You can’t protect what you don’t know exists
Part of the Telehealth & Healthcare Security Series. Asset management is the foundation of the IDENTIFY function—and the foundation everything else in your security program builds on. See also: The Compliance Trap | NIST CSF 2.0 Guide for Telehealth
When the breach investigator asked for a list of all systems containing patient data, the practice manager opened a spreadsheet with three items: EHR, email, and the billing system. The investigator found seventeen.
It wasn’t malice. It wasn’t negligence in the legal sense. It was simply a failure of imagination—the kind that happens when busy healthcare professionals think “asset inventory” means listing the obvious systems and moving on.
The practice didn’t know their telehealth platform was storing session recordings in a third-party cloud environment they’d never audited. They didn’t realize their scheduling system was syncing patient names, appointment types, and provider notes to the office manager’s personal Google Calendar. They had no idea their patient messaging app retained full chat transcripts—including photos of wounds, medication lists, and insurance cards—with no retention limit and no access controls beyond a simple password.
The attackers knew all of this. They didn’t breach the EHR. They didn’t need to. They walked in through the systems nobody was watching.
Below is the real inventory of a typical small telehealth practice—not the three systems they listed on their risk assessment, but the seventeen that actually contain protected health information. The items marked with a warning indicator are the ones most practices miss entirely.
The disconnect between what healthcare organizations track and what actually contains PHI is staggering. Most practices have a mental model of their technology stack that covers about 20% of the real surface area. The remaining 80%—the integrations, the data flows, the shadow IT—is invisible to them but perfectly visible to anyone scanning for vulnerabilities.
Every one of those “missed” items is a system that stores, processes, or transmits protected health information. Every one is subject to HIPAA. Every one is a potential breach vector. And every one is almost certainly absent from your risk assessment, your Business Associate Agreement inventory, and your incident response plan.
A real asset inventory doesn’t need to be a six-month consulting project. It needs to be practical, repeatable, and organized around the categories that matter. Here are six categories that capture the full scope of your PHI landscape—the framework your practice can work through in a single afternoon.
These are your primary systems: the EHR, telehealth platform, patient portal, and practice management software. For each platform, document: the vendor, where data is stored (their cloud, your servers, or both), who has access (clinical staff, admin, patients), and what PHI it contains (full medical records, demographics, appointment history).
Platforms are usually the only category that makes it onto existing inventories. The goal here isn’t to discover new systems—it’s to document them thoroughly enough that you actually understand your exposure. “We use athenahealth” is not an inventory entry. “athenahealth stores full medical records in AWS US-East, accessed by 14 clinical users via SSO with MFA, backed up by vendor with 30-day retention”—that’s an inventory entry.
System-to-system connections are where PHI flows without anyone watching. Every integration is both a data flow and a trust boundary. Map them all: EHR to lab system, telehealth platform to scheduling, billing to claims clearinghouse, patient portal to EHR, e-prescribing to pharmacy network.
For each integration, ask: What data crosses this boundary? Is it encrypted in transit? Who authorized this connection? Is there a Business Associate Agreement in place? When was the integration last reviewed? Integrations are the connective tissue of your practice—and they’re the connective tissue attackers exploit to move laterally through your environment.
Every user account across every system. This is more than a staff roster—it includes service accounts used by integrations, API keys embedded in applications, shared accounts used by multiple staff members (a bigger problem than most practices admit), and vendor accounts used for remote support.
Cross-reference your identity list with your HR roster. When someone leaves the practice, how many accounts need to be disabled? If the answer is “I’m not sure,” your identity inventory is incomplete. Orphaned accounts—credentials that belong to former employees but remain active—are among the most common entry points for healthcare breaches.
Where does PHI actually move? A patient enters data in the portal. It flows to the EHR. A provider reviews it and creates a note. That note is copied to the billing system. A lab order is generated and sent electronically. Results return. A notification goes to the patient. The visit is transcribed by AI. The transcription is stored—where?
Map every hop. Each transition point is a place where data can be intercepted, misdirected, duplicated, or stored in an uncontrolled location. Data flow mapping reveals the PHI exposure that no system-by-system inventory can capture. The question isn’t “where is the data?”—it’s “where has the data been?”
Every device that touches patient data: workstations in exam rooms, front desk computers, laptops carried between locations, tablets used during visits, smartphones with EHR apps installed, and medical devices that transmit data to the EHR. Don’t forget provider home devices used for telehealth—the personal laptop a provider uses for virtual visits from their kitchen table is an endpoint in your PHI environment whether you manage it or not.
For each endpoint: Is it encrypted? Is it managed (MDM)? Does it have endpoint protection? Can it be remotely wiped? When was it last patched? If a provider’s home laptop is stolen, what patient data is on it?
This is the most commonly missed category in healthcare asset inventories, and it’s growing fast. Telehealth session recordings (video and audio), AI-generated visit transcripts, chat logs from patient messaging, voicemails containing clinical information, and faxes converted to email attachments—all of these contain PHI, and most practices have no idea where they’re stored, who can access them, or how long they’re retained.
Ask your telehealth vendor: Are sessions recorded? Where are recordings stored? Who can access them? What’s the retention policy? Can you delete them? If your vendor uses AI transcription, where do the transcripts live? These questions are uncomfortable because the answers are usually “we don’t know”—and that’s exactly the problem.
The table below provides a starting template for a small telehealth practice. Use it as a framework—your practice will have its own systems, but the categories and questions remain the same.
| Asset Name | Category | Vendor | PHI Types | Storage Location | Access: Who | Access: How | Backup? | Last Reviewed |
|---|---|---|---|---|---|---|---|---|
| athenahealth EHR | Platform | athenahealth | Full medical records, demographics, billing | Vendor cloud (US) | All clinical staff | SSO + MFA | Vendor-managed | — |
| Zoom for Healthcare | Platform | Zoom | Session recordings, chat transcripts | Zoom cloud | Providers | SSO | Vendor-managed | — |
| Surescripts | Integration | Surescripts | Prescriptions, patient demographics | Vendor cloud | Prescribers (via EHR) | API key | N/A | — |
| Quest Diagnostics Portal | Integration | Quest | Lab orders, results | Vendor cloud | Clinical staff | Username / password | N/A | — |
| Patient Portal | Platform | athenahealth | Messages, records, appointments | EHR cloud | Patients + admin staff | Password + optional MFA | Vendor-managed | — |
| Google Workspace | Endpoint / Storage | Emails with PHI, shared docs | Google cloud | All staff | SSO | Google backup | — | |
| Provider Home Laptops | Endpoint | Various | Cached / downloaded PHI | Local device | Individual providers | Device password | Not backed up | — |
| Telehealth Recordings | Recording | Zoom / vendor | Full session audio / video | Vendor cloud | Admin + providers | Platform login | Vendor retention policy | — |
Download this template, fill it in for your practice (it takes about 2 hours), and you’ll know more about your PHI landscape than 90% of practices your size. The “Last Reviewed” column is the most important—an inventory that isn’t maintained is just a historical document.
Can you name every system in your practice that stores, processes, or transmits patient data?
Do you know where your telehealth session recordings are stored and who can access them?
Are your system-to-system integrations documented—including what data flows between them?
Could you produce a complete asset inventory if a breach investigator asked for one today?
Do you know which personal devices your providers use for telehealth, and whether PHI is stored on them?
When was the last time you checked whether a third-party service was storing PHI you didn’t expect?
If you hesitated on any of these questions, the gap between what you think your PHI landscape looks like and what it actually looks like is wider than you realize. That gap is exactly where attackers operate.
National Institute of Standards and Technology. (2024). Cybersecurity framework 2.0. U.S. Department of Commerce. https://www.nist.gov/cyberframework
U.S. Department of Health and Human Services. (2013). HIPAA security rule: Security standards for the protection of electronic protected health information. 45 C.F.R. § 164.308–164.312. https://www.hhs.gov/hipaa/for-professionals/security/index.html
Venuto, J. (2026). The compliance trap: Why ‘HIPAA compliant’ medical groups still get hacked. Hudson Valley CISO. https://www.hudsonvalleyciso.com/govern/gv-rm/hipaa_compliance_trap.html
Venuto, J. (2026). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Hudson Valley CISO. https://www.hudsonvalleyciso.com/govern/gv-rm/telehealth_nist_csf_hipaa_guide.html
Venuto, J. (2026). Protecting Hudson Valley patients: Why telehealth providers are moving from ‘checklist’ to ‘governance.’ Hudson Valley CISO. https://www.hudsonvalleyciso.com/govern/gv-rm/telehealth_hudson_valley_governance.html
Most practices discover systems they didn’t know contained patient data. Find yours before an attacker does.
We’ll help you identify every system, integration, and data flow in your telehealth environment that touches patient data—including the ones you didn’t know about. Walk away with a complete asset inventory and a clear picture of your actual risk surface.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Asset Management | Healthcare Security