Healthcare services today extend well beyond hospitals and clinical settings: many businesses support healthcare providers by handling large volumes of sensitive patient-care data. Call centres, billing services, and data-processing vendors administratively manage patient data on behalf of the provider, creating a complex network within the healthcare provider industry. This has enabled healthcare organizations to improve their operational efficiency and offer more services to their patients through multiple channels, but it has also widened the attack surface and increased the risk of cyberattacks against those organizations.
As healthcare organizations increasingly outsource non-clinical operations to third-party service providers, those vendors obtain access to a multitude of information about patients, including names, Social Security numbers, insurance details, and protected health information, even though these third-party service providers may never interact directly with the patient.
The structure of this exposure creates a vulnerability across the entire healthcare provider system: even healthcare providers with a secure internal infrastructure remain vulnerable to attacks that arrive through insufficient security controls at their contractors or vendors. A clear example of this kind of indirect access is the data breach VillageCareMAX experienced as a result of a contractor's network.
With respect to contractor/vendor compliance, part of the challenge is gaining adequate visibility into how contractors and vendors protect and monitor access to healthcare information. While it is common for a contract to state the compliance responsibilities of a particular contractor/vendor, actual enforcement and auditing of that compliance is typically very limited.
Because it combines identity, financial, and medical information, healthcare data is particularly appealing in the underground economy. For example, if a single vendor account is compromised, it could expose thousands of records across multiple organizations.
The difficulty with accountability stems from the fact that, when a breach occurs within a contractor/vendor's systems, the individuals affected may not know whom to hold accountable for safeguarding their healthcare information. This uncertainty can delay incident response and erode trust in the overall healthcare system.
Although regulatory frameworks (e.g., HIPAA) provide a baseline of compliance requirements, they do not remove the risk introduced through human error, unintentional misconfiguration of systems, or insiders within a third-party environment. Compliance is not the same as resilience.
As healthcare companies relinquish administrative roles to other companies, cybersecurity will transform from a solely internal defence mechanism into a defence strategy that depends on third parties and vendors. Continuous risk assessment of vendors, least-privilege access, and incident response coordination will be critical components, not optional ones.
In summary, healthcare security is only as strong as the weakest external connection to the organization.
