How to manage your healthcare organization’s third-party cyber-risk
The healthcare ecosystem is complex, and providers and suppliers are deeply integrated with each other. Here are seven steps your organization can take to prepare for the next third-party incident.
Key takeaways
- Malicious actors often target third-party service providers with connections to many healthcare organizations to multiply the impact and reward of ransomware incidents and other cybercrimes.
- Many third parties are not required to adhere to the same security standards as healthcare organizations and may unwittingly engage in practices that increase cyber-risk.
- Third-party risk management is an essential tool in protecting your organization from cyberthreats that originate with third-party products or connected systems.
The healthcare industry has long been a target of malicious cyber actors. The life-preserving care it provides, the vast amounts of sensitive patient data it uses and stores, and the proliferation of connected devices mean it is particularly susceptible to attacks. Since 2011, the industry has consistently suffered the highest average financial costs of data breaches ($9.77 million in 2024).1 One study found a 27% increase in ransomware incidents in 2024 from the year before.2
There is some good news for the industry. The cost of data breaches declined in 2024 from an all-time high the year before. Healthcare organizations have invested heavily in security solutions, and many are better prepared to identify and block malicious activity before incidents lead to disruptions of service or data compromises.
But the bad actors have noticed this trend and, perhaps as a result, are increasingly focusing on third parties that support healthcare organizations, including device manufacturers, software platforms and service providers.
A massive 2024 ransomware and data breach showed why hackers are incentivized to target third parties. By compromising a technology company with connections to almost every hospital in America, a ransomware gang ensured that operational disruptions were widespread and that the data breach involved millions of patients.
190 million: the number of people whose data was exposed in a 2024 ransomware incident.3
But no matter how many organizations a third party works with, healthcare organizations need to maintain oversight over its approach to cybersecurity and its willingness to partner in the defense of patients’ care and information.
Managing third-party risk requires a careful review of how your organization is connected to other entities, what digital services it relies on and what security standards — if any — the third party complies with. All this information should inform and improve your organization’s third-party risk management plan (TPRM). Here are seven ways you can build or reinforce a healthcare-focused TPRM.
Components of a third-party risk management plan
- Create incident response plans. Assume that a breach will happen and plan accordingly. Focus first on the suppliers and partners with the greatest access to your company's systems and data. Document the steps each organization should take during and after a cyber incident, including communications, reporting protocols and identifying stakeholders. Designate a representative in your organization who will oversee third-party security practices and incident response.
- Identify, track and govern your most valuable data. Your organization should create systems that help identify who is using critical data — like patient records and payment information — and set controls to protect data in transit, in use and in storage. The inventory should detail which third parties have access to data or storage systems.
41%: the percentage of data breach incidents in the healthcare industry that began with a third party (the highest share among industry sectors).4
- Measure third-party risks. Undertake a full risk assessment associated with third parties and identify those that could present the most serious threat to your organization’s data or reputation in the event of a cyber incident. Assess the extent to which these partner organizations must comply with regulations that govern data usage or security protocols.
- Evaluate third-party security standards. Conduct assessments of your most important partners and service providers and the security controls they provide for any of your company’s assets. To improve security in their products or services, consider partnering with third parties — such as device manufacturers — to ensure they are not using outdated or commercial software.
- Bind security protocols to contracts. Be proactive in building security requirements into supplier contracts and business associate agreements, including protocols for reporting potential security incidents and remedial steps third parties are obligated to initiate in the event of an actual cyberthreat.
- Maintain oversight of third-party security. Cybersecurity requires continuous monitoring and updates to tool sets and protocols as needed. Build performance reviews and key performance indicators into your company’s most important third-party contracts. Work with third parties to ensure their business processes are aligned with best security practices.
- Emphasize the shared responsibility of protecting patients. Stress the importance of collaboration during the review process to frame cybersecurity as a shared objective that has a real impact on patient outcomes and the reputation of every organization involved in patient care.
1. IBM, "Cost of a Data Breach Report," 2024.
2. Black Kite, "Healthcare Under Ransomware Attack," 2025.