Third-Party, Cyber-Risk Skyrockets for Health Systems

Third-Party, Cyber-Risk Skyrockets for Health Systems. A hacker in a black hoodie that leaves his face in shadow sits in a room lit by red lights and works on a laptop to break into a health system's computer network.

Third-party cyberattacks pose one of the biggest challenges on the health care cyber-risk landscape. Hospitals and health systems are at increasing risk of cyberattacks on third parties — such as business associates, medical device providers and supply chain vendors. Third-party breaches occur when sensitive data are stolen from a third-party vendor or when their systems are used to access and steal sensitive information stored on your systems.

Fifty-five percent of health care organizations surveyed experienced a third-party data breach in the last year, and seven of the top 10 health care data breaches reported so far this year involved third-party vendors. The biggest breach – which affected more than 30 health care providers and health insurance carriers and 2.6 million patients – involved OneTouchPoint, a third-party mailing and printing vendor.

These threats underscore the urgent need for a robust third-party, risk-management program (TPRM) that enables you to identify, assess and mitigate cyber-risk exposures from strategic as well as tactical perspectives. At the same time, a comprehensive approach to managing risk must also encompass detailed preparations for responding to any incidents that do occur to assess impact, minimize downtime, support business continuity and ensure patient safety.

John Riggi, AHA’s national adviser for cybersecurity and risk, posted a blog this month presenting the following key strategies to bolster your defenses and strengthen your response capabilities:

  1. Take a critical and objective look at your existing TPRM program framework.
  2. Implement third-party, risk-based controls and cyber-insurance requirements based on identified risk levels.
  3. Consistently and clearly communicate third-party, risk-management policies, procedures and requirements internally.
  4. Prepare intensively for incident response and recovery.

To learn more about how the AHA can help you strategically manage your third- and fourth-party cyber-risk, and protect your patients by minimizing the downtime impact if cyberattacks should occur, read Riggi’s blog on reducing third-party cyber-risks, visit or email him at

AHA Center for Health Innovation logo