In the modern medical landscape, the stability of a health system is often measured by its ability to withstand the unexpected. Whereas most administrators focus on the technical shields of cybersecurity, true healthcare resilience requires a more expansive strategy—one that looks beyond the firewall to the complex web of vendors, consultants, and internal processes that keep a hospital running.
For Ed Gaudet, the CEO and founder of Censinet, the challenge is not just about stopping a breach, but about managing the systemic risk that accompanies every digital handshake. As healthcare organizations increasingly rely on third-party providers, the attack surface has expanded far beyond the internal network, creating vulnerabilities that traditional security measures often overlook.
Gaudet, who brings more than 25 years of software experience to the sector, argues that the industry must move from a reactive posture to a proactive model of governance. By integrating risk management into the very fabric of organizational operations, healthcare leaders can build systems that are not only secure but resilient enough to maintain critical care delivery during a disruption.
The Third-Party Vulnerability Gap
The reliance on external partners is a fundamental necessity of modern medicine, yet it remains one of the most significant blind spots in healthcare security. According to Gaudet, data from the American Hospital Association and the Office for Civil Rights (OCR) “wall of shame”—the public record of healthcare breaches—indicates that half or more of cyber incidents are related to third parties, as reported by HIStalk.
These third parties include a wide array of entities: software and hardware providers, medical device manufacturers, API vendors, and independent consultants. The risk arises because these external partners often lack the same level of cybersecurity maturity or technical controls as the health systems they serve. When a third party with network access is compromised, the breach can move laterally into the hospital’s clinical or administrative data, potentially disrupting life-saving services.
To address this, Gaudet founded Censinet in 2017 to help providers manage these external risks. The goal is to ensure that every vendor—whether critical or non-critical—is vetted and monitored with the same rigor applied to internal systems.
Expanding from Third-Party to Enterprise Risk
While the initial focus of Censinet was the external perimeter, the conversation around resilience has shifted toward enterprise risk management. This involves looking at the internal vulnerabilities within a health system—the “systemic risk” that can cause a cascade of failures across different departments.
This broader approach falls under the umbrella of Governance, Risk, and Compliance (GRC). In healthcare, GRC is often viewed as a bureaucratic exercise in documentation. Yet, Gaudet suggests a shift toward “actionable governance.” Rather than simply filling out spreadsheets to satisfy a regulator, organizations are encouraged to employ GRC as a tool for real-time decision-making.
The evolution of this approach is supported by a history of strategic growth. In April 2019, Censinet raised $7.8 million in Series A funding, co-led by HLM Venture Partners, to further transform how healthcare providers manage third-party risk.
AI: The New Frontier of Healthcare Risk
The rapid adoption of Artificial Intelligence (AI) has introduced a new set of complexities to the quest for resilience. Gaudet describes the current state of AI adoption in healthcare as the “wild, wild West,” noting that while the potential for clinical improvement is vast, the attack surface is expanding exponentially.
AI changes the nature of the threat in several ways:
- New Vectors: AI tools can create new entry points for attackers if not properly governed.
- Data Privacy: The integration of AI requires the movement of massive amounts of data, often across third-party platforms, increasing the risk of leakage.
- Governance Lag: Technology adoption is currently outpacing the development of regulatory and internal governance frameworks.
In discussions featured on the Risk Never Sleeps podcast, Gaudet highlights a shift in the industry from mere curiosity about AI to a demand for practical implementation and measurable outcomes. The vision for the future includes “agentic capabilities” within GRC frameworks—moving away from passive documentation toward connected, intelligent systems that can alert leaders to risks before they manifest as crises.
The Architect of Resilience: Ed Gaudet’s Background
The push for a more resilient healthcare infrastructure is informed by Gaudet’s extensive background in software and security. Before leading Censinet, he served as the CMO at Imprivata from 2010 to 2013, where he led the brand’s transformation into the healthcare market. He later served as a business unit GM, creating Imprivata Cortext, a cloud-based clinical communications platform.
Gaudet’s expertise extends into the technical foundations of security. He holds patents for secure content sharing, quorum-based authentication, and the management of data objects in distributed contexts. His experience as an executive founder at Liquid Machines (which was acquired by Check Point Software) and roles at IONA Technologies and Rational Software provide the blueprint for his current focus on combining product strategy with regulatory compliance.
As a member of the Forbes Technology Council, Gaudet continues to advocate for a paradigm shift where healthcare leaders view risk not as a checklist to be completed, but as a dynamic element of patient safety.
Key Takeaways for Healthcare Leaders
- Look Beyond the Firewall: Cybersecurity is necessary, but resilience requires managing the “systemic risk” introduced by third-party vendors and consultants.
- Audit the “Wall of Shame”: Use data from the OCR and AHA to identify common failure points in third-party relationships.
- Govern AI with Intention: Implement AI governance frameworks early to prevent the “wild west” of adoption from creating unmanageable security gaps.
- Move to Actionable GRC: Shift from passive documentation to connected governance that provides real-time visibility into organizational readiness.
Resources:
- Connect with and follow Ed Gaudet on LinkedIn.
- Follow Censinet on LinkedIn and explore their website.
- Listen to the Risk Never Sleeps Podcast here.
As healthcare continues to integrate more complex AI tools and third-party cloud services, the definition of safety will continue to evolve. The next critical checkpoint for the industry will be the development of standardized AI governance benchmarks that can be applied across diverse health systems to ensure patient data remains secure.