AHA Knowledge Exchange Monitoring and Mitigating Third-party Cyber Risks

AHA Knowledge Exchange

Proactive strategies for managing vendor cybersecurity gaps

In today's digitally interconnected health care landscape, a health system's cybersecurity is only as robust as its weakest link — often found in third-party vendors, mission-critical technologies, and the broader digital supply chain. Recent hospital cyberattacks have highlighted a growing threat: external service providers with inadequate security protocols. When just one vendor’s systems are breached, cybercriminals can access sensitive patient information, disrupt essential operations, and jeopardize patient safety. This Knowledge Exchange e-book reveals how leading hospitals and health systems are proactively enhancing vendor risk management strategies. By assessing, monitoring, and mitigating third-party cybersecurity risks, they are protecting patient data, ensuring operational continuity, and preserving long-term financial stability and public trust.

Sponsored by: Mastercard Cybersecurity

9 ways health care organizations are adopting a more proactive and strategic approach to cybersecurity

  • Start with strong governance. Establish clear oversight, accountability and executive sponsorship for third-party risk.
  • Build a comprehensive inventory. Identify and document all third-party vendors. Track what percentage of vendors are inventoried and reviewed regularly.
  • Assess risk beyond the third party. Consider fourth- and fifth-party relationships, as each layer introduces additional complexity and risk.
  • Integrate risk into contracts early. Use proactive, robust contract language to set expectations and enforce standards from the start.
  • Prioritize business and clinical continuity. Understand the operational impact if a third-party system fails. Treat cyber disruptions like natural disasters; plan for both physical and technological emergencies.
  • Foster cross-functional collaboration. Strengthen coordination among procurement, legal, compliance, IT and cybersecurity. Empower teams with clear roles, escalation paths and access to critical contacts.
  • Use external validation, not just self-assessments. Don’t rely solely on vendor self-certifications. Use independent third-party assessments and corroboration.
  • Leverage industry tools and certifications wisely. Certifications like HITRUST [Health Information Trust Alliance Common Security Framework] can help, but they’re only snapshots.
  • Measure what matters. Track metrics like inventory completeness, review frequency and executive engagement. Use these KPIs to drive continuous improvement and accountability.

Participants

  • Paulette Davidson, MBA, FACHE, CMPE: President and CEO, Monument Health
  • Jonathan Ehret, CISSP, CISA, CTPRP, CRISC: Vice President, Ecosystem Risk Solutions, Mastercard
  • Brian Gragnolati: President and CEO, Atlantic Health System
  • Ajay K. Gupta, CISSP, MBA: Chair, Trinity Health Mid-Atlantic and Holy Cross Health
  • Wendy Horton, PharmD, MBA, FACHE: CEO, UVA Health University Medical Center
  • James Leonard, M.D.: President and CEO, Carle Health
  • Carlos Migoya: CEO, Jackson Health System
  • Candice Saunders, FACHE: President and CEO, Wellstar Health System
  • Michael Ugwueke, MPH, DHA, FACHE: President and CEO, Methodist Le Bonheur Healthcare

Moderator:

  • John Riggi: National Advisor for Cybersecurity and Risk, American Hospital Association