By Liav Caspi
Last year, healthcare systems faced more cyberattacks than any other critical infrastructure industry, costing $7.42 million. The combination of rich, high-value data and low technical sophistication makes healthcare systems an easier target. The biggest threat is no longer stealing records from hospitals directly but hacking insecure third-party connections.
Third-party involvement in data breaches has doubled to nearly 30% in recent years. In one of the biggest data breaches of 2024, hackers accessed 192.7 million records at Change Healthcare using exposed credentials to hack a service that didn’t have multi-factor authentication. In another, cybercriminals used website tracking data to access health information from Kaiser Foundation Health Plan.

Without these partners, hospitals can’t provide the level of care their patients require. But an organization’s IT infrastructure is only as secure as its weakest link. No matter how protected your own systems may be, insecure connections to third-party systems in your software supply chain put your data and clients at risk.
The third-party security crisis
Most hospitals rely on sprawling digital networks of partners, suppliers, and providers. Because each partner needs some level of access to your systems or data, this network dramatically increases the attack surface: thousands of vendors, with no clarity on how they protect data.
Of all data breaches with third-party involvement, healthcare-related breaches accounted for 41%. Vendor logins, for example, can easily be compromised if exposed or stolen. With credentials on hand, attackers can slip through firewalls and access healthcare systems under the guise of “routine maintenance.” This gives them free rein to move through the system and access patient records.
Bad actors also exploit vulnerable connections through security flaws in a partner's system. Unpatched code from a third-party billing system can expose patient data, including payment information. And security flaws extend beyond technology; partner employees with legitimate access can misuse their permissions. When this happens, hospitals face breach notification requirements and all consequences of stolen patient data, including reputational damage and heavy fines, despite bearing no direct fault.
A vendor’s low cybersecurity maturity can open a security gap that creates a breach in your systems. It’s like being in a small room with someone who has the flu; unless you have immunity or protection from the illness, the virus will infect you.