Data Governance and Third-Party Business Associates

machine learning
Jo Ann Stadtmueller      
machine learning
   December 2021            
machine learning
Learn Data Science

With progress inevitably come challenges. Such is the reality organizations confront as they increasingly harness the transformational potential of data. While the value of data rises in pace with data science tools and technologies, so also does the risk of data exposure. 

Effectively managing sensitive data is particularly critical in the healthcare and life sciences universes. The collection, sharing, and transmission of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)—often replete with sensitive personal information—heightens the need for skilled data governance both to improve outcomes and to comply with standards for safeguarding Personally Identifying Information (PII).

Learn Data Science

The High Stakes of Vulnerable Data

The potential costs of data breaches are daunting, and healthcare organizations face a particularly high toll for data exposure. According to a study by the Ponemon Institute, which measured the financial impact of data breaches across 16 industries, the healthcare industry pays dearly for data security failures, incurring an estimated cost of $380 per record associated with exposure of PHI and ePHI. The cost per record for breaches in the life sciences industry was estimated to be $264.     

The troubling prospect of a ransomware attack looms particularly large as a data security concern across industries. A 2021 whitepaper published by Sophos, a security software and hardware firm, provides a current glimpse into the ransomware threat from a healthcare perspective. While 34% of healthcare employees surveyed for this study indicated that their organizations had experienced ransomware infections in the last year, 41% responded that they had not been hit by ransomware in the last year but expected to be at some point.

For healthcare organizations, a ransomware attack carries with it not just a financial burden, but liability for violation of HIPAA regulations.  With the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted to encourage health technology, this liability extends to third-party business associates (BAs) who have access to Electronic Health Records (EHR).

Third Parties and Data Security

As organizations engage more and more third-party BAs for a range of services, the opportunities for data mischief expand. In the Ponemon Institute’s 2018 study, Data Risk in the Third-Party Ecosystem, 61% of participating US companies reported that they had experienced data breaches connected to vendors or third-party BAs, representing a 12% increase from 2016.

The COVID-19 pandemic has, according to a recent analysis of breach reports by the US Department of Health and Human Services, accelerated this trend of security incidents in healthcare.  Citing a 36% increase in healthcare data breaches in the second half of 2020 over the first half of that year, the report points out that many of these breaches involve BAs, noting “According to analysts, 21.3 million healthcare records were breached in the second half of 2020 alone – with nearly three-quarters of all breaches tied to third parties.”

A Business Wire article reporting on the results of the 2018 Ponemon Institute’s study offers the following comment from Dr. Larry Ponemon:

Considering the explosive growth of outsourced technology services and the rising the (sic) volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.

The study concludes that mitigating these risks requires strong data governance protocols and security technology, recommending such measures for safeguarding ePHI files as:

  • Routinely auditing third-party security practices.
  • Maintaining an inventory of third parties that have access to their data and any associated entities that have access through them.
  • Conducting frequent reviews of technologies that third parties adopt.
  • Requiring third parties to notify them of their relationships with other entities with whom they might share data.
  • Enlisting the support of senior leadership in prioritizing data security efforts.
Corporate Data Science Bootcamp

Balancing the Risks with the Rewards of Shared Data

With robust data governance procedures in place, organizations position themselves to reap the benefits—safely and confidently—of engaging qualified business associates that provide valuable expertise and important services.  Workforce training resources offer one example of such third-party relationships.

Many healthcare and life sciences organizations are wisely ramping up efforts to upskill their workforces in data science tools and techniques.  In the process, they are increasingly realizing that the real-world data sets their employees use in their work are highly effective as training materials.  However, the advantages of this practice, of course, are accompanied by the additional exposure of sensitive records when they are shared on learning platforms. 

Corporate Data Science Training

Data Science Training with Data Compliance Savvy

The Data Society team recognizes that collaboration between L&D departments and workplace learners plays an important role in professional development.  The team also understands the vital importance of data security, particularly when it comes to healthcare records.  With the goal of creating a fertile learning environment that encourages communication while protecting sensitive information, Data Society has introduced meldR, a Learning Experience Communication Platform (LXCP) that caters to the unique needs of healthcare and life sciences organizations.  meldR provides a unified point of contact—with built-in data compliance specific to the healthcare and life sciences industries—through which instructors can deliver training, learners can develop a community of practice, and L&D departments can track student development and achievements. 

Clearing obstacles to the open collaboration that promotes innovation and professional development is a key to effectively upskilling workforces.  meldR offers a space for educational engagement, where students can focus on learning rather than data security, driving the progress of healthcare and life sciences organizations toward their data maturity goals. 


Subscribe to our newsletter

Data Society provides customized, industry-tailored data science training solutions—partnering with organizations to educate, equip, and empower their workforce with the skills to achieve their goals and expand their impact.

cross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram