
FEATURE

Vendor and Supply Chain Risks Increase Hospital Cybersecurity Vulnerabilities


By Amy Buttell


For executives at hospitals and healthcare organizations, reducing a facility’s vulnerability to cyberattacks is a big job. That’s because cyberattacks are on the rise, with hospitals reporting 364 hacking incidents in the first nine months of 2025. More than half of US healthcare organizations reported an information breach in the past year. Research reveals, however, that securing the facility is only the first step.

In fact, more than 80% of stolen protected health information was taken from third-party vendors, nonhospital providers, software services, health plans, and business associates that had contracted relationships to provide hospitals with needed products and services. More than 90% of hacked health records are obtained by cybercriminals from outside the hospital's own electronic healthcare system.

In 2021, cybercriminals gained access to Broward Health’s network in Florida through a third-party medical provider that had been granted access to its system. That breach exposed the identity data, email addresses, telephone numbers, Social Security numbers, driver’s license numbers, financial and bank account information, health insurance information, medical histories, treatment information, and medical record numbers of 1.35 million patients. The US Justice Department became involved following the breach to improve hospital security.

The job for hospital leaders, then, includes accounting for and mitigating third-party vulnerabilities. To do that, leaders must understand which relationships involve network access and then monitor that access. An October 2025 study in Applied Clinical Informatics found that only around half of healthcare organizations had a comprehensive list of the third parties with access to their networks, and only one-third regularly monitored third-party access.

Healthcare data is a prime target for cybercriminals because specific patient data—Social Security numbers, financial records, demographic data, health insurance information, and medical and clinical data—can be sold easily and quickly. Hospitals are legally required to protect patient data, so many cybercriminals succeed with ransomware attacks, in which they hold hospital system data hostage in exchange for a ransom. Patient data is valuable because criminals can use it to commit identity theft and medical identity theft.

Cyberattacks not only compromise patient data, but they also diminish the quality of care, resulting in complications, delayed treatment, longer stays for patients, and adverse healthcare outcomes. Medical professional liability lawsuits have stemmed from cyberattacks, including an MPL case that alleged that a baby died due to lack of ongoing monitoring at Springhill Medical Center in Mobile, AL. Settlements of data-breach claims are also proliferating, including a $625,000 settlement by Hypertension Nephrology Associates and a $500,000 settlement by Asheville Arthritis and Osteoporosis Center.



In this article we’ll review the types of third-party relationships with vendors and contractors that create vulnerabilities, the cybersecurity risks for hospitals and health systems, and how to mitigate them.

Types of Hospital Cybersecurity Risks

Foreign ransomware groups—many of which are criminal gangs based in Eastern Europe—are expert at identifying the medical contractors that serve many different health systems, making whole cities, regions, and countries vulnerable to the effects of an attack on a single healthcare provider.

For hospitals, specific threats include:

  • Ransomware and data breaches: In the most typical kind of cyberattack, a hacker or hacking group will gain access to a network through phishing inattentive employees, take down the network, and hold the data for ransom—if the ransom isn’t paid, they will sell the data on the dark web.
  • Supply chain attacks: Supply chain providers in healthcare who have access to data networks are the next most vulnerable to cybercrime.
  • Internet of Medical Things: Devices and systems that automatically collect and transmit medical data.
  • Remote access: Connections to medical networks through a VPN or other devices.
  • Phishing and credential threats: As we’ve already indicated, the most common vulnerability is through phishing attempts to gain hold of credentials.
  • Insider threats: The problem here is usually not bad-faith actors but that there are too many insiders. Every employee of a specific contractor might have access to sensitive files containing patient information when, in fact, they don’t need it to do their jobs.
  • “Nth” party risks: The more contractors and subcontractors that have access to your data, the more vulnerable it is.

How to Mitigate Cybersecurity Risks for Third Parties and Vendors

The first step in strengthening a hospital’s third-party risk management program is to review governance practices. This process starts with understanding where the access points are for the variety of third-party relationships. Cybercriminals are masters at exploiting third parties that serve many different healthcare providers: each such third party is a hub, and the providers it serves are spokes on the same network.

Second, risk assessments need to be conducted for each vendor. ECRI noted that hospitals should conduct comprehensive risk assessments before entering into contracts with third-party vendors. An important part of mitigating risk is creating processes to update and review who has access to patient files. This involves appointing roles—including a clinical director of cybersecurity who understands both the security and clinical sides of the work—using firewalls and antivirus software, implementing strong password requirements, and training and retraining staff regularly.

Third, implement risk controls and cyber liability insurance requirements based on third-party and vendor security risks, including periodic in-depth technical, legal, and procedural reviews of the third-party risk management program and of business associate agreements. The latter should include cybersecurity and cyber insurance requirements for vendors and subcontractors that scale with the level of risk each associate presents. It is also worth considering annual policy and procedure cyber risk assessments for vendors.
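The access-review process the three steps above describe, and the "too many insiders" and "Nth party" items in the threat list, come down to one reconciliation: compare the third parties the hospital has inventoried against the accounts actually seen on the network, and flag what does not line up. The following is an added example of that reconciliation, not code from the article, the MPL Association, or any named hospital; the vendor names, accounts, risk tiers, the 90-day staleness threshold, and the finding codes are all constructed for illustration.

```python
"""Reconcile a hospital's register of third parties against the accounts actually
seen on its network. Added example, not from the article: the vendors, accounts,
risk tiers and the 90-day staleness threshold are all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    name: str
    parent: Optional[str]        # None for a direct contractor; else the vendor it subcontracts for
    risk_tier: str               # "high", "medium" or "low" (assumed tiering scheme)
    baa_signed: bool             # business associate agreement in place
    cyber_insurance: bool
    phi_needed: bool             # does the contracted work require reading patient files at all?
    authorized_accounts: set = field(default_factory=set)


@dataclass
class ObservedAccount:
    account: str
    vendor: str                  # vendor the identity system attributes the account to
    last_login: date
    phi_access: bool             # account can read patient files


STALE_AFTER = timedelta(days=90)  # assumed access-review policy threshold


def nth_party_depth(name, register):
    """1 for a direct contractor, 2 for its subcontractor, 3 for a sub-subcontractor, ..."""
    depth, seen = 1, set()
    while name in register and register[name].parent is not None:
        if name in seen:
            raise ValueError(f"cycle in subcontractor chain at {name}")
        seen.add(name)
        name = register[name].parent
        depth += 1
    return depth


def review_third_party_access(vendors, accounts, today):
    """Return (finding_code, subject) pairs for the access-review checks the article calls for."""
    register = {v.name: v for v in vendors}
    findings = []
    for v in vendors:
        # Nth-party risk: a subcontractor touching hospital data needs its own BAA
        if nth_party_depth(v.name, register) > 1 and not v.baa_signed:
            findings.append(("nth_party_no_baa", v.name))
        # Insurance requirements scale with the vendor's risk tier
        if v.risk_tier == "high" and not v.cyber_insurance:
            findings.append(("high_risk_no_insurance", v.name))
    for a in accounts:
        v = register.get(a.vendor)
        if v is None:
            # Access exists for a third party that is not in the inventory at all
            findings.append(("vendor_not_in_register", a.account))
            continue
        if a.account not in v.authorized_accounts:
            findings.append(("unauthorized_account", a.account))
        if today - a.last_login > STALE_AFTER:
            findings.append(("stale_access", a.account))
        # Insider sprawl: PHI access granted to a contractor whose job does not need it
        if a.phi_access and not v.phi_needed:
            findings.append(("excess_phi_access", a.account))
    return findings


def register_coverage(vendors, accounts):
    """(known, total): how many third parties seen on the network the register actually lists."""
    known = {v.name for v in vendors}
    observed = {a.vendor for a in accounts}
    return len(observed & known), len(observed)


# --- constructed sample data (not real vendors or accounts) ---
VENDORS = [
    Vendor("RadiologyPartners", None, "high", True, True, True, {"rp.smith", "rp.lee"}),
    Vendor("BillingCo", None, "high", True, False, True, {"bc.jones"}),
    Vendor("BillingCo-Scan", "BillingCo", "medium", False, False, False, {"bcs.ops"}),
    Vendor("HVACMaint", None, "low", False, False, False, {"hvac.tech"}),
]
ACCOUNTS = [
    ObservedAccount("rp.smith", "RadiologyPartners", date(2025, 10, 10), True),
    ObservedAccount("rp.lee", "RadiologyPartners", date(2025, 5, 1), True),     # unused for 167 days
    ObservedAccount("rp.patel", "RadiologyPartners", date(2025, 10, 1), True),  # never authorized
    ObservedAccount("bc.jones", "BillingCo", date(2025, 10, 12), True),
    ObservedAccount("bcs.ops", "BillingCo-Scan", date(2025, 10, 14), True),     # PHI access without need
    ObservedAccount("hvac.tech", "HVACMaint", date(2025, 9, 30), False),
    ObservedAccount("tmp.vendor1", "UnknownLabs", date(2025, 10, 13), True),    # vendor nobody inventoried
]
TODAY = date(2025, 10, 15)

if __name__ == "__main__":
    for code, subject in review_third_party_access(VENDORS, ACCOUNTS, TODAY):
        print(f"{code:24s} {subject}")
    known, total = register_coverage(VENDORS, ACCOUNTS)
    print(f"register covers {known}/{total} third parties seen on the network")
```

The `vendor_not_in_register` finding is the one the Applied Clinical Informatics figures point at: it can only be raised when the observed accounts are pulled from the identity system rather than from the register itself, which is why the two inputs are kept separate. In practice the register would come from the contracts or vendor-management system and the observed accounts from directory or VPN logs, and the review would run on a schedule rather than once.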

In the event of a cyberattack, a hospital will need to validate decrypted files, check systems for full functionality, enter paper forms into systems, and replace compromised devices. Staff should be debriefed about the experience so the organization can learn the lessons and develop plans with accountability so that it doesn’t happen again.
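"Validate decrypted files" is easier said than done unless something recorded what the files looked like before the incident. The usual approach is an integrity manifest of cryptographic hashes taken at backup time and kept offline, so that restored or decrypted files can be checked byte for byte. The following is an added example of that check, not code from the article or any framework it names; the file names, contents, and the leftover file are constructed, and the assumption is that the manifest was generated before the incident and stored where the attacker could not alter it.

```python
"""Verify files restored after a ransomware incident against a pre-incident integrity
manifest. Added example, not from the article: file names, contents and the manifest
are constructed; a real manifest would be generated from backups before any incident
and kept offline so it cannot be altered along with the data."""
import hashlib


def build_manifest(files):
    """Map each path to the SHA-256 of its contents. Run at backup time, not after the incident."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def validate_restored_files(manifest, restored):
    """Compare restored files to the manifest and report which ones can be trusted."""
    report = {"verified": [], "corrupt": [], "missing": [], "unexpected": []}
    for path, expected in sorted(manifest.items()):
        data = restored.get(path)
        if data is None:
            report["missing"].append(path)
        elif hashlib.sha256(data).hexdigest() == expected:
            report["verified"].append(path)
        else:
            report["corrupt"].append(path)   # decrypted but not byte-identical: do not trust it
    # Files present on the restored system that no pre-incident record accounts for
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


# --- constructed sample data (not real patient records) ---
PRE_INCIDENT = {
    "ehr/patient_1001.json": b'{"mrn": "1001", "allergies": ["penicillin"]}',
    "ehr/patient_1002.json": b'{"mrn": "1002", "allergies": []}',
    "pharmacy/orders.csv": b"mrn,drug,dose\n1001,azithromycin,250mg\n",
}
MANIFEST = build_manifest(PRE_INCIDENT)

RESTORED = {
    "ehr/patient_1001.json": PRE_INCIDENT["ehr/patient_1001.json"],        # intact
    "ehr/patient_1002.json": b'{"mrn": "1002", "allergies": ["latex"]}',    # silently altered
    # pharmacy/orders.csv never came back from decryption
    "ehr/README_RECOVER.txt": b"constructed leftover file",                 # not in the manifest
}

if __name__ == "__main__":
    for status, paths in validate_restored_files(MANIFEST, RESTORED).items():
        print(f"{status:10s} {paths}")
```

A file that decrypts cleanly but lands in `corrupt` is the case worth dwelling on: it is exactly the outcome that would let altered clinical data (an allergy list in the constructed sample) flow back into care, which is the quality-of-care harm the article describes. Anything in `missing` has to be re-entered from paper or recovered from another backup, and anything in `unexpected` is examined before the system goes back into service.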

The Cybersecurity Framework published by the National Institute of Standards and Technology of the U.S. Department of Commerce and the Health Industry Cybersecurity Practices published by the Department of Health and Human Services are two security frameworks that can help safeguard patients’ information against cybercrime. These frameworks can help organizations create, review, and test incident response and recovery plans, so that a procedure is in place to respond to incidents, recover data, and restore operations as quickly as possible after a cybercrime incident.


Amy Buttell is the editor of Inside Medical Liability Online.