Security

Data Risk Management Best Practices for Healthcare

Healthcare organizations must embed proactive, systemwide data risk management into AI and digital strategies to protect sensitive information, ensure compliance and enable secure, scalable innovation.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

As healthcare organizations adopt artificial intelligence for clinical decision-making, diagnostics and patient engagement, they face growing scrutiny over how they manage the underlying data powering these advances.

With high-value health data increasingly targeted by cybercriminals — and internal systems under pressure to support interoperability, AI modeling and analytics at scale — the need for robust, proactive data risk management is reaching a critical juncture.

Healthcare CIOs and IT leaders must not only ensure sensitive patient information is protected but also create secure, compliant environments that allow data to flow safely into the AI models and decision support tools that define modern medicine.

This requires health systems to embed data protection into every layer of their architecture, not as a barrier to innovation but as an enabler.

Click the banner below to read the recent CDW Cybersecurity Research Report.

Why Data Risk Management Is Critical in AI-Driven Healthcare

Healthcare organizations working to leverage AI tools and predictive analytics are often expanding their use of cloud, remote access and digital services, all of which increase the complexity of securing patient data.

“AI can’t function effectively without access to reliable, high-quality data sets,” says Shannon Murphy, senior manager of global security and risk strategy at Trend Micro. “But the more data you feed it, the more surface area you create for risk.”

She warns that risk management strategies must evolve in lockstep with these ambitions, because AI creates more opportunities for exposure with every new tool or endpoint.

Henry Vernov, principal product manager for healthcare at Citrix, reinforces the urgency of reducing exposure points, particularly for environments where clinicians and staff access sensitive systems from multiple devices or locations.

“When patient data moves across devices, apps and clouds, every step introduces risk if it’s not locked down at the workspace level,” he says.

For healthcare organizations deploying AI across multiple clinical workflows, the integrity and protection of those data exchanges is paramount.

Data Challenges Facing Healthcare Organizations

Healthcare organizations face four central challenges when it comes to data, says Nicholas Jackson, director of cybersecurity services at Bitdefender. These include fragmented legacy systems, operational realities that drive unusual risks, highly sensitive data and a heavy compliance burden.

“Healthcare environments are built on a mix of outdated infrastructure and newer tools from various vendors,” he says. These systems often don’t communicate well, creating data silos and inconsistent standards that complicate integration and governance.

Jackson notes that in a critical setting like an operating room, it’s often impractical for each clinician to log in to personal accounts in the middle of a procedure.

“Shared or generic access is sometimes used out of necessity, increasing risks around data integrity, insider threats and accountability,” he says.

Meanwhile, HIPAA, the General Data Protection Regulation and other mandates require strict control over health data.

“Applying these consistently across fragmented systems in on-premises and cloud environments, along with varied user practices, is a significant ongoing challenge,” Jackson says.

The goal should always be security, risk management and compliance all working together seamlessly, not as separate operations.”

Nicholas Jackson Director of Cybersecurity Services, Bitdefender

Best Practices for Managing Data Risk in Healthcare

Adam Winston, WatchGuard field CTO, says policies that govern the use of AI applications need to be implemented internally within organizations.

“General-purpose tools employed by end users should not be used to process or upload protected health information or intellectual property; instead, look for purpose-built products that adhere to the HIPAA rules or are targeted for automating some of these tasks,” he says.

Jackson says organizations should start by classifying and mapping their data: “If you don’t know what you have or where it resides, you’re operating blind.”

“From there, embed privacy and security — such as endpoint protection and extended detection and response — into your systems from the start, not as an afterthought,” he says.

Regular risk assessments, strong access controls, encryption and continuous staff awareness training (not once a year) should be standard practice.

“These aren’t optional; they should be considered mandatory for protecting sensitive health data and are key elements of security management,” Jackson says.

Aligning Risk Management With Innovation and Compliance

From Murphy’s perspective, the benefits of AI ingenuity and adoption in the healthcare industry appear to outweigh the risks.

“I’m extremely encouraged by the innovation happening within my healthcare client segment, including research hospitals and university-affiliated hospitals,” she says. “These institutions are not being cavalier about their adoption, but they are being incredibly aggressive.”

Operationally, and taking cybersecurity into account, having full lifecycle data security posture management drives dual positive outcomes: reduced breach potential and smoother AI experiences.

“Risk management is a proactive strategy, and proactivity maintains an ability to stay on the bleeding edge,” Murphy says. “It’s a philosophical strategy that can extend to your security and compliance practice from your innovation practice.”

In this way, she says, security is a massive enabler of innovation, allowing organizations to move quickly and safely, with less technical debt.

Jackson adds that when risk frameworks are integrated early in the design and development phases, they support faster, more secure innovation.

“Compliance becomes a natural outcome, not a last-minute scramble, which reduces longer-term headaches and challenges,” he says. “The goal should always be security, risk management and compliance all working together seamlessly, not as separate operations.”

Kobus Louw/Getty Images