Commentary|Videos|November 13, 2025

Bridging the Vendor Compliance Confidence Gap in Life Sciences

In the third part of his Pharma Commerce video interview, Faisal Khan, a GRC solutions expert with Vanta, emphasizes the need for a risk-based approach—grounded in clear policies, defined criteria, and tailored mitigation plans—to ensure third-party partnerships remain compliant and secure.

In a recent discussion with Pharmaceutical Commerce, Faisal Khan, a GRC solutions expert with Vanta, highlights how internal employee error continues to drive nearly half of all HIPAA-related data incidents. According to Khan, most of these breaches stem from fundamental lapses in access control and data management—specifically, employees having broader data access than their roles require. Without strict adherence to the principles of least privilege and role-based access control, sensitive patient health information (PHI) can easily be exposed, misused, or mishandled.

Khan explained that excessive access privileges often create a “trickle effect” across operations, leading to unintentional errors such as sending PHI to incorrect recipients, storing it in unsecured locations, or using it inappropriately for nonessential functions. These mistakes are not always malicious but are frequently the result of poor oversight, unclear data ownership, and insufficient process documentation.

To address these issues proactively, Khan recommended that healthcare and life sciences organizations map their data flows in detail—identifying how sensitive information moves within and beyond their systems. This process should include documenting the to’s, from’s, and how’s of data transfers to reveal vulnerabilities or inefficiencies in how PHI is handled.

Once these flows are understood, organizations can establish comprehensive asset and data inventories, helping security teams monitor what information exists, who can access it, and how it’s used. With these insights, leaders can implement targeted access controls, correct overly permissive roles, and reinforce policies for data storage and sharing.
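The access review and data-flow check described above, as an added worked example (this is illustrative code, not from the interview, Pharmaceutical Commerce, or Vanta): it compares an IAM-style list of grants against a data inventory and a set of role entitlements, rates each excess grant by the classification of the data it reaches, and separately flags flows that move PHI to a destination not approved for it. All asset, role, user and flow records are constructed sample data, and the severity rules are assumptions standing in for an organisation's own policy.

```python
"""Least-privilege review against a data inventory and data-flow map.

Added example, not code from the interview, Pharmaceutical Commerce, or
Vanta. Every inventory, role, grant and flow record below is constructed
sample data; the field names and severity rules are assumptions.
"""
from dataclasses import dataclass

# Constructed data inventory: asset name -> classification.
DATA_INVENTORY = {
    "ehr_db": "PHI",
    "claims_share": "PHI",
    "marketing_crm": "internal",
    "public_site": "public",
}

# Constructed role entitlements: the assets each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "clinician": {"ehr_db"},
    "billing": {"claims_share"},
    "marketing": {"marketing_crm", "public_site"},
}

# Constructed grants as an IAM export might list them: (user, role, asset).
GRANTS = [
    ("alice", "clinician", "ehr_db"),
    ("bob", "marketing", "marketing_crm"),
    ("bob", "marketing", "ehr_db"),          # marketing has no need for PHI
    ("carol", "billing", "claims_share"),
    ("carol", "billing", "public_site"),     # excess, but the data is public
    ("dave", "contractor", "claims_share"),  # role with no defined entitlements
]

# Constructed data-flow map: (source asset, destination, mechanism).
DATA_FLOWS = [
    ("ehr_db", "claims_share", "sftp"),
    ("ehr_db", "personal_email", "smtp"),
    ("marketing_crm", "public_site", "api"),
    ("claims_share", "contractor_dropbox", "https"),
]

# Constructed set of destinations approved to receive PHI.
APPROVED_PHI_DESTINATIONS = {"ehr_db", "claims_share"}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    asset: str
    severity: str
    reason: str


def review_grants(grants, inventory, entitlements):
    """Return one Finding per grant that exceeds what the role requires.

    Severity follows the classification of the asset: any excess access
    to PHI is high, excess access to non-PHI data is low, and gaps in the
    inventory or role definitions are medium because the grant cannot be
    judged until the documentation itself is fixed.
    """
    findings = []
    for user, role, asset in grants:
        classification = inventory.get(asset)
        if classification is None:
            findings.append(Finding(user, role, asset, "medium",
                                    "asset missing from data inventory"))
            continue
        allowed = entitlements.get(role)
        if allowed is None:
            severity = "high" if classification == "PHI" else "medium"
            findings.append(Finding(user, role, asset, severity,
                                    "role has no defined entitlements"))
            continue
        if asset not in allowed:
            severity = "high" if classification == "PHI" else "low"
            findings.append(Finding(user, role, asset, severity,
                                    "grant exceeds role entitlement"))
    return findings


def unapproved_phi_flows(flows, inventory, approved_destinations):
    """Return flows that move PHI to a destination not approved for it."""
    return [
        flow for flow in flows
        if inventory.get(flow[0]) == "PHI" and flow[1] not in approved_destinations
    ]


def count_by_severity(findings):
    """Summarise findings as {severity: count} for reporting."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_grants(GRANTS, DATA_INVENTORY, ROLE_ENTITLEMENTS):
        print(f"[{f.severity}] {f.user} ({f.role}) -> {f.asset}: {f.reason}")
    for src, dst, how in unapproved_phi_flows(DATA_FLOWS, DATA_INVENTORY,
                                              APPROVED_PHI_DESTINATIONS):
        print(f"[phi-flow] {src} -> {dst} via {how}: destination not approved")
```

Run against a real IAM export and inventory, the same two functions give a security team the "what exists, who can access it, and where it goes" view the paragraph describes; the deliberate choice to rate missing inventory entries and undefined roles as findings in their own right reflects that unclear data ownership is itself a control gap, not something to skip over.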

Ultimately, Khan emphasized that protecting PHI requires more than compliance checkboxes—it demands a continuous, structured approach to data visibility and accountability. By aligning access control and data management with operational needs, organizations can meaningfully reduce risk while maintaining compliance with evolving HIPAA standards.

He also dives into the threat that third-party noncompliance poses to healthcare data security; best practices to close the perception gap of leaders feeling confident in vendor compliance despite limited oversight; and much more.

A transcript of his conversation with PC can be found below.

PC: Given that many leaders feel confident in vendor compliance despite limited oversight, what best practices can help close this perception gap?

Khan: To close that perception gap, my recommendation would be to make risk-based decisions for the oversight and use of vendors that they have in their ecosystem. Because again, use of third parties is kind of inevitable. It's all about the risk, and that often starts off with having a very core policy, and then being very clear and prescriptive with the criteria, with what the policy objectives are, who it applies to, the process overall.

With the criteria being prescriptive into what might make the severity of risk go higher or lower—think data types, for example, where the sensitivity of your data may influence it to be higher, especially those that have PHI handled as part of them. And then, of course, sometimes you will have vendors that really are low risk to your business, and that's okay, but only if you have a solid understanding of why, including what the worst possible scenario with that vendor is, and then plans to ensure that that doesn't happen and that you have mitigating, compensating controls to address them.
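The risk-based vendor criteria Khan describes, turned into an added worked example (illustrative code, not from the interview, Pharmaceutical Commerce, or Vanta): each vendor gets an inherent score from the most sensitive data type it handles, with PHI weighted highest, plus its level of access; recognised mitigating or compensating controls reduce that to a residual tier; and every vendor, low risk or not, is flagged unless its worst-case scenario and the plan to prevent it are written down. The weights, thresholds, control names and vendor records are all constructed assumptions standing in for an organisation's own policy.

```python
"""Risk-based vendor tiering with prescriptive criteria and residual risk.

Added example, not code from the interview, Pharmaceutical Commerce, or
Vanta. The weights, thresholds, control names and vendor records are
constructed assumptions standing in for an organisation's own policy.
"""

# Constructed criteria: sensitivity of the data a vendor handles, with
# PHI deliberately weighted highest, and the level of access granted.
DATA_SENSITIVITY = {"PHI": 5, "PII": 3, "financial": 3, "internal": 1, "public": 0}
ACCESS_WEIGHT = {"none": 0, "read": 1, "read_write": 2, "admin": 3}

# Constructed credit given for mitigating or compensating controls.
CONTROL_CREDIT = {
    "encryption_at_rest": 1,
    "least_privilege_access": 1,
    "independent_audit_report": 1,
    "data_minimisation": 1,
}

# Score floors for each tier, checked from highest to lowest.
TIER_THRESHOLDS = ((7, "high"), (4, "medium"), (0, "low"))

# Constructed vendor records as a GRC inventory might hold them.
VENDORS = [
    {
        "name": "cloud_ehr_host",
        "data_types": ["PHI", "PII"],
        "access": "admin",
        "controls": ["encryption_at_rest", "least_privilege_access"],
        "worst_case": "full PHI database exposure",
        "mitigation_plan": "breach runbook, quarterly access review",
    },
    {
        "name": "newsletter_tool",
        "data_types": ["public"],
        "access": "read",
        "controls": [],
        "worst_case": "defaced mailing, no sensitive data involved",
        "mitigation_plan": "revoke API key, re-send from backup list",
    },
    {
        "name": "analytics_contractor",
        "data_types": ["PHI"],
        "access": "read",
        "controls": ["independent_audit_report"],
        "worst_case": "",
        "mitigation_plan": "",
    },
]


def tier_for(score):
    """Map a numeric score to a tier using the policy thresholds."""
    for floor, label in TIER_THRESHOLDS:
        if score >= floor:
            return label
    return "low"


def inherent_score(vendor):
    """Most sensitive data type handled plus the access level granted."""
    worst_data = max(DATA_SENSITIVITY[d] for d in vendor["data_types"])
    return worst_data + ACCESS_WEIGHT[vendor["access"]]


def assess_vendor(vendor):
    """Return inherent and residual tiers plus documentation gaps.

    Residual risk only drops for controls the policy recognises, and a
    low inherent tier is acceptable only when the worst case and the plan
    to keep it from happening are documented; the gaps list enforces that.
    """
    inherent = inherent_score(vendor)
    credit = sum(CONTROL_CREDIT.get(c, 0) for c in vendor["controls"])
    residual = max(inherent - credit, 0)
    gaps = []
    if not vendor["worst_case"].strip():
        gaps.append("worst-case scenario not documented")
    if not vendor["mitigation_plan"].strip():
        gaps.append("mitigation plan not documented")
    return {
        "name": vendor["name"],
        "inherent_tier": tier_for(inherent),
        "residual_tier": tier_for(residual),
        "gaps": gaps,
    }


def vendors_needing_attention(vendors):
    """Names of vendors with high residual risk or an incomplete risk file."""
    return [
        result["name"] for result in map(assess_vendor, vendors)
        if result["residual_tier"] == "high" or result["gaps"]
    ]


if __name__ == "__main__":
    for result in map(assess_vendor, VENDORS):
        print(result)
```

Note the design choice that a vendor rated low can still surface in `vendors_needing_attention`: the point of the criteria is not only to rank vendors but to make the organisation write down why a vendor is low risk, which is what distinguishes a justified decision from the unexamined confidence the question is about.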
