“For me, healthcare is the center of all 16 critical infrastructures. Because if you can fix healthcare, you can fix everything else.”
Who They Brought In
Janine Medina is the Director of Operations at SOCSoter, and she might have the most varied path to cybersecurity of anyone in this series. She started in tech twenty years ago as an administrative assistant at a nursing home for nuns, moved into industrial control systems managing building infrastructure, then spent years doing clinical informatics across most of the hospitals in New York. She built electronic medical record workflows for surgical oncology, navigated the Meaningful Use era in healthcare IT, worked in banking and finance, consulted for the government on healthcare cybersecurity, and spent time in the medical device manufacturing space focused on regulatory compliance across the 16 critical infrastructures. She joined SOCSoter as Director of Operations and now functions as the connective tissue between sales, marketing, tech, and cybersecurity. Her job, in her own words, is to make one hand understand what the other is doing.
What Got Loud
- Why MSPs telling their healthcare clients they are HIPAA compliant with just an antivirus and a firewall is not just wrong, it is putting those clients on a federal breach list they do not know exists
- HIPAA 2.0 is already being drafted and it is not just about privacy anymore. It is about your full cybersecurity stack, your devices, your redundancy, and whether you can survive an incident
- The Three Little Pigs framework for explaining MSP security posture to clients who do not speak cyber. Straw, sticks, or brick. Most organizations think they have brick
- What happens to your healthcare data, your house deed, and your financial accounts when you die and nobody is watching
- Why healthcare is the Rosetta Stone for all of cybersecurity and the industry that gets attacked most because of it
The Rundown
Janine’s entry point into the episode is a framework she arrived at the morning of the recording.
She calls it the Three Little Pigs model and it is exactly what it sounds like.
A company with no real protection is a house of straw. Add some tools without cohesion and you have sticks. A properly architected security posture is brick. The big bad wolf, automated, fast-moving, and indifferent to your business size, can level the first two. The third one makes him work. It is a blunt and effective way to explain to any client why tooling without architecture is not security.
The HIPAA conversation is where Janine gets direct. She is watching MSPs tell their dental and optometry clients they are HIPAA compliant while running nothing more than basic endpoint protection and a firewall. Those clients are not compliant. They just do not know it yet. When something goes wrong they end up on the HHS Office of Inspector General breach list, facing per-record fines, billing disruption, and reputational damage that is very hard to recover from. Janine’s position is that the MSPs doing this are not being malicious. They just have not read the regulation. “Talk to me,” she says, “or just read the regulation.”
HIPAA 2.0 raises the stakes further. The incoming framework is not just about data privacy. It extends to medical devices, security perimeters, redundant systems, and incident response timeframes. The Joint Commission is developing a cyber readiness accreditation for hospitals on top of that. Janine’s read is that the smaller independent practices, dentists, optometrists, private clinics, are the most exposed because they have no hospital system infrastructure behind them and no clear roadmap for what compliance is supposed to look like at their scale.
One of the sharper moments in the episode comes when Janine reframes the entire cybersecurity communication problem through language. Healthcare and cybersecurity already share a vocabulary. A virus behaves the same way whether it is biological or digital. It enters a system, duplicates, spreads. Her argument is that if the industry just started using that shared language, the normalization of security conversations in healthcare settings would move significantly faster.
“If we just had better conversations of what a virus is, it’s almost the same thing. Everybody will understand each other.”
The episode closes on something most security conversations skip entirely: what happens to your data after you die. House deeds are being signed over to strangers who read obituaries and file fraudulent paperwork. Loans are being taken out against properties. Medical records sit in systems for seven years after your last visit with no one actively protecting them on your behalf. Janine’s point is not to induce panic. It is that survivability, the protection of your data and your assets across your entire life, is a cybersecurity conversation the industry has not started having loudly enough yet. closed with something that doesn’t get said enough:
Real Talk
If you are an MSP and you have ever told a healthcare client they are HIPAA compliant without a thorough controls review, this episode is worth your time before the next audit finds that out for you. HIPAA 2.0 is coming and it will not be optional.
Catch It
Listen to the full episode on Apple Podcasts, Spotify, or wherever you get your podcasts. If this conversation made you think twice about your own security posture, let’s talk. Visit socsoter.com.

