Harbi Dhanjal
Vice President of Engineering, Patagonia Health
Join Harbi Dhanjal, VP of Engineering at Patagonia Health, as he discusses safeguarding EHRs, tackling ransomware, staff's role in cybersecurity, and the implications of AI in healthcare.
Can you introduce yourself and explain your role as VP of Engineering at Patagonia Health?
My name is Harbi Dhanjal. I'm the Vice President of Engineering at Patagonia Health. I have over 25 years of experience in healthcare technology, security, and software development. In my current role, I lead our technology teams, including software developers, product designers, compliance specialists, and cybersecurity professionals, in architecting, designing, delivering, and securing Patagonia Health's industry-leading electronic health records SaaS platform.
My responsibilities include guiding Patagonia Health's overall technical strategy, overseeing product development cycles, and ensuring that our product meets user expectations in terms of usability and functionality. I also maintain rigorous standards of data security and compliance with healthcare industry regulations like HIPAA, HITRUST, and ONC certifications. One of the most interesting and rewarding aspects of my job is navigating the delicate balance between innovation, which is developing products that help healthcare providers deliver efficient and effective patient care, and maintaining stringent cybersecurity measures to protect sensitive patient data.
Ransomware attacks on healthcare organizations have been on the rise. What strategies can leadership implement to safeguard against such threats?
That's a critical question because ransomware is definitely becoming increasingly sophisticated and frequent in healthcare settings. In my opinion, safeguarding against such threats requires three steps: (1) being proactive, (2) having a response plan, and (3) staff training and culture. To expand on that a little bit, you know, leadership in healthcare organizations must, in my opinion, take a proactive, layered approach to cybersecurity. This begins with conducting regular risk assessments and comprehensive vulnerability scans, which allow us to identify and fix vulnerabilities before they are exploited.
As part of the second step of the strategy, another essential strategy is ensuring robust incident response and disaster recovery plans are in place. It's not enough to have these plans written down; they must also be practiced and tested regularly. Part of this preparation involves conducting simulations of ransomware scenarios, known as tabletop exercises, so that everyone knows exactly how to respond in the event of an attack. Backing up patient data consistently and securely using offline or cloud-based storage solutions is also essential. Regular backup means that organizations can quickly restore operations with minimal disruption before a ransomware attack happens. Cloud redundancy, where cloud data is stored across multiple secure locations, provides additional protection and ensures that healthcare providers can rapidly regain access to critical patient data after a breach.
Lastly, leadership should also focus on fostering a culture of cybersecurity awareness with routine training exercises for all employees, from frontline clinical staff to senior executives. At Patagonia Health, we encourage organizations to align with well-established frameworks such as the NIST Cybersecurity Framework and guidelines from the Health and Human Services Department. Participation is collaborative, and this helps healthcare providers maintain, inform, and be informed about emerging threats and best practices in defending against ransomware.
And I feel like, you know, the landscape's evolving, so leadership should always keep an eye on emerging cybersecurity trends like artificial intelligence and machine learning, which have tremendous potential to enhance threat detection and response and potentially open up new vectors of attack. You know, I feel like besides all of this, just staying current with regulations around cybersecurity, such as changes in HIPAA guidelines or the cybersecurity standards, is also important.
Could you discuss some of the specific safety certifications that healthcare organizations should look for in an EHR to prevent hacking and data breaches?
Choosing a secure EHR vendor starts by verifying essential security certifications, right? So one critical certification is HITRUST. It is considered the gold standard in the healthcare cybersecurity space. HITRUST certification demonstrates that an organization rigorously adheres to comprehensive healthcare-specific cybersecurity controls, providing healthcare providers with peace of mind about vendor availability. Additionally, healthcare organizations should also look for ONC Health IT certification. This certification validates that the EHR vendor complies with federal standards for security, interoperability, and usability, which include rigorous data encryption practices and secure authentication methods. Another important certification is SOC 2 compliance. SOC 2 is an independent assessment that evaluates whether a vendor maintains stringent controls around security, confidentiality, availability, and privacy.
Choosing a vendor with SOC 2 compliance ensures that they undergo regular external audits to maintain high security standards. However, you know, I think certifications alone aren't enough, right? Healthcare organizations should also perform their due diligence by reviewing the vendor's security history, requesting documentation about penetration testing and vulnerability assessment, and understanding how the vendor proactively monitors and improves cybersecurity practices. It's also worth discussing that cloud-based EHR solutions have distinct security considerations and often advantages compared to on-premise solutions. Leaders should carefully discuss the vendor's approach to cloud security, including data storage, encryption, and disaster recovery capabilities, and compare it to other solutions to see how it differs from or, in most cases, is better than an on-premise solution.
What is the most common pathway for ransomware to infiltrate a health department?
I feel like one of the most common ways of getting into an organization is through phishing attacks. So phishing is by far the number one, easiest, and most scalable way for hackers to access data. You know people interested in penetrating your system to do this. The advantage of phishing is that it is scalable. To get access to the system, you just need one person in the entire organization to click the link and be compromised, and it is also very easy to do it at scale. One of the other challenges with phishing is that the messaging can be made to look as if it's coming from a reliable source, so user awareness is critical in terms of being able to defend against that. But there are security products out there that can scan your e-mail. If a phishing attempt has been reported by anyone in the organization, it just reclassifies all of the emails as phishing attempts. Outside of that, just awareness of a particular user is the critical step towards that. So, I feel that phishing training should be incorporated into all healthcare organizations, helping staff become more aware and identify threats more easily. And I feel that's a great point. Now you know there's a challenge in healthcare, right?
You know, healthcare, in general, has always been challenged in terms of having enough staff to address the needs of the patient, and the work environment's just stressful and always busy, right? Opportunities that hackers look for where, you know, you inadvertently, or if you are multitasking, you happen to see an e-mail from your boss saying this is urgent and, if you're not paying attention to where it came from or what the underlying address was. If you click on that link, that's all the opportunity they need to get into your system. These malware and phishing attacks have become so advanced that you don't even need to download any software nowadays. It's just as if you click on a link. You know, it automatically downloads the software in the background, whether it be on your phone or your laptop or devices, and is then able to go about installing other malicious software that will then cause further harm to your system. So, just that awareness aspect is understated, but it is very important, especially in the healthcare situation where, you know, everybody's overburdened with work, right?
With AI use becoming more prevalent, how can health departments ensure they aren't putting PHI at risk when using AI tools?
AI is an evolving field, and we are all trying to learn how to work with it, right? At the moment, you know, since it's relatively new, there's a lack of understanding of how AI is using some of the data that's being provided to it from a privacy and security perspective. So as they say, right, there is no such thing as a free lunch. You know, if the product is free, then the product is the consumer, right? And so that's the same that I feel applies for AI. You know, if there is a tool that is free, it's essentially taking the data that you're entering into it to help train its models better. You know, one of the most critical ways of preventing unintentional breaches of PHI is just awareness, right? I mean, asking ChatGPT a question about, you know, say a patient situation, right?
You can ask the same question without including personally identifiable information or PHI. You just have to frame the question so that you remove the PHI when you ask it. So I think general awareness and all these models are also pretty good at interpreting data, whether it's in a screenshot or a document. So I feel like that's another aspect to be aware of. You know, it's just not the text that you're typing into ChatGPT. It's also any documents, images, or anything that you're uploading as part of your asking the question that can inadvertently leak PHI to ChatGPT, which will then use it to train its model and improve it. Another thing that I've seen across some organizations is that they've started to buy, say, the enterprise version of ChatGPT, which gives you a lot more flexibility in terms of, you know, whether any data is available for them to be trained on.
And even for paid subscriptions, ChatGPT actually lets you opt out of, you know, using the data that you are providing it to train its model. That could be another more feasible way of using some of these technologies, right? Is that just go explore the settings that they have, see if there are options to exclude data from being used for model and for training purposes. But I think generally it's more being aware that if you are providing that information, then chances are that it may be used to train the model, and so just being more aware of what you provide them or just reframing the questions in a better way.