Protecting health records takes a combination of technical controls and human governance controls so that the confidentiality, integrity and availability of the records are preserved.
From a technical perspective, organizations have moved to software automation and artificial intelligence largely to manage the ever-increasing volume of medical data repositories. Broadly speaking, software solutions fall into the following categories:
- Discovery of medical information and application of rules such as de-identification and anonymization
- Risk management, tracking and treatment software
- Data-mapping and data-flow tools
- Automated monitoring (event logging, AV, and response)
EHR protection software is largely built on automatically identifying the data classes described in Table 1 and applying pre-built policies on how to handle them. In practice there are a lot of discrete technical controls involved in protecting medical data, from end-to-end encryption, database encryption and secure protocols to access controls, firewall rules and more, all of which are expected of modern organizations.
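The discovery-and-rules pattern described above, as an added illustration that is not part of the original article: a small rule engine that finds identifier classes in a constructed clinical note and applies a per-class policy (redact, generalize to year, or keyed pseudonymization so records stay linkable). The patterns, the sample note and the key are assumptions for the example; real deployments need broader identifier coverage (names and addresses in particular need dictionaries or NER, not regexes) and a key held in a key store.

```python
import re
import hmac
import hashlib

# Constructed sample note containing several identifier classes (not real data).
SAMPLE_NOTE = (
    "Patient Jane Doe, MRN 00123456, DOB 1984-07-21, SSN 123-45-6789, "
    "phone 555-123-4567, seen on 2023-11-02 for follow-up."
)

# Assumption: in production this key comes from a key store, never from source.
PSEUDONYM_KEY = b"example-key-for-illustration-only"


def _generalize_date(m):
    # Keep only the year; the rest of the date is dropped.
    return m.group(1)


def _pseudonymize_mrn(m):
    # Keyed hash: the same MRN always maps to the same token, so de-identified
    # records can still be linked, but the token cannot be reversed without the key.
    tag = hmac.new(PSEUDONYM_KEY, m.group(1).encode(), hashlib.sha256).hexdigest()[:12]
    return f"MRN [PSEUDO:{tag}]"


# Each rule: (name, pattern, policy handler). Order matters only where patterns
# could overlap; these four are disjoint on the sample note.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN REDACTED]"),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), lambda m: "[PHONE REDACTED]"),
    ("mrn", re.compile(r"\bMRN (\d{6,10})\b"), _pseudonymize_mrn),
    ("date", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), _generalize_date),
]


def deidentify(text, rules=RULES):
    """Apply every rule; return the transformed text and a per-rule hit count
    (the counts are what an audit log of the discovery step would record)."""
    counts = {}
    for name, pattern, handler in rules:
        text, n = pattern.subn(handler, text)
        counts[name] = n
    return text, counts


if __name__ == "__main__":
    cleaned, hits = deidentify(SAMPLE_NOTE)
    print(cleaned)
    print(hits)
```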
Software controls need governance, which comes from the adoption of frameworks and from human oversight. For the HIPAA security and privacy rules to work, an ISMS / PIMS (Information Security Management System / Privacy Information Management System) must be in place. Frameworks such as the NIST SP 800 series and the ISO 27000 series detail the high-level governance (and technical) controls needed to ensure that privacy and security are implemented properly within organizations. At a more granular level, the CIS Benchmarks specify concrete settings for, as examples, VMware, databases and cloud services.