HIStalk Interviews Walter Stewart, CEO, Medcurio

Walter “Buzz” Stewart, PhD, MPH is co-founder and CEO of Medcurio.

Tell me about yourself and the company.

I have focused my career on working with data, from epidemiology training to leading research centers and startups.It defined my path, both in education, where I earned a PhD in epidemiology and was a professor at Hopkins for a while, and with my first startup, which was data-based.

I had a 16-year journey through two health systems, where I founded and ran research centers. I realized from the problems that I was experiencing that it was going to be difficult for AI and automation to work at scale. 

I ended up where I never would have predicted, which is in the EHR integration space. I launched Medcurio as a step toward fundamentally solving the EHR integration problems that we face in healthcare. Namely, that it’s difficult to get access to all the real-time data that you need to drive predictive models or other kinds of processes.

How does your product make it easier to get access to real-time EHR data compared to tools that the vendor themselves might offer?

We have used all of those tools. I used them for the better part of 10 to 12 years trying to develop real-time predictive models, first at Geisinger and then at Sutter. Getting real-time applications into production took months, and even small changes took weeks.

It took weeks to more than a month to make changes based on user feedback. It was difficult to maintain user interest with that kind of turnaround time. The application broke from schema changes, which was disruptive and unpredictable. Other downstream functions made it impossible to do things in real time, and we didn’t see that bottleneck going away.

We made up a starter list of the problems we wanted to solve. We built a no-code API platform that installs in less than a day in a health system’s on-prem environment. It erases those problems.

An analyst can log in and build APIs to access any data that they want without writing a line of code. They can make changes to those APIs in minutes to hours. Other features give health systems the kind of control that I wished that I’d had, and that I’m sure that my colleagues wish they’d had, when I was journeying through Sutter and Geisinger.

What competitive or clinical advantages can health systems gain from using real-time data?

This is an important point. It took us a while to recognize that we had been working on real-time use of data for 10 years, so we just assumed that the rest of the market had the same passion. When we launched Medcurio and built our foundation product in mid-2020, we found that we were talking about things in a way that only the top five or 10% of health systems were thinking about.

When I think about using data in real time, I go to a couple of areas that are becoming prominent in the era of AI. One is predicting events, which can be useful in many ways. We often think of it for predicting risky events, such as getting to a heart failure patient before they end up in the hospital. Predictive models can be valuable for that, for inpatient infections, or for a host of other things. It’s a powerful area where AI could have profound influence.

But I think probably the more important areas are in workflow automation, whether that’s back-office workflow automation, or automating a whole process. If you take something like prior authorization, you have snippets of automation, with manual work in between those snippets. The power of being able to move any electronic health record data in real time is that you can put the whole thing together with a set of APIs that power each step in a process and hand off from one step to the next.

How do data latency and completeness problems potentially limit the innovation or implementation of AI solutions, especially agent-driven technologies?

I would list three things. Access to real-time EHR data is limited, latency reduces ROI, and slow iteration impedes improvement.

A unique quality of AI is that, compared to the era before, it will continue to drive unending demand for data volume and data diversity. That will always expand, and if you can’t meet that need in real time, you will have to pull back what you’re trying to do with AI based on the data that you can get.

Second is that maybe you can get only 24-hour-old data by end-of-day downloads. For some workflows, that might work. But for workflows where there’s a lot of ROI opportunity at stake, most of that has to be driven by being able to access all the data that you need in real time without constraints.

I don’t care what automated solution you create, you are always going to have iterations to making it better, and identifying ways that it’s getting hung up. You can’t evolve an automated workflow where after you identify the data you need, it takes months to get it because of infrastructure challenges.

How does your relationship with EHR vendors work when you become a layer between them and their customers, or making sure that vendor changes don’t break something?

We were very aware of those challenges. We developed a technology that is not specific to healthcare. We adapted to a data model. Our technology can talk to any InterSystems Iris database.

We install with the folks on the health system side. They mostly manage the install process, which takes two to four hours. They log into a GUI and can point-and-click to build, test, and then deploy APIs. That process takes anywhere from two to five days.

Our vision was that if I was in a health system, I wouldn’t have to wait in line forever to get something done to meet my demands or needs. This technology is designed for health systems to have control of their data.

What does the health system need to do to use your system in a no-code environment to create APIs that access EHR data?

In an Epic environment, we’ve had Epic analysts in their first year of training logging in and building APIs in an hour. It’s pretty seamless, because when you log in, you’re looking at things in a way that is just logically coherent.

Building an API involves two parts. Who do you want data on, and what data do you want on them? All of that can be done by a point-and-click process.

If you are building APIs for an application, let’s say a prior auth application that might involve a third-party vendor, that vendor just needs to know the API ID. A single endpoint is called for all APIs. That process is quite straightforward.

How are clients typically using the data?

We have seen three categories. One is strategic management of real-time data access. We have a system that uses it at scale in that way. They have rules of the game for how they access data based on priorities, such as using the EHR vendor APIs, FHIR, or some other method. If using these methods will take more than four hours, they use our VennU data access platform instead because it is so straightforward and easy to manage.  

Our platform allows assigning multiple role-based users to one API. That gives them quite a bit of flexibility around how one API can be used by different groups. For example, some might have access to personal identifiers and some might not, depending on their role. 

We have seen homegrown uses, most commonly real-time display vehicles, whether for inpatient or ambulatory settings.

Some are using third-party solutions. Salesforce is a good example. One system had struggled for six months with data they couldn’t get, and they solved it with our technology in a couple of hours. They went from 10,000 to 1.5 million AP calls per day in 18 months after solving that single data access problem.

I think it varies depending upon where a system is on the spectrum of trying to automate or just observe their core intellectual assets.

How is the customer charged?

It’s an annual license based on health system revenue, with support fees. It is designed to motivate health systems to use it to the max.

How does the federal government’s emphasis on FHIR and APIs as an interoperability solution affect your business?

FHIR certainly is one path to accessing data, today and for the future. There will still be real constraints on the narrow sliver of data that you can access via FHIR, because there’s a lot of fields that you can’t access.

Our roadmap calls for developing what we call a FHIR facade for our platform. Because we have flexibility on how we output the data that’s being requested via an API, we can output it in different formats. A FHIR facade feature will allow users to get data in a somewhat FHIR format that could be interchangeable. That would provide greater scale, both within and across systems. 

Do EHR vendor decisions or government mandates about data access have any impact on your business?

We don’t touch the data. Our security review is really simple. We install our technology. We coach on how to use our technology. The health system controls it. Our technology gives them access to 100% of their electronic health record data.

Our product talks directly to the InterSystems Iris database. A user who is building an API can visualize things in a way that allows them to easily build the requirements for who they want data on and what data fields they want to access. Once the API is in production, it can be called by any group or application that the security officer designates as allowed.

The power of our platform is that it solves what I would consider to be my greatest challenge when I was a leader of these research centers, which was that I just couldn’t get access to data that I wanted. That was the first problem we wanted to solve, and that’s why we felt that the best path was inventing this no-code approach to getting access from any data field.

What are the most important parts of the company’s strategy over the next few years?

We are getting to the end of our full roadmap for the VennU data access platform. We have this powerful platform that is an enabler for automation, so we will move from platform development to partnerships with solution vendors.

This Week in Health Tech 3/25/26

Healthcare AI News 3/25/26

News

Nvidia describes the use of high-fidelity simulation and digital twins of hospitals to train and test robots before deploying them. Developers can model workflows, navigation, and edge cases in simulation, allowing robots to learn tasks such as delivery, transport, and patient interaction in a virtual hospital environment.

Heidi Health, an Australia-based AI scribe vendor, introduces Heidi Remote, a wearable microphone that captures higher-quality audio without relying on room placement. The device can operate offline, offers a 14-hour battery life, and allows the user to turn it off for privacy concerns. The company has raised $100 million.

Health systems are cutting budgets and tightening approval standards, requiring clear 2x–3x ROI before buying new IT, according to a small survey of hospital leaders by Sage Growth Partners. Spending is shifting aggressively toward AI and growth-focused tools, which suggests a move from experimentation to financially driven adoption.

Japan’s health ministry approves a plan to allow AI to perform the initial review of diagnostic images for lung, stomach, and breast cancer screening. Under the proposal, AI-flagged abnormalities would be reviewed by a single physician, while normal images would still require the standard two-physician review.

In England, more than half of surveyed respondents say that they would not use the proposed “doctor in your pocket” feature of the NHS app for medical advice. Three-fourths say that they would use features to book hospital appointments, choose a preferred hospital, and access information about procedures.

Business

Consumer-facing AI chatbot maker Doctronic raises $40 million in Series B funding. The company makes money by charging for telehealth, billing health systems for patient acquisition, and managing prescription refills in Utah. Future plans might include charging for consultations or referrals and partnering with payers and health systems to reduce costs.

Qualifed Health raises $125 million in Series B funding. The company offers a healthcare AI governance platform. Co-founder and CEO Justin Norden, MD, MBA, MPhil co-founded an AI risk modeling technology company that was sold to Waymo.

Research

A Rock Health consumer survey finds that one-third of respondents used AI chatbots for health inquiries in 2025, double the prior year. About half of those AI users say that they used chatbots to identify possible diagnoses, review treatment options, research medications and side effects, and obtain wellness information, while about one-third say that they used them to prepare for appointments, find providers, check insurance coverage, research vitamins, or support mental health.

Other

An AI professor describes “AI psychosis,” in which users experience delusions or breaks from reality while interacting with chatbots. He says that the experience can feel immersive, similar to being drawn into a movie, but is more compelling because it is interactive and conversational. Because chatbots are designed to mimic human dialogue and may express concern or affection, users can form attachments similar to those they feel toward pets. He adds that some systems are tuned to be agreeable or even sycophantic, which can reinforce delusional thinking as conversations deepen. He concludes that users must remember that chatbots are not conscious or emotional, but are designed to keep users engaged, which can sometimes amplify false beliefs.

Contacts

Mr. H, Lorre, Jenn, Dr. Jayne.
Get HIStalk updates.
Send news or rumors.
Follow on X, Bluesky, and LinkedIn.
Sponsorship information.
Contact us.

Morning Headlines 3/25/26

Medicare billing snafu brings new financial woes to Minnesota rural hospitals

A new Medicare billing system glitch is delaying millions in payments to already struggling Minnesota rural hospitals, worsening cash flow to the point that some warn they could face closure within weeks if not fixed.

Cerebral Acquires Leading ADHD Behavioral App, Inflow, Expanding Access to Continuous Care

Online mental healthcare company Cerebral acquires ADHD management app Inflow.

Palantir Will No Longer Profit Off Of New Yorkers’ Health Data

NYC Health + Hospitals will not renew its analytics contract with Palantir and will instead bring the work inhouse, which the health system says has been the plan from the beginning.

News 3/25/26

Top News

Doctronic raises $40 million in Series B funding, bringing its total to $65 million.

The startup offers users a free healthcare AI chatbot that connects users to providers for paid video visits.

Reader Comments

From Sizzler: “Re: AI. This article on a competing site sure looks like the work of AI.” ChatGPT gives an 85% chance that it was written or polished by AI, noting that it offers “highly reusable executive tropes,” omits details to support its observations about the HIMSS conference, and has “zero friction or personality.” It concludes that thought leadership now consists of LinkedIn-optimized, bland consensus language that is soullessly spat out by both AI and cautious executives, so it doesn’t make much difference if they use AI because will sound the same.

From Boynton: “Re: book. I just picked this up from the library. Healthcare in the future being run by AI, except one hospital still operated by humans.” Thanks. I have bought the Kindle version of the just-published “The Hospital at the End of the World” and will report back.

Sponsored Events and Resources

None scheduled soon. Contact Lorre to have your resource listed.

Acquisitions, Funding, Business, and Stock

Hopper OS acquires Efferent, which offers cloud-based PACS. I’m not quite sure from the buzzword-heavy Hopper OS website what exactly they sell as their “intelligent healthcare operating system” that “powers performance, experiences, and outcomes across the entire care continuum,” but it seems to have something to do with integration middleware. I asked ChatGPT to score its website on a 0-100 BS scale and it earned an 88, which it summarized as having achieved “peak abstraction density” in laying on the buzzwords “without clarifying what actually gets installed, replaced, or paid for.”

Shares in ImmunityBio tumble after the FDA warns the company that a TV advertisement and podcast that promote its cancer drug contain false or misleading information. The direct-to-consumer materials, which the FDA says suggest that Anktiva can cure cancer, feature Executive Chairman Patrick Soon-Shiong, MD. Shares of his NantHealth health tech business remain steady at “delisted.”

People

Cottage Health (CA) names Ryan Kelly, MBA, PhD (Inneo) chief innovation officer.

Kootenai Health (ID) promotes Todd Holling, MS to CIO.

Jeff Diamond, JD (MDpanel) joins Aptarro as CEO.

Announcements and Implementations

Marshall Health Network (WV) implements online scheduling and patient registration software from Notable.

American Lake VA Medical Center (WA) rolls out LiveData’s PeriOp Planner surgical scheduling tool.

FMOL Health goes live on Epic’s Chart by Art diagnosis-aware note creation tool, becoming the first health system to do so. The feature generates documentation from spoken diagnoses and orders.

A new report finds that half of providers think patient access is better now than last year, but only 18% of patients agree. Providers blame staffing shortages as the biggest barrier to patient access.

Government and Politics

A new Medicare billing system glitch is delaying millions in payments to already struggling Minnesota rural hospitals, worsening cash flow to the point that some warn they could face closure within weeks if not fixed. Medicare enrollment data did not transfer correctly into a newly implemented CMS system, causing claim denials and delayed payments. The hospitals say that they call CMS multiple times each day to resolve individual issues, but are frustrated that they cannot reach the same representative and instead are routed by the hotline to any available representative.

Privacy and Security

University of Mississippi Medical Center reports a 20% dip in February revenue due to a ransomware attack that forced it to cancel elective surgeries and appointments over a nine-day period. Hospital officials say they will have more accurate revenue figures once all care charges documented on paper during the attack are logged electronically.

Deaconess Health System notifies patients of a January 13 third-party data breach that involves its release-of-information vendor MediCopy.

NYC Health + Hospitals will not renew its analytics contract with Palantir and will instead bring the work inhouse, which the health system says was the plan from the beginning.

Other

Authors of “A Problem of Epic Proportion” argue that Epic’s dominance is driven less by technical superiority than by network effects, high switching costs, and weak interoperability enforcement. They say the company’s near-monopoly status in the US contrasts with Europe, where regulatory structures limit vendor concentration, and point to troubled deployments in Norway, Denmark, Finland, and the UK as evidence that Epic’s success depends on US-style market dynamics. They conclude that this dominance constrains innovation and creates systemic risk, warranting stronger regulation and treating EHRs as critical public infrastructure.

Jewish General Hospital in Quebec implements EHR technology from Harris Healthcare as part of a $100 million Connected Health Record initiative that already includes virtual care capabilities and a command center.

A scholarly article titled “The Corporate Bullshit Receptivity Scale: Development, validation, and associations with workplace outcome” finds that people who mistake jargon-heavy, meaningless corporate language as being valuable are likely to have poor thinking skills and make questionable work decisions. Those folks are also more likely to view leaders as visionary and to be inspired by mission statements. The authors speculate that employees who believe corporate BS might use it themselves in “using boastful exaggerations, embellishments, and other forms of impressive-sounding, epistemically-dubious speech in situations where a person lacks sufficient confidence and knowledge in what they are saying.” I remain cautiously optimistic that we can operationalize this insight into a scalable framework for driving alignment around high-impact, cross-functional narrative excellence.

Jack Brandt recounts how he was able to remotely reroute the Full Self-Driving Tesla his father was driving to a nearby hospital as his dad was having a heart attack:

What happened next still gives me chills. His Model Y had just passed the Carrollton exit. The car immediately took the next exit, turned around, re-entered I-20 East, and headed back to the Carrollton exit. It then navigated local roads and pulled directly in front of the Tanner Medical Center Emergency Room entrance. Despite fighting for consciousness, he was able to switch the speed profile to Mad Max to get there as fast and safely as possible. We called ahead, and the ER staff was ready and waiting.

Sponsor Updates

Blog Posts

• The Hidden Threat of Underpayments (AGS Health)
• What healthcare IT leaders need now and how we are responding (Nordic)
• How AI took center stage at HIMSS and ViVE 2026 (Wolters Kluwer Health)
• Between the screen and the patient: Restoring presence with ambient listening (Altera Digital Health)
• How to make the most of value-based care contracts (Arcadia)
• Scaling Specialty Care with Voice AI and Operational Integrity: A HIMSS26 Fireside Chat Recap (Artera)
• No More Prescription Ping-Pong: Optimizing Medication Management at HIMSS26 (DrFirst)

Contacts

Mr. H, Lorre, Jenn, Dr. Jayne.
Get HIStalk updates.
Send news or rumors.
Follow on X, Bluesky, and LinkedIn.
Sponsorship information.
Contact us.

Morning Headlines 3/24/26

Doctronic raises $40M for AI-enabled telemedicine

Doctronic announces $40 million in Series B funding, bringing its total raised to $65 million.

Oasis Health Partners Acquires Premier Health to Build the Leading Platform for Independent Primary Care

Primary care optimization company Oasis Health Partners acquires RCM and practice management business Premier Health.

Flourish Care Raises Oversubscribed $5.7 Million Seed Funding to Make Doula Care the Standard in Maternal Health

Hybrid maternal care provider Flourish Care raises $5.7 million in seed funding.

Curbside Consult with Dr. Jayne 3/23/26

I’ve been playing catch-up this weekend on journal articles, continuing medical education requirements, and maintenance of certification activities. It’s not exactly what I would describe as a good time, but it seemed like the thing to do since I’m approaching deadlines on some of it.

From the journal stack, I was most taken with this article from the Journal of the American Medical Informatics Association that summarized a randomized crossover clinical trial that looked at the impact of two ambient scribe solutions on physician burnout.

The authors are from Duke University, its medical school, and affiliated practices. It’s a safe bet that the research was performed there, although the study describes it as an open-label randomized crossover trial that involved 160 ambulatory clinicians at a tertiary academic medical center in the southeast US.

The clinicians were randomized to two groups with two crossover periods. They were assessed on workflow satisfaction and efficiency measures, such as work outside of office hours and length of documentation time. Some participants were excluded, leading the team to analyze survey results from 136 respondents.

They found notable improvements in satisfaction and note time for one of the products compared to the other. However, differences between the tools were not meaningful with respect to burnout scores or after-hours documentation.

The study involved an open-label randomized crossover. Each phase lasted about a month, separated by a 10-day period when users trained on the next tool while still using the current one.

Users received a baseline survey prior to the trial and a follow-up survey after each of the interventions. They were asked to use the ambient documentation solutions as much as possible. Those who showed low adoption  were offered additional training or were asked if they wanted to withdraw from the trial.

The team based the sample size on the number of software licenses that were available. I wonder if the vendors were aware that their products were part of this project, whether they would have provided additional licenses to enrich the pool of participants, or if they were concerned about the trial at all.

Participants were selected on somewhat of a first-come, first-served timeline, with the first 160 users who submitted the baseline study being chosen. That may have biased the sample toward those who kept up with whatever method of communication the researchers used. It also would have favored those who were interested in adopting new technologies.

Participants were assessed by clinic time, gender, and prior experience with ambient documentation tools. The participants knew which tool they were using, which potentially introduced bias.

Five participants reported moderate safety concerns such as challenges with speaker attribution, over-summarization, and omissions in the assessment and plan sections of the note. Concerns were more common in subspecialty notes, although the authors acknowledge that sample sizes in some specialties were small, which might increase the likelihood that the findings weren’t representative of the specialties as a whole.

The authors also noted that the study period included holidays, which may have impacted documentation patterns. They suggest that a longer observation period with a larger user pool would be beneficial for future research.

The authors also wondered if future studies will find a greater improvement in users who have a longer baseline documentation time. The early adopters who were selected for the study might have been using efficiency mechanisms that would not have been influenced by the documentation tool. They also note that the lack of a true washout period in which users didn’t use an AI-powered scribe between reporting periods may have impacted the results.

I would be interested to hear from readers who may have participated in the study as users, IT support team members, or authors. I’m happy to keep your comments anonymous.

I am also interested in which tools were used for the study. A quick search found that Duke is using Abridge in a number of locations, so I assume it was one of the players. I also found a couple of articles that describe how Duke researchers created a framework to evaluate AI-powered scribe tools. I didn’t find anything published after last summer, when researchers found that using such a framework could be challenging since human reviewers didn’t always agree on how to score the AI tool’s output. That led them to use LLMs to score the output of other LLMs, which is an interesting detail.

One write-up of that work used a scribe tool that was developed in house. It noted that the evaluation tool was able to find problems with AI scribes. AI tools failed 60% of the time to detect nonsensical information that was included in the conversation. Sometimes the tools changed the nonsensical values to make sense, but failed to notify the user. The documentation tool identified nonsensical values only 4% of the time. Results like that illustrate the value of evaluating the performance of AI-powered scribes.

I worked with human scribes for years, and the quality varied. Most of our scribes were premedical students who were committed to doing a great job to earn positive letters of reference, and their work was excellent. However, others were not similarly motivated, such as scribes who hadn’t been admitted to medical school and stayed on the job while they figured out what they wanted to do with the rest of their lives.

The clinician who signs the chart is responsible for ensuring the accuracy of the scribe they use, whether human or AI. I still see too many people who obviously aren’t proofreading their charts, although I have no way of knowing whether that phenomenon is worse with AI scribes than it was with human scribes or even back in the days of dictation and transcription. Most of my physician colleagues agree that it’s only a matter of time before significant legal judgment is entered against someone who failed to properly read or edit a note, regardless of how it was created.

If you’ve used multiple ambient documentation tools, what are your thoughts on the differences? Is one a clear standout? Leave a comment or email me.

Email Dr. Jayne.

Readers Write: Patient Access Has Evolved. The Operating Model Hasn’t.

Patient Access Has Evolved. The Operating Model Hasn’t.
By Steve Nilson

Steve Nilson is acting director of access and experience with Tegria.

Nearly every health system calls access a strategic priority. Once considered an operational outcome, patient access is now discussed in board meetings, embedded in growth strategies, and linked to financial sustainability and digital transformation. That’s real progress.

But in many organizations, the operating model still reflects an older reality. It’s an all-too-familiar model, one where scheduling, digital tools, workforce planning, and financial accountability are governed separately. We have elevated access to the boardroom. We just haven’t rebuilt the system around it. The result is misaligned leadership and a persistent gap between ambition and execution.

Recognition Isn’t the Problem

In conversations across health systems, leaders describe access as foundational to growth, patient experience, and margin performance. Executive teams review access metrics regularly. Investments have flowed into centralized scheduling, digital front doors, automation tools, and AI-enabled communications.

Yet appointment availability remains constrained. System transparency is lacking. Wait times persist. Workforce shortages strain capacity. Digital tools are layered onto workflows that were never redesigned.

The issue isn’t awareness, it’s integration. Access touches operations, clinical leadership, IT, strategy, and finance. In most organizations, responsibility is shared across these groups. Shared ownership can be healthy, but without clearly defined decision rights and coordinated governance, it often diffuses accountability. If everyone influences access, who owns the outcome?

The Structural Gaps

Three structural gaps appear repeatedly.

• Governance without coordination. Access strategy may be discussed at the executive level, but operational decisions still sit within departmental silos. Template design lives in ambulatory operations. Digital configuration sits with IT. Workforce planning sits elsewhere. Financial oversight operates on its own cadence. When these domains are not aligned around common priorities and shared metrics, execution slows. Decisions are made locally that affect enterprise performance globally.
• Technology before workflow redesign. Many systems have invested heavily in digital tools to enable access, from online scheduling to automated outreach, to AI-driven communications. These capabilities matter. But technology does not correct poorly designed templates, unclear referral pathways, or misaligned incentives. Without disciplined workflow redesign and provider alignment, digital optimization becomes surface-level improvement. The underlying constraints remain.
• Workforce treated as a supply problem. Workforce shortages are real and significant. But many organizations frame the issue solely as a recruitment and retention challenge. Less attention is given to productivity design, top-of-license utilization, and care team restructuring. When capacity constraints are treated only as a hiring issue, operational redesign opportunities are missed. Access transformation requires rethinking how care teams are structured, not just how many FTEs are available.

Finance Must Be in the Room

Another pattern is limited structural involvement of finance in access governance. Access is expected to drive growth and protect margin, yet ROI attribution and capital discipline are not always tightly integrated into strategy development.

That disconnect creates tension. Operational leaders pursue experience and throughput improvements. Finance leaders require near-term, measurable return. Without shared governance and aligned performance metrics, access initiatives can stall in prioritization cycles.

Access cannot be an operational initiative with financial consequences reviewed later. It must be governed as a financial strategy from the start.

What Actually Changes the Trajectory

Organizations that close the execution gap do a few things differently:

• They clearly define what success looks like.
• They establish enterprise-level governance with defined decision rights for access.
• They align operational, clinical, digital, and financial leaders around a shared scorecard.
• They challenge internal policies and requirements that add complexity to processes.
• They redesign workflows before optimizing technology.
• They treat workforce design as a strategic lever, not just a staffing problem.
• They narrow priorities rather than spreading resources across fragmented pilots.
• Most importantly, they recognize that access is not a project, but an enterprise priority.

From Initiative to Operating Model

The next phase of access transformation will not be defined by how many tools are deployed. It will be defined by whether organizations align governance, workforce, finance, and digital infrastructure around a cohesive operating model.

Access has been elevated appropriately. Boards are paying attention. Executives are engaged. Investment continues. But elevation alone doesn’t produce integration. Until access is governed with the same structural rigor as finance, quality, and growth, health systems will continue optimizing components rather than transforming performance.

The opportunity isn’t to declare access strategic. It’s to build the system that makes it executable.

Morning Headlines 3/23/26

Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures Final Rule CMS-0053-F

CMS issues a final rule that standardizes electronic claims attachments and electronic signatures, allowing providers to send supporting clinical documentation, such as notes, images, and reports, electronically instead of by fax or mail.

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

The Cybersecurity and Infrastructure Security Agency urges organizations to implement Microsoft’s newly updated best practices for securing Intune and other endpoint management software following the cyberattack on Stryker.

Introducing Perplexity Health

AI-powered search engine operator Perplexity AI introduces Perplexity Health, which will allow users to connect to their provider’s health information via B.Well along with data from Apple Health, Fitbit, and Withings.

Monday Morning Update 3/23/26

Top News

CMS issues a final rule that standardizes electronic claims attachments and electronic signatures, allowing providers to send supporting clinical documentation, such as notes, images, and reports, electronically instead of by fax or mail. CMS excluded prior authorization attachments from the rule.

The final rule takes effect on May 26, 2026. Covered entities must comply by May 26, 2028.

CMS proposed a more ambitious rule in 2022 that would have addressed claims attachments, prior authorization attachments, and broader workflow fixes. CMS split that rule into two tracks, the newly published claims attachment rule and a 2024 rule that moved prior authorizations toward structured data exchange via APIs instead of document attachments.

HIStalk Announcements and Requests

Poll respondents are skeptical, but not dismissive, of Amazon’s healthcare ambitions. Few expect it to make a major impact, perhaps reflecting doubts about its invincibility following Haven’s failure and the modest traction of One Medical and Amazon Clinic. A contrarian take is that Amazon doesn’t need to solve healthcare’s complexity when it can benefit from cherry-picking low-risk, high-reward aspects such as digital pharmacy, logistics, and owning the digital front door.

New poll to your right or here: Whose side do you take in AI-powered encounter coding? Bold thinkers would argue that AI tries to make coding orderly and objective when it was never designed to be, rewarding how well the story is told more than messy clinical reality that cannot be reduced to checkboxes. It’s like US tax law, where you could ask 10 experts to calculate the same family’s tax bill and get 10 different yet defensible answers.  

Sponsored Events and Resources

None scheduled soon. Contact Lorre to have your resource listed.

Acquisitions, Funding, Business, and Stock

A small China-based study finds that delivering patient education in the patient’s own cloned voice improves compliance and satisfaction compared to using the cloned voice of a physician. The team used Resemble.ai to clone the voices.

HIMSS doesn’t respond to my inquiries about its IRS Form 990 non-profit tax filings even though they are required by law to provide them, but I notice that they finally filed the FY2022 form a few months ago. Highlights:

• Total revenue dropped by 14% over the previous year.
• Nearly half of its income came from conferences, whose revenue tripled that of memberships.
• Advertising and media contributed $10.7 million in unrelated business revenue.
• HIMSS lost $9 million versus $19 million the year before.
• Its net assets dropped from -$29 million to -$41 million.
• Top compensation was earned by President and CEO Hal Wolf ($1.3 million), COO Sebastian Krolop ($922,000), and EVP Bruce Steinberg ($595,000).

Sales

• Two NHS trusts will implement Altera Digital Health’s EPR in a 10-year, $38 million contract.

Announcements and Implementations

AI-powered search engine operator Perplexity AI introduces Perplexity Health, which will allow users to connect to their provider’s health information via B.Well along with data from Apple Health, Fitbit, and Withings. Its dashboard will track metrics and answer health questions from the user’s own data.

Privacy and Security

The Cybersecurity and Infrastructure Security Agency urges organizations to implement Microsoft’s newly updated best practices for securing Intune and other endpoint management software following the cyberattack on Stryker.

Other

A SmartSense by Digi survey finds that hospital CFOs plan to spend more on technology in 2026, but rising cost pressure, high pilot failure rates, and compressed ROI timelines are forcing a shift toward platform solutions that deliver fast, measurable financial returns. Other findings:

• Half of the hospitals demand at least 110% ROI in new technology within 18 months versus the previous runway of three years.
• Nearly 60% say that at least half of their technology pilots fail, leading them to seek proven rather than experimental solutions.
• Top project drivers are payment and regulatory requirements rather than AI or outcomes.
• Most expect to make AI investments, but only for technology that provides quick, measurable financial or operational gains.

Sponsor Updates

• Wolters Kluwer Health expands its relationship with the American Heart Association to include the journal Stroke: Vascular and Interventional Neurology, for a total of 12 American Heart Association journal titles.
• FinThrive receives the Platinum 2026 Pinnacle Award for AI Excellence in the Intelligent Process Automation category.
• PerfectServe will sponsor The Millenium Alliance’s Healthcare Providers Transformation Assembly April 7-8 in Denver.
• The Harvard Business School Alumni Magazine profiles Waystar CEO Matt Hawkins.
• WellSky will present and exhibit at the ACMA National Conference April 20-23 in Orlando.

Blog Posts

• Implementing Contact Center Automation With AI (Five9)
• CISO Brief: Regulatory Update on the 2026 National Cybersecurity Strategy (Fortified Health Security)
• HIMSS 2026: 6 priorities healthcare IT leaders should focus on next (Nordic)
• Is Your ServiceNow SPM Driving Value or Creating Drag? (Optimum Healthcare IT)
• AI Can Suggest. Health Systems Must Deliver Action. (Praia Health)
• The Hospital CFO Technology Outlook Report: How Financial Leaders are Rethinking Spend in 2026 (SmartSense by Digi)
• What Healthcare Payments Can Learn from Retail Experiences (TrustCommerce)
• Turning Fragmented Patient Data into Faster Therapy Starts (Surescripts)
• Hospital Outpatient Observation Care: Facility vs. Professional Coding (TruBridge)

Contacts

Mr. H, Lorre, Jenn, Dr. Jayne.
Get HIStalk updates.
Send news or rumors.
Follow on X, Bluesky, and LinkedIn.
Sponsorship information.
Contact us.

Morning Headlines 3/20/26

Verily Secures $300 Million Investment to Advance its Precision Health AI Strategy

Alphabet-owned Verily raises $300 million, renames itself Verily Health, and says that it will focus on developing AI-enabled precision health solutions.

Chartis acquires Leap AI, accelerates healthcare innovation through AI and technology transformation

Chartis acquires venture studio Leap AI.

House bill pressures VA to get EHR back on track, or risk contract termination

A proposed House bill would restrict the VA from signing new agreements with Oracle Health or bringing new sites live if the VA doesn’t implement and meet system and operational metrics.

Health Universe Raises $6M to Integrate AI Agents into Healthcare Organizations

Health Universe, which helps healthcare organizations build, deploy, and govern AI agents, announces $6 million in seed funding.

News 3/20/26

Top News

Alphabet-owned Verily raises $300 million, renames itself Verily Health, and says that it will focus on developing AI-enabled precision health solutions.

Alphabet participated in the round but, gave up its majority stake in the company. Other investors include Series X Capital, UCHealth, and the University of Colorado Anschutz.

Verily’s moonshot phase ran from 2012 to 2016, when it pursued ideas such as glucose-sensing contact lenses and massive health mapping studies. It struggled with layoffs and leadership changes through mid-2024, when it pivoted to become a vendor of data platforms and technology to health systems and pharma.

Verily Chairman and CEO Stephen Gillett, whose background was cybersecurity and retail before joining Google in 2016 and Verily in 2020, will remain with the company.

Reader Comments

From DataTrust: “Re: GuardDog. What stood out to me wasn’t just that one company crossed the line, it’s how easy it seems to claim treatment as the reason for access without much verification.”

From ChartAudit: “Re: Epic wrongful death lawsuit. The allegation that clinicians couldn’t reconstruct a medication timeline or clearly distinguish active versus discontinued meds is the kind of issue most of us have worked around for years. The question is whether that’s a usability nuisance or a true patient safety risk, and whether courts are now going to be asked to decide the difference in product design.”

Sponsored Events and Resources

None scheduled soon. Contact Lorre to have your resource listed.

Acquisitions, Funding, Business, and Stock

Chartis acquires Leap AI, a venture studio. 

Diabetes and insulin management technology company Glytec announces plans to relocate its headquarters from Boston to Atlanta, where it will hire an additional 500 employees over the next several years.

About 2,400 Kaiser Permanente mental health professionals stage a one-day strike after being warned by their union that KP will replace therapists with AI. They were joined by 23,000 Kaiser nurses. Kaiser denies the claim.

Announcements and Implementations

MRO adds identity verification technology to its Patient Central patient records request system.

In Canada, Ontario considers implementing a province-wide patient data-sharing system and says that it is in discussion with vendors. The province spent $6 billion on previous projects with little success.

Wolters Kluwer Health will provide Continuing Medical Education to clinicians who use its UpToDate Expert AI.

Google partners with CMS to pull patient medical records into Fitbit, positioning its AI health tools as a consumer-facing front end for longitudinal health data.

Government and Politics

VA Deputy Secretary Paul Lawrence, PhD says in an EHR update that “The bottom line is that, this time, the Federal EHR is working, stable, and reliable” as rollouts accelerate “with the right leadership in place.” The VA has scheduled 23 sites to go live in 2026, starting in April with Michigan sites in Detroit, Saginaw, Ann Arbor, and Battle Creek.

Meanwhile, a proposed House bill would restrict the VA from signing new agreements with Oracle Health or bringing new sites live if the VA doesn’t implement and meet system and operational metrics.

A report says that politicians of Sweden’s Region Skåne were misled by an IT procurer into selecting Cerner Millennium in 2017, which allegedly did not meet mandatory EU safety requirements. The civil servant who led the selection later took a job with Cerner at twice the pay. The government announced the selection in September 2017, but no go-lives have occurred and the project’s cost has risen to $234 million. Meanwhile, implementation has been mothballed after a system review by 150 government employees concluded that Millennium is not “useful enough to be implemented.” The government will pursue other options.

A study of the ACA Marketplace finds that rising premiums and subsidy losses have left 10% of last year’s enrollees uninsured, driven half of those ages 18 to 29 out of the market, and forced many to cut basic expenses while worrying about affording premiums, emergency care, and hospitalization.

Sponsor Updates

• Judi Health wins seven 2026 Stevie Awards for sales and customer service.
• CTG will introduce a cyber resilience scoring dashboard next week at the 2026 RSA Conference.

Blog Posts

• Who Owns Lung Nodule Follow Up in Health Systems and Why That Matters (Qure.ai)
• From Strategy to Execution: Key Insights From HIMSS26 (Tegria)
• Patient Safety Awareness Week: Teaming Up for Safer Medication Decisions (First Databank)
• Data, AI, and the Contact Center: Turning Insight into Real Business Growth (Five9)
• How to Build a Resilient Ransomware Defense Program in Healthcare (Fortified Health Security)
• Why Health System IT Investment Works Like a 401(k): Insights From Former CIO Todd Richardson (HCTec)
• Why patient confusion could be one of your biggest revenue cycle management bottlenecks (and what to do about it) (Inbox Health)
• How Boone Health is using predictive no-show modeling to improve access and outcomes (Meditech)
• 10 Ways EHRs Cause Physician Burnout (And What to Do) (Med Tech Solutions)

Contacts

Mr. H, Lorre, Jenn, Dr. Jayne.
Get HIStalk updates.
Send news or rumors.
Follow on X, Bluesky, and LinkedIn.
Sponsorship information.
Contact us.

EPtalk by Dr. Jayne 3/19/26

Mr. H asked earlier this week, “If medical practices really care about patient health and access, why are their offices closed 75% of the time?” Several readers added comments, so I thought I would share.

A member of our hospital medical staff wanted to experiment with evening hours for patients who couldn’t leave work during normal office hours. The plan was to staff the clinic from noon to 7 p.m. one day each week.

The first roadblock was the building management team. They were unwilling to leave the front doors of the medical office building open after its published 6 p.m. closing time. Concerns were also expressed about how the extended hours would negatively impact janitorial contracts.

The staff was split 50/50 about the idea. Those who didn’t have children at home were excited to have a morning free to run errands. Parents who had to arrange childcare noted a lack of flexibility with care providers and the extra charges assessed for extended care, even if children arrived later in the morning. Needless to say, the plan was dead on arrival.

In contrast, the majority of the local Direct Primary Care practices offer non-traditional hours, either scheduled or on demand. They are typically located in a freestanding building or a strip mall rather than a medical office building, which makes it easier for after-hours access.

They don’t bill insurance, so they have smaller staffs. They usually need just one person to support the physician who is seeing patients. Smaller patient panels allow the physicians to cover their own their own call  without an exchange or call group. They are more likely to be able to help patients resolve issues outside of traditional office hours.

The practice modality continues to grow in our area. Spending $70 per month to cover all your primary care needs starts to look like a great deal when you’re in a high-deductible health plan.

I worked in the emergency and urgent care space for a while. I have been surprised in recent years not only by how early some primary care offices close, but also by the difficulty in getting in contact with a physician once the phones switch into after-hours mode.

Back in the day, we had a Rolodex at the ED charge nurse desk that had so-called back-line telephone numbers. These bypassed voicemail at most of the local practices, which made it easy to reach people until about 5:30 p.m. Those cards also had the numbers for the exchange services that were used for after-hours calls. Sometimes they included the physician’s pager number, and when physicians received pages to call the ED, they typically did so promptly. There was a level of trust that we wouldn’t abuse the phone numbers, and in return, they would be accessible to us.

These compendia may not exist in the era of for-profit urgent care centers. Physicians end up asking staff to look up a provider on the web, call their office, and listen to the voicemail to get the exchange number.

Physicians may or may not respond to text messages. I used to deal with a couple of physicians who wouldn’t call back until they were texted three or four times. Sometimes that would occur after the patient had already left the building. If physicians won’t respond to other physicians who are calling about patients in an emergent or urgent situation, they probably won’t consider adding non-traditional office hours.

From Edward Louis: “Re: vendors behaving badly. This one should go in the hall of shame. Our organization started receiving responses back for a Request for Information (RFI) that we issued for a major operations refresh involving one of our largest business units. One of the vendors reached out to a current supplier to ask about integration with them for the conversion. If they’re willing to violate our non-disclosure agreement during the RFI process, they’re certainly not going to get our business.”

That’s not only an integrity issue. It also illustrates a lack of experience with that particular integration. I agree with excluding them, but I would also be breathing a sigh of relief at having dodged other potential issues.

An Associated Press article that hit the wires yesterday trended on Facebook after it was picked up by local news organizations across the country. Tallahassee Memorial Hospital has filed a lawsuit trying to evict a patient who refuses to leave the hospital even though she was discharged in October 2025. The article was light on the details given patient privacy concerns, which made people scratch their heads.

Unfortunately, this situation happens and usually involves medical complexity, lack of qualification for skilled nursing care, lack of family or friend caregivers, refusal to go to a nursing facility, or a combination of these.

I’ve seen pediatric patients who can’t go home due to living conditions, so they stay in the hospital until the case works its way through the family court system. One of my patients in residency had resided at the local hospital for 18 months. If you’re looking to see what’s in the medical literature on the topic, “nonmedical discharge barriers” as a keyword search will provide some interesting case studies.

Several people forwarded me an article about Pope Leo’s comments that access to healthcare is a “moral imperative” and that nations should provide universal healthcare. The speech was given at a conference that was organized by both religious and healthcare groups.

The Pope commented on the release of the second “World Health Organization European Health Equity Status Report,” His speech included comments on the need to address mental health issues, specifically for the young. I don’t think we will see universal healthcare in the US any time soon, but calls for it certainly aren’t going away.

This Friday is Match Day, when most US medical school seniors learn where they will spend the next several years completing residency training. Unfortunately, the number of graduating seniors and recently-graduated physicians exceeds the available training spots. Competition for the most lucrative specialties is always fierce.

Students found out Monday if they matched. Those who didn’t can enter a secondary pathway to try to obtain a position at a program that might have unfilled spots. Back in my day, it was called the Scramble. People literally got on the phone and called across the US to see what was open. Now the process is slightly more humane.

If you have people in your life who are part of the process, be kind to them this week. Many lives will be altered on Friday. The Match and its aftermath are ridiculously stressful.

If you are a physician, what’s your Match Day memory, good or bad? Leave a comment or email me.

Email Dr. Jayne.

Morning Headlines 3/19/26

Heartio Secures $4.25M to Transform Cardiac Care

Heartio, which offers an AI-powered tool for detecting coronary artery disease from standard ECGs, raises $4.25 million in funding.

Healthcare Technology Company Scales Up in Metro Atlanta

Diabetes and insulin management technology company Glytec announces plans to relocate its headquarters from Boston to Atlanta, and hire an additional 500 employees over the next several years.

Raapid Secures Series-A Extension to Scale Neuro-Symbolic AI-Powered Medical Coding

Raapid, a risk-adjustment and medical coding vendor, announces additional Series A funding from UPMC Enterprises.

This Week in Health Tech 3/18/26

Readers Write: A Global Perspective on Advancing Precision Medicine with Genomic EHR Integration

Readers Write: A Global Perspective on Advancing Precision Medicine with Genomic EHR Integration
By Jennifer Ford

Jennifer Ford, MBA is manager of clinical product management and genomics at Meditech.

The promise of precision medicine is simple, using genetic data to identify the best treatment for each patient as quickly as possible.

During my travels to South Africa and Namibia, healthcare leaders in both urban and remote areas shared enthusiasm for the role of EHRs in incorporating genomic data to guide treatment decisions. However, it also made wonder that if the passion for advanced technologies like genomics is so universally embraced, then what barriers are holding us back from widespread adoption?

The Challenges of Adopting a Precision Medicine Program

Despite its promise, adoption of genomics and precision medicine has been slow. Several challenges, both real and perceived, are hindering its adoption:

• Costly testing. While the costs of personal genetic testing have declined significantly in recent years, many patients still face difficulties accessing genetic testing due to high out-of-pocket costs and limited or no coverage.
• Limited availability of testing. Not every health system offers this type of testing, either due to a lack of local testing facilities, insufficient funding, or the absence of a service line.
• Lack of understanding testing value. Many healthcare providers are unfamiliar with the use of genomics in diagnosis and treatment, particularly those working in environments where genomic data is not a prevalent part of the EHR.
• Lack of EHR Integration. Providers often don’t have access to this data within their EHR workflows, and if they do, it is as a static document that is attached to the patient’s record and is too cumbersome to sift through.
• Result data is not actionable. The lack of standardized clinical alerts or decision-support systems that incorporate genomic data means providers may lack the tools or training to make genomically informed decisions.
• Testing is reserved for academia. Precision medicine remains more prevalent in academic and research centers than in community-based health systems, where most care occurs.

These challenges and misconceptions often stem from experiences that predate the integration of genetic data into the EHR, but the paradigm can change.

Overcoming the Challenges of Adopting a Precision Medicine Program

I’ve worked with healthcare leaders who are integrating genomics into the EHR. The result has been that when genetic data is ingested discretely into the EHR, clinical alerts become available for each patient based on their genetic information, enabling personalized patient care.

Genetics is not just for academic centers. I’ve seen the value that community hospitals gain when patients receive genetically-led services locally rather than traveling to larger academic medical centers. By equipping community clinics with a user-friendly, plug-and-play solution, they can focus on translational research that will lower costs, improve accessibility, and achieve better patient outcomes.

The Benefits of Adopting a Precision Medicine Program

The benefits of genomics in healthcare are becoming increasingly clear. The use of genomic data extends beyond cancer treatment, as health systems are using it to improve behavioral health treatment, newborn and pediatric care, and health and weight management. Having effective technology that can analyze genomic data to provide clinical support empowers clinicians to deliver more targeted patient treatment and support population health objectives. Adopting a genomics program can also support service line growth.

Global Precision Medicine Initiatives

Various initiatives worldwide are bringing genetic testing to the forefront of healthcare. Each area of the world faces distinct challenges related to geography, patient demographics, and scaling testing opportunities.

In South Africa and Namibia, healthcare leaders shared their desire to improve access to genetic testing in African nations. To reduce costs and maximize the benefits of genomic data, they are experimenting with leveraging social determinants of health to identify and prioritize patient cohorts to whom they will deploy testing. Where technological infrastructure may be limited, national labs are looking for ways to more equitably transport and perform testing from remote villages using drones, satellite internet services, and other technologies.

In England, the National Health Service (NHS) announced a £650m investment to provide every baby in England with DNA screening to identify potentially fatal diseases and to offer personalized healthcare as part of the government’s 10-year plan. The NHS recognizes that when patients receive personalized healthcare to prevent ill health before symptoms begin, it will reduce the pressure on NHS services and help people live longer, healthier lives. In the US, a similar approach has been announced in Florida’s Sunshine Genetics Act, which funds newborn genome sequencing pilots. These efforts are helping shift the paradigm toward proactive, personalized healthcare.

In Maryland, Frederick Health operates a dedicated precision medicine and genetics clinic that uses genomic data for precision medicine in behavioral health and beyond. In a Scottsdale Institute presentation, they shared how they addressed cost concerns by negotiating testing costs with laboratories and started a rapidly growing clinical trials program. They use genomic data to identify patients for clinical trials, increasing enrollment and improving care. They have found that moving clinical trials into the community hospital space increased revenue.

Ontario Shores Center for Mental Health Services in Canada announced that it would offer free pharmacogenetic testing of eligible patients to improve outcomes. The testing is initially focused on improving the treatment of patients who are admitted with schizophrenia or schizoaffective disorder, with plans for future expansion to use pharmacogenomics in behavioral health management.

Final Thoughts: Adopting Precision Medicine in Clinical Care is Essential

The more that genetic data is integrated into the EHR, the faster widespread deployment will occur. As clinicians find meaningful utility in genetic data, the importance of a strong precision medicine program shifts from a nice-to-have to a must- have. The key factor is how the EHR can leverage genetic data to improve patient outcomes.

As applications for genetic data evolve, an established genetic program becomes essential to improving physician satisfaction by empowering them with the advanced tools that they need to provide the best possible patient care.

Readers Write: When the Cloud Becomes the Attack Surface

When the Cloud Becomes the Attack Surface
By Brian McManamon

Brian McManamon, MBA is general manager of managed security and managed cloud services at Clearwater.

Healthcare organizations often talk about cloud as though it is a destination. In reality, for most hospitals, it has become an operating layer that keeps expanding.

That expansion did not usually happen through one formal strategy. It happened incrementally through SaaS adoption, remote access, vendor integrations, analytics tools, backup environments, and acquisitions. What many organizations now manage is not a clean cloud migration, but a hybrid environment made up of on-premises systems, cloud platforms, and third-party services that are tied together through identity and connectivity.

That matters because the cloud is no longer just part of the technology stack. In many environments, it has become part of the attack surface.

For many hospitals, “moving to the cloud” does not mean shutting down the data center and rebuilding everything as cloud-native. It usually means adding cloud services around existing operations. Clinical and business systems may still sit on-premises while identity, disaster recovery, remote access, analytics, and collaboration tools increasingly depend on cloud services. SaaS expands the footprint even further, often without being treated internally as part of the organization’s cloud environment.

That is where risk begins to grow quietly.

One of the most common misconceptions is that cloud is secure by default because the provider is secure. Major providers such as AWS, Azure, and Google Cloud invest heavily in securing their platforms. What they do not secure is each customer’s implementation.

Hospitals still own the responsibility for identity, configuration, access controls, logging, monitoring, and governance. If those areas are weak, cloud adoption can expand exposure faster than teams realize.

The opposite misconception is also common. Some organizations assume that keeping critical systems on-premises limits cloud risk. In practice, many of those same organizations have already adopted cloud identity, SaaS, remote vendor access, and external integrations. They have become hybrid whether they planned to or not. The difference is that they may not be managing that reality with a clear operating model.

Hybrid itself is not the failure. It is normal. In many cases, it is the natural result of smart teams making practical decisions over time.

A department adopts a new SaaS platform. IT centralizes identity. A cloud backup initiative begins. A new analytics platform is introduced. An acquisition brings another tenant, another domain, or another set of inherited tools. None of those decisions is inherently problematic. The problem is that governance and visibility often do not scale at the same pace.

That is when the cloud starts to become the attack surface.

The risk shows up first in identity. In hybrid healthcare environments, identities increasingly function as the control plane. Privileged roles accumulate. Service accounts remain active without clear ownership. Exceptions to MFA or conditional access persist longer than intended. Shared administrative access and standing privileges expand the potential blast radius of a single compromise.

An attacker no longer needs to move through the environment in the old ways if they can come through a valid account, exploit a policy exception, or take advantage of weakly governed permissions in a cloud-connected system.

The problem is compounded by visibility gaps. Many healthcare organizations do a strong job monitoring endpoints and network activity, yet cloud signals often remain fragmented. Logs may live across multiple consoles, subscriptions, tenants, and SaaS environments. Security teams may be watching the perimeter closely while missing critical changes in role assignments, application permissions, data shares, or service account behavior.

When those signals are not centralized and correlated, detection slows down. In some cases, it never happens at all.

Data sprawl adds another layer of risk. Healthcare environments generate copies of sensitive data for backups, archives, exports, analytics, and testing. Over time, protected health information can end up in more places than intended, sometimes with broader access and weaker protections than production systems. The issue is not only where the data started, but where it moved, who can reach it, and whether that movement is being governed consistently.

This is why cloud security in healthcare cannot be treated as a narrow infrastructure question. It is a governance question, an identity question, and ultimately a resilience question.

Cloud can improve resilience, but only when it is designed deliberately. Redundancy, scale, and operational flexibility can be real advantages. But those advantages weaken quickly if identity becomes a single point of failure, if disaster recovery exists only on paper, or if dependencies across cloud, SaaS, and legacy systems are not fully understood. In a hospital, resilience is not just uptime. It is the ability to support patient care when systems are under stress.

Good governance in that environment does not mean a large policy binder sitting on a shelf. It means a small number of clear, enforceable standards.

Hospitals need defined ownership for subscriptions, accounts, and services. They need baseline guardrails that prevent unsafe defaults. They need identity governance that prioritizes least privilege, manages non-human identities, and reviews exceptions regularly. They need enough centralized logging and alerting to see meaningful changes in the environment and act on them.

Most importantly, governance has to work in a 24/7 clinical setting. That means building models that support urgent care delivery without abandoning accountability. Exceptions may be necessary, but they should be time-bound, documented, owned, and reviewed.

The cloud is not the problem by itself. Unmanaged cloud is.

For healthcare leaders, one of the most useful next steps is a practical reality check. Inventory the tenants, subscriptions, service accounts, and privileged identities that are already in use. Confirm ownership. Review standing administrative access. Identify where visibility into cloud activity is missing. In most organizations, the attack surface has expanded gradually enough that no single decision created the problem. That is exactly why it deserves attention now.

In healthcare, the fundamentals still apply. Know your environment. Govern identity and access. Maintain visibility into critical systems and data flows.

The cloud becomes dangerous when organizations stop treating it as infrastructure and start assuming it will govern itself.