The Signal Room | AI in Healthcare: Strategy, Governance & Ethical Leadership
The Signal Room is a healthcare-AI podcast hosted by Chris Hutchins, founder of Hutchins Data Strategy Consultants, for healthcare leaders implementing AI with strategy, governance, and ethical leadership. The show goes deep on AI strategy for healthcare, AI governance in healthcare, healthcare governance, ethical governance, ethical AI leadership, and responsible AI development — with CMIOs, chief AI officers, and operators driving trustworthy AI systems, clinical AI implementation, and AI compliance in healthcare across real-world health systems.
Each conversation unpacks healthcare AI ethics, healthcare AI risks, AI bias in healthcare, algorithm bias healthcare, health tech governance, AI implementation for healthcare leaders, ethical leadership in AI, and the practical realities of responsible innovation in healthcare.
If you are an AI strategist, healthcare executive, CMIO, chief AI officer, or AI governance leader committed to ethical leadership in AI, The Signal Room equips you to lead AI transformation effectively and responsibly. Join us for AI risk management in healthcare, healthcare data governance, AI strategy for executives, executive decision making in AI, and the trustworthy AI systems shaping clinical decision support and the future of healthcare AI.
The Signal Room | AI in Healthcare: Strategy, Governance & Ethical Leadership
Why AI Agents Are Healthcare's Next Biggest Security Risk | Pranava Adduri
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Why AI Agents Are Healthcare's Next Biggest Security Risk (with Pranava Adduri)
Generative AI is changing how the medical world works—but it is also completely rewriting the cyber threat landscape. When a security breach happens to a traditional business, it impacts revenue. When a data breach happens to a hospital system, people's lives are actively at stake. In this episode of The Signal Room, host Chris Hutchins sits down with Pranava Adduri, Co-Founder and CTO of Bedrock Data, to uncover a major operational blindspot: the dangerous gap between deploying autonomous AI agents and maintaining strict data governance. Pranava explains why the defensive advantage of AI tools is only temporary, how "helpful" AI agents inadvertently create massive security leaks, and why healthcare leaders must stop trying to build unreachable networks and instead adopt a radical new mindset: learn to get better at being breached.
Key Takeaways From This Episode:
- The AI Agent Judgment Gap: Why AI agents trying to get a job done will bypass security parameters (like creating hidden, shared data folders) because they lack human ethical judgment.
- The "Scary Forest" of Permissions: How privileged access and credentials drift over time, and why letting an unchecked AI agent act with full user permissions creates a catastrophic blast radius.
- Data-First Threat Modeling: How identifying your top five most critical data assets and working backward is the fastest way to harden a clinical environment.
- Open Source vs. Frontier Labs: Why advanced adversarial AI capabilities are catching up quickly, making AI-assisted cyber attacks more frequent and sophisticated.
Chapter Markers & Timestamps:
- 0:00 — Introduction: Why healthcare data security is a matter of life and death.
- 1:45 — Meet Pranava Adduri and the mission behind Bedrock Data.
- 3:11 — How medical ransomware differs from standard enterprise cyber attacks.
- 4:32 — The hidden threat landscape: What leaders miss when deploying GenAI.
- 6:55 — Do defenders actually hold the long-term AI capability advantage?
- 9:35 — Flipping the playbook: Why organizations must "get better at being breached."
- 12:22 — Beyond honeypots: Restructuring network access and minimizing data footprints.
- 14:38 — Why clinical settings give broad access to AI agents (and why it backfires).
- 19:37 — Exposing the false sense of security around hosted cloud environments.
- 23:55 — Reining in the "scary forest" of privileged access drift.
- 27:30 — The #1 critical cybersecurity takeaway for healthcare CEOs and tech leaders.
- 29:13 — Where to follow Bedrock Data and wrap-up.
About Our Guest:
Pranava Adduri is an expert in data infrastructure and security compliance. He was a founding engineer at Rubrik, where he focused heavily on ransomware defense and backup recovery. He later scaled data risk and compliance lines at AWS past $200 million in revenue, working directly with Fortune 500 CISOs. Today, he is an Entrepreneur in Residence at Greylock and the Co-Founder and CTO of Bedrock Data, an advanced data security and governance platform built explicitly for the AI era.
Resources & Links Mentioned:
- Visit the Bedrock Data Website: bedrockdata.ai
- Connect with Pranava Adduri: https://www.linkedin.com/in/padduri/
- Explore More Episodes: https://www.youtube.com/@SignalRoomPodcast
About The Signal Room: The Signal Room is a podcast and communications platform exploring leadership, ethics, and innovation in healthcare and artificial intelligence. Hosted by Christopher Hutchins, Founder and CEO of Hutchins Data Strategy Consultants. Leadership, ethics, and innovation, amplified.
Website: https://www.hutchinsdatastrategy.com
LinkedIn: https://www.linkedin.com/in/chutchins-healthcare/
YouTube: https://www.youtube.com/@ChrisHutchinsAi
Book Chris to speak: https://www.chrisjhutchins.com
People's lives are at stake, and the problem gets very real. People might know about Jet AI and maybe they know it exists, but not much beyond that. What part of the threat landscape are they most likely to be missing right now? I think it's the how the work gets done.
SPEAKER_00That is something that is not obvious. We have to assume that the likelihood of getting breached is higher. If you assume that you will be breached, and you take the directive of how do I get better at being breached, that changes the playbook now. Honey pots are one part of a broader way of approaching the problem.
Chris HutchinsWhere do you see leaders getting a false security and safety right now? I think there's a comforting story we tell about AI and security. That same frontier, tools defending the hospital, are always a step ahead of whoever's attacking it. My guest today spent his career on the other side of that assumption. He'd tell you AI didn't break healthcare's data security. It exposed what it was never really working. It handed attackers a brand new service to go after. Welcome to the cigar. I'm Chris Hutchins, and my guest today is Pranava Aduri, co-founder and CTO of Abedrock Data, a data security and governance platform built for the cloud, software as a service, and AI era. Pranava was a founding engineer at Rubrik, where he cut his teeth on ransomware and backup recovery. He led data risk and compliance products to AWS, scaling a new line past 200 million in revenue, working directly with Fortune 500 CISOs. And he incubated modern data governance ideas as an entrepreneur in residence at Greylock. So when he talks about securing AI inside a hospital, it's from the engineer's seat, not the slide deck. Pernaver, welcome to the Sigar Room. Thank you very much. Great to be here today. Well, before we get dig in too much, uh I'd love for you to just get tell the people a little bit about who you are and tell us a little bit about what Bedrock does.
SPEAKER_00Absolutely. A little bit about me. We immigrated to the States when I was five, grew up in California most of my life. And uh I think ever since uh ever since I started working, I've always been in some some flavor of data, uh, whether it was scale out data storage, whether it was uh scale out data backup uh or ransomware and data security for companies that have the most critical data sets. It's always been some form of data, and including Bedrock now as well. And a little bit about what bedrock does. Bedrock is a data security platform. Bedrock was built for enterprises of the largest scales to understand their data, especially as they're collecting this data in this AI era more than ever, as that data is rapidly expanding, being able to make sense of the data that people are creating and transacting with, and then being able to make sure that that data is being used correctly. Uh, it's not being used in a way that puts the company at risk, the customers' companies at risk. And so where Bedrock is really at is the intersection of data and how that data is being used by the business on a day-to-days. And now, especially as AI agents come online and agents are transacting on behalf of humans, how those agents are making use of that data as well. We sit at the center of all of that. And the way we like to think about it is if you can ensure that the correct guardrails are in place, then the company can actually move fast and realize the value of AI properly. So that's in Nutshell, that's what we're doing.
Chris HutchinsWell, it you make it sound easy, but I'm I'm certain that it's not. Fair enough. Um you spent your early career on ransomware and backup recovery at Rubert. What changed about the problem was the target was a hospital instead of an ordinary business?
SPEAKER_00The short answer is uh people's lives are at stake. Uh, and the problem gets very real very fast. If an adversary performs a ransom hospital system, they are doing reconnaissance of what anyone doing a ransom will do reconnaissance on figuring out where it will hurt the target the most, such that they have the maximum likelihood of getting the successful ransom payment. And in healthcare, unfortunately, those are operationally critical systems that may administer actual medical devices and that are giving life-saving support. It could be the medical systems. Anything that gets in the way of a patient getting care is something that can affect the outcome of a patient, right? And unfortunately, there have been instances where because of ransomware attacks, people have been impacted very severely. And so, yeah, the the short answer to your to your question is uh lives are at stake uh when when when an adversary decides to target a hospital like this.
Chris HutchinsYeah, I I don't know what makes people think of these types of nefarious things, but it it it's just it's alarming, and I'm I'm really glad there's people like you that are they're really on the front line making sure that we're constantly monitoring and hardening that surface. Um let's bring this up today, up to today for a leader who's just starting to pay attention. People might know about Gen AI and maybe they know it exists, but not much beyond that. What part of the threat landscape are they most likely to be missing right now?
SPEAKER_00When it comes to leaders that are kind of exploring Gen AI, whether whether it's for the purposes of transforming their business or bringing operational efficiencies, I think the part that I think it's easy for people to kind of start seeing the light in the sense that uh, oh, these are all the ways we can bring automation, these are all the uh all the back-end processes that uh took forever and a day that someone had to do that can now a set of agents can go handle, right? I think the part that's easy to miss, though, is you have these actors that are operating on instructions that you've given them. But yeah, in terms of making sure that they are aligned and making sure that they're acting in a way that exercises the judgment that a human operator would, that's the part where it's not obvious all the ways these things can go rogue. It's not obvious all the ways that an agent might, in the service of trying to be helpful and do what you asked it to do, it might do things that you didn't want it to do. Like keeping the data somewhere uh where it shouldn't be, because it was it was easier for it to work off of the data in that new location than having to uh do it in a more secure route, right? Uh at the end of the day, these agents are trying to get the job done, but how the path that they take to get the job done, that's the part that's the unknown. That's the part that's hard to fathom for people. Right. And so to answer your question about where uh what people might be missing, I think it's the the um the how the work gets done. That is something that is not obvious when when you when you're when you're setting these uh agents to go do a task.
Chris HutchinsYeah, but there's so many uh ways that this is uh similar to other things that we've done with gone for from a transformation standpoint. I remember the first time I used the Waze app on my phone. After the first couple of times, I got to where I needed to go, and then all of a sudden I started to trust it. And then I get went to a new city, things were a little more compressed, and I would start to miss turns because it couldn't, it wasn't moving that fast. But you know, it's just one of those scenarios we're constantly seeing evolution and and adoption of technologies, and it's at a pace where it's it's just getting a little bit too fast for people to be able to keep up and understand what the risks are, I think. Yeah, to there's an assumption that frontier AI capability stays on the defender's side. Is that actually true?
SPEAKER_00I think that it's uh I think despite the safeguards that frontier labs try to put on these models, I think the consensus is that it's only a matter of time before open source models also catch up in capabilities, right? And so while the frontier labs themselves can try to be responsible with respect to the controls that they put, the vetting that they put on these models to ensure that only defenders get the advantage, take Mythos, for example. While they can do that, while while they're putting effort into doing that, it's only a matter of time before the open source community uh and and and models that are more public available to the public domain catch up in that tier of capability. And once they do, the adversary will have just as powerful tools. So unfortunately, as as much as uh one would want these to be used from for one would want these advanced capabilities on the defensive side, we have to assume that our adversaries also, in a, in a, in a matter of time, in a matter of time, and that too soon, will have similar capabilities. The uptick in AI assisted attacks has already uh it can already be if you look at uh uh IBM's data breach report, uh, and so on and so forth. The number of, I think the the first time in a while, it's not stolen, it's not stolen identities that are the top that are the top cost for for breaches, right? It's actually it's actually um other tactics now that that that are that are more feasible for adversaries to leverage because of AI.
Chris HutchinsIt's interesting. I I did some research a couple of few months ago for the story and and it were just looking at the fraud and and uh the the cost of some of the social media fraud as it goes on. And I really hadn't thought about it, but I I discovered in that there's the versions of this technology that we use like a chat GPT, and they have their own version that they're using. They're aimed to that you they're constant, constantly going back and forth and back and forth. We're trying to increase our ability to detect, they're trying to subvert that. I I had no idea, but it I think it's uh it raises an an interesting question because the advantage is not guaranteed at this point. So if both are getting better, I mean the honest goal, we want to get better at being not being breached, I think, but if someone's determined to get to the hospital can really get hurt, um and the data might actually get penetrated or worse, it leaks out. What's what is really the honest goal that we have to think about there?
SPEAKER_00To your point, I think that um as these models get more advanced, yeah, uh for for uh I think the the stark reality that people have to accept is that the likelihood of getting breached is going to be higher than a than than than it was pre-AI. And this is in s in spite of all the investments people might be making to do better detection and response, better patching, even with all that in place, I think the likelihood of a motivated adversary's ability to get in is now higher. And so I think organizations have to start adopting the mentality of the likelihood of getting breached is higher. How do I get better at being breached? That's an interesting way to frame that.
Chris HutchinsIt's not kind of backwards.
SPEAKER_00It's uh it's it's a little bit of a it's a little bit of a neck turner when I say this, but I I think you have to assume that for a motivated adversary with all the tools at their disposal, and we're still, mind you, we're still in the very early arc of all of this, the types of evolutions of these models that we're going to be seeing in the coming years are going to be are going to make what we have right now look like child's play. And so we have to assume that the likelihood of getting breached is higher. And so and and and it's it's not all doom and gloom, right? If you if you assume that you will be breached and you take the directive of how do I get better at being breached, that changes the playbook now, right? It changes the playbook in terms of, okay, I need to take a risk-based approach to how I'm doing this. I need to figure out like if if someone did get in, what are the most likely places that they could get in? What are the most valuable targets that they might be going after? And if I work backwards from there, I can really start playing the book from there, or I can really start making my moves, like uh assuming that, right? I can basically start with, for example, the the heuristic that I like to think about is start with the data that is most valuable to you. Like if if this data were compromised, it would be company ending, right? So what would the top five categories of data be if you just sat down and did that exercise? Okay, next step, where is that data sitting right now? If I know where that data is sitting right now, I can start there. Instead of doing an infinite search of all possible risks, I can start there and I can start modeling. Well, if an adversary were to get to this, what are the roads that they could take to get to this data? Okay, now let's focus on those roads. What are the what are the entry points that that would allow them to leverage those roads? And then you can systematically start hardening and layering the compensating controls that way, right? So for me, a a good way to get better at getting breached is to start with what matters the most and work working backwards from there.
Chris HutchinsIt wasn't obvious to me uh was start to look look at what you've been talking about. I wonder maybe this is crazy, but if you know that that's gonna happen, obviously there are harder places that you can that you know about. But it do you think about ways to essentially lead the witness, so to speak, you know, set set some traps for them. They take them off on a tangent way away from what's really important.
SPEAKER_00So in in in the sense of potentially having honeypots that that you can deploy, that is, that is one way to go about it as well, right? But I think I think honeypots are one part of a of a broader way of approaching the problem, right? Which is uh you know, you you can think about it uh like you know, uh, well, since we were talking about hospitals, right? Key cards, right? Key cards lead to hospitals. But and and you could let's assume that there's a lot of key cards. Well, some not all key cards should be leading to operational uh theater rooms. And so if if every key card can lead there, well, you should probably start start with what key cards can lead to these operational rooms, and do those people really need to have access to those rooms? And let's let's let's work backwards from there, right? And so in the ideal state, you're monitoring what are the most critical assets, you're monitoring the key cards that lead to them. And if any key cards end up getting access to these operational data rooms, you're able to immediately detect that and respond to it. The the situation that most organizations find themselves right now is that because there's so much data and there's so much identity in grants, figuring out what data is most sensitive and what key cards lead to these sensitive rooms in and of itself is a giant manual exercise. So imagine instead you have the ability to continuously keep up with the data, you have the ability to understand what that data means to the business and the impact that that data has. And you also have the ability to continuously monitor who's getting access, how is this data being used? Then you can actually start, you can actually kind of take control of this now, which is these key cards shouldn't be having this access anymore, right? In the ideal world, if if there's a key card that's randomly dropped and an adversary finds it and they scan it to get in, they lead to a storage closet and there's nothing of value there, right? That's the ideal, that's the ideal situation, right? That should not be leading to an operating leader room.
Chris HutchinsBut it's a it's it's a natural way for I mean it helps me to understand and think to think about things differently, but what does this mean in terms of how AI gets access and how where where the handoffs are happening, you know, where the keys are we're hitting them the keys and they're moving around inside and maybe we're not even aware of it. Um a lot of AI agents are getting hit in broad access just to make them work. In a clinical setting, why is that a real problem? And what does governing an agent's access actually look like?
SPEAKER_00In order to make an agent useful, in order for an agent to give you time back in your day, you the agent needs to be able to do useful things. And to do those useful things, it needs access. And it's exactly as you mentioned earlier, where you started using Waze for a while. And after a first couple of touch points where it didn't where it took you, got you to point B in a good amount of time, you started trusting it. The same thing happens here. The agent does a couple of jobs for you well, and you start trusting it, you give you start giving it more and more access, right? And that's how that's how the access expands. The big difference between agents and humans with access is agents don't have judgment. Agents have instructions that they've been given that they should do certain things and should not do certain things. But the judgment of how to evaluate a certain situation and whether they should or should not take this path to getting to a certain outcome, that's not guaranteed, right? And that that's not there either. And that's the fundamental gap. And so, in a hospital setting, for example, if you are using agents to update records, you're using agents to perform actions, the risk can be that in the service of trying to get the goal done, it might uh it might take a set of intermediate steps that are not aligned with uh how hospital should be conducting itself, right? It can go off path, right? Even in the service of coming back to the original goal. That's the risk, right? And so I'll give you an example. Uh we've we've seen instances where people have tried to use their agents to build dashboards to see how um certain metrics are performing. But in in to build that dashboard, the data in the source location wasn't this is actually something that a Fortune 500 was experiencing. The source data was not in an ideal form. So the agent very simply created a temporary location in a shared space that a bunch of people had access to and started copying the information there because it was easier for it to use the data in that new location to build that dashboard in that in that combined location. And so, yeah, it got the job done, but at the expense of making that data accessible to everyone else in the company, right? These are the types of judgment calls that an agent wouldn't be able to make unless it had a scaffolding that in for that basically told it, oh, you're about to go off the guardrails, don't do that, right?
Chris HutchinsNo, it's it's interesting, just you know, doing some basic stuff that I've been playing around with. I I see that kind of behavior, and it's all of a sudden they discover it's gone off and doing something that I either A, I have told it explicitly not to do, or B, yeah, I I it never occurred to me that they would do it. But oftentimes I think we uh because we trust so easily, we we we forget that human beings make these things. So there's gonna now some tendencies that we have to be aware of. And that's right. And the rule of clinical AI has to pass a test. It really doesn't give time back. And I love that you say that because I swag with so many clinicians that have been so frustrated with with how we develop technology for them because we're we've done the opposite of that. We've been taking time away from what they went to medical school for, which is really to take care of people. Does security ever pass that test or does it always work?
SPEAKER_00Well, I think I there's no reason security doesn't have to pass that test. Uh and security, if you have a rule that that says in order for someone to truly do the secure thing, the secured path has to be easier than the default path. Because people will ultimately choose the path of least resistance to get something done. So I think the the onus is on leaders and uh security innovators to build solutions that are easy to use. So the way I think about it is you should still use the AI to go do a certain task, but there should be a layer that's guiding the AI, a scaffolding that is guiding the AI to if it's about to go do something off the rails, like keep the data in a in a shared location for ease of use, something should say no, that's not allowed, right? And so AI is very robust. If you say that's not allowed, it'll say, Oh, I guess I can't do that. Let me figure out what else I can do, right? So it is a self-recovering system. It can handle you saying no to it, but you need that guidance, right? And so that that is where um good AI governance, good AI security comes into play, right? Some system needs to be aware of the data, it needs to be aware of the corporate policies, it needs to be aware of the actions that are allowed, and it needs to work in hand with the agents to guide them, right? And that and then and that that that is where that that is exactly the problem domain that we are thinking about as well.
Chris HutchinsYeah. So let's talk about where this all goes wrong quietly. There's that I think we frequently get into this false sense of comfort and security that we've kind of touched on a little bit, but where do you see leaders getting a false sense of security and safety right now? I think there's a couple of areas.
SPEAKER_00One is I think when um these models first came out, everyone was uh freaked out about sending data uh to um to third-party frontier labs. And they they uh they assumed that, okay, well, once Amazon hosts it uh on the on the Amazon uh bedrock ecosystem, not to be confused with bedrock data, once Amazon hosts it, uh well now it now it's within my uh now it's within my corporate corporate environment, so it's safe, right? Yeah, you know like the the the in a way, yes, the the model now resides in in a in a VPC that you control. But at the end of the day, like if there's agents getting powered off of that model, everything that we talked about earlier is still a risk, right? In terms of the judgment calls of these agents, all of that is still at risk. So I think there's maybe a gap where people assume that, okay, well, we've bought the model within the within our four walls, and so the big risk is over, right? That's like saying I put a firewall, so I'm good to go. Not really, right? There's like there's still all the downstream the the model is the engine, right? But there's all the downstream act uh like uh agents and other workloads that are using that model that now have access. I think again, getting a handle on what the blast radius is, what these things can do, and then reigning the blast radius in, reducing that blast radius, uh, making it so that one, if an adversary or an agent is doing something, you're minimizing the harm that it can do. And then two, also monitoring the agents, right? I'll give you an example of uh of another Fortune 500 that we're working with. They had an enormous data analytics environment. This is a multi-petabyte data analytics environment. And it's also an environment where, because it's an analytics environment, by design, a lot of people have to have access to it. There's a lot of key cards as well. And so to kind of one, reduce the likelihood that an adversary picking up a key card could get to something dangerous, and to also get themselves ready for agentec operations as well, the exercise that they went went when went down was one, what is all the sensitive customer identifiable information in here? Let's find that data and let's first figure out why that data is there, right? Is someone actually actually using it? If they're not, well, let's decommission that data, right? Let's reduce that blast radius. And in the process, they're getting better at getting breached, right? They're reducing the footprint that an adversary could get to. And then what are the key cards leading to it? Who has key cards that they're not even using? Right. Again, a very great great starting point to just reduce the key cards that an adversary could pick up, right? And then for the remaining key cards that need to be there that are actively being used, do these key cards have access to rooms that the person's never using? Well, if so, keep the key card, but reduce the grant from that key card to get into that particular room, right? And so in this way, they've significantly hardened their environment. And so now, all save except for a couple of admins, everyone has a safe view to that data. And so this is an example of coming back to now agents are giving people time back and they're they're they're comfortable letting it run in these environments because they've reduced the scope of what these agents can do in the form of even if they went off the walls, the fundamental that what they can do with the data is safe. So that's an example of kind of putting it all together.
Chris HutchinsYou touched on something that I think is interesting because it it it's it was the same kind of thing that happened when you started seeing these visual data visualization platforms come out. They kept loopfrogging each other. That still goes on. But the the piece that's uh that was disturbing to me as a chief data officer was every once in a while, I would see a beautiful looking dashboard, and the data was just wrong. And what worries me is it's the the thing, the same caution that I would I was giving leaders in that one of the organizations I was at was that these things may look official. That's the danger of it. Um it can make an average Excel jockey look like a design wizard, and then the prettier it is, the more they trust it, unfortunately. And that's that's the problem. So flip that over and look at the data access layer. Um, I've always been bothered by the fact that I would have developers having full database level access. You know, from a clinical system that sits on top of it. We we have privileged account controls for that. But people are dealing with the data architecture in the back end, I felt like there were there was always a level of exposure. Um from your experiences, what are your what you see now, you still see a lot of risk and exposure because that's just not understood?
SPEAKER_00I think that the short answer is yes. The when we go into accounts, we do see a lot of privileged access. It's not, and it's the the enemy tends to be it's because at a certain point in time that access was warranted when the system was getting set up or during the time of a certain maintenance. The problem is afterwards, people forget to recycle that, right? People forget to reduce that back down. And so over time, access tends to grow. It doesn't, it doesn't decrease. And so I think the the problem that a lot of teams find themselves in is like when the problem that a lot of teams find themselves in is over time, because these and these access and entitlements grow, when it does come time where all of a sudden this problem needs to be reckoned with, they are they have this forest of permissions. And it's not even clear what are all the ways uh someone gets access to something, right? And so, yeah, absolutely, right? I think people grant the privilege so that work can get done. But because they don't necessarily always go re redacted after after the fact, these things grow and become these giant scary forests over time. That that that and that's how people find themselves in these situations. And now, if exactly when you want these agents to go do work for you, if you're letting that agent act as you, that's when that comes back to to to uh to to bite. Because now these again, these agents don't have your judgment. So if you set them out to do a task and they have all the grants that you have, that's when they can start creating these unintended side effects.
Chris HutchinsIt's a I don't know, it's a whole nother level of uh risk that I I have not I never anticipated seeing anything like this. But about it's always been bothered me because the the that would I couldn't protect my team members, for example. In the healthcare sector, um, oftentimes there are these break the glass or alerts that fire if you access a privileged account. Uh great example is a colleague of mine, he's an inframaticist, he knew what he's doing. He's actually just doing some reconciliation and he wasn't paying attention to what he's the numbers or anything. He's just making sure the field's matched up. And uh all of a sudden the security showed up at his door and they asked him, What is he what is he doing accessing one of the executives' records? And it was like reality check for him right then and there. He's like, okay, we we need to make sure that our team understands how all this stuff works, and we need to make sure we've got safeguards built in at the database level that prevents this kind of thing. Because I mean, at the very least, it's frightening to have a security person show up at your at your door when you're just doing your job. Uh but it was really it's more the protection of the team that's having to work with this stuff. And it has always been a concern. So, I mean, I really appreciate you kind of laying this out because I think leadership needs to have a better understanding and think of it from that context. Because no one wants to be the one that uh allows a breach, uh, let alone you know, does it an organization want that? But you know, for me it's investment to really protect your team members as much as it is the data. If if one CEO listening takes away a single thing from our conversation today, what should it be? And where could people find you and Bedrock? I'm quite sure those are gonna be a lot of folks uh that will have some interest in having a conversation with you. See, I think you've raised some really good concerns.
SPEAKER_00Yeah. Well, I think if there's one thing to remember, I think these models are only going to get better. And so the likelihood of the likelihood of an event occurring where whether it's a breach, whether it's an agent going off the rails, that will only go up. And so I think um as uh uh as the founder of uh reflex security said, uh the phrase I was using earlier, uh learn to get better at being breached, right? And I really liked that phrase that he used, right? Assume something will happen, and so then how do you prepare for it? For my advice is to start with the data and then work backwards, right? Data is a data is the ultimate anchoring function for taking a risk-based view to cyber. Start with the data, work backwards. And then I think um I think that that would be the one thing uh if uh uh if if someone had to remember something, right? Get better at getting breached, start with the data, uh, and then and then work backwards to harden your environment. I love it.
Chris HutchinsCo-founder and CEO CTO of Bedrock Data, the line that I'm taking with me is the goal is never to be unbreachable, is to get good at being breached. I I'll that's gonna stay on me for a long time. It's not obvious for for people who aren't living this in this world that you're living in and dealing with this. So it's you gotta get good at being breached so the day it happens isn't the day everything stops.
unknownYep.
Chris HutchinsLeading to being on the center room. I really, really appreciate your your your time today. And um just briefly, I want to just give you just kind of let people know where to find you online if they want to reach out to you.
SPEAKER_00Absolutely. We post regularly on LinkedIn with what we're what our learnings from the field are, think where we see the industry going. So find us on LinkedIn and you can also find us at bedrockdata.ai. So so yeah, we'd love to hear from you guys. And thank you as well, Chris, for the time.
Chris HutchinsThank you. Well, thank you. And for our listeners, I'll make sure everything's in the show notes. If you want to follow up, you you can definitely uh I'll leave a trail there for you to find it very, very easily. Uh we're we're at a time where we need these kind of expertise uh on speed the house. So again, thanks so much for being on the Signal Room and to my guests. I'm Chris Hutchins, and we'll see you next time. That's it for this episode of the Signal Room. If today's conversation sparks something in you, an idea, a challenge, or a perspective worth amplifying, I'd love to hear from you. Message me on LinkedIn or visit signalroom podcast.com to explore being a guest on an upcoming episode.
Podcasts we love
Check out these other fine podcasts recommended by us, not an algorithm.
Practical AI in Healthcare
Steven Labkoff, MD and Leon Rozenblit, JD, PhD
AI and Healthcare
Tensor Black
The Business of AI in Healthcare
Robert Kaiser
The Future of Healthcare AI
Bain Capital
The AI Healthcare Podcast
Dylan Reid
AI Governance with Dr Darryl
Dr Darryl
The AI Rules Podcast
Council on AI Governance