Protecting patient data starts with knowing where it’s stored
Patient data is often stored or processed outside the country where it was collected. When that happens, the data falls under the laws of the country where it resides. Depending on those laws, local governments may have legal access to that data. For healthcare organizations and CISOs, knowing where data lives and who controls it is key to keeping it safe.
The flow of medical data through foreign infrastructure
Despite growing national security concerns and government restrictions, Chinese military-linked companies remain deeply embedded in the U.S. digital supply chain, according to Bitsight.
Smart Meter warned healthcare providers and the public about this growing threat. Many connected medical devices route sensitive patient data through Chinese-operated servers before it reaches U.S.-based healthcare systems.
The U.S. Cybersecurity and Infrastructure Security Agency recently discovered that the Contec CMS8000 patient monitor and its relabeled counterpart, the Epsimed MN-120, transmit sensitive patient data to a hard-coded IP address linked to a Chinese university and contain a backdoor capable of downloading and executing unverified files.
“Sensitive patient data is core to safe and effective patient care. In my mind, failing to protect it is tacit acknowledgment that safe and effective patient care isn’t a priority. As far as how to segment and protect it, I think it’s easiest to identify the boundaries of where that data should travel and the stores that should house the data, and then try to exclude it from elsewhere,” said Aaron Weismann, CISO at Main Line Health.
Regulatory pressure
U.S. healthcare providers have to follow HIPAA, which sets rules for how patient data is stored, shared, and protected. In Europe, GDPR goes even further. It demands consent, limits how much data can be collected, and gives people more control over their information.
While HIPAA only applies to healthcare, GDPR covers all industries and applies to anyone handling data about EU residents, even if the company isn’t based in Europe.
Failing to follow these rules can lead to heavy fines and legal consequences. More importantly, it can damage the trust patients place in their healthcare providers.
In April 2025, a new rule from the U.S. Department of Justice took effect to prevent foreign adversaries from accessing Americans’ sensitive data, especially health information, by imposing strict controls on how such data is stored, shared, and transferred across borders.
Willful violations carry severe penalties, including fines up to $1 million and potential prison sentences of up to 20 years. These penalties show how serious the government is about protecting patient data.
During a 90-day enforcement discretion period leading up to the rule’s effective date, the DOJ will generally avoid civil penalties against entities making genuine efforts to comply. However, deliberate breaches remain subject to immediate enforcement.
What can CISOs do
Select providers with local data centers. This reduces exposure to foreign jurisdictions and keeps patient data subject to domestic privacy laws.
Evaluate vendor data practices. Review how third parties manage, store, and transfer patient data to ensure compliance with residency and security requirements.
Define and enforce data-residency policies. Establish firm requirements on where sensitive health data may be stored or processed, and verify that every team and partner meets them.
Implement technical safeguards. Apply access controls, encryption, and network segmentation to protect data in motion and at rest.
Monitor compliance and flag risks. Use tooling and oversight to spot policy breaches or suspicious activity, then act to contain threats.
Stay current with laws and threats. Track changes in regulations such as HIPAA, GDPR, and new DOJ data-transfer rules, adapting practices as needed.
Lead security awareness efforts. Provide training and guidance so staff handle sensitive data safely and follow established protocols.
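Turning the residency policy and the monitoring step above into a concrete check, as an added example that is not from the article or from any vendor or CISA tool: a Python script that reads flow records from the medical-device segment and flags any transfer whose destination lies outside the networks approved for that device class, which is the traffic pattern behind the hard-coded-IP finding described earlier. The device inventory, allow-lists, and flow records are all constructed for the example.

```python
import ipaddress

# Constructed inventory: hosts on the medical-device segment and the only
# destination networks each device class may send patient data to. All
# addresses are RFC 1918 / RFC 5737 documentation ranges, not real endpoints.
DEVICE_INVENTORY = {
    "10.50.1.10": "patient-monitor",
    "10.50.1.11": "patient-monitor",
    "10.50.2.20": "infusion-pump",
}
APPROVED_DESTINATIONS = {
    "patient-monitor": ["10.20.0.0/16"],                  # on-prem central station / EHR gateway
    "infusion-pump":   ["10.20.0.0/16", "10.30.5.0/24"],  # plus the pharmacy system
}
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed flow records in the shape a NetFlow/Zeek-style collector exports.
SAMPLE_FLOWS = [
    {"ts": "2025-05-01T08:00:01Z", "src": "10.50.1.10", "dst": "10.20.4.7",    "dport": 443,  "bytes": 18200},
    {"ts": "2025-05-01T08:00:09Z", "src": "10.50.1.11", "dst": "203.0.113.45", "dport": 515,  "bytes": 92000},
    {"ts": "2025-05-01T08:01:13Z", "src": "10.50.2.20", "dst": "10.30.5.9",    "dport": 8443, "bytes": 4100},
    {"ts": "2025-05-01T08:02:40Z", "src": "10.50.1.10", "dst": "198.51.100.8", "dport": 80,   "bytes": 760},
]

def flag_residency_violations(flows, inventory=DEVICE_INVENTORY, approved=APPROVED_DESTINATIONS):
    """One finding per flow from an inventoried device to a destination outside its
    approved networks. Sources not in the inventory are skipped; alert on those separately."""
    allow = {cls: [ipaddress.ip_network(c) for c in cidrs] for cls, cidrs in approved.items()}
    internal = [ipaddress.ip_network(c) for c in INTERNAL_NETWORKS]
    findings = []
    for f in flows:
        cls = inventory.get(f["src"])
        if cls is None:
            continue
        dst = ipaddress.ip_address(f["dst"])
        if any(dst in net for net in allow[cls]):
            continue  # inside the approved residency boundary
        scope = "internal but not allow-listed" if any(dst in n for n in internal) else "external address"
        findings.append({"ts": f["ts"], "device": f["src"], "class": cls, "dst": f["dst"],
                         "dport": f["dport"], "bytes": f["bytes"],
                         "reason": f"destination outside approved residency boundary ({scope})"})
    return findings

def bytes_leaving_boundary(findings):
    # Bytes per device that left the boundary: the figure to put in front of the vendor.
    totals = {}
    for x in findings:
        totals[x["device"]] = totals.get(x["device"], 0) + x["bytes"]
    return totals
```

Run against a live flow export, the two flows to 203.0.113.45 and 198.51.100.8 are the ones a residency policy exists to catch; the internal-but-not-allow-listed case covers data drifting into an unapproved on-site system.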
Data sovereignty demands the same focus as cyber threats
Data sovereignty requires the same attention as ransomware, insider threats, or zero-day exploits.
As geopolitical tensions rise and relations between major powers strain, data has become a valuable currency in those conflicts. Health data is among the most sensitive personal information a person owns, so every country and organization needs to handle it carefully.