How Poor Vendor Practices Lead to Major Health Data Breaches

Kate Borten of The Marblehead Group on Dealing With Business Associate Risk
Many of the major health data breaches being reported to regulators reflect a variety of poor privacy and security practices by business associates, including retaining sensitive patient information for much longer than necessary, says Kate Borten, president of The Marblehead Group, a privacy and security consultancy.
For example, several of the largest health data breaches reported in 2022 involved hacking incidents at business associates where affected patient records dated back a decade or more.
"There is a tendency to hold on to data," Borten tells Information Security Media Group. "If you are a covered entity, a healthcare provider, there are typically state laws that dictate how long you must keep patient records, whether they're inpatient or outpatient, different lengths, and so on."
But for business associates, those retention regulations are less likely to apply. And unfortunately, many of these vendors "fundamentally keep legacy data on their systems, putting that information needlessly at heightened risk for compromises," she says.
"You don't want to be holding on to more data than you actually absolutely need. So, I would strongly recommend … that business associates think very carefully about what they collect and how long they keep it and have a very clear process for destroying data," she says.
In this video interview with Information Security Media Group, Borten also discusses:
- Other top vendor security risk challenges;
- HIPAA enforcement and related regulatory trends;
- Steps organizations can take to improve patient data security and privacy practices.
Before founding The Marblehead Group, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its then-parent organization, CareGroup, as the organization's CISO.