Harbi Dhanjal
Vice President of Engineering, Patagonia Health
Join Harbi Dhanjal, VP of Engineering at Patagonia Health, as he discusses safeguarding EHRs, tackling ransomware, staff's role in cybersecurity, and the implications of AI in healthcare.
Introduction
Can you introduce yourself and explain your role as VP of Engineering at Patagonia Health?
Harbi Dhanjal:
- Vice President of Engineering at Patagonia Health
- Over 25 years of experience in healthcare technology, security, and software development
Current Responsibilities:
- Lead cross-functional technology teams:
  - Software developers
  - Product designers
  - Compliance specialists
  - Cybersecurity professionals
- Oversee the design, development, and security of Patagonia Health’s SaaS-based electronic health records (EHR) platform
- Guide technical strategy and product development cycles
- Ensure usability, functionality, and security of products
- Maintain compliance with healthcare regulations (HIPAA, HITRUST, ONC)
Key Philosophy:
"Security is not a barrier—it’s the foundation of trust between healthcare providers and patients."
Ransomware Protection Strategies for Leadership
What strategies can leadership implement to safeguard against ransomware threats?
3 Core Strategies:
Proactive Security Measures
- Regular risk assessments
- Comprehensive vulnerability scans
- Early identification and remediation of weaknesses
Incident Response & Disaster Recovery
- Well-documented and tested response plans
- Tabletop simulations of ransomware scenarios
- Regular, secure data backups (offline/cloud-based)
- Cloud redundancy for rapid restoration
Staff Training & Security Culture
- Cybersecurity awareness for all roles
- Routine training and simulations
- Align with: NIST Cybersecurity Framework and HHS guidelines
Emerging Trends to Monitor:
- AI & Machine Learning for:
  - Enhanced threat detection
  - Potential new attack vectors
- Evolving regulations (e.g., HIPAA updates)
Staff-Level Cybersecurity Best Practices
How can individual staff members safeguard against phishing or malware?
Key Tactics for Individual Defense:
- Security Awareness Training
  - Recognize phishing red flags (e.g., urgency, typos, suspicious links)
  - Report suspicious activity to IT/security teams
- Password Hygiene
  - Use complex, unique passwords
  - Update passwords regularly
- Multi-Factor Authentication (MFA)
  - Mandatory across systems to prevent unauthorized access
Device and Network Security:
- Keep devices (laptops, tablets, phones) up to date
- Avoid using unsecured public Wi-Fi
- Ensure antivirus and OS patches are current
BYOD (Bring Your Own Device) Awareness:
- Follow clearly defined policies to avoid vulnerabilities
- Understand risks tied to wearables and mobile health apps
"Every staff member plays a vital role in protecting patient data. Training and awareness are the best defense."
Essential Security Certifications for EHR Vendors
What certifications should healthcare organizations look for in an EHR vendor?
Top Certifications:
- HITRUST
  - Gold standard in healthcare cybersecurity
  - Demonstrates adherence to comprehensive security controls
- ONC Health IT Certification
  - Validates compliance with federal standards for:
    - Security
    - Interoperability
    - Usability
- SOC 2 Compliance
  - Security
  - Confidentiality
  - Availability
  - Privacy
Beyond Certifications: Due Diligence Matters
- Review vendor’s security history
- Request details on:
  - Penetration testing
  - Vulnerability assessments
- Assess proactive security monitoring practices
Cloud vs. On-Premise Considerations:
- Evaluate:
  - Cloud security architecture
  - Data encryption
  - Disaster recovery capabilities
- In many cases, cloud-based systems offer more robust protection than on-premise solutions
Evaluating EHR Vendors for Ransomware Resilience
What should leadership look for in an EHR vendor to protect against ransomware?
Vendor Evaluation Checklist:
- Transparency in Incident Handling
  - Clear protocols for breach response
  - Strong SLAs (Service Level Agreements) for recovery times
- Data Backup & Disaster Recovery
  - Regular backups with cloud-based redundancy
  - Quick restoration capability
- Proactive Cybersecurity Approach
  - Frequent security updates
  - Threat monitoring
  - Internal staff training
  - Open communication about system improvements
- Track Record & Responsiveness
  - Review previous security incidents
  - Assess response and recovery time
- Modern Integration Readiness
  - Support for securing:
    - Wearables
    - IoT devices
    - Telehealth platforms
"A vendor’s commitment to cybersecurity innovation makes them a better long-term partner."
Common Ransomware Entry Points
What is the most common pathway for ransomware to infiltrate a health department?
Top Entry Point: Phishing Attacks
- Most scalable and easiest attack method
- Relies on one user to click a malicious link
- Messages often appear to be from trusted sources (e.g., leadership)
Risks Amplified in Healthcare:
- Busy, high-pressure work environments
- Staff may click without verifying details
Modern Threat Capabilities:
- No need to download files
- Clicking a link can trigger automatic malware installation on:
  - Laptops
  - Phones
  - Tablets
Prevention Measures:
- Strong phishing awareness training
- Organization-wide scanning and email filtering
- User vigilance remains the strongest line of defense
Protecting PHI When Using AI Tools
How can health departments ensure AI tools don’t put PHI at risk?
AI Data Privacy Concerns:
- AI tools may use your input to train models
- PHI can be exposed through:
  - Text
  - Uploaded documents
  - Screenshots
Best Practices for Safe AI Use:
- Avoid including PHI in prompts
  - Reframe clinical questions to remove personal identifiers
- Use Enterprise AI Tools
  - Enterprise versions (e.g., ChatGPT for business) offer:
    - Greater control over data usage
    - Opt-out options for model training
- Explore Platform Settings
  - Opt out of using input data for model improvement
- Awareness Is Key
  - Know what data you're sharing
  - Consider how the AI might interpret and retain it
AI is powerful, but without awareness, it can become a vector for privacy risks.
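The "reframe clinical questions to remove personal identifiers" advice above can be backed by a pre-submission check. The following is an added example, not code from the interview or from Patagonia Health, showing a small Python pre-filter that replaces the most recognisable HIPAA identifiers in a prompt with neutral placeholders and refuses to pass text that still matches; the sample prompt and every identifier in it are constructed.

```python
import re

# Added example: a guardrail that scrubs recognisable HIPAA identifiers from a
# clinical question before it is pasted into an AI tool. Regex coverage is a
# safety net, not a guarantee; free-text names and unusual identifiers still
# need human review, and the rule "no PHI in prompts" still applies.
PHI_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("MRN",   re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE)),
    ("DATE",  re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    # Titled names only; untitled free-text names are outside regex reach.
    ("NAME",  re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?")),
    # HIPAA treats ages over 89 as an identifier.
    ("AGE",   re.compile(r"\b(?:9\d|1\d{2})[- ]year[- ]old\b", re.IGNORECASE)),
]


def scrub_phi(text):
    """Return (scrubbed_text, counts): identifiers replaced by [TYPE] placeholders."""
    counts = {}
    for label, pattern in PHI_PATTERNS:
        text, hits = pattern.subn(f"[{label}]", text)
        if hits:
            counts[label] = hits
    return text, counts


def safe_to_send(text):
    """True only when no known identifier pattern remains in the text."""
    return not any(pattern.search(text) for _, pattern in PHI_PATTERNS)


# Constructed sample prompt; the patient, MRN, dates and numbers are fictitious.
SAMPLE = (
    "Mr. Alvarez (MRN 4471023, DOB 03/14/1931) is a 94-year-old male, "
    "phone (919) 555-0134, presenting with chest pain on 2025-02-11. "
    "SSN 123-45-6789 on file. Which guideline applies for anticoagulation?"
)

if __name__ == "__main__":
    cleaned, found = scrub_phi(SAMPLE)
    print("Removed:", found)
    print("Safe to send:", safe_to_send(cleaned))
    print(cleaned)
```

The clinical question survives intact while every labelled identifier becomes a placeholder, so the reframed prompt can be reviewed by a person before it leaves the organisation.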