Cyber threats targeting healthcare are not just a nuisance; they are life-threatening attacks on critical infrastructure. In a recent webinar between RiskRecon and the American Hospital Association (AHA), an engaging dialogue unfolded around the evolving tactics of cybercriminals, the growing burden on hospitals and vendors alike, and the pressing need for better third-party risk management.
The Reality of Modern Healthcare Cyberattacks
John Riggi, National Advisor for Cybersecurity and Risk at the AHA, summarized the situation clearly: ransomware attacks on hospitals aren't just data heists; they're attacks on human life. "These are threat-to-life crimes", he said, pointing to the deliberate targeting of clinic operations and patient care systems. The motivation of these hackers goes beyond theft: it's disruption, fear, and extortion.
Attackers are largely foreign-based entities, often operating with state backing. What's worse is that they are getting smarter and more strategic. Rather than attacking individual hospitals, they're hitting high-value third parties, like revenue management firms or IT vendors that serve hundreds of hospitals. The result? A single attack, like the Change Healthcare breach, can paralyze systems nationwide. This is called the ripple effect: an attack on a central provider ripples outward to create a huge net effect across an entire ecosystem.
The Data Tells the Story
In this webinar, RiskRecon shared an analysis of healthcare breach trends. In 2020 there was a surge of ransomware incidents, which coincides with the rapid expansion of digital health due to the pandemic. While breach events may fluctuate year over year, the impact of one attack can be devastating. As Riggi noted in the webinar, "one event can affect 140 hospitals and thousands of care sites".
The driving force behind this escalation? The democratization of ransomware. With ransomware-as-a-service, hackers no longer need technical expertise, just money and intent. This growing criminal economy thrives on weak links, especially in the network of third-party vendors.
Why Third-Party Risks Can't Be an Afterthought
Hospitals have long invested in securing their internal systems, but no organization can do everything. Healthcare organizations must work with dozens, sometimes hundreds, of third-party vendors that handle sensitive data or provide mission-critical services. And unfortunately, many of these vendors lack the robust cyber defenses that hospitals have worked so hard to build. As mentioned in the webinar, a hospital can invest in cybersecurity resources to build a digital fortress, but how does it know whether the vendor it is sharing data with is operating out of a wooden shack, with poor cybersecurity hygiene? In today's threat landscape, third parties are part of your organization's security perimeter - and attackers know it.
Good Cyber Hygiene
What separates a secure vendor from a risky one? A robust cybersecurity strategy with strong cyber hygiene practices. This includes:
- Regularly updated systems and software
- Frequent and timely patch management
- Multi-factor authentication enforced across critical systems
- Strong email security
- Robust incident response and recovery plans
- Continuous vulnerability scanning and vendor monitoring
- Threat intelligence tools to anticipate and block attacks
Conversely, poor cyber hygiene often features outdated systems, missing patches, inconsistent incident response, and a lack of visibility into vulnerabilities and third parties. Hackers take advantage of these weaknesses by proactively using tools to scan the internet for exposed systems and attacking the identified vulnerabilities.
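As an added example (not RiskRecon's or the AHA's code, and not their scoring methodology), the script below turns the hygiene checklist above into a repeatable triage over a vendor inventory: it checks patch timeliness, MFA on critical systems, the externally visible email security controls (SPF hard-fail and DMARC enforcement, parsed from the vendor's published DNS TXT records), and any internet-exposed services the vendor has disclosed. The vendor names, DNS records, exposed services and the 30-day patch threshold are all constructed assumptions.

```python
"""Vendor cyber-hygiene triage over a constructed third-party inventory.

Added example, not RiskRecon's or the AHA's code. It scores each vendor
against the hygiene checklist from the article: patch timeliness, MFA on
critical systems, email security as visible in published SPF/DMARC
records, and disclosed internet exposure. Thresholds and the inventory
are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed threshold (not from the page): patches older than this are a gap.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Vendor:
    name: str
    days_since_last_patch: int
    mfa_on_critical_systems: bool
    spf_record: Optional[str]      # TXT record at the vendor's mail domain, if any
    dmarc_record: Optional[str]    # TXT record at _dmarc.<domain>, if any
    internet_exposed_services: list = field(default_factory=list)


def parse_dmarc_policy(record: Optional[str]) -> str:
    """Return the DMARC 'p=' policy (none/quarantine/reject) or 'missing'."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "missing"
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return "missing"


def spf_is_enforcing(record: Optional[str]) -> bool:
    """True when an SPF record exists and ends in a hard fail (-all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return False
    return record.split()[-1].lower() == "-all"


def assess(vendor: Vendor) -> list:
    """Return the hygiene findings for one vendor (empty list = clean)."""
    findings = []
    if vendor.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        findings.append(f"patching: last patch {vendor.days_since_last_patch} days ago")
    if not vendor.mfa_on_critical_systems:
        findings.append("identity: MFA not enforced on critical systems")
    if not spf_is_enforcing(vendor.spf_record):
        findings.append("email: SPF missing or not hard-fail")
    policy = parse_dmarc_policy(vendor.dmarc_record)
    if policy not in ("quarantine", "reject"):
        findings.append(f"email: DMARC policy is '{policy}'")
    for svc in vendor.internet_exposed_services:
        findings.append(f"exposure: {svc} reachable from the internet")
    return findings


def tier(findings: list) -> str:
    """Map a findings list to a coarse risk tier for vendor follow-up."""
    if not findings:
        return "low"
    return "high" if len(findings) >= 3 else "medium"


# Constructed inventory: fictional vendors with fictional DNS records.
INVENTORY = [
    Vendor("claims-clearing-example", 6, True,
           "v=spf1 include:_spf.example.net -all",
           "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"),
    Vendor("billing-portal-example", 95, False,
           "v=spf1 include:_spf.example.org ~all",
           "v=DMARC1; p=none",
           ["RDP (3389)", "SMBv1 (445)"]),
]


def triage(inventory: list) -> dict:
    """Assess every vendor; the result maps vendor name -> (tier, findings)."""
    result = {}
    for v in inventory:
        findings = assess(v)
        result[v.name] = (tier(findings), findings)
    return result


if __name__ == "__main__":
    for name, (risk_tier, findings) in triage(INVENTORY).items():
        print(f"{name}: {risk_tier}")
        for f in findings:
            print(f"  - {f}")
```

In practice the SPF and DMARC strings would come from a DNS lookup of the vendor's domain, and the patch and MFA fields from the vendor's questionnaire or attestation; the point of keeping the checks as small pure functions is that each finding maps directly to one item on the checklist and can be re-run as the inventory changes.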
The Path Forward
One of the most powerful takeaways from the webinar was the need to break the stigma around being a victim. In healthcare, being attacked can carry legal, financial, and reputational risks, which is why many choose to stay silent. But that silence only empowers attackers. While there is no silver bullet to stop every breach and every attacker, there is a way to be prepared. Recognizing that cybersecurity must extend beyond the walls of your organization is the first step to building a robust and resilient protection strategy.
RiskRecon brings transparency to third-party risk, helping healthcare and other industries spot vulnerabilities before attackers do, because a vendor's weaknesses are also your weaknesses.
Ready to strengthen your third-party posture? Request a demo to learn how we can help improve your third-party risk management.
Interested in watching the full webinar? Watch it here.