Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more
Blog Data Security

Data Governance in Healthcare: Your Complete Guide

Data governance in healthcare is a critical discipline for any company that manages PHI. Learn more about the benefits and pitfalls of PHI in this blog.
Michael Buckbee
4 min read
Last updated January 19, 2022

Contents

    Of all the verticals that need a complete data governance policy – healthcare might be at the top. Consider the incredible amount of healthcare data that exists for any human, the personal nature of healthcare data, and the life or death scenarios that depend on accurate data. It makes sense that data governance in healthcare is super important.

    Why is Data Governance in Healthcare Important?

    It feels like stating the obvious saying data governance in healthcare is important, but what exactly is data governance?

    Get the Free Essential Guide to US Data Protection Compliance and Regulations

    Data Governance is the process and procedure organizations use to manage and protect their data. In this context, data can mean either all or a subset of a company’s digital and/or hard copy assets. In the healthcare industry, that data is patient records, blood test results, EKGs, MRIs, billing records, drug prescriptions, and other private medical information.

    Healthcare data is the data medical professionals need to make informed decisions about patient care. Data governance provides healthcare organizations with a standardized and structured method of sharing medical data to provide the highest quality of care to every patient.

    types of data in healthcare

    The Health Insurance Portability and Accountability Act (HIPAA) is the US law that covers the security and privacy of medical information, or in the language of HIPAA, protected health information (PHI). Under the law, “covered entities,” essentially hospitals and insurers, and those that process PHI for them are legally responsible for protecting it.

    In 2018, HIPAA fines cost the healthcare industry $28 million alone. The Office of Civil Rights (OCR) levies HIPAA fines based on the number of PHI records exposed and considers the level of compliance for the offending organization in their inquiry. The HIPAA fines, along with other regulatory requirements for remediation and auditing, help make overall breach costs for healthcare to be among the highest of any industry.  

    Stated a different way, the better your data governance plan, the lower your fine might be when you get breached.

    Healthcare Data Vulnerabilities

    Here are some governance ideas for you to ponder:

    • Good data governance and high quality analytics should be a key part of a healthcare business strategy.  You’re reducing risk –fines and other penalties – as well as understanding (and fine-tuning) underlying data workflows for more efficient processing.
    • According to the Stanford Medicine 2018 Health Trends Report, automation and data sharing have the potential to revolutionize the healthcare industry for the better. Stanford imagines a world where Artificial Intelligence (AI) analyzes your medical data and provides a diagnosis on your mobile phone. However, to get there, healthcare organizations (universities, hospitals, research centers, and technology companies) need to speak the same language of data and data needs to flow freely and securely through the entire healthcare system.
    • The explosion of electronic healthcare data and recent mergers and acquisitions in the healthcare industry (i.e., Aetna and CVS) have created an enormous data governance challenge. Managing the ever-increasing volume of data and merging disparate data sets presents a significant challenge. Companies that handle their data well will succeed and profit.

    What is the Difference Between Data and Information Governance in Healthcare?

    Data governance in healthcare is a little different from information management in healthcare, despite the interchangeable usage in this post so far. From a cybersecurity/ compliance perspective, it’s simpler to consider them the same thing.

    Data governance in healthcare is all about the individual pieces of data — the patient ID number, blood pressure reading, etc. Data governance in healthcare is concerned about how to protect, secure, and accurately gather each piece of data.

    Information governance in healthcare is the process and systems to use the data to make decisions about patient care.

    For example, a patient’s blood pressure readings for the past two years fall under data governance.

    data governance vs information governance

    Information governance is when a clinician – or AI – aggregates the past two years of blood pressure records to diagnose the patient with hypertension and advises a specific medication.

    The differences between the two are nuanced, but if you are talking to a healthcare professional about their data governance plans, they might be expecting a different conversation about information governance.

    Steps to Implement Strong Data Governance in Healthcare

    Here are the best early steps you can take to begin your data governance practice.

    steps to implement strong data governance in healthcare

    Discover Where Your PHI Lives

    Categorize and classify your file system to discover where the PHI lives. It’s impossible to govern what you don’t know about. Gather folder and file permissions for your all of your data storage. Search every file for PHI and tag those files as sensitive.

    Correlate all of that data – your permission structures and classified sensitive data – and build a comprehensive risk profile. You will use this risk profile to continue the data governance process.

    Reassess Privileges

    One of the goals for any data governance program is to get to a least privilege access state. Least privileged means that each user – person or service account – only has permissions they need to do their job.

    You may need to remove Global Access Groups and fix inheritance issues before you can clean up permissions. Do that before you start changing permissions or group memberships.

    Once you have achieved least privilege access, you need to stay there. Implement a process that puts data owners in control of their data, and empower them to add and remove access as needed and audit permissions regularly.

    Clean Up Stale Data

    Some of the greatest risks in unstructured data is data this is no longer used or needed, stale data. Stale data makes excellent targets for data thieves. So put a plan in place to find this forgotten data, lock it down, and delete it from your stores if possible.

    Train and Identify Key Personnel

    Create a cross-functional data governance team with data managers, data owners, and data analysts. Data owners are the keepers of their data. They know who has and should have access to their data and are the people closest to their data. Many organizations are adding a Chief Data Officer (CDO) that is responsible for the entire organization’s data governance. The CDO leads the data managers in the day-to-day governance operations.

    Check out “The Road to HIPAA Compliance” webinar by a Varonis customer, Rick Thompson of Hugh Chatham Memorial Hospital, as he explains how he leverages Varonis to stay HIPAA compliant.

     

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Michael Buckbee
    Michael Buckbee Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    the-anatomy-of-a-phishing-email
    The Anatomy of a Phishing Email
    the-anatomy-of-a-phishing-email
    Rob Sobers
    May 8, 2018
    Have you been hooked by a phishing email? We’ve broken out the most common components of a phishing email. Check out our full guide to test your knowledge!
    phishing-attacks-classified:-big-phish-vs.-little-phishes
    Phishing Attacks Classified: Big Phish vs. Little Phishes
    phishing-attacks-classified:-big-phish-vs.-little-phishes
    Michael Buckbee
    September 16, 2014
    The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the...
    the-malware-hiding-in-your-windows-system32-folder:-mshta,-hta,-and-ransomware
    The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
    the-malware-hiding-in-your-windows-system32-folder:-mshta,-hta,-and-ransomware
    Michael Buckbee
    June 4, 2018
    The LoL approach to hacking is a lot like the “travel light” philosophy for tourists. Don’t bring anything to your destination that you can’t find or inexpensively purchase once you’re…
    the-difference-between-bash-and-powershell
    The Difference Between Bash and Powershell
    the-difference-between-bash-and-powershell
    Michael Buckbee
    September 13, 2016
    You don’t normally talk philosophy and IT when considering Bash and Powershell, but if it’s one thing I’ve learned over the past 20 years of sysadmin work it’s that whether...