You are part of software development team building a hospital management application. The application will handle healthcare data which are considered as highly sensitive data. Which of the following security measures or controls will you recommend to your team for securing the sensitive data, as part of a brainstorming activity?

Control access to sensitive data $-$ only authorized users must be able to access the data and only when there is a need to access that data.

Encrypt healthcare data $-$ so that even if a database is compromised the attackers can get access to only the encrypted data which the attackers cannot understand $($unless they compromise the decryption key also$).$

Record.all events of healthcare data access $($read$/$write operations$)$ for audit purposes.

All the above security measures must be implemented in a Defense in Depth approach.