WP EMR Database Security | Healthcare Compliance | Imperva


Your EMR database needs protection

To meet compliance regulations, healthcare organizations need to demonstrate electronic medical records (EMR) database security, which the EMR application itself does not provide

Imperva Data Security Fabric provides direct visibility into the underlying EMR database

EMR database security and access controls are your responsibility

Many stakeholders within healthcare organizations responsible for EMR systems are not aware that the database on which the application is built comes from a third-party provider. Most assume that the database is contained within the EMR system itself and that its security and monitoring are owned by the EMR vendor.

This is not the case. As with a database hosted by a cloud service provider (CSP) such as Amazon Web Services, Google Cloud Platform, or Microsoft Azure, the security of the data in the database is the responsibility of the owner of the system under the shared responsibility model, not of the EMR vendor (or the CSP). Imperva Data Security Fabric supplies the missing piece in healthcare compliance, security, and reporting by providing direct visibility into the EMR database - answering the "who, what, when, where, why, how, and should" questions of healthcare data compliance.
Failed database logins

Gain visibility into failed login attempts against your EMR database that do not come from the application's normal service accounts and hosts


Access via unknown IPs

Only a small, known set of IP addresses (application servers, reporting hosts) should ever request data from your EMR database; anything else is suspect


Irregular data volume

Understand data request volumes per account - is someone requesting far more rows than that account normally does?


Privilege compliance

HIPAA requires that access be revoked when it is no longer needed; a database account with no login in the last year is a clear candidate for review and revocation

Your EMR application needs data security

EMR systems provide security and audit compliance at the application layer, but the underlying database remains vulnerable and difficult to audit

EMR databases are the "single source of truth" for a healthcare organization's protected health information (PHI). Patient-privacy laws around the world are extensive and explicit: every healthcare organization must know who has access to PHI and be able to track each time it is viewed, for whatever reason. Today's EMR systems, however, have a large blind spot. They provide audit and tracking at the application layer, such as detecting record snooping by staff outside the care team and other unusual or risky behavior, but they provide no visibility into the underlying database layer.

Without the proper tools and safeguards in place, healthcare organizations are exposed to bad actors targeting the EMR database directly. Database administrators (DBAs), and other users given direct database access (most often to run custom reports), can have their accounts compromised or misuse them. Because direct SQL access bypasses the application, such an actor could exfiltrate the entire database without leaving a trace in the application's audit log. Worse, they could damage, destroy, or hold the data hostage, and you would have no record of how it was done.

These bad actors are not necessarily insiders. The database most likely does not sit behind the same perimeter defenses as the EMR application, so external threat actors can target it directly. Again, unless the organization has active database security in place, it may not know these attacks are happening at all.
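As an added example (not Imperva's code and not part of this page), the four monitoring points listed above and the direct-access risk just described, expressed as detection logic in Python over a constructed database audit trail. The event fields, the allowed subnets, the account inventory and the thresholds (five failures within ten minutes, ten times the account's median row count, 365 days idle) are all assumptions; a real database activity monitoring deployment would feed its own audit schema into checks of this shape.

```python
"""Four checks from the monitoring points above, run over a constructed
EMR database audit trail. Field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median


def _ev(ts, user, ip, event, ok=True, rows=0):
    """One audit event: ts is ISO-8601, event is 'login' or 'query',
    ok is the login outcome, rows is the row count a query returned."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "event": event, "ok": ok, "rows": rows}


# Constructed sample data, not exported from any real EMR or DAM product.
EVENTS = [
    _ev("2024-05-01T08:00:00", "emr_app", "10.0.1.10", "login"),
    _ev("2024-05-01T08:00:05", "emr_app", "10.0.1.10", "query", rows=40),
    _ev("2024-05-01T08:01:10", "emr_app", "10.0.1.10", "query", rows=55),
    _ev("2024-05-01T08:02:30", "emr_app", "10.0.1.10", "query", rows=48),
    _ev("2024-05-01T08:03:45", "emr_app", "10.0.1.10", "query", rows=52),
    _ev("2024-05-01T09:00:00", "reports_jdoe", "10.0.5.21", "login"),
    _ev("2024-05-01T09:00:30", "reports_jdoe", "10.0.5.21", "query", rows=1200),
    _ev("2024-05-01T09:05:00", "reports_jdoe", "10.0.5.21", "query", rows=1500),
    _ev("2024-05-01T09:09:00", "reports_jdoe", "10.0.5.21", "query", rows=900),
    # Same reporting account, at night, from outside the known ranges,
    # pulling the bulk of a table: the exfiltration case described above.
    _ev("2024-05-01T22:30:00", "reports_jdoe", "203.0.113.9", "login"),
    _ev("2024-05-01T22:31:00", "reports_jdoe", "203.0.113.9", "query", rows=850000),
    # Password guessing against a DBA account from an unknown external host.
    _ev("2024-05-02T02:00:00", "dba_admin", "198.51.100.4", "login", ok=False),
    _ev("2024-05-02T02:00:20", "dba_admin", "198.51.100.4", "login", ok=False),
    _ev("2024-05-02T02:00:45", "dba_admin", "198.51.100.4", "login", ok=False),
    _ev("2024-05-02T02:01:10", "dba_admin", "198.51.100.4", "login", ok=False),
    _ev("2024-05-02T02:01:30", "dba_admin", "198.51.100.4", "login", ok=False),
    _ev("2024-05-02T10:00:00", "dba_admin", "10.0.5.30", "login"),
    _ev("2023-01-15T03:00:00", "legacy_etl", "10.0.5.40", "login"),
]

# Assumed: application servers in 10.0.1.0/24, reporting hosts in 10.0.5.0/24.
ALLOWED_SOURCES = [ip_network("10.0.1.0/24"), ip_network("10.0.5.0/24")]
# Assumed account inventory; contractor_tmp exists but has never logged in.
KNOWN_ACCOUNTS = ["emr_app", "reports_jdoe", "dba_admin", "legacy_etl", "contractor_tmp"]
ANALYSIS_TIME = datetime(2024, 5, 3)  # fixed "now" so the run is reproducible


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """{(user, ip): total failures} for sources with >= threshold failed
    logins inside a single window (sliding over the sorted timestamps)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and not ev["ok"]:
            failures[(ev["user"], ev["ip"])].append(ev["ts"])
    bursts = {}
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[key] = len(times)
                break
    return bursts


def unknown_sources(events, allowed=ALLOWED_SOURCES):
    """Sorted (user, ip) pairs for any activity from outside the allowed networks."""
    seen = set()
    for ev in events:
        addr = ip_address(ev["ip"])
        if not any(addr in net for net in allowed):
            seen.add((ev["user"], ev["ip"]))
    return sorted(seen)


def volume_anomalies(events, factor=10, min_history=3):
    """(user, ip, rows) for queries returning more than factor times the median
    of the same account's other queries; too little history means no baseline."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "query":
            by_user[ev["user"]].append(ev)
    flagged = []
    for user, queries in by_user.items():
        for q in queries:
            others = [o["rows"] for o in queries if o is not q]  # leave-one-out
            if len(others) >= min_history and q["rows"] > factor * median(others):
                flagged.append((user, q["ip"], q["rows"]))
    return flagged


def dormant_accounts(events, accounts=KNOWN_ACCOUNTS, now=ANALYSIS_TIME,
                     max_idle=timedelta(days=365)):
    """Accounts with no successful login within max_idle of now, including
    accounts that have never logged in (failed logins do not count)."""
    last_login = {}
    for ev in events:
        if ev["event"] == "login" and ev["ok"]:
            last_login[ev["user"]] = max(last_login.get(ev["user"], ev["ts"]), ev["ts"])
    return sorted(a for a in accounts
                  if a not in last_login or now - last_login[a] > max_idle)


if __name__ == "__main__":
    print("failed login bursts:", failed_login_bursts(EVENTS))
    print("unknown sources:", unknown_sources(EVENTS))
    print("volume anomalies:", volume_anomalies(EVENTS))
    print("dormant accounts:", dormant_accounts(EVENTS))
```

The volume check baselines each account against its own history rather than a single global threshold, so a reporting account that legitimately pulls thousands of rows per query is not flagged while its one 850,000-row query is. The DBA account's failed logins also surface in the unknown-source list: the checks overlap on purpose, since each catches cases the others miss, and none of them needs the EMR application's cooperation.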

EMR application data security

On-premises or in the cloud, self-managed or SaaS, Data Security Fabric protects your EMR database and supports its compliance reporting

Many organizations have implemented perimeter security, data loss prevention, intrusion prevention/detection systems and endpoint protection, but the complex IT environments of healthcare organizations also require protecting data at its source.

Multiple relational and non-relational data stores, instances and versions (often from different vendors), geographically distributed systems, and cloud/multi-cloud/hybrid-cloud deployments require coordinated policies, monitoring and enforcement. Without directly protecting data at the source, gaps could exist between systems and applications, leaving data stores vulnerable to attack.

  • EMR systems

  • DBaaS

  • On-premises data

  • Files

  • Data warehouse

Imperva delivers end-to-end protection for healthcare's critical data and applications

Network Security

Application Security

Data Security Fabric