On the 23rd episode of Enterprise AI Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Matt Modica, Vice President and Chief Information Security Officer at BJC HealthCare. BJC HealthCare is one of the largest non-profit healthcare organizations in the United States, operating 14 hospitals across Missouri and Illinois. BJC has over 30,000 employees and over 4,200 doctors across its network. In this conversation, Matt discusses the unique challenges of securing patient privacy in a digital world, new opportunities and risks in healthcare with recent AI advancements, and aligning security practices with an AI-enabled future.
The healthcare industry is undergoing a digital transformation, but with that comes unique cybersecurity challenges. Hospitals operate 24/7 critical infrastructure, manage highly sensitive patient data, and face strict regulatory requirements, all while ensuring uninterrupted patient care. Unlike financial institutions or tech firms, healthcare organizations must secure patient data and life-critical systems. At BJC HealthCare, where over 12,000 outpatient visits, 650 surgeries, and 50 births occur daily, cybersecurity goes beyond compliance; it's about ensuring continuous patient care without disruption. Matt emphasizes the unique pressures of healthcare security, where the margin for error is virtually nonexistent. "Getting security right every single time is the expectation," he says, explaining that even accidental data disclosures can have significant regulatory and operational consequences. Given the volume of patient interactions and the complexity of healthcare networks, maintaining strict access controls and data integrity is an ongoing challenge. Beyond regulatory compliance, cybersecurity teams must balance security measures with hospital efficiency. Security cannot create bottlenecks that hinder medical professionals in providing care, making usability and accessibility just as important as protection.
Like other disruptive technologies, AI is beginning to reshape healthcare, offering exciting opportunities to improve efficiency while introducing new risks that require careful oversight. In partnership with Washington University, BJC is exploring AI-driven clinical tools, automated documentation systems, and AI-assisted diagnostics to enhance patient care and reduce administrative burdens on physicians. "One of the first clinical AI use cases we're working on is how do you allow the physician and the caregiver to be more efficient," Matt explains. "And not just from a cost savings perspective or a revenue perspective. It's about work-life balance. It's how doctors can pay more attention to the patient while in the room rather than typing on the keyboard." AI tools can capture thousands of patient histories and provide real-time insights, potentially leading to faster diagnoses. However, Matt cautions that reliance on AI must be balanced with human oversight to prevent errors, emphasizing the importance of validating AI-generated medical recommendations before applying them to patient care.
Traditional security models must evolve as healthcare systems update and adopt cloud-first and AI-powered solutions. The rapid expansion of SaaS platforms, third-party integrations, and API-driven workflows has created a fragmented security landscape that requires a new approach to identity management, data access, and risk mitigation. "You can't build walls high enough anymore," Matt explains. "We have many walls in many locations, and we need to focus on where our responsibility ends and where third or fourth parties begin." The shift to cloud-based healthcare services has blurred security perimeters, making third-party risk assessment and vendor security policies more critical than ever. AI is also changing the nature of cyber threats. Phishing attacks are becoming more sophisticated, with AI-generated emails that are harder to detect. Attackers are leveraging voice-cloning technology to impersonate executives and employees, targeting help desks and credential-based authentication systems. Traditional security awareness training is no longer enough; organizations must incorporate AI-driven risk analysis and adaptive security protocols to keep pace. Matt sees AI as a critical tool for improving security education. By leveraging large language models, organizations can personalize security training to different employee roles—helping frontline caregivers, administrators, and IT staff understand security risks in ways that resonate with their day-to-day responsibilities.
AI is reshaping the healthcare industry, and cybersecurity strategies must evolve to keep pace. While AI brings tremendous opportunities for efficiency and patient care, it also introduces new risks that require strong governance, oversight, and risk management. Matt emphasizes that cybersecurity is not just about protecting data; it's about ensuring patient safety, maintaining trust, and securing the future of healthcare innovation. "What we are doing will change, but we still need defenders," he says. "We still need people to protect the organization—how we do that will be different." By leveraging AI responsibly, strengthening regulatory compliance, and creating adaptive security strategies, healthcare organizations can confidently navigate the future, ensuring that their systems and patients remain protected.