
Groschl Tightening Up Biomed Cyber at Texas Children’s, Notes Communication Key to Success

Author: Anthony Guerra
Published: Wed 30 Apr 2025
Episode Link: https://healthsystemcio.com/2025/04/30/groschl-getting-biomed-cyber-up-to-snuff-at-texas-childrens-notes-communication-is-key-to-success/

When Gordon Groschl assumed the dual role of CISO & Director of Healthcare Technology Management at Texas Children’s Hospital eight months ago, part of his purview was one of the trickier (and fast-evolving) niches of healthcare IT – biomedical equipment.

Groschl, an 18-year veteran of the organization, now oversees a large network of over 70 biomedical professionals, tasked with securing some of the most sensitive and interconnected devices in modern medicine.

“The role of a biomed technician is fundamentally changing,” Groschl said. “Everything is on the network now. Everything wants to exchange data. And that means cybersecurity can no longer be an afterthought.”

Unlike traditional IT assets, medical devices such as MRIs and infusion pumps often come with strict vendor-imposed limitations that prohibit standard security controls like endpoint detection software or domain integration. Many of these devices were not engineered with software lifecycle management in mind, Groschl noted, and frequently outlive the operating systems they ship with.

“You’re essentially inheriting vulnerabilities you can’t patch the way you would in the IT world,” he said. “That changes everything.”



The scale of the challenge is significant. Texas Children’s operates in the largest medical complex in the United States, the Houston Medical Center, and has expanded operations into Austin, with nearly 200 clinics and urgent care centers across both metropolitan areas. “We provide critical care for children and women, and the footprint just keeps growing,” Groschl said.

From Facilities to Firewall

Historically, biomedical engineering teams reported to facilities departments, focusing on mechanical upkeep and operational maintenance. At Texas Children’s, however, that reporting structure was reassessed years ago, and biomed now sits firmly under the IT umbrella. With Groschl’s recent appointment, the hospital made a decisive shift by placing an IT-native leader—not a clinical engineer—at the helm.

“We’re trying to accelerate our IT maturity curve,” he explained. “And to do that, you need cybersecurity DNA at the top.”

Groschl acknowledged the cultural transition that comes with that change. While the biomed team boasts seasoned veterans—many with decades of hands-on equipment experience—most are not trained in digital security or access management. That skills gap has created an opportunity for what Groschl calls “mutual learning.”

“They’re teaching me the clinical realities. I’m helping them navigate IT governance,” he said.

In an effort to institutionalize that learning, Groschl and his leadership team spent the first three months conducting a detailed audit of the department’s cyber-readiness. Two areas stood out immediately: vulnerability management and access controls. Most of the medical devices weren’t domain-joined, and many lacked standardized login protocols.

The team also discovered inconsistent approaches to identity verification. “You can’t just rely on passwords,” Groschl said. “We’ve seen firsthand how attackers are using AI to impersonate people. We even ran a red team test using deepfake audio from YouTube—and it worked. That was a wake-up call.”

To address these issues, Groschl hired a dedicated IT lead for biomedical security and implemented dashboards to monitor progress. “It’s a flywheel now,” he said. “We’ve started the loop of continuous improvement.”

The department is also engaging a managed service provider that specializes in biomedical security. “These firms understand the unique vendor relationships, device constraints, and FDA regulations,” he said. “They’re not trying to secure laptops—they’re built for this.”

Vendors,
