AI Security & Governance for Healthcare
For the leader whose organization is adopting AI scribes, ambient documentation, or embedded EHR AI faster than anyone is governing it. Inventory the AI you actually have, put boundaries around it, and build the governance cadence that keeps the answer current.
Early-access pricing — final pricing set at launch. Secure checkout via Stripe.
Who this is for
Practice/hospital leaders rolling out clinical AI; healthcare-tech teams adding AI features
What you walk away with
- A shadow-AI discovery method for browser, SaaS, and EHR surfaces
- A per-tool intake covering BAA, audit logs, NPP, and patient consent
- An AI acceptable-use policy mapped to NIST AI RMF that staff won't route around
- A quarterly governance cadence you can actually sustain
Curriculum
Module 1
Finding the AI You Actually Have
Sanctioned is not inventoried. Discovery across browser, OS, SaaS, and the EHR — and the interview technique that surfaces shadow tools without a witch hunt.
- 30 min
Shadow-AI Discovery
Run a discovery pass that finds embedded and unsanctioned AI before it finds you.
- 30 min
The Data-Flow Map
Trace what each tool ingests, retains, and shares — down to the subprocessor layer.
Module 2
The Intake Discipline
One intake per tool, per vendor: BAA coverage, §164.312(b) audit-log validation, NPP language, and the consent script the front desk can actually deliver.
- 30 min
BAA Gaps in AI Contracts
Find the silence in AI vendor agreements: prompt logs, QA transcripts, training use, subprocessors.
- 30 min
Audit Logs and Patient Consent
Validate exportable audit evidence and stand up the six-question consent script.
Module 3
Governance That Holds
The AUP staff won't route around, the approved-tool catalog, and the quarterly cadence — mapped to NIST AI RMF and the Generative AI Profile.
- 30 min
Policy and the Approved-Tool Catalog
Write an AI acceptable-use policy with a sanctioned alternative for every real need.
- 25 min
The Quarterly Cadence
Run the standing review that catches new AI surface before it becomes load-bearing.
Module 4
If You Ship AI: Product-Side Basics
For teams putting LLMs in front of patients or customers: the OWASP LLM Top 10 threat classes and what a pre-launch review must exercise.
- 30 min
LLM Threat Classes That Matter
Recognize prompt injection, data exfiltration, and agent scope creep in your own architecture.
- 25 min
The Pre-Launch Review
Scope a product security review that tests the failure modes your users will actually hit.
Early-access pricing — final pricing set at launch. Secure checkout via Stripe.