Dive Brief:
- Fifty-eight percent of healthcare providers or organizations require proof of data privacy and protection compliance from third-party IT providers, according to a Ponemon Institute and Censinet survey. The survey collected responses from 534 third-party IT and IT security professionals whose companies provide goods or services in healthcare.
- Forty-three percent of third parties have access to protected health information (PHI) and in the last two years, 54% experienced at least one breach impacting the data. Just over one-third of respondents said they would immediately contact the healthcare provider after discovering a breach.
- Risk assessments cost third-party IT vendors about $2.5 million annually, yet healthcare providers don't require them to be refreshed, so the results go stale. Even when security or privacy hazards were identified, 41% of respondents said healthcare providers didn't require their company to take any action.
Dive Insight:
Supply chain-style data breaches are a hard pill to swallow.
Last year the billing collector used by Quest Diagnostics and LabCorp was breached, impacting almost 20 million patient records combined. Neither company had allowed American Medical Collection Agency access to patient laboratory results or other patient medical history.
Data breaches in 2019 were record-breaking for healthcare providers, and the loss of PHI weighs more heavily on breach victims than other data. Personally identifiable data is often more "transient" than PHI, Ed Gaudet, CEO and co-founder of Censinet, told CIO Dive. "It's a problem that transcends the healthcare industry."
As the healthcare industry becomes more comfortable with the nuances of privacy compliance, Gaudet expects GDPR and the CCPA to "influence healthcare regulators to review [Health Insurance Portability and Accountability Act] and data interoperability requirements."
However, existing privacy regulations are limited to data collected, as opposed to who is creating or managing it, said Gaudet. Looking at data through that lens is similar to HIPAA compliance. The "custodian of data has to change."
Healthcare providers are tasked with internal risk assessment of third parties, especially when they have direct access to patient information. While data breaches don't immediately impact patient safety, recovery is often "costly [and] embarrassing," said Gaudet. But data privacy is just one component of the cybersecurity spectrum.
Last year the healthcare industry was strong-armed by ransomware, which has "caused more direct impact to patient care delivery in the last 12 months than data breaches since they've been measured," said Gaudet. Hospitals were diverting patients elsewhere and limiting surgeries. "The healthcare industry has the most to lose — a life."