Night Mode Labs Blue Book
Regulated Industries

Healthcare and PHI

Healthcare platforms often handle protected health information, strict vendor obligations, and audit-sensitive workflows. Treat PHI exposure as a platform design constraint, not only an application concern.

PHI boundaries

Identify:

  • Systems that create, receive, store, process, or transmit PHI.
  • Integrations with EHR, billing, scheduling, or care systems.
  • Logs, analytics, backups, and exports that may contain PHI.
  • Non-production environments with copied or synthetic data.
  • Vendors and subprocessors that touch PHI.

Control expectations

Healthcare environments usually need strong controls for:

  • Access management and MFA.
  • Least privilege and periodic access review.
  • Encryption in transit and at rest.
  • Audit logs for access and administrative actions.
  • Data retention and deletion.
  • Backup and restore testing.
  • Incident response and breach notification.
  • Vendor agreements and evidence.

Engineering practices

  • Use synthetic data in development and tests.
  • Prevent PHI in logs, traces, prompts, and screenshots.
  • Restrict production data exports.
  • Use environment and data classification tags.
  • Review third-party integrations for PHI flow.
  • Document break-glass access and review usage.
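The practice "Prevent PHI in logs, traces, prompts, and screenshots" is easier to enforce at the logging layer than by code review alone. The following is an added example, not code from the Night Mode Labs Blue Book: an allow-list redaction step for structured log events plus a handler-level filter for free-text messages. The field names, regexes and the sample event are assumptions constructed for illustration. The redactor also reports which keys it replaced, so a service can count redactions and alert when a new code path starts logging PHI.

```python
"""Allow-list redaction for structured log events (added example, not from the Blue Book).

Field names, regexes and the sample event below are assumptions constructed for illustration.
"""
import json
import logging
import re
from typing import Any

# Keys a log event may carry verbatim. Anything else is treated as potential
# PHI and replaced, so an event fails closed when someone adds a new field
# (for example by dumping a whole patient record while debugging).
SAFE_FIELDS = frozenset({
    "msg", "level", "service", "request_id", "status", "duration_ms",
    "patient_ref",  # an opaque pseudonymous token, never the MRN itself
})

# Backstop patterns for identifiers that leak through free-text messages.
# Pattern scrubbing is a second line of defence only; it cannot catch names.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ISO_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")  # dates of birth, visit dates
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_text(text: str) -> str:
    """Replace identifier-like substrings in free text with fixed markers."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = ISO_DATE_RE.sub("[REDACTED-DATE]", text)
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    return text


def redact_event(event: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (safe_event, redacted_keys).

    Keys outside SAFE_FIELDS are replaced wholesale; string values of safe keys
    are pattern-scrubbed. The redacted key list lets the service count
    redactions: a rise is a detection signal that some path now logs PHI.
    """
    safe: dict[str, Any] = {}
    redacted: list[str] = []
    for key, value in event.items():
        if key not in SAFE_FIELDS:
            safe[key] = "[REDACTED]"
            redacted.append(key)
        elif isinstance(value, str):
            safe[key] = scrub_text(value)
        else:
            safe[key] = value
    return safe, redacted


def to_log_line(event: dict[str, Any]) -> str:
    """Serialise an event as one JSON line after redaction."""
    safe, _ = redact_event(event)
    return json.dumps(safe, sort_keys=True)


class PhiRedactingFilter(logging.Filter):
    """Handler-level filter that scrubs every record's rendered message.

    Attached to the handler rather than the logger so it also covers records
    from third-party libraries that propagate to the root logger.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # message is already rendered; prevent re-formatting
        return True


def render_with_filter(message: str) -> str:
    """Push one message through a logger wired with the filter and return
    what the handler would have written (used to demonstrate the filter)."""
    captured: list[str] = []

    class _Capture(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    handler = _Capture()
    handler.addFilter(PhiRedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("phi-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.debug(message)
    return captured[0]


# Constructed sample: what a hasty debug statement might emit.
SAMPLE_EVENT = {
    "msg": "eligibility lookup failed, ssn 123-45-6789 dob 1984-03-02",
    "level": "DEBUG",
    "service": "scheduling",
    "request_id": "req-7f3a",
    "status": 500,
    "patient": {"name": "Jane Doe", "mrn": "MRN-00123"},
}

if __name__ == "__main__":
    print(to_log_line(SAMPLE_EVENT))
    print(render_with_filter("callback to jane.doe@example.com failed"))
```

The allow-list is the real control; the regexes are a backstop and deliberately do not try to catch names, which is why free-text messages should never interpolate patient data in the first place. The same redaction step belongs in front of traces and any prompt sent to an AI tool, since those are log sinks too.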

Watchouts

  • De-identified data can still be re-identifiable in context.
  • Debug logging can accidentally become a breach path.
  • AI tools must be approved for the data they receive.
  • Backups, queues, dead-letter topics, and caches are part of the PHI boundary.
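The first watchout, that de-identified data can still be re-identifiable in context, is worth checking mechanically before an export leaves the PHI boundary. The following is an added example, not code from the Blue Book: a k-anonymity check that measures how many rows share the same combination of quasi-identifiers (ZIP code, birth year, sex) after names and MRNs have been stripped, and a generalisation step that coarsens those columns until the export meets a minimum group size. The rows, column names and the k threshold are assumptions constructed for illustration.

```python
"""Quasi-identifier uniqueness check for a 'de-identified' export.

Added example, not from the Blue Book; rows, columns and thresholds are
assumptions constructed for illustration.
"""
from collections import Counter
from typing import Iterable, Sequence

Record = dict[str, object]

# Constructed export: names and MRNs already stripped, diagnosis retained.
# Every row is still unique on (zip5, birth_year, sex), so a single outside
# data set with those columns could link each row back to a person.
SAMPLE_EXPORT: list[Record] = [
    {"zip5": "02139", "birth_year": 1962, "sex": "F", "diagnosis": "E11"},
    {"zip5": "02139", "birth_year": 1965, "sex": "F", "diagnosis": "I10"},
    {"zip5": "02141", "birth_year": 1962, "sex": "M", "diagnosis": "J45"},
    {"zip5": "02142", "birth_year": 1968, "sex": "M", "diagnosis": "E11"},
    {"zip5": "02138", "birth_year": 1969, "sex": "F", "diagnosis": "F41"},
    {"zip5": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "I10"},
]

FINE_QUASI = ("zip5", "birth_year", "sex")
COARSE_QUASI = ("zip3", "birth_decade", "sex")


def _key(record: Record, quasi: Sequence[str]) -> tuple:
    """The quasi-identifier tuple for one row."""
    return tuple(record[c] for c in quasi)


def equivalence_classes(records: Iterable[Record], quasi: Sequence[str]) -> Counter:
    """Count rows per distinct quasi-identifier combination."""
    return Counter(_key(r, quasi) for r in records)


def k_anonymity(records: Sequence[Record], quasi: Sequence[str]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one row is unique on those columns.
    """
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_rows(records: Sequence[Record], quasi: Sequence[str]) -> list[Record]:
    """Rows that are singletons on the quasi-identifiers (the re-identifiable ones)."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[_key(r, quasi)] == 1]


def generalize(record: Record) -> Record:
    """Coarsen quasi-identifiers: ZIP5 to its 3-digit prefix, birth year to decade."""
    out = dict(record)
    out["zip3"] = str(record["zip5"])[:3]
    out["birth_decade"] = int(record["birth_year"]) // 10 * 10
    del out["zip5"], out["birth_year"]
    return out


def release_gate(records: Sequence[Record], quasi: Sequence[str], k_min: int = 5) -> bool:
    """True only if every quasi-identifier group has at least k_min rows."""
    return k_anonymity(records, quasi) >= k_min


if __name__ == "__main__":
    print("fine-grained k =", k_anonymity(SAMPLE_EXPORT, FINE_QUASI))
    coarse = [generalize(r) for r in SAMPLE_EXPORT]
    print("generalised k =", k_anonymity(coarse, COARSE_QUASI))
    print("release allowed at k>=5:", release_gate(coarse, COARSE_QUASI))
```

On the constructed rows the stripped export has k = 1 on all six rows; generalising ZIP and birth year raises k to 2, which still fails a k >= 5 gate, so the export would need further coarsening or suppression before release. k-anonymity only addresses identity linkage: if every row in a group shared the same diagnosis, the sensitive attribute would still be disclosed, so the gate is a floor for the export review, not a substitute for it.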
