October is Cybersecurity Awareness Month
Throughout the month we will take on cybersecurity subjects that continue to be challenging in healthcare today and ask our experts to weigh in.
Topic 2: Third-Party and Supply Chain Vulnerabilities
Third-party and supply chain vulnerabilities pose a major risk to healthcare by allowing cyberattacks and operational disruptions to impact patient care. Cybercriminals are exploiting weak security in vendors, cloud services, and connected devices to access patient data and disrupt services.
Lesley Berkeyheiser, Senior Director of Accreditation Strategy and Development, DirectTrust
LinkedIn: Lesley Berkeyheiser
HHS OCR data shows that in 2025, four of the ten largest healthcare breaches affected providers, while six involved business associates. These third-party organizations provide the “plumbing” for data exchange: EHR vendors, clearinghouses, HIEs, analytics firms, repositories, and more. Their services make interoperability possible, but they are also frequent targets. Attackers now use AI-driven malware such as droppers to quietly monitor systems and strike for maximum impact.
HIPAA requires Business Associate Agreements, but enforcement actions show that too many organizations fall short in conducting risk analysis or addressing gaps across administrative, physical, and technical safeguards. One way to build trust is through independent third-party audits, certifications, or accreditations. These reviews validate that appropriate privacy, security, and cybersecurity controls are in place, providing documented proof to payers, partners, and patients that your organization can be trusted.
Jeremy Carriger, Chief Information Security Officer, Arcadia
LinkedIn: Jeremy Carriger
Healthcare organizations often leverage outside cloud and technology partners to operate efficiently, but that dependency creates complexity and risk. Managing third-party and supply chain security is now a core part of protecting patients.
One of the most effective steps healthcare organizations can take is to treat vendor security as an extension of their own program. That starts with asking partners how they secure their own supply chains and requiring transparency into the components they use, such as through software bills of materials (SBOMs). It also means monitoring the integrations that connect systems together, so security teams can quickly detect and address unusual activity. These practices go beyond checklists—they build visibility and accountability into the relationships healthcare organizations already depend on.
While the risk can’t be eliminated, it can be managed. By setting clear expectations for vendors, ensuring continuous monitoring, and holding all partners to the same security standards, healthcare organizations can mitigate the odds that third-party vulnerabilities escalate into disruptions that impact patient care.
Robert Eikel, Chief Information Security Officer & Privacy Officer, P-n-T Data Corp.
LinkedIn: Robert Eikel
Every healthcare company relies on external partners to process, transmit, or store its data—and every one of those relationships creates risk. When a supplier suffers a breach, ransomware, or security incident, the customer bears the consequences: downtime, embarrassment, and even regulatory action. CISOs and business leaders who manage supplier risk should ask three hard questions of every supplier before entrusting them with sensitive data:
- How long will you keep my data?
- How fast can you recover if you are attacked?
- Are you fully audited and certified by a reputable assessor?
But it’s not just about due diligence. Consider how your own infrastructure is designed and whether you can route around a compromised partner. The best-prepared organizations have redundant suppliers for key services, so data can flow securely and continuously even when one vendor stumbles.
David Finn, HIT Advocate, Recovering HC CIO, Principal, Cyber Health Integrity, LLC
LinkedIn: David (Samuel) Finn
In today’s hyper-connected healthcare ecosystem, every vendor relationship—from EHR platforms to medical device suppliers—introduces potential risk. Cybercriminals are increasingly targeting supply chains, using ransomware-as-a-service and AI-driven impersonation tactics to exploit trust and gain access to sensitive systems and patient data. With tens of thousands of new vulnerabilities emerging each year, it’s no longer enough to secure internal systems alone. Leaders across procurement, clinical operations, and patient services must treat third-party risk as a strategic priority. We must move beyond siloed controls and embrace a culture of shared vigilance—because protecting our partners is protecting our patients.
Mike Hoxter, Chief Technology Officer, Lightbeam Health Solutions
LinkedIn: Michael Hoxter
With the rapid influx of generative AI and large language model vendors, building software has become much easier than ever before. Many of these companies have limited experience in dealing with healthcare data, so AI can accelerate outcomes – or incidents. Healthcare leaders should prioritize vendors with verifiable HIPAA, HITRUST, and SOC 2 compliance to unlock ROI without inviting ransomware or data exposure. By taking a deliberate, qualified approach, organizations can harness AI’s potential while protecting both their operations and the patients they serve.
Andrew Mahler, Vice President of Privacy and Compliance Services, Clearwater Security
LinkedIn: Andrew Mahler
Third-party and supply chain compromise continues to be one of the most significant (and underestimated) risks facing healthcare. We’ve seen attackers shift from targeting single networks to exploiting the connective tissue of the industry: shared vendors, managed service providers, and cloud integrations. When a trusted partner is breached, attackers use their access to move laterally across multiple organizations, putting patient data and operations at risk. The result is a ripple effect where one weak link can disrupt care across an entire ecosystem.
Today’s adversaries are capitalizing on credential theft, remote access abuse, and hijacked integrations to gain entry without deploying traditional malware. These tactics often bypass detection and exploit the very technologies designed to improve efficiency. For healthcare organizations, managing third-party exposure can no longer be a compliance checkbox; it’s now a core element of cyber risk management and operational resilience. Thorough assessments, strict access governance, and continuous monitoring of vendor activity are now fundamental to ensuring that the supply chain doesn’t become the attack chain.
Tim O’Brien, Vice President, Global Cloud Operations, Altera Digital Health
LinkedIn: Tim O’Brien
Cyberattacks that exploit vendor or supply chain weaknesses threaten not just data, but the continuity of patient care. Healthcare organizations must do their due diligence to ensure their technology partners embed security into every layer of operations—from vendor onboarding and data segregation to continuous vulnerability testing and incident response readiness. Assess whether the partner maintains full visibility into the performance and security posture of its own supply chain to detect and respond to threats early. By prioritizing operational integrity both internally and with vendors, organizations can continue to deliver safe, uninterrupted care, even in the face of evolving cyber risks.
Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid
You can have all the right tools in place — strong firewalls, end user training, regular patching — but if your vendors don’t hold up their end of the bargain, your system’s still at risk. Third-party vulnerabilities are a major issue in healthcare, especially for FQHCs and smaller clinics that rely heavily on outsourced tools and cloud services.
It’s not just about software vendors either. Connected medical devices, contractors with system access, and even your supply chain partners can all create hidden openings for attackers. We’ve seen contractors with full access who never got security training. That’s a big problem.
That’s why regular risk assessments and penetration tests matter. They help you spot these gaps before an attacker does. And it’s also why we always recommend a multilayered defense — because if one layer fails, you need the others to hold.
If you’re not sure how secure your environment is, we offer a free baseline assessment for healthcare organizations. It’s a good place to start.
Clay Ritchey, CEO, Verato
LinkedIn: Clay Ritchey
Every health system relies on a complex network of clinical and non-clinical employees, affiliated providers, and vendors with varying degrees of access to their applications and networks. With phishing schemes becoming more sophisticated and pervasive, a single stolen password or a concealed malware update can easily lead to a crippling security breach. Technologies to reduce the threat surface for phishing are becoming table stakes, with tools such as digital identity verification at vulnerable points of access leading the way. The good news is that security measures don’t have to slow you down. By implementing biometric digital identity verification and authentication as part of a healthcare-grade, next-gen MDM platform, organizations can achieve unprecedented identity intelligence, power a single source of truth for provider data management, and increase security while also saving time and cutting costs.
Gary Salman, CEO and Co-Founder, Black Talon Security
LinkedIn: Gary Salman
Organizations that rely on third-party vendors and supply chains—particularly in the healthcare sector—must adopt sophisticated, data-driven strategies to minimize their quantifiable cyber risk exposure. The transition to digital platforms, coupled with the increasing sophistication of cybercrime, has created new vulnerabilities that can significantly impact financial performance, patient care, and “brand trust”. Because healthcare entities store immense amounts of valuable data, including Protected Health Information (PHI), they are attractive targets for cybercriminals.
Effective risk management requires moving beyond subjective feelings and assumptions and grounding security decisions in verified, quantifiable data and specialized expertise. This shift demands a proactive, multi-layered approach that emphasizes visibility, technical hardening, and human preparedness.
To effectively manage risk, organizations must establish clear visibility into their security posture, often through centralized, data-driven platforms. A key step is developing a cybersecurity risk score that quantifies the probability of a breach. Centralized diagnostic and alert systems unify these signals into a single intelligent dashboard, providing the equivalent of a “cyber check engine light” for executives.
Supply chain and third-party access points pose a major risk, as cybercriminals exploit weak security in vendors (such as billing companies or RCM providers) to access patient data. Organizations must demand a copy of a third-party risk assessment that vendors and outsourced service providers (like IT companies or billing companies) have performed against themselves.
Furthermore, healthcare organizations should engage a dedicated third-party cybersecurity firm to provide an independent audit and separation of duties from the internal IT resources or Managed Service Providers (MSPs). Relying solely on general IT providers for preventative security can be a mistake, as their primary focus is maintaining infrastructure.
Rob Stuart, CEO, Claim.MD
Third-party and supply chain vulnerabilities have become one of healthcare’s most overlooked risks. When a vendor or partner is breached, it isn’t just an IT problem; it can stop billing, stall payments, and put patient care on hold. For small and midsize practices in particular, that disruption can threaten their financial survival.
We’ve seen this play out with recent industry-wide cyberattacks. Even providers with solid internal defenses were pulled into weeks of delays and uncertainty because their partners weren’t prepared. The hard truth is that you inherit the security posture of every vendor you work with. If they’re not protecting systems and data, your operations are at risk.
That’s why it’s no longer enough to ask vendors about their safeguards; you need proof. Working with accredited and certified partners provides that assurance. Independent validation shows they’ve invested in the processes and controls needed to protect sensitive information and keep critical services running.
Cybersecurity isn’t just a compliance box to check; it’s a business continuity issue. Providers can’t control every vulnerability in the supply chain, but they can choose partners who take security seriously. That diligence helps protect revenue integrity, patient trust, and the future of the practice.