Mahaska Health CIO Bob Berbeco is navigating the intersection of AI innovation, regulatory
compliance, and evolving cyber threats to build a resilient, people-first technology
environment that protects patient data and strengthens the trust that healthcare depends
on.

Project Overview

Mahaska Health is a critical access hospital based in the Midwest, with approximately 720
employees and over 90 physicians. As CIO, Bob Berbeco leads all organizational technology —
including servers, desktops, data science, AI initiatives, cybersecurity, and informatics — with
the overarching goal of enhancing patient care and operational efficiency. With decades of
experience across healthcare technology, predictive analytics, process optimization, and
operational leadership, Bob brings a deeply disciplined, process-driven approach to some of
healthcare's most complex and fast-moving challenges. Mahaska also works with an external
managed Security Operations Center (SOC) partner that provides continuous monitoring, extending
its internal security capabilities around the clock.

Business Challenges and Solutions

Healthcare organizations like Mahaska Health operate at the crossroads of several
compounding pressures. Patient data is among the most sensitive and valuable information a
bad actor can target, yet the diversity of systems — from clinical applications and billing
platforms to IoT-connected medical devices — creates an expansive and difficult-to-manage
attack surface. Ransomware and phishing attacks are a daily reality, and the consequences of a
breach extend far beyond financial loss to include reputational damage, care disruption, and
regulatory exposure under frameworks like HIPAA and NIST.
Bob's approach to these challenges is built around three pillars. The first is process discipline —
maintaining a living risk matrix that documents every known vulnerability, assigns priority
levels, decomposes risks into actionable items, and tracks mitigation through regular
checkpoints. The second is a layered external security model that includes penetration testing,
security scorecards, and a 24/7 third-party SOC that continuously monitors the environment for
active exposures. The third, and what Bob considers equally critical, is education. Phishing
remains the dominant attack vector, and with a workforce ranging from clinical staff to
administrative teams, Mahaska runs monthly online security training with follow-up testing and
leadership accountability to keep every employee alert. Bob has made himself personally
accessible to staff, sharing his cell phone number across the organization so that no question
goes unanswered and no suspicious email goes unreported.
On the AI front, Bob advocates for "purpose-built AI" — deploying artificial intelligence only
where there is a clearly defined organizational problem to solve, with proper governance,
guardrails, and measurable KPIs. Current efforts focus on revenue cycle management, where AI
is being embedded into denial management processes to augment billing staff knowledge and
improve both efficiency and outcomes. Looking ahead, Bob sees an AI-driven "cold war" in
cybersecurity, where attackers and defenders are increasingly deploying AI against each other,
making proactive education and adaptive tooling more important than ever.
For IoT and medical devices — a particularly complex challenge in healthcare — Bob
emphasizes supply chain visibility, ensuring that IT has a seat at the table when clinical devices
are procured and that all connected devices are captured in the organizational risk matrix.