Double The Exposure

TL;DR

Patient portals and health apps are exploding. 78% of patients who were offered online access to their medical record used it in 2024, and 65% of those did so through a smartphone health app. That’s huge for digital health, but it also increases your HIPAA and cybersecurity risks. In this post, I break down what’s fueling this surge, the blind spots I see inside scaling health tech companies, and how to close the gaps before regulators or hackers find them first.

The Problem with Scaling

I’ve worked with health tech teams who have airtight security for EHR integrations.

Access controls, encryption, and breach notification all squared away.

Then they rolled out a new solution, such as a patient portal, and things started slipping.

The patient portal was built using a separate API stack.

It was managed by a different engineering team.

There were no vendor security reviews.

There was no risk assessment.

No new business associate agreements (BAAs) signed with app developers.

(Yes, your contractors who manage systems with PHI need to sign BAAs.)

In short, they were scaling fast with a few missteps.

How Patient Portals & Health Apps Escalate Your Risk

Patient portal use has nearly doubled over the last decade according to the Office of the Assistant Secretary for Technology Policy.

Mobile health app use is booming too.

Nearly 60% of patients now use a health app to manage care.

That’s great for outcomes.

But bad for risk.

PHI isn’t just in one place anymore.

It’s flying across systems, APIs, vendors, and devices.

And that’s where HIPAA compliance breaks.

Most health tech teams build compliance around their core product.

The patient portal.

The telehealth platform.

The first EHR integration.

But as the company grows, PHI doesn’t stay there.

It spreads.

It flows through mobile apps, billing platforms, analytics, and IoT.

If your HIPAA program wasn’t built to protect all of that, you’re exposed.

Even if your flagship product is airtight.

This is exactly why I push teams to run the HIPAA Exposure Audit.

It shows you if your compliance posture actually matches the way your data moves today.

👉 Grab the self-guide here

What This Looks Like on the Inside

Here’s what I’ve seen inside fast-growing health tech companies:

❌ BAAs missing for new vendors receiving PHI.

❌ No dual auth on the patient portal side.

❌ Logs aren't stored long enough.

❌ No risk assessment completed to identify risks from mobile or FHIR integrations.

And when hackers hit, OCR won’t only investigate the new app.

They’ll comb through everything, including your flagship product.

Scaling Patient Engagement Without Sacrificing Security

So how should a health tech leader address this?

Extend Security Oversight

Get your vCISO or compliance lead in the room before patient-facing code gets green-lit.

Lock Down Third-Parties

Update your vendor list, ensure BAAs are current, and validate security controls.

(Yes, even for that new patient SMS tool or analytics dashboard.)

Conduct a Risk Assessment

HIPAA requires regular risk assessments, and new products reset the clock.

Centralize Monitoring & Logging

If you can’t see app activity across all platforms, you can’t protect it.

The HIPAA Exposure Guide

Most teams I work with fail at HIPAA because compliance never scaled beyond their first product.

That’s why I put together the free HIPAA Compliance Exposure Guide.

It's built for growth-stage digital health companies ready to uncover these blind spots.

It goes beyond the generic checklists to show you:

✅ Where you might be missing BAAs.

✅ How well your access controls really protect new PHI streams.

✅ If your incident response plan is ready for a multi-product breach.

👉 Download it here

Let’s Open This Up

What’s your biggest worry as health care goes digital?

Is it having your PHI stored in the cloud?

Vendors you’ve never heard of handling your data?

Or all the breach headlines making you wonder who you can trust?

Drop a comment.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com