Data Governance in Healthcare: Your Complete Guide

Data governance in healthcare is a critical discipline for any company that manages PHI. Learn more about the benefits and pitfalls of PHI in this blog.
Michael Buckbee
4 min read
Last updated January 19, 2022

Of all the verticals that need a complete data governance policy, healthcare might be at the top. Consider the incredible amount of healthcare data that exists for any human, the personal nature of healthcare data, and the life or death scenarios that depend on accurate data. It makes sense that data governance in healthcare is super important.

Why is Data Governance in Healthcare Important?

It feels like stating the obvious to say that data governance in healthcare is important, but what exactly is data governance?


Data Governance is the process and procedure organizations use to manage and protect their data. In this context, data can mean either all or a subset of a company’s digital and/or hard copy assets. In the healthcare industry, that data is patient records, blood test results, EKGs, MRIs, billing records, drug prescriptions, and other private medical information.

Healthcare data is the data medical professionals need to make informed decisions about patient care. Data governance provides healthcare organizations with a standardized and structured method of sharing medical data to provide the highest quality of care to every patient.

(Figure: types of data in healthcare)

The Health Insurance Portability and Accountability Act (HIPAA) is the US law that covers the security and privacy of medical information, or in the language of HIPAA, protected health information (PHI). Under the law, “covered entities,” essentially hospitals and insurers, and those that process PHI for them are legally responsible for protecting it.

In 2018, HIPAA fines alone cost the healthcare industry $28 million. The Office of Civil Rights (OCR) levies HIPAA fines based on the number of PHI records exposed and considers the level of compliance of the offending organization in its inquiry. The HIPAA fines, along with other regulatory requirements for remediation and auditing, help make overall breach costs for healthcare among the highest of any industry.

Stated a different way, the better your data governance plan, the lower your fine might be when you get breached.

Healthcare Data Vulnerabilities

Here are some governance ideas for you to ponder:

  • Good data governance and high-quality analytics should be a key part of a healthcare business strategy. You’re reducing risk (fines and other penalties) as well as understanding (and fine-tuning) underlying data workflows for more efficient processing.
  • According to the Stanford Medicine 2018 Health Trends Report, automation and data sharing have the potential to revolutionize the healthcare industry for the better. Stanford imagines a world where Artificial Intelligence (AI) analyzes your medical data and provides a diagnosis on your mobile phone. However, to get there, healthcare organizations (universities, hospitals, research centers, and technology companies) need to speak the same language of data, and data needs to flow freely and securely through the entire healthcare system.
  • The explosion of electronic healthcare data and recent mergers and acquisitions in the healthcare industry (e.g., Aetna and CVS) have created an enormous data governance challenge. Managing the ever-increasing volume of data and merging disparate data sets presents a significant challenge. Companies that handle their data well will succeed and profit.

What is the Difference Between Data and Information Governance in Healthcare?

Data governance in healthcare is a little different from information governance in healthcare, despite the interchangeable usage in this post so far. From a cybersecurity/compliance perspective, it’s simpler to consider them the same thing.

Data governance in healthcare is all about the individual pieces of data: the patient ID number, a blood pressure reading, etc. Data governance in healthcare is concerned with how to protect, secure, and accurately gather each piece of data.

Information governance in healthcare is the process and systems to use the data to make decisions about patient care.

For example, a patient’s blood pressure readings for the past two years fall under data governance.

(Figure: data governance vs. information governance)

Information governance is when a clinician – or AI – aggregates the past two years of blood pressure records to diagnose the patient with hypertension and advises a specific medication.

The differences between the two are nuanced, but if you are talking to a healthcare professional about their data governance plans, they might be expecting a different conversation about information governance.

Steps to Implement Strong Data Governance in Healthcare

Here are the best early steps you can take to begin your data governance practice.

(Figure: steps to implement strong data governance in healthcare)

Discover Where Your PHI Lives

Categorize and classify your file system to discover where the PHI lives. It’s impossible to govern what you don’t know about. Gather folder and file permissions for all of your data storage. Search every file for PHI and tag those files as sensitive.

Correlate all of that data – your permission structures and classified sensitive data – and build a comprehensive risk profile. You will use this risk profile to continue the data governance process.

Reassess Privileges

One of the goals for any data governance program is to get to a least privilege access state. Least privilege means that each user, whether a person or a service account, has only the permissions they need to do their job.

You may need to remove Global Access Groups and fix inheritance issues before you can clean up permissions. Do that before you start changing permissions or group memberships.

Once you have achieved least privilege access, you need to stay there. Implement a process that puts data owners in control of their data, and empower them to add and remove access as needed and audit permissions regularly.

Clean Up Stale Data

One of the greatest risks in unstructured data is data that is no longer used or needed: stale data. Stale data makes an excellent target for data thieves. So put a plan in place to find this forgotten data, lock it down, and delete it from your stores if possible.
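The three steps above (discover and classify, correlate with permissions, find stale data) can be carried through in a single pass over a file tree. The script below is an added example, not Varonis code or a tool from the post: it walks a directory, tags files containing PHI-like patterns, reads each file’s POSIX permission bits to flag world-readable files (the closest file-system analogue of a Global Access Group), flags files untouched for more than a year as stale, and ranks everything into a risk profile. The regexes, the score weights, the 365-day threshold, and the sample files it creates in a temporary directory are all constructed assumptions; a real deployment would use a far richer classifier and read ACLs rather than mode bits.

```python
"""Added example (not Varonis code): discover PHI, correlate with permissions
and age, and build a ranked risk profile for a file tree."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field

# Constructed detection patterns; a real classifier would use many more and
# validate matches (format/checksum rules) to cut false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

STALE_DAYS = 365  # assumed threshold for "stale" data


@dataclass
class FileRisk:
    path: str
    phi_tags: list = field(default_factory=list)
    world_readable: bool = False
    stale: bool = False
    score: int = 0


def classify(text):
    """Return the names of the PHI patterns found in a blob of text."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def is_world_readable(mode):
    """True if the 'other' read bit is set: anyone on the host can read it."""
    return bool(mode & stat.S_IROTH)


def risk_score(r):
    """Constructed weighting: sensitive + open + forgotten is the worst case."""
    score = 0
    if r.phi_tags:
        score += 5 * len(r.phi_tags)
        if r.world_readable:
            score += 10
        if r.stale:
            score += 5
    elif r.world_readable:
        score += 1  # open but not sensitive: still worth a look
    return score


def build_risk_profile(root, now=None, stale_days=STALE_DAYS):
    """Walk root, classify each file, correlate with permissions and age,
    and return FileRisk records sorted from highest to lowest score."""
    now = time.time() if now is None else now
    profile = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "r", errors="ignore") as fh:
                tags = classify(fh.read())
            r = FileRisk(
                path=os.path.relpath(path, root),
                phi_tags=tags,
                world_readable=is_world_readable(st.st_mode),
                stale=(now - st.st_mtime) > stale_days * 86400,
            )
            r.score = risk_score(r)
            profile.append(r)
    return sorted(profile, key=lambda r: (-r.score, r.path))


def make_sample_tree():
    """Constructed sample data: a temp dir with four files of differing risk."""
    root = tempfile.mkdtemp(prefix="phi_demo_")
    samples = {  # relative path: (content, mode, age in days)
        "labs/patient_export.csv": ("Jane Roe, MRN 00123456, DOB 01/02/1970\n", 0o644, 800),
        "billing/claim.txt": ("SSN 123-45-6789 claim 42\n", 0o640, 10),
        "public/newsletter.txt": ("Flu clinic hours this week\n", 0o644, 30),
        "hr/old_memo.txt": ("Parking policy update\n", 0o600, 900),
    }
    now = time.time()
    for rel, (content, mode, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        old = now - age_days * 86400
        os.utime(path, (old, old))  # backdate so the file looks stale
    return root


if __name__ == "__main__":
    for r in build_risk_profile(make_sample_tree()):
        print(f"{r.score:3d}  {r.path:26s} phi={r.phi_tags} "
              f"open={r.world_readable} stale={r.stale}")
```

Run directly, the script prints the constructed tree ranked by score: the world-readable, stale export containing an MRN and a date of birth lands at the top, the tightly permissioned recent claim file with an SSN comes next, and the two files without PHI trail. The ordering is the point: the profile tells you which permissions to fix and which forgotten data to lock down or delete first.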

Train and Identify Key Personnel

Create a cross-functional data governance team with data managers, data owners, and data analysts. Data owners are the keepers of their data: they know who has and who should have access to it, and they are the people closest to it. Many organizations are adding a Chief Data Officer (CDO) who is responsible for the entire organization’s data governance. The CDO leads the data managers in the day-to-day governance operations.

Check out “The Road to HIPAA Compliance” webinar by a Varonis customer, Rick Thompson of Hugh Chatham Memorial Hospital, as he explains how he leverages Varonis to stay HIPAA compliant.

