After the Breach: A 90-Day Data Defense Playbook for Hospital and Health System IT
Hospital IT teams are fielding board questions after peer-institution breaches. Here's the 90-day plan that doesn't require replacing your EHR.

The breach notification arrived on a Tuesday. By Thursday, the board chair was asking your CISO for a report. By Friday, the general counsel wanted to know which systems held patient-adjacent data, who could reach it, and what the audit trail looked like.
If you've been in that room — or you're watching it happen to peer institutions and wondering when it arrives at yours — this is the playbook for the next 90 days.
Not a multi-year EHR replacement program. Not a SOC certification initiative. A focused, sequenced set of moves to close the highest-exposure gaps in your non-EHR operational stack, in a timeframe that actually responds to the board's timeline.
This is an operational perspective on data governance patterns, not legal or compliance advice. Your specific HIPAA obligations depend on your organization, its workflows, and the data you handle — confirm them with your own compliance team and legal counsel.
Why the EHR isn't the problem
Healthcare was the single largest breach category in the California Attorney General's breach notification database in Q1 2026 — roughly 760 reported incidents from provider groups, clinics, and health-adjacent organizations. The pattern across those disclosures is consistent: the data that gets exposed is usually not core clinical records from a major EHR. Those systems are budgeted, audited, and contractually ring-fenced. They get scrutiny.
The exposure lives one layer out. The departmental coordination tracker. The research project management tool. The quality assurance workflow in a shared spreadsheet. The scheduling coordination board in Smartsheet. The referral management database someone built in Airtable three years ago.
When Regional Health Systems suffered a data security incident in 2024 affecting patient records, their first announced response was comprehensive data governance and audit trail implementation — because audit trail gaps were where the incident exposed them, not the EHR itself.
HIPAA's audit control standard (§164.312(b)) applies to any system that maintains or transmits ePHI — not just the EHR. Operational tools that touch patient-adjacent workflows inherit that requirement.
The three gaps OCR investigators find first
When the Office for Civil Rights opens an investigation, the first data requests typically surface three gaps:
1. Incomplete audit trails outside the EHR. Can you produce a complete, timestamped, exportable log of who accessed or changed a specific patient record across every system that held it? Not just the EHR — every system. Most organizations can't.
2. Access controls that weren't maintained. Who had access to patient-adjacent data in your operational tools as of the incident date? Not who should have had access — who actually did? Former employees, contractors, and shared logins show up here.
3. Untracked copies. How many copies of the sensitive data exist across SaaS platforms, exports, and shared drives? Each copy is a separate breach surface and a separate audit question.
The EHR can answer the first question for the records it holds. Your operational stack — if it's built on SaaS tools you don't control — usually can't answer the second or third.
The 90-day plan
Days 1–30: Inventory the non-EHR exposure surface
The EHR team already knows the EHR's access model. Your job in the first 30 days is to map everything else.
Deliverable: A system-by-system list of every operational tool that holds patient data, patient-adjacent data (scheduling, referrals, research participant records, quality metrics), or data used in care coordination. For each one, answer:
- Is it SaaS or self-hosted?
- Does it have an exportable, timestamped audit log you own?
- Who has access today — including former staff and external contractors?
This inventory is the evidence base for everything that follows. It's also what you'll hand to your compliance team and general counsel when they ask.
What you'll find: The count of systems is always higher than expected. The audit trail coverage is always worse than assumed.
Days 31–60: Migrate the highest-exposure workflows
The EHR replacement is a multi-year capital project. Skip it — that's not what this is.
Target the non-EHR operational workflows where a breach would cause the most pain: departmental ops trackers, research project management, quality assurance workflows, scheduling coordination, referral tracking. These are typically:
- Running in SaaS tools (Smartsheet, Airtable, Monday, shared spreadsheets)
- Holding data that doesn't belong there from a HIPAA perspective
- Operating with no timestamped audit log you own
- Accessible to more people than they should be
The move: Migrate these workflows onto a self-hosted operational data layer — infrastructure you control, with automatic timestamped logging for every row change, role-based access controls down to the field level, and data residency under your governance.
A major European university hospital did exactly this: moved from manually synced compliance tracking to an automated, timestamped, self-hosted audit trail across departments. When regulators ask for records, the logs are complete and continuous — not assembled under deadline pressure. A fiduciary accounting firm built a compliant tracking layer in weeks, with no developer, while keeping existing systems running in parallel.
You don't need to replace everything. Replace the highest-exposure workflows first. For most health systems, that's 3–5 workflows that can be migrated in a focused sprint.
Days 61–90: Make it defensible and communicate it
Closing the technical gap is necessary but not sufficient. The board, general counsel, and your compliance office need to be able to say something in response to the next inquiry.
Days 61–75: Test the audit trail end-to-end. Run a simulated OCR inquiry scenario: if investigators asked for a complete access and change log for a specific patient record across all systems, can you produce it? What gaps remain?
Days 76–85: Brief your compliance officer, general counsel, and (if appropriate) the CISO on what the health system can now demonstrate. Document the access control model. Confirm deletion and retention policies are enforced by the system, not by manual process.
Days 86–90: Prepare the external communication. You don't need to publish a detailed technical brief — but a short, factual statement to trustees, medical staff leadership, and (if appropriate) patients about the steps taken is part of managing the aftermath of any peer-institution breach event.
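As an added example (not code from the original article or from OpenSourceAI), a minimal version of the self-hosted operational data layer that Days 31–60 call for, with the Days 61–75 test applied to it: a referral tracker where every read, every field change and every refused write is appended to a timestamped audit log, writes are checked against a field-level role policy, and history() returns the complete access and change log for one patient record, which is exactly what the simulated OCR inquiry asks you to produce. The table layout, the two roles, the field names and the WRITE_POLICY are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical field-level write policy: role -> referral fields that role may change.
WRITE_POLICY = {
    "referral_coordinator": {"status", "scheduled_for"},
    "clinician": {"status", "scheduled_for", "clinical_notes"},
}

class AuditedReferralStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
        self.db.row_factory = sqlite3.Row
        self.db.executescript("""
            CREATE TABLE referrals (id INTEGER PRIMARY KEY, patient_id TEXT NOT NULL,
                status TEXT, scheduled_for TEXT, clinical_notes TEXT);
            CREATE TABLE audit_log (ts TEXT, actor TEXT, role TEXT, action TEXT,
                row_id INTEGER, patient_id TEXT, field TEXT, old_value TEXT, new_value TEXT);
        """)

    def _log(self, actor, role, action, row_id, patient_id, field=None, old=None, new=None):
        self.db.execute("INSERT INTO audit_log VALUES (?,?,?,?,?,?,?,?,?)",
                        (datetime.now(timezone.utc).isoformat(), actor, role, action,
                         row_id, patient_id, field, old, new))

    def create(self, actor, role, patient_id, status):
        cur = self.db.execute("INSERT INTO referrals (patient_id, status) VALUES (?, ?)",
                              (patient_id, status))
        self._log(actor, role, "CREATE", cur.lastrowid, patient_id, "status", None, status)
        return cur.lastrowid

    def read(self, actor, role, row_id):
        row = self.db.execute("SELECT * FROM referrals WHERE id = ?", (row_id,)).fetchone()
        self._log(actor, role, "READ", row_id, row["patient_id"])  # reads are evidence too
        return dict(row)

    def update(self, actor, role, row_id, **changes):
        row = self.db.execute("SELECT * FROM referrals WHERE id = ?", (row_id,)).fetchone()
        denied = sorted(set(changes) - WRITE_POLICY.get(role, set()))
        if denied:  # log the refusal: a denied write is a detection signal, not just an error
            self._log(actor, role, "DENIED", row_id, row["patient_id"], ",".join(denied))
            raise PermissionError(f"{role} may not change {denied}")
        for field, new in changes.items():  # every name here passed the allow-list above
            if row[field] != new:
                self.db.execute(f"UPDATE referrals SET {field} = ? WHERE id = ?", (new, row_id))
                self._log(actor, role, "UPDATE", row_id, row["patient_id"], field, row[field], new)

    def history(self, patient_id):  # the simulated OCR request: one record, every system event
        q = "SELECT * FROM audit_log WHERE patient_id = ? ORDER BY ts, rowid"
        return [dict(r) for r in self.db.execute(q, (patient_id,))]
```

The audit_log table is append-only by construction: nothing in the store updates or deletes its rows, so the log can be exported as-is when an inquiry arrives.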
What this doesn't solve
This plan deliberately addresses the operational data layer, not the full HIPAA security program. It doesn't replace:
- A formal HIPAA risk analysis — required under §164.308(a)(1), and something your compliance team should be running regardless.
- Technical safeguards for the EHR itself — those live in the EHR vendor's BAA and your implementation team's security configuration.
- Business Associate Agreements — every SaaS vendor handling ePHI needs one, and your inventory work in Days 1–30 may surface gaps here.
What it does address is the layer of exposure that most breach investigations find — and that most organizations haven't closed because it lives outside the EHR and never got the same scrutiny.
The structural fix
The 90-day plan is a response. The structural fix is architectural: stop putting patient-adjacent operational data in SaaS tools you don't control.
This is operational workflow tooling, not an AI model for PHI. What it means in practice: the workflows that track patients, participants, cases, quality metrics, and care coordination run on infrastructure you own, with audit logs you produce, under access controls you enforce. The data physically stays where your governance requires it to stay.
OpenSourceAI deploys on your infrastructure — on-prem, private cloud, or a VPC you control. The same workflows your teams run today, on a substrate that puts the audit trail and access controls back in your hands.
If you want to map this plan to your specific operational environment and identify the highest-exposure workflows to move first, book a workflow review. We'll walk the inventory with you.
This article is an operational perspective on healthcare data governance patterns, not legal or compliance advice. HIPAA compliance is an organizational achievement that depends on your specific workflows, data, and controls — not a product property. Confirm your obligations with your own counsel and compliance team.