"Many healthcare orgs don't have a full picture of the data mapping and where data resides, so that's the first step. It's a matter of change management, actually understanding where this information resides, and understanding the value of the data so at the strategic level you can justify protecting the information," George says. "People need to understand where these databases are and how they're interconnected. The second step is segmenting: only allowing the appropriate users appropriate levels of access to that information."
The fortunate thing about healthcare's lagging data protection practices is that even though the sector has its own unique IT challenges, database security is universal no matter what kind of data is stored, says Josh Shaul, vice president of product management for database and application security vendor Application Security Inc.
"I think the drivers are unique and the fact that folks are moving from all of these paper-based records to the electronic records is maybe unique," Shaul says. "But I don't think there's anything else about database security that's unique in healthcare. In the end we're all securing data in databases and Oracle, SQL Server, and Sybase. They work the same whether you have your secret recipe in them or you have your healthcare information in them or you have credit card data in them."
As such, healthcare organizations that might have never endeavored to take database precautions need only look for best-practice and thought leadership material for pointers on how to get a database protection program in order.
Shaul believes, however, that because the drivers to move from paper-based to digitally stored records are prodding organizations that might have never had much of a database in place before, there is a unique opportunity for some of them to apply these best practices much more affordably than those that must wrangle legacy database systems.
"The fact that these are folks that are used to using paper-based records -- the whole notion of data security is kind of brand new for them. The hard lesson that folks in other industries have learned is if they don't build in data security from day one, it costs a lot of money," Shaul explains. "These folks that are going through this transition to electronic medical records have the opportunity to sort of start fresh and start with a system that is built with privacy and confidentiality and regulatory compliance built in from day one."