Monitoring and Mitigating Third-party Cyber Risks
AHA Knowledge Exchange
Proactive strategies for managing vendor cybersecurity gaps
In today's digitally interconnected health care landscape, a health system's cybersecurity is only as robust as its weakest link — often found in third-party vendors, mission-critical technologies, and the broader digital supply chain. Recent hospital cyberattacks have highlighted a growing threat: external service providers with inadequate security protocols. When just one vendor’s systems are breached, cybercriminals can access sensitive patient information, disrupt essential operations, and jeopardize patient safety. This Knowledge Exchange e-book reveals how leading hospitals and health systems are proactively enhancing vendor risk management strategies. By assessing, monitoring, and mitigating third-party cybersecurity risks, they are protecting patient data, ensuring operational continuity, and preserving long-term financial stability and public trust.
9 ways health care organizations are adopting a more proactive and strategic approach to cybersecurity
- Start with strong governance. Establish clear oversight, accountability and executive sponsorship for third-party risk.
- Build a comprehensive inventory. Identify and document all third-party vendors. Track what percentage of vendors are inventoried and reviewed regularly.
- Assess risk beyond the third party. Consider fourth- and fifth-party relationships, as each layer introduces additional complexity and risk.
- Integrate risk into contracts early. Use proactive, robust contract language to set expectations and enforce standards from the start.
- Prioritize business and clinical continuity. Understand the operational impact if a third-party system fails. Treat cyber disruptions like natural disasters; plan for both physical and technological emergencies.
- Foster cross-functional collaboration. Strengthen coordination among procurement, legal, compliance, IT and cybersecurity. Empower teams with clear roles, escalation paths and access to critical contacts.
- Use external validation, not just self-assessments. Don’t rely solely on vendor self-certifications. Use independent third-party assessments and corroboration.
- Leverage industry tools and certifications wisely. Certifications like HITRUST [Health Information Trust Alliance Common Security Framework] can help, but they’re only point-in-time snapshots of a vendor’s posture.
- Measure what matters. Track metrics like inventory completeness, review frequency and executive engagement. Use these KPIs to drive continuous improvement and accountability.
Participants

Paulette Davidson, MBA, FACHE, CMPE
President and CEO
Monument Health

Jonathan Ehret, CISSP, CISA, CTPRP, CRISC
Vice President, Ecosystem Risk Solutions
Mastercard

Brian Gragnolati
President and CEO
Atlantic Health System

Ajay K. Gupta, CISSP, MBA
Chair
Trinity Health Mid-Atlantic and Holy Cross Health

Wendy Horton, PharmD, MBA, FACHE
CEO
UVA Health University Medical Center

James Leonard, M.D.
President and CEO
Carle Health

Carlos Migoya
CEO
Jackson Health System

Candice Saunders, FACHE
President and CEO
Wellstar Health System

Michael Ugwueke, MPH, DHA, FACHE
President and CEO
Methodist Le Bonheur Healthcare

Moderator:
John Riggi
National Advisor for Cybersecurity and Risk
American Hospital Association