3rd Party Risk Management , Governance & Risk Management

How Poor Vendor Practices Lead to Major Health Data Breaches

Kate Borten of The Marblehead Group on Dealing With Business Associate Risk
Kate Borten, president, The Marblehead Group

Many of the major health data breaches being reported to regulators reflect a variety of poor privacy and security practices by business associates, including retaining sensitive patient information for much longer than necessary, says Kate Borten, president of The Marblehead Group, a privacy and security consultancy.

See Also: Live Webinar | Navigating the Difficulties of Patching OT

For example, several of the largest health data breaches reported in 2022 involved hacking incidents at business associates where affected patient records dated back a decade or more.

"There is a tendency to hold on to data," Borten tells Information Security Media Group. "If you are a covered entity, a healthcare provider, there are typically state laws that dictate how long you must keep patient records, whether they're inpatient or outpatient, different lengths, and so on," she says.

But for business associates, those retention regulations are less likely to apply. And unfortunately, many of these vendors "fundamentally keep legacy data on their systems, putting that information needlessly at heightened risk for compromises," she says.

"You don't want to be holding on to more data than you actually absolutely need. So, I would strongly recommend … that business associates think very carefully about what they collect and how long they keep it and have a very clear process for destroying data," she says.

In this video interview with Information Security Media Group, Borten also discusses:

  • Other top vendor security risk challenges;
  • HIPAA enforcement and related regulatory trends;
  • Steps organizations can take to improve patient data security and privacy practices.

Before founding The Marblehead Group, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its then-parent organization, CareGroup, as the organization's CISO.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.