Webinars Detail Page

Clix Webmaster on 05/07/2026

← Back to All Webinars

Webinars Detail Page

In this episode, Tom Furr, CEO and Founder of PatientPay, discusses how the Shift in ACA enrollment is driving more high deductible health plans.

Highlights of this episode include:

  • How the reduction in ACA enrollment numbers are affecting out-of-pocket payments
  • How should providers prepare for this change in coverage
  • Long-term projections

Subscribe Today!

Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast.  We’re pleased to welcome Tom Furr. Tom is the CEO and founder of PatientPay, the leading patient payments partner for acute, ambulatory, and specialty care organizations. Prior to founding Patient Pay, Tom was the CSO and COO and board member at MobileSmith Health. He was also a co-founder and president of Kinetics Inc., an early online commerce provider for small businesses with partners such as Wells Fargo, First Union, and Netscape. In this episode, we’re discussing the shift in ACA enrollment and how it’s driving more high-deductible health plans. Welcome, and thank you for joining us, Tom.

Tom Furr: Hey, thanks for having me, Kelly.

Kelly: All right, well, let’s go ahead and jump in today. So how is the reduction in ACA enrollment numbers affecting out-of-pocket payments for providers?

Tom: Yeah, obviously, the Affordable Care Act was in the media a lot back in December. And so, it kind of got me thinking of, well, if these people leave the ACA, does that mean they’ll be uninsured, or do they move back to the employer insurance? And so, I started looking at the data out there and it’s quite interesting. It’s obviously, as of, I think, a week or so ago– and these are all numbers from Google Gemini. So, if they’ve changed, blame it on Google. But there was about 1.4 million people that had– or 1.2, 1.4 million that had left the ACA. And the ACA has kind of grouped within the private insurance market. And so, the private insurance market had been growing from ‘24 to ‘25. It was up about 1.4 million folks that were subscribing to insurance and are paying for insurance. And so, the question is, if they’re uninsured, there’s a different way to approach it if you’re a hospital or you’re an ambulatory group or what have you. If it’s insurance, what is that insurance going to look like? And so, what the numbers, the stats are looking at right now is, at least according to Google Gemini, so don’t blame me, the folks that are dropping off of the affordable moving over back to business insurance. Now, not all of them, obviously, but a vast majority of them. So, then the question is, okay, if all of these people are moving over to back to their employer-sponsored insurance plans, and are they all jumping into a fully high-end insurance plan? Is it a high-deductible plan? And because dealing with that versus uninsured, now you got to deal with claims and adjudication, and then you can only start billing at that point, or trying to do estimations on the front end of any services that are rendered.

And it was the numbers…I found them very interesting, at least on the high-deductible plans that are out there. And in 2024, there was give or take 27 to 29% of covered lives were using a high-deductible plan. That number grew to 33% in 2025. So, it was up, call it, 4 or 5%. And the estimation is now with more people moving over to their employer-sponsored insurance, that the companies now are having to find a way to help control costs in healthcare. And right now, it’s estimated it’s going to grow at least 20% in 2026. So, you could have upwards of 40% of people in employer-sponsored health plans now using high-deductible plans. And the other interesting stat was that 59% of employers out there are trying to find ways to control costs, unfortunately. And this is one of the ways to do it. So, it has been kind of an eye-opening experience because PatientPay obviously helps medical groups, hospitals, other folks in healthcare collect more dollars. And if you’re doing it on an uninsured patient, you want to catch them before they come in, you want to offer discounts, you want to incent them to do it. But if they’re moving to high-deductible plans, there’s a different strategy more on the back end, some on the front end with estimation. So, we’ve been digging into the numbers, and it’s been, to be honest, really quite eye-opening compared to the narrative that was kind of given back in December of last year on the potential that could happen with the shift in the Affordable Care Act. A lot of numbers, so I’m sorry to bore you with all the stats and everything.


Kelly: No, no, I mean, those are great numbers. I mean, it is very eye-opening. I have a high-deductible plan, so I can totally understand what you’re saying. But how should providers prepare for this change in coverage?

Tom: Well, that’s the next thing is, as we know, deductibles are becoming more and more a larger part of the dollars that are paid to providers out there. And the individuals now as a standalone, the largest payer into the system of healthcare, assuming you look at individual versus UnitedHealthcare versus Blue Cross and so forth and so on. So, there are lots of areas that need to be addressed in healthcare that, to be honest with you, haven’t been because they didn’t need to, but it’s continuing to become a material part of healthcare. And there’s a couple things that are necessary when it comes to the patient. And one, front and center is clinical care, and to have the best clinical care is priority number one. But priority number two is having a good experience with this portion of it. And for younger folks out there, you see that they are very interested in being able to pay things easily, understand bills, all the different components of what they live in outside of healthcare, right? They are able to go to Shopify to buy stuff. They’re able to do Instagram and buy stuff. I mean, it’s just a part of their day in life that allows them to, if they want to buy something, they can buy it. They can buy it easily. They don’t have to get checks out or get paper statements in the mail. And so, it’s important that medical groups and hospitals allow for patients, one, to understand going in with their eyes wide open on sort of what’s going to be expected of them. It’s kind of like when you take your car in to get fixed. You don’t know exactly what it’s going to be, but at least you have an idea of what it’s going to look like.

And then have an easy way for patients to pay these bills that can be through payment plans, electronically, all the different areas that help them to handle, quite frankly, some big bills. And it’s not that people don’t want to pay, not everyone, of course, but most people want to pay their healthcare bills. There are challenges when it comes to understanding those bills. There are challenges when it comes to paying those bills. There are all kinds of challenges. So, to make it as frictionless as possible for them to understand the bill and to make it as frictionless as possible for them to pay the bill in whatever manner they have. And as you know, Kelly, if you have a high-deductible plan, you most likely have an HSA account with it, hopefully, because it’s tax-free. And you also know that you have limited dollars that are put onto that by hopefully you and your company. So even though they want to pay $1,000 bill, they might only have $200 a month on that card that they can pay towards that. So, they might need a six-month payment plan to accommodate that. And so, to be able to help the patient, one, understand the bill. And one of the things that one of our groups uses, they allow us to integrate the EOB into the patient bill. So now you’re looking at your insurance EOB, you’re looking at your bill, you go, “Okay, these match up, check.” I understand I owe it. Number two, I have an HSA card. Do I even know how much is on this HSA card? So, to give them the ability to understand the total dollars on that card is important. And then three, to give them the ability to pay it based on the limited dollars that are put onto that card each month.

All of these things sound simple, but in healthcare today, it’s pretty challenging. And to be honest with you, I have the HSA card. I have a high-deductible plan. And inevitably, my wife will call me and say, “Can I use this card? Because I don’t want it to, quote-unquote, ‘bounce’?” It’s just you don’t have enough money on it. Right. So I have to log in, look it up. Then I call her back and I say, “Yeah, it’s only a $500 bill. We have it in there.” But if it’s a much larger bill than that, we might not. So, it’s a complex world out there in healthcare and to try and make it as easy to understand and easy to pay is kind of, we feel, mission critical.

Kelly: Completely agree. And I love what you said about making it as frictionless as possible. I can totally support that. So, what are the long-term projections for patients signing up for these high-deductible health plans?

Tom: Yeah, the assumption is that they could be at 50% of the total market within the next three years or so, at least from what I’m seeing. And the expectation is it’ll continue to grow from there. So, it’s a material part of the medical group’s dollars that they collect. And as you know, if you’re a primary care group, you’re now having to collect these dollars because the patient potentially hasn’t hit their deductible yet earlier in the year. And later in the year, you don’t have as much challenging in some instances. But it’s definitely an area that is growing and will continue to be challenging based on the complexities of healthcare. But there are ways to simplify it.

Kelly: Great. Well, having it simplified is always a good thing. Well, thank you, Tom, for sharing your insights with us on the shift in ACA enrollment and how it’s driving more high-deductible health plans. You know, if a listener wants to learn more or contact you to discuss this topic further, how best can they do that?

Tom: Yeah, so our website is https://www.patientpay.com/, P-A-T-I-E-N-T, P-A-Y dot com. My email is tf@patientpay.com. And then our telephone numbers on our website if you’d like to call, but I’d be happy to talk more and learn more about this from others out there.

Kelly: Awesome. Well, thank you so much for joining us, and thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…

[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.holdings/podcasts. The Hospital Finance Podcast is a production of Besler Holdings.

If you have a topic that you’d like us to discuss on The Hospital Finance Podcast or if you’d like to be a guest, drop us a line at update@besler.com.

Subscribe Today!

Quick Links

About
Team

Podcasts

Solutions

Medicare Appeals

Contact Us

Contact

©2026  Besler Holdings Terms of Use | Privacy Policy | Corporate Compliance

Medicare Cost Report Appeals and Reopenings–What You Need to Know Webinar [PODCAST]

Kelly Wisness on 05/06/2026

In this episode, Kristin DeGroat, Besler Holdings’ Chief Legal Officer, provides us with a glimpse into Webinar, Medicare Cost Report Appeals and Reopenings: What You Need to Know, presented live on Wednesday, May 13, at 1 PM ET.

Highlights of this episode include:

  • What is this webinar about?
  • Who would benefit most from this webinar and why?
  • Key takeaways
  • Best practices

Kelly Wisness: Hi, this is Kelly Wisness. We’re pleased to welcome back Kristin DeGroat, Besler Holdings’ Chief Legal Officer. In this episode, Kristin will provide us with a glimpse into Besler Holdings’ first webinar, Medicare Cost Report Appeals and Reopenings: What You Need to Know, live on Wednesday, May 13, at 1 PM Eastern Time. This is our first in our Medicare Cost Report Appeals and Reopenings Series.

Welcome back and thank you for joining us, Kristin.

Kristin DeGroat: Well, thank you for having me back.

Kelly: Well, let’s go ahead and jump in today. So can you tell us what’s this webinar about?

Kristin: So, we’re going to talk about the Provider Reimbursement Review Board, at least a background of that. And then we’re really going to focus on what you need to do to preserve your appeal rights as well as your reopening rights, which are different and are handled differently. And we’ll get into a little bit of the differences and provide some best practices.

Kelly: Awesome. Sounds like it’s going to be a great webinar. So, who would benefit most from this webinar and why?

Kristin: So, most people immediately think, “Oh, this is just for reimbursement people.” But actually, people in patient financial services, even executives that maybe don’t deal with the cost report and appeals and reopenings and really don’t get into the depth. But there are data elements that we need, which usually come from patient financial services. There are cost report elements needed. And again, you need the buy-in at the top so that they understand what it takes and maybe the costs associated with filing appeals and/or reopenings.

Kelly: Well, that makes a lot of sense. So, what will be some of the key takeaways from the webinar?

Kristin: So, the key takeaway, I think, really will be, “I can have an appeal that preserves my rights, and I can have a reopening at the same time.” Most people don’t realize that. And so, I think that’s beneficial where it’s an issue that can be settled. So, the problem we’ve got with the board, right, in filing appeals is that they often take a number of years. And so, the reopening may be the faster route, not always, but maybe the faster route to getting the dollars.

Kelly: That makes sense. And yeah, I didn’t know that you could do an appeal and a reopening at the same time, so I’m sure others don’t know that as well. So, what best practices do you have for those going through an appeal or reopening?

Kristin: So don’t take any chances. Don’t just assume you’re going to be able to appeal or reopen. You need to understand the specifics of those rules and how they apply to your cost report. Protest, protest, protest, protest, that is the key. And again, file your reopenings, even if you have an appeal.

Kelly: Those are some great best practices. Thanks for sharing those with us. So why is having an external partner important for this very complex and often long process?

Kristin: The change in rules between the cost report rules, the reopening rules, the board’s rules. There are many pitfalls. And if you don’t understand how they fit together, you could lose your right to appeal or reopen. So, you’ve got to understand how that comes together. And having an external partner that focuses on the rules, the changes, ensuring that everything is filed properly, that you have the right tools to ensure that your appeal rights are protected.

Kelly: No, that makes a lot of sense. Sounds like finding the right partner is important for this process. Well, thank you–

Kristin: Definitely.

Kelly: Yeah, so thank you so much for joining us, Kristin, and for giving us this glimpse into Besler Holdings’ free webinar, Medicare Cost Report Appeals and Reopenings: What You Need to Know.  Join us live on Wednesday, May 13th, at 1 PM Eastern Time. And as a bonus, you can also earn CPE. Thanks again, Kristen.

Kristin: You’re welcome. Looking forward to seeing everyone Wednesday.

Kelly: Sounds great. And thank you all for joining us for this episode of the Hospital Finance Podcast. Until next time…

[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.holdings/podcasts. The Hospital Finance Podcast is a production of Besler Holdings.

If you have a topic that you’d like us to discuss on The Hospital Finance Podcast or if you’d like to be a guest, drop us a line at contact@besler.holdings.

Using Tech to Boost Patient Care and Streamline Operations [PODCAST]

Kelly Wisness on 04/29/2026

In this episode, Beth Raboin, Founder & CEO of Global Medical Virtual Assistants, discusses using tech to boost patient care and streamline operations.

Highlights of this episode include:

  • What is a medical virtual assistant?
  • Where do hospitals typically see the most meaningful cost savings or efficiency gains when using the medical VAs?
  • How GMVA ensures medical virtual assistance remain fully HIPAA-compliant and safeguard patient information while working remotely
  • How the virtual assistant model scale for larger hospital systems or multi-facility organizations compared to smaller practices
  • Where’s the best place to start to ensure long-term ROI?
  • What other hospital departments are a good fit for medical virtual assistance?

Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. We’re pleased to welcome Beth Raboin. Beth is leading GMVA in vision in the day-to-day business operations securing the functionality of the business to drive extensive and sustainable growth. Combining her strong leadership and determination with over 22 years of corporate experience in the private and public sector of surgical device, pharmaceutical, and specialty pharmacy industries, she keeps the company moving forward with high-level strategy while understanding the details of day-to-day execution to ensure steadfast success.

Prior to Beth’s corporate and entrepreneur experience, she competed as a full athletic scholarship athlete as a Division 1 gymnast at the University of Florida, where she graduated with a Bachelor of Science in Health Sciences.

In this episode, we’re discussing using tech to boost patient care and streamline operations. Welcome, and thank you for joining us, Beth.

Beth Raboin: Oh, thank you so much for having me, Kelly. I’m so excited to be here.

Kelly: We’re excited to have you. So, let’s go ahead and jump in. So, for listeners who may be newer to the concept, what exactly is a medical virtual assistant? And how do they differ from traditional outsourcing models?

Beth: Yeah, oh thank you so much. Starting with a big question there, Kelly. So, first of all, medical virtual assistants are additional staff that you can bring into your hospital or medical practice to help facilitate some of the back office work that needs to happen. So, we do not do clinical care. Medical virtual assistants do all of the clerical and/or administrative patient care that happens behind the scenes. So that’s the differentiator between your typical in-hospital setting versus bringing in a medical virtual assistant. And how we’re different from other models is you’re not outsourcing. You’re not sending and outsourcing all of the work elsewhere. That’s not how it works. We are actually more like an insource. We’re additional staffing that’s brought into your medical practice and/or hospital to do the work that needs to get done within your tools, within your systems, within your workflows. And so, we’re actually integrated as part of the team.

Kelly: I love that. It’s so intriguing. From a financial standpoint, where do hospitals typically see the most meaningful cost savings or efficiency gains when using the medical VAs?

Beth: Oh, gosh. Well, so we’re a fraction of the cost of what it would be to hire someone here in– within the hospital system within the United States. We are outside of the United States, so we’re mainly in the Philippines where the cost of living is lower. So therefore, the cost structure for our business model is also lower. And where they can utilize our services is just, it’s endless. Where we’re seeing where we’re a huge asset– for example, we just were onboarded this past year with a huge healthcare hospital system on the West Coast. They brought us just in to do patient access to fill in some open appointments, making sure patients are going to show up to their appointments, and then backfilling the appointments within the schedule that those patients were not going to show up to. And they saw an immediate, an immediate, I think it was like $2 or $3 million difference in their bottom line just within two quarters. So that’s just one simple example. We’ve also been brought in heavily within the hospital systems, within revenue cycle management. Collecting dollars is critical for hospital systems, making sure that denied claims are in fact paid. And so the resubmittal of claims, following up on denied claims, making sure that patient balances are paid, all of that. So that also is a really big– a really great place to be able to bring in our staff to help and augment the way things are being done within that hospital.

Kelly: Wow, I mean, so some significant savings there. That’s awesome. So how does GMVA ensure medical virtual assistance remain fully HIPAA-compliant and safeguard patient information while working remotely?

Beth: Yeah, well, so there’s a few different ways we do that. Number one, we’re hiring professionals, right? We’re hiring people who have a bachelor’s degree, a bachelor’s degree, typically in nursing. They understand healthcare. They understand HIPAA and PHI. And so, they’re put through obviously a HIPAA certification class, so they’re HIPAA-certified, but that’s not enough. That’s just not enough to ensure patient information is– it’s just not enough to make sure patient information is protected, right? So, we put in additional safeguards and everyone works remotely, they’re not working within a call center, they’re working from their home. So, we’ve put additional software security on their computer systems to make sure that they’ve got a closed network that they’re working within. So, they’re logging directly into the client’s EMRs, directly into the client’s tools, and we need to make sure that there’s no nefarious actors or viruses are able to penetrate the system. So, we’ve got a pretty substantial, what we call a blue box on their computer, and they’re working within the safeguards of that system. It’s amazing. It’s been one of the things that we heavily invested in just to ensure that we’re protecting patient information. But beyond that, we’re also protecting the tools of our clients because we all know that viruses and/or nefarious actors are working consistently to try to break into hospital systems, break into hospitality, break into banks, and any possible way that they can try to penetrate a closed off system. So, we do everything within our power to make sure that we’re keeping patient information protected.

Kelly: Yeah, I know HIPAA compliance is so important. And for lack of a better term, it’s an epidemic that we’re just kind of hitting. We’re being hit with all these bad actors all the time. So, it’s just a constant issue, isn’t it?

Beth: Oh, constantly. So, I mean, we’re all getting them even into our private email addresses, work email addresses, people sending over what you think looks like a real invoice, but it’s not a real invoice. You click on it, before you know, you’re in trouble. So yeah, we’re trying to do the absolute best we can to keep up to date on protecting any and all software that we’re logging into.

Kelly: Definitely, yeah. So how does the virtual assistant model scale for larger hospital systems or multi-facility organizations compared to smaller practices?

Beth: Yeah, I mean, the scaling is one of the things that we’ve really become a specialist in. What we do is the onboarding of our services can be– that’s where you have more skin in the game, and there’s a good six to eight weeks of training us on your tools, your systems, your strategies, your service level agreements that we work out with you. That’s where really that’s some of the hurdles you need to get over in the beginning. Once we do that, we have all the training materials necessary to then scale with you, so your team is no longer having to do the training, right? So, scaling has really been one of the wonderful things that we can do really quickly and efficiently. And hospital systems for sure– like I said, I had mentioned one particular hospital system. We had another hospital system we also started with last year that just wanted to start with 10 medical virtual assistants. And within a month’s time, they were like, “Wow, this is really working out amazing.” And they’ve already scaled up over 75. And so we’re able to be able to do that for them and really kind of keep up with the pace of what’s necessary and intending to bring in really great talent to be able to do and meet the service level agreements that we’ve come up with along with our client to make sure that we’re bringing nothing but the best in terms of patient service. So yeah, it’s been an interesting, fun business model. I love the scaling piece of it. It’s one of the things that we’ve I’m really great at. And it is different for a large practice or a large medical system versus a smaller practice. Smaller practices, they just don’t see the huge patient volume that a large system would see. And so, but we can still manage and handhold them through bringing on one, two, three virtual assistants. But in a hospital system, we can bring in 25, 50, 75, 150 virtual assistants and scale and keep them and manage them.

Kelly: Yeah, that sounds pretty awesome. I mean, I love what you said about scaling with you. That seems like something that you got that is very valuable. So, for a CFO or revenue cycle leader considering medical virtual assistance for the first time, where’s the best place to start to ensure long-term ROI?

Beth: Yeah. I mean, of course, one of the first places you would want to start– any one of us would want to start is where we can make an immediate impact to the bottom line, so whether that’s patient balances, whether that’s following up on denied claims, whether it’s submittal of claims. As we become more and more infiltrated into some of the hospital systems, we’re learning that there’s large amounts of balances that are still not on the balance sheet, that just have not been paid to the bottom line yet. That’s where we can make an immediate impact. How we are different than other outsourced companies is we don’t take a fee for that. That’s not how we function. We don’t get a percentage of what is collected. That’s just not what we do. We are additional staffing. We are butts in seats to do the actual work. And so that also is a really great benefit to the hospital or medical system because then they’re not losing part of that revenue to an outside source. And so that also is an additional part of the way we function in terms of bringing an additional asset to the team without getting a part of what those payouts would look like or a percentage of those fees.

Kelly: That sounds pretty awesome. Beyond those revenue cycle teams, what other hospital departments are a good fit for medical virtual assistance?

Beth: Most definitely anything within specialties. Specialties are really where we shine. We have extensive training internally for particular specialties. So, our medical virtual assistants are very well versed in the types of procedures that they’re going through, whether it’s in neurology or it’s the cardiac unit or it’s in the fertility space. We become quite versed in being able to have those conversations with patients or internally with the existing staff, knowing the medical terminology is there. We understand the patient journey. We understand the procedures that are taking place. We understand the medications that the patients are being given. So, when it comes to be doing prior authorizations for patient medication or prior authorizations for getting diagnostic care or getting the procedures done, we can do all of that. So, we really fit really nicely in every piece of the model within revenue cycle management, if you include prior auths and insurance verification as part of that journey. We can do all of that. But patient facing, patient access is also something we’re really, really fantastic, and we have a great fit within models of the patient access.

Kelly: Yeah, that makes a lot of sense. Well, thank you so much, Beth, for sharing your insights with us on using tech to boost patient care and streamline operations. If a listener wants to learn more or contact you to discuss this topic further, how best can they do that?

Beth: Yeah, we’d love you. Just go right to our website. You can find so much information. So, it’s https://gmva.com/, and that’s Global Medical Virtual Assistants dot com. And we’ve got voice recordings there of what our virtual assistants sound like. We have podcasts like yours, Kelly, will be on there kind of listening to hear what we’ve done or what we do, as well as a whole host of other resources, and also a way to be able to quickly schedule a strategy session to have a meeting with us and have a Zoom call with us to get a better understanding of how we can fit into your model.

Kelly: Great. Well, thank you for providing that for us, Beth. And thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…

[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.holdings/podcasts. The Hospital Finance Podcast is a production of Besler Holdings.

If you have a topic that you’d like us to discuss on The Hospital Finance Podcast or if you’d like to be a guest, drop us a line at contact@besler.holdings.

The AI Security Blind Spot That Healthcare Can’t Afford to Ignore [PODCAST]

Kelly Wisness on 04/22/2026

In this episode, Vrajesh Bhavsar, CEO & Co-founder at Operant AI, discusses the AI security blind spot that healthcare can’t afford to ignore.

Highlights of this episode include:

  • What’s the AI risk that most hospital leaders still don’t fully appreciate
  • Zero-click vulnerability
  • How autonomous AI fundamentally can challenge the compliance model healthcare
  • Why traditional security tools struggle to keep pace with the way AI actually moves data inside a health system
  • What the real financial and reputational costs are when a healthcare AI deployment goes wrong
  • What the first steps are to take to understand their actual exposure

Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. We’re pleased to welcome Vrajesh Bhavsar. VJ is an engineer with a Master’s in Computer Science from USC and over 20 years of experience building hardware and software products. VJ built core technologies for iOS and Mac OS, including dynamic tracing, data protection, and secure enclave at Apple. He holds eight patents in distributed systems, data, and security. He is passionate about building technology-first businesses that drive positive human impact at scale.

In this episode, we’re discussing the AI security blind spot that healthcare can’t afford to ignore. Welcome, and thank you for joining us, VJ.

Vrajesh Bhavsar: Hey, thank you for having me.

Kelly: Well, let’s go ahead and jump in. So, AI is being deployed across healthcare at a remarkable pace. From a cybersecurity standpoint, what’s the risk that most hospital leaders still don’t fully appreciate?

VJ: That’s a great question. And it’s such an exciting time that we are living in. There are so many new innovations coming to the entire space. And the impact of AI in so many different areas gets really exciting for a lot of industries where this kind of innovation is needed. And, of course, healthcare has so many different areas where AI can be applied, but also there are a lot of risks that come in when you are exposing this kind of critical area of safety and care to this kind of new innovation. And so the big risks that we see in a lot of interactions we are having is how when you have a lot of kind of new innovation getting sprinkled across use cases and areas where you didn’t really understand the full scope and things are operating without a lot of visibility, especially in the deep areas where sensitive data is in question and you have patient information as well as ways that a lot of the third party systems are going to interface with these things. That’s where there are so many risks that it’s not fully understood and appreciated.

And the thing that really gets people is that we are used to kind of operating with these innovative systems in kind of traditional systematic ways, that A plus B results in something. But in the world of non-determinism, where there are a lot of new attacks coming in, the level of risk really, really goes to the roof. And the kind of attacks that have come through in terms of prompt injection or zero-click, and a lot of things that have been reported across the industry, and we have done some of the work ourselves. It really throws people back into like, “Oh, wow, I didn’t realize that this can really exfiltrate the data at such scale and such speed.” And the level of protections and defenses that people had through traditional tools are now out of question.

Kelly: Yeah, it’s definitely an interesting time in healthcare and AI, and there’s a lot to consider there. You recently discovered a zero-click vulnerability that can silently extract complete patient records without leaving a trace. What does that mean in plain terms, and why is it a signal of a much larger industry problem?

VJ: That’s a very interesting question. And I think as an industry, we have been trying to get everyone to kind of understand that, “Hey, don’t respond to random emails, don’t share credentials, don’t go chase random links and all that, right? But what’s happening in the world of AI is that without users taking any of such risky actions, now you can have a massive exposure and that’s what zero click refers to. And what we discovered is that a lot of these AI systems as they are interfacing with so many different data sources and all the records and all that, they can actually go take the credentials and access that you have given them and try to be helpful in ways that can actually result in data exfiltration and leakage at a massive scale. And so, what we are finding is there are the kind of attacks that come through in AI systems that are prompt injection or jailbreak attempts. And those things are getting embedded in documents, in ways that are invisible to the human eye, but those instructions mean a lot to what an AI system or an agent bot is going to do.

And that’s where, now, you are bringing– you have so many, so much intelligence baked into these AI stacks that they are trying to be super helpful and trying to kind of take all these instructions that are embedded and the users didn’t do anything wrong, but this is where some of the attacks that are coming through. Some of the ones that we have discovered and the industry has discovered, even Anthropic reported several different types of attacks. And there is a lot of education needed in the industry to really kind of understand the scale and scope of what these intelligent, non-deterministic systems bring in these critical environments.

Kelly: Completely agree. There’s definitely a lot of education required for us. VJ, HIPAA was built for predictable human-reviewed workflows. How does autonomous AI fundamentally challenge the compliance model healthcare has spent decades building?

VJ: I know. This is where we are really passionate about like there is so much to be done, and I know HIPAA is trying to catch up on a lot of the new innovation. But at the end of the day, there is kind of like an inert way in which HIPAA assumes there are human accountability layers behind all the different decisions that are getting made. And I think that’s the thing that gets thrown out the window when you bring in agentic AI. And in these environments where you are passing responsibility, you’re passing autonomy, you’re passing decision-making capabilities to agents and at a speed of machine speed at which you can access so many different systems all at once and try to be helpful. That’s where there is no mechanism in place to even understand what these systems are trying to do. And beyond understanding, you need to actually govern and bring controls into these environments, right? And I think that’s kind of the core to a lot of the challenges and what we refer to it as runtime visibility and runtime controls.

And when these agents are getting born and they are trying to figure out, like, “Okay, what are the instructions given to me?” And I’m going to try to make sense of that. I’m trying to access the systems that are available to me, and sometimes they overreach. And that’s when these breaches happen. That’s when, kind of, unexpected consequences happen. That’s when you end up with a non-compliant system. So, I think there is a lot to be done. I think the industry was still just catching up on what was happening in the world of microservices and all the API ecosystem. And now we have leaped directly into agentic environments. And I think that requires a full depth understanding of what all things are happening to stay compliant.

Kelly: Yeah, there’s definitely a lot of things happening right now, and I know HIPAA complicates things as well. So why do traditional security tools struggle to keep pace with the way AI actually moves data inside a health system?

VJ: Yeah, this is where we have gone through such massive waves in the last 30, 40, 50 years, right? And AI agents, and that’s a big, big one, that is going to completely change how security tooling and security requirements would work. But as you think about when cloud came about, there was a very bare bones kind of understanding of, okay, how am I protecting different network systems and databases? And this is very, very early on when you had your data centers, and firewalls came about to actually stop access to different parts of the data system, where different parts of the data center where you might have databases or critical data that you want to protect from different attacks. And over the years, we had usage of mobile and now usage of APIs, and there are so many different technologies have come into play, and you need a different approach for all these different technology adoptions that are going on.

And so, as you think about what is happening in the layers of APIs, in the layers of AI, in the layers of agent, you kind of need a very different AI layer firewall, right? The traditional things that used to be at the network layer, just trying to make sure that computer A doesn’t talk to computer B, it now needs to translate in the way that, hey, agent A cannot talk to agent B or agent A cannot talk to the patient record systems, or it needs to get permission from a human before it does that. And all those things are happening at such scale. We see so many stats about thousands of agents running and doing all these things every day in every enterprise. And so, when such speed and scale is at play, you’re going to need a different tool, a different system to tackle these systems, and it cannot be just a manual process. That’s kind of where a lot of the traditional tools fall apart because they relied on kind of checking the external boundaries, but they don’t know what is going on inside these environments. The tools used to be, oh, I’m going to scan code and try to make sure there is no threat lurking inside.

But when the code is being generated in real time by these agents, they’re coming up with new API endpoints on their own. They’re coming up with MCP servers on their own. And so, what do you do when this new code is getting generated on the fly? What do you do when intent and instructions can drift and can change over time? And that’s where you need something that is understanding what kind of actions are going on and make sure that you’re going to stay compliant as well as not bring more threats and risks into your system.

Kelly: Makes a lot of sense. Thanks for explaining all that for us. Beyond regulatory exposure, what’s the real financial and reputational cost when a healthcare AI deployment goes wrong? And is the industry pricing that risk correctly?

VJ: Look, there are a lot of people trying to understand a lot around pricing the risk and what to do in care of the benefits and kind of threats that come through. And I feel like we’ll learn a lot over the coming couple of years that how this translates in practical life, but definitely there’s a big shift needed, right? With the scale at which these agents can access the number of records, that’s really scary to be honest. There are different types of compliance rules and regulations around like, “Hey, XYZ number of records breached results in XYZ kind of fine.” Well, but also when you have the loss of trust, let’s say patients were trusting some EHR system or some hospitals and other systems with their private information that now suddenly when you have a massive scale breach, that trust is lost, there will be a lot of questions around like, well, do I want to be passing on all my data to the system that has a lot of security risks. But beyond that, there were a year or two ago, a couple of years ago now, where there was a massive outage at airports and airlines where some cybersecurity vendor was not able to deploy things properly.

And those type of operational risks that come in that can really bring down some of these systems and healthcare being such a critical infrastructure requires a level of kind of risk analysis before you put in AI into these environments where if something goes wrong, it can terribly, terribly bring down the entire infrastructure. And I mean, I think those things are obviously questions that a lot of the leaders are thinking through. A lot of the security teams that we talk to, the legal, financial teams that we interface with. And so those are things that are still kind of in flux and hopefully we’ll find ways to keep bringing innovation while also kind of bringing in the right guardrails and safety measures along the way.

Kelly: Yeah, no, definitely agree with all that. And what you were talking about, the lost trust really resonated with me because it seems like once that trust is lost, it’s hard to regain. VJ, for a CCO or Chief Compliance Officer who has already deployed AI across their organization, what are the first steps they should take to understand their actual exposure?

VJ: There’s a classic saying: You can’t secure what you can’t see, right? And I think in the world of AI and agents and APIs, I think a lot of leaders are realizing that discovery means a completely different thing at this point. A lot of teams have had engineering observability tools or some form of access visibility and all that. But I think what we are seeing is that as teams try to understand like, “What is going on? Okay. My teams have already deployed all this AI. They are using all these AI tools, or they have deployed agents in certain ways. Just getting visibility into what’s going on. That’s where everyone has to start.”

And being able to do that in all these different use cases and areas, so whether it’s employees using AI clients and talking to different AI systems and trying to, whether it’s private or public kind of exposure, there is a lot to be done in just understanding that exposure. When you have your EHR information or EHR systems as well as your other cloud environments, whether they are running on hybrid, private, there are a lot of different systems. People have to start with what are the AI models running? What are the agents running? And we’ve come across teams that feel like, “Oh, yeah, I have XYZ tool that gives me AI, SPM, and I know the five models that I’m running.” And when we actually go show them like, well, actually it’s not five. It’s like 97.

That really shocks people. And that type of sprawl has happened so fast in the last year or two that getting access to the telemetry that gives you that type of visibility, it’s something that is actually available, right? It’s such a daunting task to know what is going to come through. With kind of full visibility, we call it discovery. We talk about getting the right telemetry from the layers at which AI operates, layers at which agents talk to different agents and systems over APIs and MCPs. And if the leaders are uncomfortable kind of knowing like, “Do I really know how many things are running?” and that’s kind of the big gap that you have to start closing, and from there, you can set up the right processes around detecting the risks and then defending and controlling and governing all these different systems that are in your purview.

Kelly: Well, thank you so much for providing all that great information and for sharing your insights with us, VJ, on the AI security blind spot that healthcare can’t afford to ignore. If a listener wants to learn more, contact you to discuss this topic further, how best can they do that?

VJ: You can reach us on our website, operant.ai, and I’m also reachable on email directly, vrajesh@operant.ai. Thank you so much.

Kelly: Awesome. Thank you for providing that. And thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…

[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.holdings/podcasts. The Hospital Finance Podcast is a production of Besler Holdings.

If you have a topic that you’d like us to discuss on The Hospital Finance Podcast or if you’d like to be a guest, drop us a line at contact@besler.holdings.