I’ve written previously about why data-centric security makes a lot of sense. One reason not discussed, however, is regulatory requirements. For organizations operating in the healthcare market, federal and state requirements such as HIPAA make a data-centric approach the most sensible.

Many people view Personal Health Information (PHI) as the most private of all data. Medical records include intimate details about a patient’s life, and are required to deliver quality healthcare. However, if leaked, the information could cause disrupt a patient’s life, including employment opportunities. While organizations can remove bogus charges for a victim of a stolen credit card (and thus “undo” the damage), the same is not possible when a person’s private health records are released.

Long gone are the days when a single doctor was the sole healthcare provider to a patient. Specialists across one or more facilities must also diagnose and treat patients, and insurers require diagnosis and treatment information. While the data is increasingly in electronic format, the systems handling the data are disparate. PHI format may change from one system to another. Add to that data shared by email, fax or other electronic transmissions, and the challenge of tracking PHI use becomes extremely difficult.

While the challenges around data and users provide a strong argument for a data-centric approach to information protection, HIPAA requirements make that approach a “must do.” HIPAA requires organizations to protect PHI at all times and across all users. In particular, section § 164.308 (a)(1)(D) states:

“[A covered entity must] implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports.”

The ability to review access reports and audit logs presumes that the covered entity knows, at all times, which data is covered by the regulation, where it is located, how it is used and by whom. To accomplish that, the organization must be able to classify data as it is created or modified, maintain that classification as data moves, and allow or block actions by users based on a) the data, b) the user, and c) the activity.

In other words, a data-centric approach is the only scalable way to ensure compliance.