Data-centric Security for Healthcare Compliance

Focusing security efforts on sensitive data to meet healthcare regulatory requirements

I’ve written previously about why data-centric security makes a lot of sense. One reason not discussed, however, is regulatory requirements. For organizations operating in the healthcare market, federal and state requirements such as HIPAA make a data-centric approach the most sensible.

Many people view Protected Health Information (PHI) as the most private of all data. Medical records include intimate details about a patient's life, and they are required to deliver quality healthcare. If leaked, however, the information can disrupt a patient's life, including employment opportunities. While a bank can reverse bogus charges for the victim of a stolen credit card (and thus "undo" the damage), nothing comparable is possible once a person's private health records are released.

Long gone are the days when a single doctor was the sole healthcare provider to a patient. Specialists across one or more facilities must also diagnose and treat patients, and insurers require diagnosis and treatment information. While the data is increasingly in electronic format, the systems handling the data are disparate. PHI format may change from one system to another. Add to that data shared by email, fax or other electronic transmissions, and the challenge of tracking PHI use becomes extremely difficult.

While the challenges around data and users provide a strong argument for a data-centric approach to information protection, HIPAA requirements make that approach a "must do." The HIPAA Security Rule requires covered entities to protect PHI at all times and across all users. In particular, the information system activity review standard at 45 CFR § 164.308(a)(1)(ii)(D) states:

“[A covered entity must] implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports.”

The ability to review access reports and audit logs presumes that the covered entity knows, at all times, which data is covered by the regulation, where it is located, how it is used and by whom. To accomplish that, the organization must be able to classify data as it is created or modified, maintain that classification as data moves, and allow or block actions by users based on a) the data, b) the user, and c) the activity.

In other words, a data-centric approach is the only scalable way to ensure compliance.
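The three requirements above (classify at creation or modification, keep the label attached as data moves, and decide each action from the data, the user and the activity) can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the article's author or from any Digital Guardian product. The PHI field list, the roles, the policy table and the sample records are all assumptions constructed for illustration; a real deployment would classify against the full HIPAA identifier list and content inspection, and would persist the audit log to a protected store.

```python
"""Added example (not from the original article): a minimal data-centric
policy engine that (1) labels a record as PHI when it is created or
modified, (2) carries that label with anything derived from it,
(3) allows or blocks an action from the triple (label, role, action), and
(4) writes an audit log that a 164.308(a)(1)(ii)(D) review can query.
All records, users and roles below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Assumed, deliberately small list of fields whose presence makes a record PHI.
PHI_FIELDS = {"mrn", "diagnosis", "ssn", "dob"}
# Assumed medical-record-number pattern for catching identifiers in free text.
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,}\b")


def classify(record: dict) -> str:
    """Label a record at creation or modification time."""
    if PHI_FIELDS & {k.lower() for k in record}:
        return "PHI"
    # Free-text fields (notes, fax bodies) may still embed an identifier.
    if any(isinstance(v, str) and MRN_RE.search(v) for v in record.values()):
        return "PHI"
    return "INTERNAL"


@dataclass
class LabeledRecord:
    data: dict
    label: str
    lineage: List[str] = field(default_factory=list)  # where the data has been


def create(record: dict, origin: str) -> LabeledRecord:
    return LabeledRecord(record, classify(record), [origin])


def derive(src: LabeledRecord, transform: Callable[[dict], dict], step: str) -> LabeledRecord:
    """The label sticks to anything derived from PHI (an export, a summary,
    a fax cover sheet) even when the derived content would not classify
    as PHI on its own. This is the 'maintain classification as data moves' step."""
    new = transform(src.data)
    label = "PHI" if src.label == "PHI" else classify(new)
    return LabeledRecord(new, label, src.lineage + [step])


# Policy: (label, role) -> permitted actions. Anything not listed is blocked.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("PHI", "physician"): {"read", "modify", "print"},
    ("PHI", "billing"): {"read"},
    ("INTERNAL", "physician"): {"read", "modify", "email", "print"},
    ("INTERNAL", "billing"): {"read", "email", "print"},
}

AUDIT_LOG: List[dict] = []


def authorize(user: str, role: str, action: str, rec: LabeledRecord) -> bool:
    """Decide from (data label, user role, activity) and record the decision."""
    allowed = action in POLICY.get((rec.label, role), set())
    AUDIT_LOG.append({"user": user, "role": role, "action": action,
                      "label": rec.label, "lineage": list(rec.lineage),
                      "decision": "allow" if allowed else "block"})
    return allowed


def blocked_phi_events(log: List[dict]) -> List[dict]:
    """The access report a reviewer would pull: blocked actions against PHI."""
    return [e for e in log if e["label"] == "PHI" and e["decision"] == "block"]


def demo() -> dict:
    """Constructed scenario: a chart is created, a billing export is derived
    from it, and two users try different actions against each copy."""
    AUDIT_LOG.clear()
    chart = create({"mrn": "MRN-123456", "name": "J. Doe",
                    "diagnosis": "hypertension"}, "ehr:chart")
    # The export drops every clinical field, yet it is still tied to the patient.
    invoice = derive(chart, lambda d: {"name": d["name"], "amount": 120.0},
                     "export:billing")
    results = {
        "chart_label": chart.label,
        "invoice_label": invoice.label,            # PHI by lineage, not content
        "physician_modify": authorize("dr.lee", "physician", "modify", chart),
        "billing_email": authorize("pat", "billing", "email", invoice),
        "billing_read": authorize("pat", "billing", "read", invoice),
    }
    results["review_flagged"] = len(blocked_phi_events(AUDIT_LOG))
    return results


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the second requirement: the billing export contains no field that would classify as PHI by itself, but because it was derived from a PHI chart it inherits the label, so the attempt to email it is blocked and shows up in the review query. A classifier that only inspects content at rest would have let that copy leave unlabelled.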

Mike Pittenger



Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at]
