Skip to main content

Data-centric Security for Healthcare Compliance

by Mike Pittenger on Tuesday March 21, 2017

Contact Us
Free Demo

Focusing security efforts on sensitive data to meet healthcare regulatory requirements

I’ve written previously about why data-centric security makes a lot of sense. One reason not discussed, however, is regulatory requirements. For organizations operating in the healthcare market, federal and state requirements such as HIPAA make a data-centric approach the most sensible.

Many people view Personal Health Information (PHI) as the most private of all data. Medical records include intimate details about a patient’s life, and are required to deliver quality healthcare. However, if leaked, the information could cause disrupt a patient’s life, including employment opportunities. While organizations can remove bogus charges for a victim of a stolen credit card (and thus “undo” the damage), the same is not possible when a person’s private health records are released.

Long gone are the days when a single doctor was the sole healthcare provider to a patient. Specialists across one or more facilities must also diagnose and treat patients, and insurers require diagnosis and treatment information. While the data is increasingly in electronic format, the systems handling the data are disparate. PHI format may change from one system to another. Add to that data shared by email, fax or other electronic transmissions, and the challenge of tracking PHI use becomes extremely difficult.

While the challenges around data and users provide a strong argument for a data-centric approach to information protection, HIPAA requirements make that approach a “must do.” HIPAA requires organizations to protect PHI at all times and across all users. In particular, section § 164.308 (a)(1)(D) states:

“[A covered entity must] implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports.”

The ability to review access reports and audit logs presumes that the covered entity knows, at all times, which data is covered by the regulation, where it is located, how it is used and by whom. To accomplish that, the organization must be able to classify data as it is created or modified, maintain that classification as data moves, and allow or block actions by users based on a) the data, b) the user, and c) the activity.

In other words, a data-centric approach is the only scalable way to ensure compliance.

Tags:  Data Centric Security

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.