"A hospital may send data to a third party company that produces its invoices for it. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people?"
How do you know that the legitimate third party isn't compromised? Or that it doesn't employ someone untrustworthy?