Digital tools are reshaping how healthcare is delivered, but making sure the systems behind it are secure is a challenge facing providers, a leading health law expert warns. 

Catherine Deans, a partner at law firm Dentons and co-lead of its health law practice, says the sector’s rapid move toward digital platforms is increasing both opportunity and exposure.

From electronic patient records to AI-assisted note-taking, “healthcare has always been an early adopter of technology,” she says. “But that also makes it vulnerable to more sophisticated ways of exploiting the information it holds.”

The nature of that information raises the stakes, Deans says. Every day, healthcare providers collect personal data, from clinical notes to identifying details such as addresses and national health index numbers. Unlike other forms of personal information, health data is inherently private and, in the wrong hands, highly valuable.

“It’s not just about embarrassment or privacy,” Deans says. “Health records often contain enough information to enable identity or financial fraud as well.”

That sensitivity is reflected in the law. Health information is governed by its own framework under the Health Information Privacy Code, with clear obligations around how it is collected, stored and accessed. But what “reasonable security safeguards” look like in practice is less straightforward, particularly as technology evolves.

The shift from paper records to digital systems has introduced new layers of complexity. Where files were once stored in locked rooms, data is now held across interconnected systems, often involving third-party providers.

Artificial intelligence is adding another layer again. Tools that transcribe consultations or assist with record-keeping are becoming more common, offering clear efficiency gains. But they also create new, and sometimes poorly understood, points of risk.

“We don’t necessarily know where the exposure points are with AI,” Deans says. “That means organisations need to be constantly asking questions about how these tools work and how information is being stored and protected.”

At the same time, the threat landscape is shifting. As digital systems become more advanced, so do the methods used to breach them, with cybercrime often enabled by the same technologies driving innovation.

“It’s not going away, and it’s only becoming more sophisticated,” she says.

That creates a tension. There is pressure to adopt new tools quickly, particularly those that promise better outcomes or more efficient care. But without ongoing risk assessment and oversight, that progress can outpace the safeguards needed to support it.

“The obligation to store information securely isn’t a one-off exercise,” Deans says. “It’s an ongoing responsibility.”

Crucially, this is no longer something that can sit solely with IT teams. While they play a central role, responsibility sits at a governance level.

“You can’t just delegate this to IT and check in once a year,” she says. “Those responsible for governance need to be actively asking questions and making sure the right safeguards are in place.”

That means understanding how data is handled from the moment it is collected, through to how it is stored, accessed and, where relevant, shared with third parties. It also requires a level of due diligence around the systems organisations rely on, particularly when external providers are involved.

The consequences of getting this wrong are not abstract. In some cases, breaches can directly affect care. Deans points to incidents where health records have been altered, raising the risk of incorrect treatment or medication.

More commonly, breaches involve the extraction of large volumes of data, which can then be used for fraud or blackmail. But the longer-term impact is often less visible.

“Patients place a huge amount of trust in the system,” she says. “If that trust is undermined, it can lead to people disengaging from healthcare altogether.”

At scale, that loss of confidence can have broader consequences for the health system.

Rebuilding trust after a breach is possible, but it takes transparency. Organisations need to be clear about what happened, what information was affected, and what steps are being taken to address it. Just as importantly, patients need to be told what they should do in response.

Looking ahead, Deans sees two risks standing out: the growing sophistication of cybercrime and the pace of technological change.

Both point to the same underlying challenge. As systems become more advanced, the room for complacency shrinks.

“The risk is not keeping up,” she says. “Organisations need to make sure they are constantly checking their systems, their practices, and their procedures.”

Digital healthcare will continue to evolve. The question, Deans believes, is whether the systems designed to protect it can keep up.
