George Pappas Explains What AI Means for Cybersecurity Leadership

July 11, 2025

George Pappas, CEO of Intraprise Health, a Health Catalyst Company

The convergence of generative artificial intelligence and healthcare cybersecurity has created a threat environment that many health systems are structurally unprepared to confront. In this week’s interview, George Pappas, CEO of Intraprise Health, a Health Catalyst company, outlines the stark realities of AI-powered attacks, and what health leaders must do to meet the moment.

Pappas offers a pragmatic, risk-informed view of both the offensive and defensive roles of AI in modern cyber conflict. He identifies how AI is accelerating the sophistication of attacks through tactics such as identity-based lateral movement, autonomous phishing, and deepfake-driven credential theft. Just as critically, he dispels the illusion that AI-enabled defenses are foolproof or complete. Instead, he makes the case for a multidimensional cybersecurity strategy—one that blends advanced automation with executive-level governance, risk management, and structured human oversight.

The interview also surfaces a deeper institutional vulnerability: most healthcare compliance frameworks lag behind the capabilities of AI, leaving dangerous governance gaps in both regulatory response and organizational readiness. Pappas calls for smarter alignment with frameworks such as NIST CSF 2.0 and argues that future-proofing must begin with operational realism, not technological optimism.

For healthcare executives, this conversation is foundational to enterprise resilience. It signals that success will depend not only on digital tools, but on how intelligently and collaboratively they are deployed across the health system.

 

How is AI changing the tactics and capabilities of cybercriminals targeting the healthcare sector today?

AI is making it easier for cybercriminals to attack healthcare organizations. AI capabilities used in cyberattacks increase the level of sophistication at scale that can penetrate several of the current defenses in place. Some of these examples include identity/credential acquisition, phishing, network penetration, and undetected lateral movement. Due to the productivity of AI-based methods and the “cyber attack as a service” software models on the dark web, we are seeing more and more sophisticated cyber events.

What are the biggest misconceptions healthcare organizations have about AI’s role in cybersecurity—both as a threat and a defense?

As AI is still a new and emerging technology, misconceptions abound. Many cybersecurity companies are working to build more applied intelligence into their platforms to reduce the amount of human intervention needed to perform critical tasks. As LLMs improve in capability (which is happening rapidly), there is a belief that AI-based systems will make defenses impenetrable. As a threat, there is a corollary that AI can make attackers penetrate any defense. Not surprisingly, AI-based platforms are and will be powerful levers for security teams and cyber attackers to do more with less at a higher level of intelligence that will require both sides to continually improve and adapt or they will fall behind.

In what ways are current compliance and regulatory frameworks falling short in addressing the evolving cyber threat landscape?

Compliance and regulatory frameworks are slowly adding AI-centric measures and controls. At this time, due to the immature and complex nature of the technology, the frameworks for AI are primarily focused on governance, data management, and questions of LLM provenance. To evolve, the frameworks need to address verifiable measures of safety, execution leakage, model and application training metrics, and more methodical measures of testing and validation for certain performance standards to be deployed in healthcare.

Can you describe the components of an effective AI-powered cybersecurity strategy for healthcare organizations?

An AI-powered cybersecurity strategy should include the following components:

1. Threat detection and response (intrusion detection systems, behavioral analytics, automated incident response, intelligent yet automated vulnerability assessment and remediation/escalation).

2. Data and infrastructure security and privacy (data encryption, de-identification and masking, access controls, interoperability controls, user authentication controls).

3. Risk assessment and vulnerability management (predictive analytics, continuous monitoring, threat intelligence integration).

4. Endpoint and IoT device security (device ID and monitoring, anomaly detection, zero trust architecture).

5. User education and awareness (phishing testing/escalation, detection and prevention, adaptive training programs).

6. Regulatory compliance and reporting (automated compliance audits, audit trail analysis).

7. Resilience and recovery (AI-driven backup verification, disaster recovery planning).

8. Governance and policy enforcement (policy automation, risk-based authentication).

Also, organizations should examine the NIST CSF 2.0 framework, a set of voluntary cybersecurity guidelines and best practices from the National Institute of Standards and Technology.

What steps should healthcare executives be taking now to future-proof their organizations against AI-driven cyber threats?

Healthcare organizations need to take a unified approach to cybersecurity. Enterprise risk management offers a framework to guide the process. Rather than treating individual areas of risk – such as financial or operational threats – as distinct factors to be considered in isolation, the approach encourages leaders to consider all risk factors in their decision-making process.

It begins with taking stock of their current cyberdefenses and vulnerabilities. Just because an organization hasn’t yet been hacked doesn’t mean it’s safe. It’s more likely just a matter of time. Cyberdefenses can quickly become obsolete, so hospitals should regularly update them. Take a close look at emerging, intelligent cyber threats and develop a robust plan to address the many layers of technical debt that exist in almost every healthcare organization. This is particularly important given the latent interoperability vulnerabilities that are increasingly exposed to sanctioned AI projects yet represent new risks that are often underappreciated.

Every organization of any size should have a chief information security officer (CISO) who reports directly to the CEO. Too often, cybersecurity is the responsibility of chief information officers or chief technical officers, who already have too much on their plate. CISOs also should not have to handle legal and other matters, but be free to concentrate solely on cybersecurity.

And, of course, cybersecurity operations need to be adequately funded, which they often are not. Given that millions of dollars, patient data and even lives can be at stake, it doesn’t make sense to skimp on defenses.

Executives also should be on guard against complacency or treating cybersecurity as something that can be crossed off a list. Attackers are never going to give up or stop devising new hacks. AI simply makes it too easy. Anytime an organization thinks it is safe is when it becomes most vulnerable.

How can healthcare organizations balance automation and human oversight when implementing AI in cybersecurity?

Any deployment of AI in healthcare, whether in cybersecurity or something else, requires robust governance, ethical practices and human oversight. Organizations need strong guidelines in place to ensure it’s used correctly and fairly.

To balance the risks vs. the rewards of testing and deploying the generation of new agent-based services, the technical leaders (CIO, CTO, CISO) of the organization should establish a continuing process of standards and early involvement with functional leaders. Too often, the risk vetting of a new technology takes place late in the acquisition cycle, which leads to undue risks. A good governance practice here would include the technical team sharing their vetting of all AI-based technologies with the entire leadership team to better educate them on the standards expected.