budgets and those that are on the bottom end. As you can imagine, those organizations with bigger budgets are able to respond to these events, whereas the smaller organizations are struggling a little bit.
We're also seeing that a lot of the security focus is on how people are trying to respond to Change Healthcare, how to respond to that event, and it's becoming a struggle across the board. Everyone wants to know what everyone else is doing. So, you know, you have disparate spending between both types of organizations.
But at the same time, everyone still has the same problem. So we're trying, with FinThrive, as an organization that kind of sits in the middle, to do more for both organizations—bringing in companies, larger and smaller healthcare industry players, and larger and smaller customers so that we can understand what they're doing for us.
Yeah. Great. And interestingly enough, we've actually started an AI and security customer council at FinThrive to get different perspectives from different-sized organizations and our customers to talk about best practices, learn from each other, and make sure we have a great way of sharing information across the board, across the spectrum of healthcare IT.
One thing where we overlap—in my role, I typically deal with product development, really coding and working on that—is that we're seeing a lot of momentum around AI as assisted coding for Copilot usage of coding. We're seeing more productivity in developing software. We're seeing more productivity in writing test cases. We're seeing more productivity using AI to help us deploy that software.
There's been a real overlap with AI and security. What are you seeing in the security space where you're also getting some of those productivity gains?
Right. So attacks happen at the speed of the fastest bot or the fastest system that's coming after us. And so what we're trying to do is adapt and adopt technologies and the ability to meet those attacks head-on using AI.
We're also looking at, with FinThrive, a framework—an AI security framework—that we've implemented that says, "Hey, this is how we're going to deploy AI. We're going to make sure that the data we're using in AI is secure, that we're not sharing data across the board, and that we're not causing any customers' data or our own data to be compromised due to AI."
I know there's a lot of concern about that. We've looked at that. Like I said, we built a framework. We're very comfortable with that, but we're looking at other things. You know, AI is a relatively new world.
These things are going to change, just like security, so we're going to adapt to those as well.
From the technology side of FinThrive, we've invested in a data fabric platform. You could think about it like a data lake where we've worked with Greg and the security side to make sure we ensure consistency of the data and also privacy around that data, and make sure we're using it in ethical ways when we look at AI on top of our data.
So we've just released interesting features, such as a 30-, 60-, 90-day cash flow predictor, which uses this data that we've collected across our full suite of applications in our platform and gives an individual CFO visibility into future cash flows.
That's so difficult because there are many payers, many claims types, and many different relationships that one of our customers may have. We're able to do that only because we've invested in the data first. So we're super excited about doing that and making sure that it has the security framework on top of that.
So if you were to go back to the security side, if you were looking at starting a security program, where would you go first? What would you do if you're a hospital provider?
Right. So one of the big areas where we found the biggest impact with the least spend was security awareness.
The ability to use the individual, the employee, and the systems as that frontline of defense against an attack. That security awareness has been very helpful in allowing us to be a little bit more secure in how we do things.
I think, as an industry, security awareness is at the top of everyone's minds. People are performing internal phishing tests. They're conducting security awareness training. They're doing a lot of these things. I think that's where it needs to be because that's where you get your biggest bang for your buck.
Great. And we know that phishing is a prime target of the bad guys, so that's a great area to invest. What we're seeing on the AI front is getting our employees more productive through the use of tools like Microsoft Copilot and other tools we use internally.
Secondarily, we're working on the processes of how we handle things. You could think about that like loading contracts in our system, using automation and AI to do that more intelligently to get a differentiated capability where we can do things more quickly but also more efficiently with fewer people handling each of the different documents.
And then we use it in our products. I talked a little bit about analyzers and doing something complicated like 30-, 60-, 90-day cash flow prediction.
We're also utilizing that to do clustering of denials. That allows our customers to work a batch of denials at one time so we can actually work things more efficiently. We do things in our insurance discovery product where we optimize the best potential candidates for insurance that our hospital systems may see for their patients so that they can work that more efficiently.
So that's something where we have AI inside, and that's big on what we do here at FinThrive. We're also looking at, as we mentioned before, the AI Council to share these best practices and efficiencies across the board. If we're saving by being more productive and efficient internally, the end result of that will be better productivity, faster time to value in our products, and also more cost-effective usage of everything we're doing across the board.
Yeah.
So back to security—what do you think is going on in the phishing world? Why am I getting so many things personally and professionally around phishing today?
Yeah. That's a great question. The bottom line is that it's a very easy attack. People fall for it. They become very convincing in how they present those attacks. And because it's very convincing, people fall for it, and the payoff is usually pretty good, right?
You get the wrong person who clicks on a link, downloads a file, and infests your environment with ransomware. All of a sudden, you're paying these ransoms.
So, yeah, like I said, the bottom line is it's really easy to do. The cost for them is relatively low.
And so, you know, it's return on investment, I guess, is what it boils down to. It's very sad the way that it works out, but that's how it is.
Yeah. Yeah. It's a dangerous world. I think from an IT perspective, where we're focusing is on those passwords.
How do we make sure people are educated enough through these awareness programs that they know it's dangerous to put their password in a third-party site for their corporate credentials? But also moving to a passwordless environment—two-factor, multi-factor, two-factor plus using no passwords whatsoever—is really where the industry is moving.
And I think, you know, all of our investment is around that. We're there to ensure that we're keeping the data of our customers safe, but also internally, all the systems we use.
Is it important to classify your data while you're going after this?
Absolutely. Because you want to protect your crown jewels, right? And so you place all of your protections, all of your walls, everything that you need to protect those crown jewels.
Take a risk-based approach where you always ask the question, "Where's the risk? Is the risk high? We need to apply our security here."
We need to do a lot more than we're doing in other places because there's only so many dollars to go around. There's only so much that you can invest. So you want to invest the money in the right places where, again, it protects those crown jewels.
You don't ignore the rest of the area, but you look at the risk of, "What am I doing here to protect these crown jewels versus another area where, you know what, we could get by with securing it in this way because we think that the risk is much lower."
Yeah.
And so that's the approach that we're taking with a lot of these.
Yeah. That's great. So do you think you're working yourself out of a job just by getting us so secure we don't have to invest anymore?
I will tell you this—it never changes.
You will see—I mean, and if that happens, that's y'all's loss, not mine. But the fact is that being a secure organization will always be necessary. Ransomware is today's problem. AI is starting to become today's problem.
There's always going to be something new, right? And so the key is not worrying about whether you're going to lose a job because, you know, the chances are that's very—it may happen, but probably won't.
But the better opportunity—the way that you need to position yourself—is, "How am I looking forward to the next threat?"
Right? So if you stop looking and you stop trying to figure out what's coming next, maybe you shouldn't be in that role. Right? And if I ever do that, please let me know.
I'll be sure to do that.
Alright. The one thing we're working with our customers on is around a refresh of security, as a vendor and a partner, and what we're doing with AI. So we're actually proactively reaching out to our customers and partners and saying, "Hey, ask us what you want to know."
Greg and I are going and meeting with customers to do an overview of our program. And also, I think it's good information sharing at that point—what's interesting for each other and what we're doing. But we've learned a lot through that process.
And I think when you're working with your vendors as a customer, you want to make sure that they're open to talking to you directly about what's going on. You don't want anything hidden. After the point in time you procure software, usually, you may see gaps.
And, just as Greg mentioned, security is constantly evolving. You want to make sure your vendors are keeping up with the security investment so that you can be assured they're meeting not only 1999's issues, 2010's issues, but 2025 and beyond.
Right.
Yeah.
Yeah. I mean, to that point, we are working with customers during their disaster recovery planning and their business continuity planning because they want to know what our response is if they're going to go through an event.
And we found that a lot of our customers have found that, hey, it's good to know what FinThrive is going to do. Can they keep the lights on for us so that they can continue doing what they need to do with FinThrive rather than have everything cut off?
Right?
So during a ransomware event, that event occurs a lot of times. Systems are cut off. That costs people money. So FinThrive will work with our customers.
They say, "Hey, what's the best approach? How can we keep you going in an event?"
Yeah.
Yeah. And I think, from an event perspective, we look at it in terms of, you know, catastrophic disaster from hardware equipment. All of our products have a disaster recovery and business continuity plan.
Right.
We work with customers and make sure they both understand it and can coach us through it, which I think is really powerful.
Absolutely.
But then we look at a cybersecurity event. It's almost impossible to prevent some sort of issue. We have a number of threats we talked about already during the podcast.
But what we're looking at is architecting cybersecurity safety into the solution so that we limit the amount of downtime if something were to happen. And we have very specific movement on some of our products now where we're designing a feature of that product so that we can be up and running within five days.
We think that's a big way that you should be asking your vendors today, which is, "How do you deal with an everyday common catastrophic disaster like a router in a data center that doesn't work or a region in some sort of public cloud provider that fails?"
But also, "How would you handle a cybersecurity event where the data may be corrupted and there may be a long-lived problem or virus in that data as you go to restore it?"
So these are things that we like to recommend people ask about. Make sure your vendors are working on solid plans around it, and that you can go visit and review those plans to make sure they're all real—not just marketing on their website.
Right.
Yeah. I mean, that's absolutely correct. I mean, we want to make sure that they're doing the right thing. We do the same thing. So we have a third-party risk management program. We have a team that looks at our vendors because our vendors affect you guys as they kind of affect our customers. So we're going to make sure that our vendors are standing upright.
So we want that to continue to go all the way through the entire process with customers, their vendors, and their vendors' vendors.
Usually, what we find is there's a weakest link out there. And it's not just in open-source products. It's also in third parties that maybe someone hasn't validated properly. There's the weakest link that is usually in some small, little use—either acquisition or provider—that nobody's even aware of.
So going with vendors with respect to a platform play allows you to ensure they've got the same security umbrella across everything that they're using in their suite. It's a big benefit for customers. It's a big benefit for partners to know that every piece of software in their products goes through the same security review. We take that approach when we look at vendors that we use today.
It's much harder to procure a new vendor, even if it might only be a few thousand dollars and a little use, than it is to go with the existing vendors we do and have good relationships with on the security side. It's really important.
Absolutely correct.
Yeah.
It's almost impossible for us to get a new vendor.
Yeah.
Well, we kind of have to make sure that we're doing the right thing too, though. Right? I mean, there's a lot of vendors out there, as we've seen here at HIMSS, at the HIMSS conference. So we want to make sure everybody's doing the right thing.
Yeah. And just like with AI, there's a lot of marketing around what they're doing. What we try to do is talk about how we're deploying AI within our solutions rather than just spouting off about AI this and AI that.
Right.
Because we want to do this and make sure, as we talked about, it's deployed both ethically and pragmatically. We don't want to jump into things. We've seen examples where people actually take advantage of a new software solution very quickly. They get into it too fast.
It may be AI, or it may be a new data platform, and it can result in really bad outcomes with respect to data loss or some sort of data security issue that wasn't found during the procurement process.
Right.
So we typically like to recommend doing proof of concept, understanding what you're doing, and working with vendors who back up what they say with documentation and security protocols.
And that's true from the AI point as well. There's a lot of fear and uncertainty out in the marketplace today around how people are actually using it. And so we're actually coming out—as I look at our marketing team—with a logo to put on certain products and talk about our investment.
We've amped up our investment in the last two years. We've doubled, if not tripled, our investment in security. We've increased the number of people that are serving our security and our global security operations center, and also everything we're doing around penetration testing.
On the AI front, the same thing is true. We've really increased our investment in AI so that we can get faster time to value for our customers. One interesting thing we're seeing in AI is that, in the old days—let's say two years ago—you used to do it as a science project.
You would get a model. You would do ML. You would actually spend a lot of time working on a model to make sure it's right, and a lot ended up nowhere. They ended up in the trash can.
What we've done now at FinThrive, which we think is good, is we've kind of democratized AI. The tooling is there such that we can have individual development teams who are not necessarily experts in traditional ML, but they're familiar with using OpenAI and other tools that are out there.
They can quickly jump-start both their use of GenAI and even AI/ML, and now what we're seeing with generative AI. So we've kind of democratized our deployment of AI, which I think is big, and it's similar to what we saw in security.
No longer is it just one standalone vertical.
Like, it's not a monolith.
Right?
It has to own it and be a part of it, and the tooling is helping us get there.
Absolutely correct. I mean, as you said in security, it wasn't the security team's problem. It was everybody's problem when it came to securing. Same thing with the AI program at FinThrive, right?
Yeah. Everybody's responsible.
Everybody's responsible. One of the things that I think, if we take a look at our investment we talked about in the data platform—we call it the data fabric—we think it's really important, and it's really hard, by the way, to get that right.
We've now got that base there, and we've got probably about twenty different work streams of AI embedded in our products going out. But one thing we think is interesting for the next couple of years is going to be the growth of agentic AI.
We believe that is basically packaging up a unit of work. So it's not just a chatbot, but it's also a unit of work that can respond to different situations and trigger different workflows while at the same time using data from AI—it can be GenAI—to create new content.
We think about the appeals process of denials as a great use case for agentic AI. We're heavily invested here, and we think that'll be coming out in the next year or so, where we can actually get denials information back using the large catalog of denials that we have.
Right.
We can run models on that, and we can kick off agents to know how to handle that appeals process and create an appeals package to send back out to the payers, which is going to be great. That's an agent of work. And as part of agentic AI, we're super excited about seeing that come to fruition.
Yeah.
I mean, we use AI across the board for clustering denials so that you can quickly identify denials that are there. And we also use a lot of ML models so that we can actually detect document classification coming in, know how to respond to that, and kick off different units of work based on that.
Yeah.
So a lot is going on in the AI front, and a lot is going on in the security front. Any parting thoughts?
No. I just think that, you know, being here at HIMSS, it's been really important to see what the healthcare industry has gone through. We see it firsthand, understanding what healthcare is going through in terms of security.
Healthcare is seeing a lot. They're going through a time right now where security is on everyone's minds. FinThrive is making the investment in security, making the investment in AI. So I think that we're really good at what we're doing in terms of security and AI and how we're positioning FinThrive.
Great. Thanks for joining us here at HIMSS 2025 in Vegas. It's been great for us to meet with our partners and customers, learn more about what's going on, and talk about what we're doing. We're super excited to talk about AI. Come by our booth, and we'll chat with you at any time. Thank you.