
Expert Interview: Harbi Dhanjal | Securing Your Health Organization

Data Security Expert Interviews

Harbi Dhanjal

Vice President of Engineering, Patagonia Health

Join Harbi Dhanjal, VP of Engineering at Patagonia Health, as he discusses safeguarding EHRs, tackling ransomware, staff's role in cybersecurity, and the implications of AI in healthcare.

Introduction

Can you introduce yourself and explain your role as VP of Engineering at Patagonia Health?

Harbi Dhanjal:

  • Vice President of Engineering at Patagonia Health

  • Over 25 years of experience in healthcare technology, security, and software development

Current Responsibilities:

  • Lead cross-functional technology teams:

    • Software developers

    • Product designers

    • Compliance specialists

    • Cybersecurity professionals

  • Oversee the design, development, and security of Patagonia Health’s SaaS-based electronic health records (EHR) platform

  • Guide technical strategy and product development cycles

  • Ensure usability, functionality, and security of products

  • Maintain compliance with healthcare regulations (HIPAA, HITRUST, ONC)

Key Philosophy:

"Security is not a barrier—it’s the foundation of trust between healthcare providers and patients."

Ransomware Protection Strategies for Leadership

What strategies can leadership implement to safeguard against ransomware threats?

3 Core Strategies:

Proactive Security Measures

  • Regular risk assessments
  • Comprehensive vulnerability scans
  • Early identification and remediation of weaknesses


Incident Response & Disaster Recovery

  • Well-documented and tested response plans
  • Tabletop simulations of ransomware scenarios
  • Regular, secure data backups (offline/cloud-based)
  • Cloud redundancy for rapid restoration

Staff Training & Security Culture

  • Cybersecurity awareness for all roles
  • Routine training and simulations
  • Align with: NIST Cybersecurity Framework and HHS guidelines

Emerging Trends to Monitor:

AI & Machine Learning for:

  • Enhanced threat detection
  • Potential new attack vectors
  • Evolving regulations (e.g., HIPAA updates)

Staff-Level Cybersecurity Best Practices

How can individual staff members safeguard against phishing or malware?

Key Tactics for Individual Defense:

  • Security Awareness Training
    • Recognize phishing red flags (e.g., urgency, typos, suspicious links)

    • Report suspicious activity to IT/security teams

  • Password Hygiene
    • Use complex, unique passwords

    • Update passwords regularly

  • Multi-Factor Authentication (MFA)
    • Mandatory across systems to prevent unauthorized access

Device and Network Security:

  • Keep devices (laptops, tablets, phones) up to date
  • Avoid using unsecured public Wi-Fi
  • Ensure antivirus and OS patches are current

BYOD (Bring Your Own Device) Awareness:

  • Follow clearly defined policies to avoid vulnerabilities
  • Understand risks tied to wearables and mobile health apps

"Every staff member plays a vital role in protecting patient data. Training and awareness are the best defense."

Essential Security Certifications for EHR Vendors

What certifications should healthcare organizations look for in an EHR vendor?

Top Certifications:

  • HITRUST
    • Gold standard in healthcare cybersecurity

    • Demonstrates adherence to comprehensive security controls

  • ONC Health IT Certification
    • Validates compliance with federal standards for:
      • Security
      • Interoperability
      • Usability
  • SOC 2 Compliance
    • Security
    • Confidentiality
    • Availability
    • Privacy

Beyond Certifications: Due Diligence Matters

  • Review vendor’s security history

  • Request details on:
    • Penetration testing

    • Vulnerability assessments

  • Assess proactive security monitoring practices

Cloud vs. On-Premise Considerations:

  • Evaluate:
    • Cloud security architecture

    • Data encryption

    • Disaster recovery capabilities

  • In many cases, cloud-based systems offer more robust protection than on-premise solutions

Evaluating EHR Vendors for Ransomware Resilience

What should leadership look for in an EHR vendor to protect against ransomware?

Vendor Evaluation Checklist:

  • Transparency in Incident Handling
    • Clear protocols for breach response

    • Strong SLAs (Service Level Agreements) for recovery times

  • Data Backup & Disaster Recovery
    • Regular backups with cloud-based redundancy

    • Quick restoration capability

  • Proactive Cybersecurity Approach
    • Frequent security updates

    • Threat monitoring

    • Internal staff training

    • Open communication about system improvements

  • Track Record & Responsiveness
    • Review previous security incidents

    • Assess response and recovery time

  • Modern Integration Readiness
    • Support for securing:

      • Wearables

      • IoT devices

      • Telehealth platforms

"A vendor’s commitment to cybersecurity innovation makes them a better long-term partner."

Common Ransomware Entry Points

What is the most common pathway for ransomware to infiltrate a health department?

Top Entry Point: Phishing Attacks

  • Most scalable and easiest attack method

  • Relies on one user to click a malicious link

  • Messages often appear to be from trusted sources (e.g., leadership)

Risks Amplified in Healthcare:

  • Busy, high-pressure work environments

  • Staff may click without verifying details

Modern Threat Capabilities:

  • No need to download files

  • Clicking a link can trigger automatic malware installation on:

    • Laptops

    • Phones

    • Tablets

Prevention Measures:

  • Strong phishing awareness training

  • Organization-wide scanning and email filtering

  • User vigilance remains the strongest line of defense
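The phishing red flags listed under Staff-Level Cybersecurity Best Practices (urgency, suspicious links, messages that appear to come from leadership) and the organization-wide email filtering mentioned here can both be expressed as checks a mail gateway or a reporting tool runs on each message. The Python below is an added example and is not code from Patagonia Health or from the interview; the phrase lists, the trusted domain `healthdept.example`, the finding codes, and both sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act before verifying (constructed list, not exhaustive).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended",
                   "verify now", "action required")
# Display-name words that suggest the sender is leadership or IT (constructed list).
ROLE_WORDS = ("director", "ceo", "chief", "it support", "helpdesk", "administrator")
# Visible link text that itself looks like a URL or domain.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL or bare domain string, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _registrable(host):
    """Last two labels of a host; a simplification that ignores public-suffix rules."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(msg, trusted_domains=("healthdept.example",)):
    """Return a list of (code, detail) findings for one message.

    msg is a dict with from_name, from_addr, subject and html keys;
    trusted_domains holds the organisation's own mail/web domain(s).
    """
    findings = []
    # 1. Urgency language in subject or body (tags stripped).
    text = (msg["subject"] + " " + re.sub(r"<[^>]+>", " ", msg["html"])).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(("URGENCY", phrase))
    # 2. A leadership/IT-sounding display name on an external address.
    sender_domain = _registrable(msg["from_addr"].rsplit("@", 1)[-1].lower())
    name = msg["from_name"].lower()
    if sender_domain not in trusted_domains and any(w in name for w in ROLE_WORDS):
        findings.append(("ROLE_IMPERSONATION", f"{msg['from_name']} <{msg['from_addr']}>"))
    # 3. Links whose visible text points somewhere other than the real href,
    #    and hosts that embed the organisation's name under a foreign domain.
    collector = _LinkCollector()
    collector.feed(msg["html"])
    org_labels = [d.split(".")[0] for d in trusted_domains]
    for href, visible in collector.links:
        href_host = _host(href)
        href_domain = _registrable(href_host)
        if URL_LIKE.match(visible) and _registrable(_host(visible)) != href_domain:
            findings.append(("LINK_TEXT_MISMATCH", f"{visible} -> {href}"))
        if href_domain not in trusted_domains and any(o in href_host for o in org_labels):
            findings.append(("LOOKALIKE_DOMAIN", href_host))
    return findings


def indicator_codes(msg, **kw):
    """Sorted, de-duplicated finding codes; handy for a quick triage verdict."""
    return sorted({code for code, _ in phishing_indicators(msg, **kw)})


# Constructed sample messages (addresses and domains are placeholders).
SAMPLE_PHISH = {
    "from_name": "Dr. Ellis, Medical Director",
    "from_addr": "director.ellis@mail-notify.example",
    "subject": "URGENT: password verification required within 24 hours",
    "html": '<p>Your EHR account will be suspended. Verify now at '
            '<a href="http://healthdept.example.login-verify.example/reset">'
            'https://portal.healthdept.example/reset</a></p>',
}
SAMPLE_LEGIT = {
    "from_name": "IT Helpdesk",
    "from_addr": "helpdesk@healthdept.example",
    "subject": "Scheduled maintenance this Saturday",
    "html": '<p>The EHR will be read-only from 02:00 to 04:00. Details: '
            '<a href="https://intranet.healthdept.example/maintenance">'
            'intranet.healthdept.example/maintenance</a></p>',
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, indicator_codes(msg), phishing_indicators(msg))
```

The checks are deliberately simple heuristics: the registrable-domain helper ignores public-suffix rules, and the lookalike test will flag any foreign host that happens to contain the organisation's first label, so findings are meant to feed a "report this" prompt or a gateway score rather than to block mail on their own.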

Protecting PHI When Using AI Tools

How can health departments ensure AI tools don’t put PHI at risk?

AI Data Privacy Concerns:

  • AI tools may use your input to train models
  • PHI can be exposed through:
    • Text
    • Uploaded documents
    • Screenshots


Best Practices for Safe AI Use:

  • Avoid including PHI in prompts
    • Reframe clinical questions to remove personal identifiers

  • Use Enterprise AI Tools
    • Enterprise versions (e.g., ChatGPT for business) offer:
      • Greater control over data usage

      • Opt-out options for model training

  • Explore Platform Settings
    • Opt out of using input data for model improvement

  • Awareness Is Key
    • Know what data you're sharing

    • Consider how the AI might interpret and retain it

AI is powerful, but without awareness, it can become a vector for privacy risks.
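The advice above to keep PHI out of prompts and to reframe clinical questions without identifiers is easier to follow with a guard in front of the AI tool. The Python below is an added example, not code from Patagonia Health or from the interview: the identifier patterns, the placeholder labels, and the sample prompt are all constructed here, and patient names are supplied by the caller because pattern matching alone cannot find them reliably.

```python
import re

# Identifier patterns that commonly leak into prompts (constructed list; not a full
# HIPAA Safe Harbor de-identification, which also covers names, small geographic
# units, ages over 89 and more).
PHI_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")),
]


def redact_phi(text, names=()):
    """Replace direct identifiers with bracketed placeholders.

    names: patient or family names known from the chart being discussed; the
    caller supplies them because regexes cannot reliably recognise names.
    Returns (redacted_text, {label: count}).
    """
    counts = {}
    out = text
    for label, pattern in PHI_PATTERNS:
        out, n = pattern.subn(f"[{label}]", out)
        if n:
            counts[label] = n
    for name in names:
        out, n = re.subn(re.escape(name), "[PATIENT]", out, flags=re.IGNORECASE)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    return out, counts


def safe_to_send(text, names=()):
    """True when the prompt contains none of the tracked identifiers."""
    return not redact_phi(text, names)[1]


# Constructed prompt of the kind a clinician might paste into a general-purpose assistant.
RAW_PROMPT = ("Patient Jane Doe, MRN 0012345, DOB 03/12/1984, phone (919) 555-0142, "
              "SSN 123-45-6789, reports chest pain. Email jane.doe@example.com.")
# The same question reframed without identifiers, as the interview recommends.
REFRAMED_PROMPT = "A 41-year-old woman reports chest pain; what is a reasonable initial workup?"

if __name__ == "__main__":
    cleaned, removed = redact_phi(RAW_PROMPT, names=("Jane Doe",))
    print(cleaned)
    print(removed)
    print(safe_to_send(RAW_PROMPT), safe_to_send(REFRAMED_PROMPT))
```

The guard only catches identifiers a pattern can spot; free-text context, rare diagnoses or addresses can still identify a patient, so it complements, rather than replaces, the enterprise-tool and opt-out settings listed above.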
