The healthcare industry’s continual digital revolution requires it to increasingly rely on third-party vendors for everything from electronic health records to telehealth platforms. While these partnerships offer undeniable benefits like improved patient care, cost savings and efficiency, they also expose healthcare organizations to third-party, or supply chain, cyberattacks.
The numbers are sobering. A recent analysis of data breaches by SecurityScorecard for its Global Third-Party Cybersecurity Breaches Report found that healthcare was the worst-affected industry, with the highest volume of third-party breaches, followed by financial services. More than one-quarter (28%) of all breaches occurred at healthcare organizations.
Third-party breaches aren’t just isolated incidents; they are happening across the healthcare spectrum and impacting massive amounts of financial or patient data. Earlier this year, Change Healthcare, a subsidiary of UnitedHealthcare, experienced a ransomware attack that came into the organization’s network through a third-party provider, resulting in a theft of 4TB of data and costing Change $22 million in ransom. It’s estimated that patient data for one in three Americans could be involved, and the American Hospital Association has referred to the incident as “the most serious incident of its kind levelled against a U.S. healthcare organization.” Kaiser Foundation and Perry Johnson & Associates are two more examples of third-party healthcare breaches taking place just this year.
The Human Cost of Cyberattacks
There’s a reason the healthcare sector is the most targeted industry sector for cybercrime: it’s a honeypot of the most valuable personally identifiable information (PII). We’re not just talking about payment information here, though that is certainly part of the appeal. Personal medical records and insurance information fetch a high price on the dark web and, when combined with stolen data from other industry sectors, help create a holistic data portrait of individuals.
Beyond housing highly appealing data, attackers know that injecting chaos into the healthcare system can affect actual patient care and well-being. Healthcare organizations that deal daily with life-and-death decisions about patients are paying ransoms more frequently, with an increase to 53% in 2024 from 42% in 2023.
Additionally, these attacks clog up an already overwhelmed scheduling system, causing patients to wait for required care.
In addition to playing offense and defense on cyberattacks, healthcare organizations must also navigate a complex regulatory web, including HIPAA, which mandates strict safeguards for protected health information (PHI).
AI and ML: The New Frontier in Cybersecurity
We cannot talk about cybersecurity without considering how artificial intelligence (AI) and machine learning (ML) are emerging as powerful allies in the fight against cyberattacks. Bad actors are using AI and ML to make their attacks more successful; defenders need to use them as well.
These technologies can analyze vast amounts of data to detect patterns and anomalies that may indicate a breach. They can also automate routine security tasks, freeing up IT staff to focus on more strategic initiatives. While not wholly realized, AI and ML offer tremendous potential in strengthening cybersecurity within the healthcare field.
A Multi-Layered Defense
Because healthcare organizations are part of our critical infrastructure, a robust approach that addresses both technical and human factors must be taken to protect them from third-party cyberattacks.
- Vendor Risk Management: Implementing a robust vendor risk management program is crucial. This includes thorough due diligence before onboarding new vendors, continuous monitoring of their security practices, and clear contractual agreements that outline security expectations. Don’t just assume a vendor is secure because they claim to be; verify their security posture and ensure it aligns with your organization’s standards.
- Comply With Standards: Not only do security information and compliance programs protect patient data, but they also help healthcare organizations remain competitive. Nearly 40% of healthcare security professionals back this up. In an environment where successful cyberattacks result in harm to patient care and significant fines, the reputational damage to both the entity and the healthcare system as a whole is astounding. Standards from HIPAA to ISO 42001, which specifically addresses AI, help organizations assure stakeholders, including partners, customers and regulators, that the proper steps are being taken to secure data.
- Employee Education and Training: Your staff is your first line of defense and your biggest risk. Regular training on security best practices, such as recognizing phishing scams and avoiding social engineering attacks, is essential. Make cybersecurity awareness an ongoing part of your organizational culture, not just a one-time event.
- Advanced Security Technologies: Playing defense in cybersecurity is a must, and investing in technologies like intrusion detection and prevention systems, firewalls, and encryption is crucial for protecting your network and data. These technologies come from third-party vendors, so make sure they are part of your vendor risk management program and stay in communication with them. Not only will you be aware of patches and updates to the system, but you can draw on their knowledge of how to enhance your defenses.
- Incident Response Planning: While no one wants to use an incident response plan, having a well-defined one already prepared is key to minimizing the impact of a cyberattack. An active cyberattack is an anxiety-inducing situation, and having a plan in place that your team has role-played is a must for moving through the situation quickly and thoughtfully. This plan should outline the steps to be taken in the event of a breach, including communication protocols, data recovery procedures, and forensic investigations.
The Road Ahead
The threat of third-party cyberattacks is not going away. As healthcare organizations continue to rely on external vendors, the opportunity for attack expands. However, by taking a proactive and comprehensive approach to cybersecurity that includes a commitment to compliance, embracing new technologies like AI and ML, and planning for the inevitable, healthcare organizations can protect their patients, their data, and their reputations.
About Sam Peters
Sam Peters's work experience spans 2003 to the present; they have served as the Chief Product Officer at ISMS.online since May 2021. Previously, they worked at Alliantist for 8 years, from January 2013 to May 2021, as Head of Products and Services. Before that, they held the position of Product and Support Manager at WPM Education from June 2011 to January 2013. Prior to that, they worked at East Sussex County Council as a School ICT Applications Manager from September 2009 to June 2011. They also worked as a General Manager at DB Education Services from April 2008 to September 2009. Their earliest professional experience was at Digitalbrain PLC, where they served as a Service Delivery Manager from November 2003 to April 2008.