Cyberattacks and data breaches can come from myriad sources, including cracked credentials and phishing. But some breaches originate from business relationships, much like those between healthcare facilities and third-party vendors. This scenario muddies the already complex issue of healthcare cybersecurity, making it harder for facilities managers to trust even close business affiliates.
Among the third parties caught in the crosshairs are software vendors, says Jeffrey Wheatman, senior vice president and cyber risk strategist at Black Kite, a security firm. One reason is the prevalence of the software-as-a-service (SaaS) model, where software updates roll out frequently and expose software vendors to potential zero-day vulnerabilities — hardware or software flaws that are unknown to their creators. Attackers can exploit such flaws to hijack systems long before the vendor becomes aware of them.
“Why would I try to break into a system with super high-level security controls when I can go after something that I know is not being protected?” Wheatman says. “So many of these software providers are being used by hundreds, thousands, sometimes tens or even hundreds of thousands of people. When you find one open vulnerability in the software, you now have opened doors and windows into many organizations.”
By attacking software vendors instead of the user organizations directly, hackers can double their return on investment for breaching an organization, says Chris Henderson, chief information security officer at Huntress, a computer security provider. For example, if a hacker breaches an organization with 1,000 users, or 1,000 other companies using its software, and successfully installs malware there, the attack will have 1,000 victims, Henderson says.
Essentially, instead of having to breach every one of those victims individually, hackers can now target a vulnerability in software and compromise the data of many victims in one strike.
“From an entry point, it makes the return on investment for the breach significantly higher when they can do that through a software supply chain attack,” Henderson says.
Staying vigilant for threats
Healthcare facilities managers must improve visibility into their software and understand where they are exposed to concentration risk, Wheatman says. If there is a high level of concentration risk, meaning an over-reliance on one vendor or software, the impact could be widespread and severe if that platform gets compromised.
This understanding begins by knowing the software their departments use and how it is integrated with other systems. The inventory covers the vendors they rely on, how those vendors’ software is used and what role that software plays in operations.
“For example, organizations had no idea how dependent they were upon Change Healthcare as a provider, and therefore any vulnerability in their system had this sort of cascading domino effect,” says Wheatman. Change Healthcare, a provider of revenue and payment cycle management, suffered a breach in 2024 because the company hadn’t implemented multifactor authentication on a remote desktop access portal. This enabled hackers to use compromised credentials to access its systems.
Once a manager identifies potential concentration risks, the next step is a baseline assessment of the security program. This process includes enabling multifactor authentication, encrypting data and updating anti-virus and anti-malware programs. The steps after that are collecting data and understanding the role of third-party vendors and their compliance with security policies.
Managers must recognize risks not just from their own vendors, but also from the vendors their vendors rely on, says Henderson. This means these deeper supply chain risks can affect the organization just as significantly. He refers to this level as “fourth-party risk management.”
“If everybody uses a software and there's a vulnerability in that software, I need to know if my vendor is using it,” Henderson says. “If I see that there is a security advisory issued for the software, my company needs to watch all the vendors more closely and the integration points for all the vendors that are using that software.”
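The two questions raised above (which vendors represent a concentration risk, and which vendors and departments are exposed when an advisory is issued for a piece of software one of them uses) can be answered from a simple dependency inventory. The following is an added example, not code from the article or from Black Kite or Huntress; the department, vendor and software names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not from the article).
# Third-party layer: each department and the vendors it depends on.
DEPARTMENT_VENDORS = {
    "Billing": {"ClaimsCo"},
    "Pharmacy": {"ClaimsCo", "SchedulerInc"},
    "Surgery": {"SchedulerInc", "BedMgmt"},
    "Emergency": {"ClaimsCo", "BedMgmt"},
}
# Fourth-party layer: the software each vendor itself relies on.
VENDOR_SOFTWARE = {
    "ClaimsCo": {"PDF-Lib", "AuthGateway"},
    "SchedulerInc": {"AuthGateway"},
    "BedMgmt": {"ReportEngine"},
}


def concentration_risk(dept_vendors, threshold=0.5):
    """Return {vendor: share of departments that depend on it} for every
    vendor whose compromise would disrupt at least `threshold` of departments."""
    counts = defaultdict(int)
    for vendors in dept_vendors.values():
        for vendor in vendors:
            counts[vendor] += 1
    total = len(dept_vendors)
    return {v: n / total for v, n in counts.items() if n / total >= threshold}


def advisory_blast_radius(software, vendor_software, dept_vendors):
    """Given a security advisory for `software`, return the vendors that use it
    (fourth-party exposure) and the departments integrated with those vendors,
    i.e. where the organization should watch integration points more closely."""
    affected_vendors = {v for v, sw in vendor_software.items() if software in sw}
    affected_depts = {d for d, vs in dept_vendors.items() if vs & affected_vendors}
    return affected_vendors, affected_depts


if __name__ == "__main__":
    print("Concentration risk:", concentration_risk(DEPARTMENT_VENDORS))
    vendors, depts = advisory_blast_radius("AuthGateway", VENDOR_SOFTWARE, DEPARTMENT_VENDORS)
    print("Advisory for AuthGateway reaches vendors", vendors, "and departments", depts)
```

Raising the threshold narrows the list to the vendors whose loss would be most widespread; here only the vendor used by three of four departments clears a 0.6 cutoff.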
Healthcare managers and their organizations need to stay vigilant about the software their vendors are using. If that software gets breached, the impact is likely to ripple back to the healthcare organization. The stakes are high, making healthcare cybersecurity no longer a nice-to-have but essential.
Jeff Wardon, Jr., is the assistant editor of the facilities market.