The Hidden Threat in Healthcare: Why Third-Party Risk Management Can’t Wait
- HAPevolve/Healthcare Preparedness Solutions
- Mar 12
Part 1: A look at external threats for your facility
Healthcare is more interconnected today than at any point in history. Hospitals, physician groups, and health systems rely on vast networks of third‑party vendors—electronic health record providers, billing companies, cloud platforms, telehealth applications, medical device software, and countless subcontractors.
These partnerships fuel innovation and efficiency, but they also open the door to one of the fastest‑growing threats in healthcare cybersecurity: third‑party risk.
Recent industry research shows that 35 percent of cyberattacks targeting healthcare stem from third‑party vendors, while 40 percent of vendor contracts are finalized without a security risk assessment. Meanwhile, other analyses have found that over 60 percent of healthcare data breaches originate from third‑party vendors, and 74 percent of healthcare cybersecurity incidents involve third‑party vulnerabilities.
These numbers paint a clear picture: the healthcare sector faces a systemic, urgent challenge, one that is costing organizations millions while putting patient lives at risk.
The Problem: Why Third‑Party Risk Is Escalating
1. An Expanding Vendor Ecosystem
The average healthcare organization relies on dozens of external vendors for daily operations—from cloud hosting to radiology systems and billing platforms. This explosion of digital partnerships increases the attack surface dramatically. Small and mid‑size providers are especially vulnerable, as attackers know these organizations often lack the cybersecurity resources of large health systems.
2. High‑Impact Breaches With Ripple Effects
Recent incidents show how a single vendor failure can paralyze the healthcare ecosystem:
- 2024 Change Healthcare ransomware attack: compromised 100 million patient records and disrupted claims processing nationwide.
- CrowdStrike software failure: caused widespread outages, demonstrating how deeply integrated third‑party platforms can bring operations to a halt.
- HCA Healthcare breach (2023): affected 11 million patients due to vulnerabilities in third‑party software handling automated email formatting.
Healthcare simply cannot function when these services fail—and patient safety is directly affected.
3. Outdated or Reactive Risk Approaches
Many organizations still manage third‑party risk using manual spreadsheets and email-driven assessments, which are slow, incomplete, and no match for modern threats. In addition, regulatory frameworks (HIPAA, HITECH, and state laws) place full responsibility for PHI protection on the healthcare entity—not the vendor.
4. Sophisticated Cyber Threats Targeting the Supply Chain
Cybercriminals are increasingly exploiting vendors as the weakest link:
- Ransomware-as-a-Service (RaaS) is enabling less-skilled attackers to target vulnerable vendors.
- Supply chain attacks have surged, especially involving medical devices and cloud-based platforms.
- The average cost of a healthcare breach involving third-party vendors now exceeds $9.77 million.
In my next blog, I’ll highlight the solutions you can use to build a modern third-party risk management program and how services like CorePlus can help you take control of your security.
Author: Ed Wurster, III, manager, business continuity and cyber resilience