HIPAA compliance: Why healthcare is defending the wrong data challenge

by Dom Nicastro

HIPAA compliance: Why healthcare is defending the wrong data challenge

by Dom Nicastro

HIM leaders are being asked to protect patient data in an environment that no longer resembles the one HIPAA was originally designed for. Cybersecurity threats have evolved. Data flows have multiplied. Artificial intelligence (AI) tools now touch patient information in ways that bypass traditional electronic health record (EHR) controls.

Yet many healthcare organizations still measure security readiness based on familiar threats, legacy controls, and audit outcomes that reward appearance over effectiveness.

Marty Puranik, founder, CEO, and president of Atlantic.net, and Jeremy Shiner, founder and CEO of Myriad Systems, approach this problem from different angles. Essentially, they say HIM leaders are often defending the wrong assets, in the wrong ways, against threats that have already moved on.

Fighting the last battle in healthcare cybersecurity

Many healthcare cybersecurity programs remain anchored to threats that dominated earlier eras of risk: phishing, basic malware, and perimeter breaches. Those risks still matter, but over-focusing on them can obscure faster-moving threats that are harder to see and easier to underestimate.

Puranik argues that healthcare organizations are over-indexing on phishing and normal malware while under-indexing on newer threats like agentic AI leaking data and malware using AI that adapts and looks more real and customized to the target.

For HIM leaders, the implication is not that phishing no longer matters, but that threat models built around yesterday’s attack patterns leave blind spots. AI-enabled threats are more adaptive, more targeted, and less dependent on the obvious signals traditional security tools are tuned to detect.

This misalignment becomes especially dangerous when leaders believe their organizations are already “mature” from a security standpoint.

Redefining what HIM is actually protecting

HIPAA discussions often default to a single term: protected health information (PHI). In practice, not all data carries the same risk, exposure profile, or operational impact.

From a first-principles perspective, Puranik urges leaders to step back and ask more foundational questions. Beyond PHI, organizations need to decide what parts of their organization they want to isolate and/or protect, he says. This includes basic architectural decisions that are often inherited rather than intentionally designed.

“Does everything need to be online?” asks Puranik. “If so, does it need to be globally accessible? For example, if it's a local doctor login portal, does it need to be accessible from China?”

For HIM leaders, this reframing matters because compliance risk is not evenly distributed. Clinical documentation systems, revenue cycle platforms, legal records, and research datasets all carry different consequences when compromised—and they often require different access models.

Blocking unnecessary access can be simpler and more effective than attempting to counter every potential threat after the fact, says Puranik.

AI outside the EHR creates new HIPAA exposure

That challenge becomes more acute as AI tools proliferate beyond the EHR.

Shiner emphasizes that HIM leaders are now on the front line of AI governance. AI adoption is accelerating because it reduces administrative burden, improves documentation, supports billing accuracy, and helps organizations stay financially viable. But those benefits only materialize when data governance keeps pace.

“It’s now clear that AI outside the EHR creates new risk,” explains Shiner.

Many organizations are adopting AI tools as plug-ins or application programming interface (API)-based services that sit outside of traditional EHR boundaries. These tools can route patient data through multiple systems, some of which were never designed with HIPAA governance in mind.

“When PHI leaves the EHR and moves into third-party systems, it may be routed to centralized databases, pass through vendors that are not covered entities, or reach technology partners without proper Business Associate Agreements (BAA) in place,” says Shiner.

For HIM leaders accustomed to controlling data inside tightly governed systems, these external pathways represent a fundamental shift in risk exposure.

Controls assumed vs. controls verified

One of the most persistent dangers in healthcare security is the assumption that existing controls still work and continue to make sense. Puranik challenges organizations to interrogate their own infrastructure.

“Are the firewalls set up properly?” he asks. “Do the backups actually work? Does what you have in place actually work, and does it even make sense?”

Too often, security configurations are inherited. Puranik notes that when things are set up by individuals who are no longer there, current employees may not know why a particular server or firewall exists.

This creates a dangerous gap between perceived readiness and actual resilience. HIM leaders may be shown dashboards full of green checkmarks, but those indicators can mask deeper failures.

“The staff optimizes for the green checkmarks, not to even make sure the equipment is set up correctly,” says Puranik.

He explains that even if a backup system technically exists, it can still fail when it is needed. For example, if the backup servers aren’t connected to the disk array that they should be, it’s not functional.

Backup strategy and the risk of silent data damage

Backups are often treated as a safety net, particularly in ransomware discussions. However, Puranik warns that healthcare organizations frequently misunderstand what their backup strategies are actually designed to handle.

“Organizations don't test their backups,” he says. “They also don't test to see if the right data sets are being backed up, or they misallocate resources to their backup solution.”

In many environments, backups are optimized for small, routine restores.

“If you are occasionally restoring single files at a time, the setup might be okay,” notes Puranik.

The real problem emerges during rare events.

“Once every 20 years, you need to restore a full server that might end up taking days,” he says. “Healthcare tends to underinvest in the catastrophic and overinvest in the frequently visible problems.”

From an HIM perspective, this becomes even more complex when considering data integrity. Subtle data manipulation may not be detected immediately. In these cases, short backup windows can eliminate the ability to roll back to a known-good state.

Puranik points out that having backups that go very far back can be useful for comparison when data integrity—not just availability—is at risk.

Why “HIPAA-compliant” is not enough

Shiner cautions HIM leaders against accepting the HIPAA-compliant label at face value, as it is often superficial, and it should not replace proper due diligence.

He notes that a BAA with a primary vendor is required, but it is not sufficient.

“It does not automatically cover every system that may touch PHI,” explains Shiner.

Downstream intermediaries, subcontractors, cloud providers, and AI engines may all handle patient data without proper agreements in place.

“Do not accept a ‘HIPAA-compliant’ label without proof,” he warns.

This becomes especially problematic when AI vendors rely on ungated large language models (LLM) accessed via API connections, which inherently bypass these BAA requirements, according to Shiner.

He argues that a safer approach is to work with vendors that host their own models or operate within internally managed HIPAA-compliant environments. This reduces unnecessary data movement and limits exposure to unregulated third parties.

Testing reality instead of tabletop comfort

Both leaders emphasize that preparedness must be tested in conditions that resemble real-world failure, not theoretical exercises.

Puranik suggests flipping the mindset entirely. HIM and security leaders should ask, “If I wanted to make sure that we have a security issue, what would I do?”

That exercise often exposes misconfigured firewalls, compromised legacy devices still online, or access controls that rely on trust rather than verification. Shiner suggests conducting basic social engineering tests.

“Have a random person dress up as a doctor, and see how far they can social engineer their way into your entity,” he says.

For backups and recovery, Puranik recommends more than tabletop discussions.

“Hold a ‘fire drill’ by simulating it actually happening and seeing how the organization responds,” he says.

Shiner reinforces this need for continuous oversight in AI governance. He advises HIM leaders to require full visibility into AI data flows, including requesting a full data flow diagram, identifying every system that touches PHI, and confirming BAAs exist at each level.

Aligning HIM, IT, compliance, and clinical leadership

Misalignment across departments can undermine even well-funded security programs.

“A lot of the industry is focused on acting in ways that align or visibly achieve a goal versus actually doing things to achieve the goal,” says Puranik.

Passing audits often becomes the objective, not improving security posture.

“A weaker posture with an easier-to-pass audit is usually preferred over a tedious one because the security posture is better,” he says.

Both leaders argue that sustainable governance requires broader engagement. Shiner emphasizes education and transparency, while Puranik highlights inclusion.

“The most important part of this is to include everyone in the process,” says Puranik. “Staff need to understand why we are doing this from a high level. The best ideas might come from the people doing the hands-on work, finding problems before they become too big.”

Looking ahead, he believes the biggest change is cultural, not technical.

“I would say you really need to ramp up communication and make it everyone's responsibility,” he says. “Gone are the days of having just a firewall and saying we're secure.”

"Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, or the Copyright Clearance Center at 978-750-8400. Opinions expressed are not necessarily those of RCA. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions."

Proud Partners

Proud Partners

To embed a website or widget, add it to the properties panel.
To embed a website or widget, add it to the properties panel.
 (edited)