Your Vendors May Be Your Biggest Cybersecurity Vulnerability

When healthcare organizations think about cybersecurity risk, most of the conversation focuses inward. Firewalls, endpoints, staff training, and access controls. That instinct is not wrong. But it is incomplete.

The data from 2025 tells a story that many ambulatory practices and senior living organizations have not fully absorbed. Over 80% of stolen protected health information records were not taken from hospitals. They were stolen from third-party vendors, software services, business associates, and nonhospital providers. The threat is not only inside your walls. It lives in every system, platform, and service provider your organization is connected to.

This is what the security community calls third-party or supply chain risk. And it is now one of the most consequential and least managed vulnerabilities in ambulatory healthcare.

What Third-Party Risk Actually Means in Practice

Every healthcare organization depends on a network of vendors. Billing companies. EHR platforms. Managed IT providers. Cloud hosting services. Revenue cycle partners. Patient engagement tools. Each of those relationships involves data, often protected health information, flowing outside your direct control.

Under HIPAA, those relationships are governed by Business Associate Agreements. A BAA creates legal accountability. But it does not create security. A vendor can be contractually bound to protect your data and still suffer a breach that exposes it.

The Change Healthcare attack in early 2024 made this reality impossible to ignore. A single ransomware event at a payment processing subsidiary affected the vast majority of U.S. hospitals and physician practices. Most of those organizations had no direct relationship with Change Healthcare and no visibility into their security posture. The disruption lasted weeks and cost the broader healthcare system billions of dollars.

That was an extreme case. But the underlying vulnerability, which is dependence on third parties whose security controls you cannot directly observe or enforce, is present in virtually every ambulatory practice operating today.

Why Vendor Risk Is Hard to Manage Without a Framework

Most practices do not have a formal process for evaluating the cybersecurity posture of the vendors they work with. New vendors are onboarded based on functionality and price. BAAs are signed as a compliance checkbox. And the question of what controls that vendor actually has in place is rarely asked and almost never verified.

This creates predictable gaps. A billing vendor with weak credential management becomes an entry point into your patient data. A software platform that has not patched a known vulnerability exposes every practice using it. A vendor that stores PHI in an improperly configured cloud environment creates liability that traces back to your organization even though the failure was theirs.

Cybersecurity experts recommend that organizations extend their awareness of cyber risk exposure to the third-party software they run, including by obtaining a software bill of materials (a formal record of the components in a piece of software and the supply chain relationships between them) to help identify software-related vulnerabilities. Most practices are nowhere near this level of vendor visibility, which means the gap between their actual exposure and their perceived exposure is significant.

What a Vendor Risk Management Approach Looks Like

Managing third-party risk does not require an enterprise security team. It does require structure and consistency. A practical approach for ambulatory healthcare typically covers four areas.

Vendor inventory and classification. Before you can manage risk, you need a clear picture of who has access to your data and systems. That means documenting every vendor with a connection to PHI, categorizing them by the sensitivity of the data they handle, and reviewing that inventory regularly as vendor relationships change.

Security questionnaires and evidence review. A signed BAA is a starting point, not a finish line. High-risk vendors, including billing partners, EHR vendors, and IT service providers, should be able to demonstrate their security controls through documentation. This includes evidence of encryption, access controls, incident response procedures, and completed security assessments.

Contractual requirements beyond the BAA. Practices can negotiate security requirements directly into vendor contracts. This includes breach notification timelines, required security standards, and the right to audit. Not every vendor will agree to all terms, but raising the conversation signals that your organization takes vendor risk seriously and creates accountability on both sides.

Ongoing monitoring. Vendor risk is not a one-time assessment. Security postures change. Vendors get acquired. Platforms change ownership. A consistent monitoring cadence, even a simple annual review for high-risk vendors, keeps your picture current and prevents relationships from going unexamined for years at a time.

The Connection to HIPAA Compliance and Cyber Insurance

Regulators and insurers are both paying closer attention to vendor risk management. The 2026 HIPAA Security Rule updates strengthen requirements around risk analysis, which now more explicitly includes the risk introduced by business associates and third-party technology. Practices that cannot demonstrate a structured approach to vendor oversight may find themselves exposed during audits.

On the insurance side, cyber liability carriers are increasingly asking specific questions about vendor management during underwriting. Organizations that have documented their vendor inventory and can show evidence of risk controls tend to receive more favorable coverage terms than those that cannot.

Neither dynamic makes vendor risk management optional anymore. They make it a business requirement that touches compliance, operations, and the organization’s ability to maintain affordable cyber coverage.

Where DAS Health Fits Into This Conversation

DAS Health helps ambulatory healthcare and senior living organizations build the structure they need to understand and manage their full technology risk picture, including the risk that lives outside their own walls. That includes supporting risk analysis processes that account for third-party exposure, helping organizations evaluate vendor security documentation, and ensuring that the IT and cybersecurity infrastructure DAS manages meets the standards your vendors should be held to as well.

If your organization has not recently reviewed the security posture of the vendors you depend on, a cybersecurity assessment is the right place to start.

Frequently Asked Questions About Third-Party Vendor Risk in Healthcare

What is third-party vendor risk in healthcare?

Third-party vendor risk in healthcare refers to the cybersecurity and compliance exposure that comes from sharing data or system access with outside organizations such as billing companies, EHR vendors, IT providers, and revenue cycle partners. When a vendor experiences a breach, the protected health information they handle on behalf of a healthcare organization can be compromised, even if the practice itself did nothing wrong. Managing this risk requires vendor inventories, security reviews, and contractual controls beyond a standard Business Associate Agreement.

Why are healthcare vendors a target for cyberattacks?

Healthcare vendors are targeted because they often hold large volumes of protected health information across multiple client organizations simultaneously. A successful attack on a single vendor can expose data from dozens or even hundreds of practices at once. Attackers recognize that smaller vendors may have weaker security controls than the hospitals or practices they serve, making them an easier entry point into a broader healthcare data ecosystem.

What is a Business Associate Agreement and does it protect against breaches?

A Business Associate Agreement, or BAA, is a contract required by HIPAA between a covered healthcare entity and any vendor that handles protected health information on its behalf. A BAA establishes legal accountability and defines how data must be handled. However, a BAA does not prevent a breach from occurring. It creates legal obligations after a breach happens but does not substitute for verifying that a vendor has strong security controls in place before sharing data with them.

How should a medical practice evaluate vendor cybersecurity?

A medical practice should evaluate vendor cybersecurity by requesting documentation of the vendor’s security controls, including evidence of encryption, access management policies, incident response procedures, and any recent security assessments or audits. High-risk vendors such as billing partners, EHR platforms, and IT service providers should be reviewed on a regular basis rather than only at contract signing. Practices should also confirm that breach notification timelines are specified in the contract.

What is a software bill of materials and why does it matter for healthcare?

A software bill of materials, or SBOM, is a formal inventory of all software components and their supply chain relationships within a technology product. In healthcare, SBOMs matter because they help organizations and their IT partners identify known vulnerabilities in the software they rely on before those vulnerabilities are exploited. The Cybersecurity and Infrastructure Security Agency recommends that healthcare organizations require SBOMs from their technology vendors as part of a comprehensive risk management approach.
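To make the SBOM idea from the earlier section and this answer concrete, here is an added example (not DAS Health's code or any vendor's document) that reads a constructed CycloneDX-style SBOM for a hypothetical vendor product and flags components whose version is below the first fixed version in a constructed advisory list; every product, component, version and advisory id is made up for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical vendor product.
# Product, component names and versions are invented for this example.
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-billing-portal", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "examplelib-pdf", "version": "1.8.3"},
        {"type": "library", "name": "examplelib-auth", "version": "2.0.1"},
        {"type": "library", "name": "examplelib-json", "version": "3.4.0"},
    ],
})

# Constructed advisory list (placeholders, not real CVEs):
# component name -> (first fixed version, advisory id).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "examplelib-pdf": ("1.9.0", "ADVISORY-PLACEHOLDER-1"),
    "examplelib-json": ("3.2.0", "ADVISORY-PLACEHOLDER-2"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.8.3' into (1, 8, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def find_affected(sbom_json: str, advisories: Dict[str, Tuple[str, str]] = ADVISORIES) -> List[Tuple[str, str, str]]:
    """List (component, version, advisory id) for components still below the fixed version."""
    hits = []
    for name, version in load_components(sbom_json):
        if name in advisories:
            fixed, advisory_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                hits.append((name, version, advisory_id))
    return hits


if __name__ == "__main__":
    for name, version, advisory_id in find_affected(VENDOR_SBOM_JSON):
        print(f"{name} {version} is affected by {advisory_id}; ask the vendor for a patched build")
```

In practice the advisory list would come from a vulnerability feed and the SBOM from the vendor, but the check itself is the same: compare what the vendor shipped against what is known to be fixed.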

What percentage of healthcare data breaches involve third-party vendors?

According to the American Hospital Association, over 80% of stolen protected health information in recent years was taken not from hospitals directly but from third-party vendors, software services, business associates, and nonhospital providers. This statistic underscores why vendor risk management has become a central component of healthcare cybersecurity strategy rather than a secondary concern.

Does the 2026 HIPAA Security Rule update affect vendor risk requirements?

Yes. The 2026 HIPAA Security Rule updates strengthen requirements around risk analysis and explicitly extend those expectations to include the risk introduced by business associates and third-party technology partners. Healthcare organizations that cannot demonstrate a structured approach to evaluating and monitoring vendor security posture face increased audit exposure and potential penalties under the updated rule.

What does DAS Health do to help manage vendor risk?

DAS Health helps ambulatory healthcare and senior living organizations assess their full technology risk environment, including the exposure that comes from third-party vendors. This includes supporting structured risk analysis processes, helping organizations review vendor security documentation, and ensuring that the IT and cybersecurity infrastructure DAS manages meets the standards that should be applied to all technology relationships. DAS Health serves as a single accountable partner rather than one of many fragmented vendors contributing to the problem.