Patients Taught Me This, Not Healthcare
By Corey Mueller
It’s 7:23 on a Tuesday. Forty-seven phishing reports landed in the queue overnight, and the third one in is wrong. I can’t tell you why yet.
The display name reads as a senior executive — first name, last name, title — exactly the way it appears in our directory. The body is short and urgent: a quick wire request. Can you confirm before 9? I’m walking into a meeting.
But it’s wrong.
So I open the headers. The display name says one thing; the address underneath says another. The trusted name is masking a free Gmail address with no history in our environment, sending through a bulk relay we’ve blocked twice already this quarter for the same trick.
The user who reported it almost replied. They told me later they were halfway through composing a confirmation when something pulled them back — the request didn’t sound quite like the executive whose name was on it. They paused, looked again, and clicked the report button instead of reply. Almost. That’s the part of the story that won’t let me mark this one benign and move on.
I write up the indicator, build the detection, push the rule, and ping the user back to thank them for trusting their gut.
I didn’t learn to work like that in a SOC.
Healthcare Didn’t Teach Me These Habits. Patients Did.
After three years in cybersecurity — eight months at an MSSP, a layoff, two and a half years climbing through a financial-services SOC, and a recent move into security engineering — I’ve come to think these habits are the most valuable thing I brought with me out of medicine.
There Are Two of Them. They’re Old Habits. They’re Not on Any Job Description. And They Keep Saving Me.
Habit One: Don’t Leave Until It’s Actually Fixed
For most of twenty-two years I worked in nuclear medicine and PET/CT scanning across southern Michigan. The job, technically, was imaging. The job, actually, was making sure that when a sick person showed up for their scan, the scan happened.
That sounds simple right up until the scanner won’t talk to the hospital’s PACS at six in the morning in a parking lot. The field engineer is two states away. And there’s a woman in the waiting room who’s been thinking about her results for a week.
The field engineer isn’t coming. So you pick it up yourself: networking, software, the machine’s mechanical guts. Not because you wanted a second career as a tech, but because the alternative is a cancer patient in her car, wondering if her scan is going to happen today.
You learn something on a mobile scanner you don’t learn in a classroom: the only person who’s coming is you.
That habit follows me into the SOC every day. From the outside, it looks small: the alert nobody else is going to chase. The signal that’s easy to mark benign and move on. The Tuesday afternoon where I stay an extra hour because something doesn’t smell right. Same habit. Different equipment.
Cybersecurity has a quiet “close the ticket and move on” culture. I understand why — alert volume and fatigue are real, time is finite, and SOCs run on triage.
But I don’t subscribe to it. The ticket isn’t closed when it’s marked closed; it’s closed when it’s actually fixed.
Habit Two: Treat the Person Like a Patient, Not a Ticket
The other thing you learn in nuclear medicine is how to talk to scared people.
A PET/CT scan is not a comfortable experience. You inject someone with a radioactive tracer, lay them flat in a tube, and ask them to hold still for half an hour while a machine maps where their cancer is or isn’t. They are not relaxed. They have questions, and most of those questions are some version of “Am I going to be okay?”
You learn to deliver scary technical content calmly. You get good at translating clinical language without condescension. You learn to disagree with a doctor — sometimes, when it matters — without making them feel small. And you learn this: someone facing a frightening thing does not need more alarm. They need calm clarity.
That habit comes into security with me too. In practice, it’s the user who clicked the phishing link and is mortified. The executive whose account got popped at 11 PM and is convinced their career is over. The analyst at the next desk having a rough Tuesday. You don’t help any of them by treating them like a category. You help them by treating them like a person in a hard moment.
Cybersecurity loves to call users “the weakest link.” I don’t subscribe to that one either. People who report what looked weird are the strongest link in any program I’ve ever worked on. They deserve better than condescension when they raise their hand.
So That’s the Foundation. And That’s What I’m Going to Be Writing About Here.
I owe both habits to people who didn’t know they were teaching them. Patients who, on some of the worst days of their lives, taught me how to slow down, how to stay until the work was done, and how to talk to a scared human being without making it worse. I think about them often.
This Blog Is What I’m Going to Do with What They Gave Me.
Detection Engineering, with a Clinician’s Eye.
If any of this resonates — if you’ve ever changed careers, worked alerts at odd hours, or tried to bring more humanity into a technical job — I’m glad you’re here.
In the next posts, I’ll write about the practical side of that mindset: building detections that hold up in the real world, running investigations that don’t stop at the easy answer, and communicating security work in a way that helps instead of harms.
Welcome.
Views expressed here are my own, not those of my employer.