Healthcare Sector Faces Escalating Third- and Fourth-Party Risk Management Challenges
Healthcare organizations are increasingly confronted with complex third- and fourth-party risks due to the widespread distribution of sensitive data across diverse vendor networks. Steven Adler, a partner at The Edmund Group, emphasized that data often resides not only with primary vendors but also with offshore, onshore, and even fourth-party entities, which significantly complicates compliance with HIPAA and emerging federal security regulations. The proliferation of vendors and subcontractors in the healthcare supply chain introduces new vulnerabilities, making it essential for organizations to adopt robust risk management frameworks.

Adler recommends that healthcare entities maintain a patient-centric approach while ensuring that risk management strategies are closely aligned with overall business priorities. One critical step is the implementation of a vendor risk-tiering model, which ranks suppliers based on the sensitivity of the data they handle and their strategic importance to the organization. This model helps organizations prioritize oversight and allocate resources more effectively to the most critical relationships.

Adler also highlights the importance of thoroughly vetting vendors, not just for their service capabilities but also for their ability to recover from disruptions. He advises that contracts with suppliers should clearly define recovery time objectives and maximum allowable downtimes to ensure business continuity in the event of an incident. Many healthcare organizations mistakenly assume that their suppliers have adequate recovery capabilities, which can lead to significant operational risks if not properly verified.

The evolving regulatory landscape, including new federal mandates, further increases the pressure on healthcare providers to demonstrate due diligence in managing third-party risks. Business continuity management and disaster recovery planning are now integral components of vendor risk management programs. Organizations are encouraged to regularly evaluate the security posture of their vendors and to ensure that contractual agreements include enforceable security and recovery requirements. The growing complexity of healthcare supply chains necessitates a more proactive and structured approach to governance and risk management.

By adopting these best practices, healthcare organizations can better safeguard patient data, maintain regulatory compliance, and ensure resilience against a rapidly evolving threat landscape. The insights provided by Adler at the Healthcare Security Summit in New York underscore the urgent need for stronger oversight and more sophisticated risk management strategies in the sector. As healthcare organizations continue to digitize and expand their vendor ecosystems, the ability to manage third- and fourth-party risks effectively will be a key determinant of their overall cybersecurity posture.

How this story unfolded
Healthcare risk oversight concerns highlighted in sector report
A report or analysis published on 2025-10-06 highlighted that healthcare cyber and operational risks were increasing and called for stronger oversight. No earlier discrete real-world events are provided in the references, and the two sources appear to be duplicate coverage of the same item.


