- Fifty-eight percent of healthcare providers or organizations require proof of data privacy and protection compliance from third-party IT providers, according to a Ponemon Institute and Censinet survey. The survey collected responses from 534 third-party IT and IT security professionals whose companies provide goods or services in healthcare.
- Forty-three percent of third parties have access to protected health information (PHI) and in the last two years, 54% experienced at least one breach impacting the data. Just over one-third of respondents said they would immediately contact the healthcare provider after discovering a breach.
- Risk assessments cost third-party IT vendors about $2.5 million annually, but healthcare providers don't require updates, leaving results outdated. In light of security or privacy hazards, 41% of respondents said healthcare providers didn't require their company to take action.
Supply chain-style data breaches are a hard pill to swallow.
Last year Quest Diagnostics and LabCorps' billing collector was breached, impacting almost 20 million patient records combined. Neither company allowed American Medical Collection Agency access to patient laboratory results or other patient medical history.
Data breaches in 2019 were record-breaking for healthcare providers and PHI weighs heavier on breach victims. Personally identifiable data is often more "transient" than PHI, Ed Gaudet, CEO and co-founder of Censinet, told CIO Dive. "It's a problem that transcends the healthcare industry."
As the healthcare industry becomes more comfortable with the nuances of privacy compliance, Gaudet expects GDPR and the CCPA to "influence healthcare regulators to review [Health Insurance Portability and Accountability Act] and data interoperability requirements."
However, existing privacy regulations are limited to data collected, as opposed to who is creating or managing it, said Gaudet. Looking at data through that lens is similar to HIPAA compliance. The "custodian of data has to change."
Healthcare providers are tasked with internal risk assessment of third parties, especially when they have direct access to patient information. While data breaches don't immediately impact patient safety, recovery is often "costly [and] embarrassing," said Gaudet. But data privacy is just one component of the cybersecurity spectrum.
Last year the healthcare industry was strong-armed by ransomware, which has "caused more direct impact to patient care delivery in the last 12 months than data breaches since they've been measured," said Gaudet. Hospitals were deterring patients elsewhere and limiting surgeries. "The healthcare industry has the most to lose — a life."