
© 2025 MJH Life Sciences™ and Pharmaceutical Commerce - Biopharma Business News, Market Insights. All rights reserved.
In the second part of his Pharma Commerce video interview, Faisal Khan, a GRC solutions expert with Vanta, urges organizations to move beyond one-time vetting toward continuous monitoring, contractual accountability, and shared responsibility for HIPAA compliance.
In a recent discussion with Pharmaceutical Commerce, Faisal Khan, a GRC solutions expert with Vanta, highlights how internal employee error continues to drive nearly half of all HIPAA-related data incidents. According to Khan, most of these breaches stem from fundamental lapses in access control and data management, specifically employees having broader data access than their roles require. Without strict adherence to the principles of least privilege and role-based access control, protected health information (PHI) can easily be exposed, misused, or mishandled.
Khan explained that excessive access privileges often create a “trickle effect” across operations, leading to unintentional errors such as sending PHI to incorrect recipients, storing it in unsecured locations, or using it inappropriately for nonessential functions. These mistakes are not always malicious but are frequently the result of poor oversight, unclear data ownership, and insufficient process documentation.
To address these issues proactively, Khan recommended that healthcare and life sciences organizations map their data flows in detail, identifying how sensitive information moves within and beyond their systems. This process should document where PHI originates, where it is sent, and by what means it is transferred, so that vulnerabilities or inefficiencies in how PHI is handled become visible.
Once these flows are understood, organizations can establish comprehensive asset and data inventories, helping security teams monitor what information exists, who can access it, and how it’s used. With these insights, leaders can implement targeted access controls, correct overly permissive roles, and reinforce policies for data storage and sharing.
Ultimately, Khan emphasized that protecting PHI requires more than compliance checkboxes—it demands a continuous, structured approach to data visibility and accountability. By aligning access control and data management with operational needs, organizations can meaningfully reduce risk while maintaining compliance with evolving HIPAA standards.
He also dives into the threat that third-party noncompliance poses to healthcare data security; best practices to close the perception gap of leaders feeling confident in vendor compliance despite limited oversight; and much more.
A transcript of his conversation with PC can be found below.
PC: How big of a threat does third-party noncompliance pose to healthcare data security?
Khan: I'd say that noncompliance to healthcare data security is pretty significant. If we think about how the world runs today, most, if not all, businesses operate using third parties. Engaging one to do really a specific activity is just an implicit given from the start of organizations.
The question really becomes, what is the risk that those third parties pose to your organization, why, and how they help you reduce it with their protections and processes, but then also including what your own responsibilities might be in doing a lot of the same.
To reduce the risk overall, my recommendation for organizations should be to treat vendor vetting as an ongoing process, where it's not just about performing that initial vendor assessment to get them in the door, but it's also to continuously check in on the vendor security, their performance overall, and ensure that you have contractual language such as BAAs or DPAs that make security and privacy obligations very clear and enforceable as part of those engagements.