StackAware

7 security and governance steps I recommend for AI-powered health-tech startups to avoid hacks and fines: 1. Pick a framework -> The Health Insurance Portability and Accountability Act (HIPAA) is non-negotiable if you handle protected health information (PHI). Look at the security, privacy, and data breach notification rule requirements. -> If you want a certification (incl. addressing HIPAA requirements), HITRUST is a good place to start due to origins in healthcare. The AI security certification gives you solid controls for these types of systems. -> If you are looking to cover responsible AI as well as security/privacy, ISO 42001 is a good option. Consider adding HIPAA requirements as additional Annex A controls. 2. Publish policies Longer != better. Use prescriptive statements like "Employees must XYZ." If there are detailed steps, delegate responsibility for creating a procedure to the relevant person. Note that ISO 42001 requires an "AI Policy." 3. Classify data Focus on handling requirements rather than sensitivity. Here are the classifications I use: -> Public: self-explanatory -> Public-Personal Data: still regulated by GDPR/CCPA -> Confidential-Internal: business plans, IP, etc. -> Confidential-External: under NDA with other party -> Confidential-Personal Data: SSNs, addresses, etc. -> Confidential-PHI: regulated by HIPAA, needs BAA 4. Assign owners Every type of data - and system processing it - needs a single accountable person. Assigning names clarifies roles and responsibilities. Never accept "shared accountability." 5. Apply basic internal controls This starts with: -> Asset inventory -> Basic logging and monitoring -> Multi-factor authentication (MFA) -> Vulnerability scanning and patching -> Rate limiting on externally-facing chatbots Focus on the 20% of controls than manage 80% of risk. 6. Manage 3rd party risk This includes both vendors and open source software. Measures include: -> Check terms/conditions (do they train on your data?) -> Software composition analysis (SCA) -> Service level agreements (SLA) 7. Prepare for incidents If your plan to deal with an imminent or actual breach is "start a Slack channel," you're going to have a hard time. At a minimum, determine in advance: -> What starts/ends an incident and who is in charge -> Types of incidents you'll communicate about -> Timelines & methods for disclosure -> Which (if any) authorities to notify -> Root cause analysis procedure TL;DR - here are 7 basic security and governance controls for AI-powered healthcare companies: 1. Pick a framework 2. Publish policies 3. Classify data 4. Assign owners 5. Apply basic controls 6. Manage 3rd party risk 7. Prepare for incidents What else?

Who should own AI governance? I've seen it run by: -> Security -> Privacy -> Legal Even data science teams themselves. And there is an emerging 5th option showing promise, which I talk about in this clip ?? --- Need more AI governance tips? Go to my profile (Walter Haydock) and ring my bell ??!

"We wake up one day and our vendors now all have AI." ?? A common security leader concern. What to do: -> Check terms, conditions, & privacy policies regularly -> Build a database to track risks and remediations -> Apply industry-leading AI governance expertise Easy right? Well, if you don't have the skills or bandwidth to do this, I've got good news: StackAware's AI risk assessment database! With 200+ risks (and growing) identified, it is THE single source for vendor-specific AI issues. Try it free for 7 days:

Want transparent AI? Check out this clip for 5 ways to make it happen: And StackAware's free guide is here: https://lnkd.in/gzP4-s5b

"We're risk-on. But I want be sure we're not risk-stupid." ?? What the CISO of a $75M ARR SaaS firm told me about his company's approach to AI. He continued, saying "I know we can do do this well. But I'm also keenly aware we can do this poorly." This sums up the challenges facing companies in 2025: -> The competition is heating up -> Executives are pushing to use AI -> Employees feel pressure to increase productivity At the same time: -> Data leakage risks abound -> Regulators are turning up the heat -> Customers demand to know how you use their info Bringing new tools, models, and products online quickly but also securely is the name of the game here. StackAware can help. And to demonstrate our value, we'll start for free. So check out our 7-module AI governance model at govern [dot] stackaware [dot] com

3 reasons health-tech companies choose HITRUST over SOC 2 to accelerate sales and avoid fines: 1. Scalability HITRUST offers certifications at 4 different levels: -> e1 -> i1 -> r2 -> AI As your firm grows, so will its security needs. An early e1 certification addresses customers concerns from the start without a massive compliance program. You can "graduate" to i1 or r2 to show greater maturity as you store and process more sensitive data like protected health information (PHI). And if you are developing artificial intelligence products, the AI security certification is a purpose-built, externally-assessable framework. With SOC 2 you can get Type I or II attestations (not certifications) on control design (that's all for Type I) and operating effectiveness (Type II). You could expand the Trust Services Criteria [TSC] (security, confidentiality, processing integrity, availability, and privacy) reviewed, but customers (and many SOC 2-audited companies) don't understand what these mean. HITRUST's structure is well-known in the healthcare industry, making enterprise sales easier. 2. Flexibility HITRUST (as of version 11.4) maps to 61 authoritative sources, which allows you to demonstrate compliance with laws and regulations like HIPAA's rules for: -> Privacy -> Security -> Breach notification There are few ways to guarantee safe harbor from regulatory action through external certification, but having an outside expert check your work is the next best way to avoid it. SOC 2 attestations focus on the TSC and don't look at specific regulatory requirements. For example, even if you get attested for the privacy TSC, that doesn't mean the auditor is saying you are GDPR or CCPA compliant. 3. Quantified results Organizations with HITRUST certifications reported a 0.59% incident rate in 2024. Conversely, Munich Re's Global Cyber Risk and Insurance Survey for 2024 found 47% of the interviewed participants (out of 7,500) had suffered one. While compliance isn't security, security often IS compliance. Without a breach to investigate in the first place, the likelihood of expensive fines are low. Separately, some cyber insurers offer a 25% credit to r2-certified organizations because of the reduced risk. No data exists for either breach rates or insurance discounts for SOC 2-attested companies. TL;DR - Health-tech companies should look at HITRUST over SOC 2 because of its: 1. Scalability 2. Flexibility 3. Quantified results Are you?

Need an AI governance advisor "in a box" to accelerate deal closure and reduce the risk of hacks and fines? Get one with the 1st month FREE! Here is what is included: -> Editable copies of all StackAware info products -> Security and governance posture audit -> Unlimited risk assessment API queries -> 60 mins per month of 1:1 consulting -> 72 hour SLA on written questions So if you are security, compliance, data, or AI leader in: -> Financial services -> Healthcare -> B2B SaaS DM me "ADVISOR" by end of today and I'll send over the promo code. (no GRC products or other consultants)

Thrilled to welcome Noah G. Susskind to StackAware! Noah joins us from McKinsey & Company, where he spent almost 8 years and most recently served as a Senior Security Manager. At StackAware, he'll be Head of AI and Cybersecurity, while dual-hatting as General Counsel. Leveraging over a decade of information security and compliance experience, Noah will lead delivery of our AI governance services. I'm excited about this next stage of growth and couldn't be happier to bring Noah onboard.

This is my last day on the internal Cybersecurity team at McKinsey & Company. I’m grateful for the hundreds of friends, sponsors, and other colleagues I met over nearly 8 years here—too many to name. My next role will be Head of AI and Cybersecurity, and General Counsel, at StackAware. I’m psyched to join founder Walter Haydock working on AI, Cyber, and Privacy.

On Monday, a health-tech CISO and StackAware customer explained the key business driver for our work: "The goal of building this governance program is so that we don't have to revisit it on a contract-by-contract basis...so we can scale our business ambitions for AI without making life a living hell for the folks in legal." Proprietary AI is a massive competitive advantage, but closing enterprise deals is complex: -> Customers have security/ethical concerns -> Contractual restrictions make life painful -> Regulators are getting more aggressive So instead of re-inventing the wheel every time, why not just be like my client and build a repeatable process? If that sounds good, I'll get you started with StackAware's free healthcare AI governance model. So if you are a security, compliance, or data leader in health-tech and want access: DM me "HEALTH." (no consultants)