
Agents Don't Get a Pass: Governing Digital Identity | Executive Interview with Adam Hawkins

Paused
Agents Don't Get a Pass: Governing Digital Identity | Executive Interview with Adam HawkinsExecutive Interview
Questions Answered in This Episode
- How do you govern AI agents accessing patient data across healthcare systems?
- What happens when an AI agent improperly discloses protected patient information?
- Why are health systems deploying AI without security controls in place?
- Can you identify which users and systems an AI agent actually compromises?
- What's the real blast radius if your AI agents get exploited or manipulated?
About This Episode
July 15, 2026: Adam Hawkins, EVP, Healthcare and Life Sciences at Cyderes, has spent more than 20 years at the intersection of clinical operations and cybersecurity, from co-founding a clinical decision support startup in college to building Cyderes's healthcare vertical from the ground up. Drex DeFord and Adam cover what the sprint to AI actually looks like from the security side, why most health systems are building guardrails while the car is already on the freeway, and the emerging concept of "blast radius", understanding not just what's vulnerable, but what actually breaks when something goes down. The conversation ends with a clear-eyed look at the next five years: machines versus machines, and what that shift means for healthcare security leadership.
Key Points:
01:22 Adam’s Early Healthcare Start
05:10 Lessons from Robert Hershebeck
07:30 Today’s Biggest CISO Challenge
09:49 Security Context and Blast Radius
13:03 Machines vs Machines Future
Keep up to date on the latest in health IT:
https://thisweekhealth.com/news/
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
Contributors
People featured in this episode — open a profile for more.
Transcript
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong. AI agents are quickly becoming one of the fastest-growing identity types in healthcare. They're reviewing images and coordinating care, supporting scheduling, and accessing patient data across multiple systems. The challenge isn't the AI, it's governing what these digital identities can access and do and share. If an AI agent improperly discloses patient information, the OCR won't care whether it was a person or a machine. You'll still be accountable. CYDERES helps health systems give every AI agent the right access, the right context, and the right governance before it's allowed to act. Find out more at thisweekhealth.com/cyderes I'm Drex DeFord from The 229 Project and This Week Health. Our mission is healthcare transformation together. Welcome to this executive interview, real conversations about managing risk at the highest levels. Let's dive in. I've got Adam Hawkins from Cyderes with me today. Hey, buddy. How's it going? Doing great. Great. Happy to be here. We have known each other, for years, and so I, I mean, I know what it is, but I'm gonna say tell me about your background because you're one of the most well-known cybersecurity people in healthcare, and it's a pretty tight-knit group. So how did that happen? For, for me, healthcare started actually back in college. So I actually co-founded a startup company with a gentleman that I met at a college job fair, who left Johnson & Johnson, and he had this crazy idea that, at the time, it was basically an early version of kind of clinical decision support or evidence-based decision making. And his, his view of it was, "Hey, we have to go through a very strict protocol when it comes to medical device manufacturing and selection. We feel like that, you know, the best doctors in the world, they have kind of a protocol and a process. We should try to make this into a software solution and sell it to other hospitals and other doc practices." So I joined with him. I had kind of an IT background, and it was just him and I, typical garage story. I was there for seven years, ran developments, and we sold into some of the UCs, and some of those relationships I still have today. So that gave me, like, firsthand experience working in a clinical environment,, you know, working in the ORs, like, understanding what the process would look like and how technology would be enabled. This is all pre-ARA and high-tech, um, and EMRs. So we were early in the game. Uh, so we were doing outcomes collections online. So after leaving that startup, I moved over to a company called Doctor First, which is still really large in the industry. Mm-hmm. Um, but they were kind of at the forefront of the whole medical... medication history, um, and e-prescribing. So that was the... I, I basically kind of helped run that organization's, like, kind of West Coast presence. I live in San Diego. So that gave me kind of an early insight into what that whole market was looking like, dealing with all the integrations, um, how, how that kind of, uh, history would help with point-of-care decisions. Um, and then n- during that process, um, you learned about cyber, uh, and then joined an organization and joined a, a, a company called Synergistek, uh, which now got acquired by Clearwater a couple years ago, which is where you and I met. And Synergistek was a cybersecurity firm, so I didn't really know much about cyber. This was about 15 years ago. But they had a lot of hospitals and health systems they were doing cyber work for, and I just... it just kept coming up in my conversations with CIOs and CISOs at the time. So I joined that company as, I think, the fifth employee. Uh-huh. Um, and then we built that company up, and it was very successful. We got acquired. We went public, um, and was there again for about seven years, and then joined Cyderes, which used to be called Hershebeck Group, um, after I met our founder, um, Robert Hershebeck, who's, who's spoken at Chime and has spoken at HIMSS a number of times. Because what my customers were telling me is they were... they needed someone to help run the tools versus just sell them the tools. Mm-hmm. And I think that was the big shift that, that I made, and I made, frankly, a pretty big gamble to join this organization now eight years ago, if you can believe it, uh, to basically build our healthcare practice. And it's been a great experience, and healthcare is now the largest vertical at Cyderes, and I'm very, very proud of that. Uh, I'll take a little credit, but I think the model that we do, and obviously the, the unfortunate growth of cyber attacks in healthcare has played a big part. Um, but definitely, like, cybersecurity has been, you know, the biggest growth area, both in a good and bad way for us in the healthcare sector. It's, uh... You don't look this old. So to tell that story- I have a lot of really good- ... it doesn't sound, it doesn't seem like you have that many years ... Zoom filters. There's some really heavy Zoom filters on right now- ... that I've turned on to help, help with that. Um, z- uh, uh, it's really interesting, too, to think, like, you sort of convinced Robert Herjavec to do a healthcare vertical, and that wasn't- Mm really in the plan. And look at it now. So that's a really crazy story. You, you've worked with Robert now for, um, as you said- Eight years, right? Mm-hmm. Uh, I met him at a Cyderes event at HIMSS this year. I'd met him before at another event. We had a really interesting sidebar on AI and security operations center, and he asked a lot of questions, and I thought that was a really interesting kind of part of our conversation. He didn't lecture. He asked a lot of questions. What's one of the biggest things you've learned from, uh, Robert, uh, since you've been working with him? Yeah, so I, I kinda coin them Robertisms. That's the term that him and I use. It's, it's things that I've picked up learning from him. In the early days, it was literally just me and him traveling to health systems. Uh, the company had a couple healthcare customers, but they just kind of won them through just brute force wins and RFPs. They didn't- Mm-hmm. They were a Canadian company primarily and just opened their US office, and being a Canadian company, they didn't understand the US health system. They didn't understand the whole model, the pay model, bundle payments, all that kind of stuff. So early on, and as you know from when you met him, um, just recently, is he just has a really deep curiosity. Um, even though he knows a lot and he's been very successful, and he's obviously, you know, been doing many investments for 16 years now on TrackTech and stuff, he just has this kind of endless curiosity. And I think one of the best things that I learned from him is we would go into these, you know, large meetings, whether it was with a, a health system or a payer or a medical device company, and they would give us this grand vision of what they wanted to do, and he would just look at them and say, "Why?" Why are you do- why would you wanna do that? Mm-hmm. And I, I don't think that question is asked often enough. I think there's a lot of assumptions that we make on my side of the fence, um, and as on enterprises, that this is just what we should be doing, or this is just, this is what everybody else is doing. So he would always push back and just say, "Why? Why, would you do that?" Even if, even if he agreed with the strategy or the decision that they were telling us they wanted to make, he would always kind of pu- he always pushes people to say, "Why are you doing this?" Uh, and I think that's a really powerful insight, because I don't think that we do that enough, um, still today, especially with the pace that things are moving right now with AI and, procurement and such. Like, people are just saying, "We have to do this," versus saying, "Why, are we doing this?" Like- what is the problem that we're trying to solve? And that would be, I think, one of the, one of the interesting things that I learned from him. Yeah. I think, uh, you know, you, you've become a partner at the 229 Project, and it's one of the questions that we use all the time too, what's the problem you solve in healthcare? Mm-hmm. I know you have something really cool coming up, because I don't know what it is, and I think we have a call scheduled for you and me and maybe Sarah, uh- Mm-hmm ... to do some exploration on that, so I'm excited about that. You get a lot of exposure to healthsec- healthcare security challenges 'cause you travel around the country, you talk to a lot of the CISOs, a lot of, uh, the security peers in the community. What's one of the biggest problems you're working with them to solve right now? there's two categories. One, like, full disclosure, we do have, I think, an interesting solution for it, but I'll, I'll take the one first that I think affects all of us, and it's really kind of around this sprint to AI, which I know you guys have talked about at some of your CIO summits and such. I know Bill has written some really interesting articles on 229's own experiences, kind of doing some of this stuff in-house. So I, for me, having been in this industry for a long time, it, it really kind of- Reminds me of, like, the meaningful use days, where it was full speed ahead on EMR adoption and infrastructure build-out and, and building data centers. And back then, security was just a subdivision of potentially network infrastructure. If there was a CISO, that was pretty rare. Maybe at some of the really, really big institutions, but it was pretty rare that cis- security was, like, at, at a leadership role. And it was just kind of full tor- full, you know, damn y- full speed ahead. And I think that's kind of where we are today. Organizations are just saying, "We have to do this. We have to deploy AMIA listening. We have to get better control of pop health. We have to... We're, we're using all these firms to do reimbursement, um, analysis for us." And security's just kind of, like, catching up and trying to figure out what's happening in their environment versus kind of understanding and having a seat at the table and actually being able to put some controls in place. Mm-hmm. So to me, that's one of the things that, that comes up a lot, is we have a lot of conversations with CISOs and CIOs saying, "I don't necessarily know what's going on in our environment. I don't know what our end users are using. I don't know what our research or IRB groups are doing. I don't know what our, um, in-house developers are doing. Uh, I, I don't really know. Can you help... What, what can we do to help find out what's happening? And then what can we do to actually put some controls and guardrails around it and kind of drive people into whatever lanes that they should be going into?" Mm-hmm. So to me, that's one, like, consistent challenge that we hear, you know, in most of our conversations, and even at the board level, is the train's moving or the car's down the freeway. We have to start building guardrails as the car is driving. Um, the second, and this is the area that we've, we've invested, um, which we've, we've recently launched, for us is just, it's really trying to deal with context. Um, companies like us that do manage security services, um, and there's, there's a lot of us in the space, it's actually the most fragmented space of the cybersecurity market. If you look at things like firewalls or endpoints, um, you know, the top one or two vendors own anywhere between 60 to 70% of the market share. Mm. In the managed security services space, the top 12 own, like, 15%. It's a very, very fragmented space. There's a ton of players. There's regional players. There's- A lot of competition, yeah vertical specific players. Yeah. So, um, I think, I think all of them, like, all of us do a good job. Um, there's different, you know, paths that organizations are taking. For us, we've been doing managed services since 2015, um, at the enterprise level. So we like to joke that we've kind of made every mistake or learned every hard lesson that we can, um, of delivering a, a, a service at a reasonable price for our clients. But there's still ... The biggest problem we have is context. So in healthcare, everyone knows their CMDB is just really in- not reliable. Yeah. You've got various different platforms trying to tell you things. So what we've, what we've tried and been really focusing our efforts on is giving the right context at the right point in time. So it's something that we'll talk about when we do our solution showcase with you guys, but the, the best way I can describe it is instead of there being just a regular security alert that says there was a malicious file on this device, and the device name is some gobbledygoop of numbers and letters- Right with some random username, what we're doing is it will actually list out, this is the user, they work in revenue cycle, they typically access these 12 applications. Here's their manager. Here's what they ... Here's what their device was doing. Here's what the endpoint product stopped. But more importantly, um, the term is starting to come up, I'm sure, I'm sure some of the big organizations will start to brand this, um, but we call it the blast radius. Um, healthcare has so many vulnerabilities. Everyone knows that patching is a huge problem. But what is the actual blast radius if one of your assets gets exploited or, or a user gets exploited? Like, what could it actually do? Would it take down a portion of your environment, or would it just- Mm-hmm prevent that user from doing their job? So we've really switched to this view of like what is the blast radius so that we can work with our IT partners to say, "I really need you to patch these four devices, and here's the reasons why." Yeah. Because if these things go down, it's gonna affect these 35 applications, and it's gonna affect these 1,500 users, and these 1,500 users perform these functions. Um, and then providing that into their ServiceNow or their Freshworks or whatever their platform is, um, ticketing system so that the IT partners can say, "All right. You've made the argument. I feel like we should close this gap." So to me, it's really the trying to keep up with the AI innovation and deployments in healthcare, but then also how can we manage the context and the risk of what is actually important in our environments versus saying we have 5,000 vulnerabilities that have to be fixed. Yeah. Prioritization and context is kind of everything right now, especially with- Yeah ... the AI available to the bad guys to be able to do the things that they're doing today, too, so. , It's definitely an arms race. The, the best... One of the best ways I heard it described is for the last, you know, 40-ish years, it's been humans versus humans. You know, human code versus human hackers or human exploiters, right? And then in the last couple years, it's been humans versus machines. So you've had ransomware groups and threat actor groups that have kind of automated some of the functions when it comes to attacking, and now it's machines versus humans 100%, where the machines are actually doing the scanning and the recon and potentially package deployment. And the next five years it, it's gonna be machines versus machines. Mm-hmm. So you're gonna have machine-written software development code using AI tools versus machines trying to hack into machines, and that's gonna be a completely different, uh, experience than what we, what we've had, um, in this industry for the last, you know, 15, 20 years in healthcare. Man, we do live in interesting times. Adam, I'm really, uh, I'm really glad you were on. I'm looking forward to the solution showcase and, uh, I'll talk to you again soon. I'm sure our paths will cross in person sometime soon. I I appreciate it. Thank you. thanks for joining this executive interview with me, Drex DeFord. Here at This Week Health, we believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe, and share all of this with a colleague. Thanks for being here. I'll see you around campus




