MCP — Model Context Protocol — gives a model client structured access to tools and data sources. In healthcare ops, the capability is enormous and the risk surface is real. The right starting set is conservative.
The safe-starter set I default to for healthcare ops engagements:
- Tavily / web search — read-only, no PHI exposure, gives the model fresh external information.
- Drive / SharePoint (read-only) — scoped to specific folders. Operations playbooks, templates, internal docs. No patient files.
- Email (drafts only) — model can compose; only humans send. The "drafts only" constraint is enforced server-side, not in the prompt.
- A custom internal-data MCP — built for the specific operational data the workflow needs, with hard scopes and audit logging.
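A sketch of what "enforced server-side, not in the prompt" and "hard scopes and audit logging" can look like in front of the tool handlers. This is an added example, not code from the playbook or from any MCP SDK; the tool names, folder prefixes, `dispatch` function and in-memory audit list are all hypothetical.

```python
import json
import posixpath
import time

# Hypothetical policy: tool name -> allowed folder prefixes (None = tool takes no path).
# "email_send" is deliberately absent, so no prompt can make the server send mail.
ALLOWED_TOOLS = {
    "web_search": None,
    "drive_read": ("/ops/playbooks/", "/ops/templates/"),
    "email_create_draft": None,
}
AUDIT_LOG = []  # stand-in for an append-only audit sink

class PolicyDenied(Exception):
    """Raised when a tool call falls outside the server-side policy."""

def check_policy(tool, args):
    if tool not in ALLOWED_TOOLS:
        raise PolicyDenied(f"tool not exposed: {tool}")
    prefixes = ALLOWED_TOOLS[tool]
    if prefixes is not None:
        # Normalize first so "../" segments cannot escape the scoped folders.
        path = posixpath.normpath("/" + str(args.get("path", "")).lstrip("/"))
        if not any((path + "/").startswith(p) for p in prefixes):
            raise PolicyDenied(f"path outside scope: {path}")

def dispatch(user, tool, args, handlers):
    """Gate every call and log the decision; only argument names are logged,
    so draft bodies or search text never land in the audit trail."""
    entry = {"ts": time.time(), "user": user, "tool": tool,
             "arg_keys": sorted(args), "decision": "allow"}
    try:
        check_policy(tool, args)
        return handlers[tool](**args)
    except PolicyDenied as exc:
        entry["decision"] = f"deny: {exc}"
        raise
    finally:
        AUDIT_LOG.append(json.dumps(entry))

if __name__ == "__main__":
    # Constructed handlers and calls, for illustration only.
    handlers = {"drive_read": lambda path: f"<contents of {path}>"}
    print(dispatch("analyst1", "drive_read", {"path": "/ops/playbooks/intake.md"}, handlers))
    for tool, args in [("email_send", {"to": "a@example.org", "body": "hi"}),
                       ("drive_read", {"path": "/ops/playbooks/../../patients/x"})]:
        try:
            dispatch("analyst1", tool, args, handlers)
        except PolicyDenied as exc:
            print("denied:", exc)
    print(*AUDIT_LOG, sep="\n")
```

Denied calls are logged as well as allowed ones, which is what makes the audit trail useful for spotting a model that keeps probing outside its scope.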
What I avoid in the starter set:
- General-purpose database access — too easy to over-scope.
- EHR access via MCP early on — possible, but it's a separate engagement with its own safety story.
- Slack with full read/write — too much organizational context, too easy to expose.
Each of these can come in later, but the goal in the first 30 days is leverage with a small risk surface. The full version of this post — including the build-vs-buy decision tree for custom MCP servers — is part of the Healthcare AI Automation Playbook.