Why Third-party Vendors Are A Growing Weak Link In Healthcare Data Security

Healthcare systems are often judged by the strength of their internal security, but a growing number of data incidents expose a different weakness: third-party vendors. As hospitals and clinics rely on external service providers for specialized functions, sensitive patient data is no longer confined to a single system. The Deaconess Health System data breach shows how this extended data ecosystem introduces risks that lie beyond an organization's direct control.

In this case, the incident did not originate within the healthcare provider’s own network. Instead, it involved a third-party vendor responsible for handling Release of Information (ROI) requests—an essential function that allows patient records to be shared for legal, insurance, or personal purposes. According to disclosures, an unauthorized individual gained access to the vendor’s cloud-based file-sharing system and downloaded certain files linked to patient records.

This distinction is important. While internal systems may be well-protected, vendors often operate separate infrastructures with their own security protocols. Yet they are entrusted with the same sensitive information, including patient identities, medical records, and insurance details. When a breach occurs at the vendor level, the impact can extend directly to patients and healthcare providers alike.

Modern healthcare relies on third-party vendors across many of its operations, for example billing, transcription, data storage and compliance management. These vendors are essential to running efficient processes, but each one is also an integration point: a new path through which data is accessed, stored and transferred. Those integrations therefore need to be secured to the same standard as the healthcare organization's own internal systems.

One of the greatest challenges in managing vendor risk is gaining visibility into how vendors actually handle security day to day when they store or process healthcare data. Contracts and compliance standards exist, yet third-party vendors often fall short of industry best practices for protecting sensitive data. The result is unaddressed vulnerabilities that go unnoticed until a breach occurs.

Cloud-based file-sharing tools are widely used to exchange data because they are fast and convenient, especially when records must be gathered from multiple locations or organizations. If such a system is not properly secured, configured and maintained, however, it can expose an organization's data to unauthorized access. And because these systems are centralized, a single weakness is likely to compromise many records at once rather than just one.

Another contributing factor is the sensitivity of the information involved in a ROI request. Records requested for ROI typically contain detailed medical history, treatment details and personally identifiable information. Because they are usually assembled for a single purpose (such as a lawsuit or an insurance claim), the data tends to be compiled in an organized form, which also makes it easier to extract in bulk if the system holding it is breached.

As healthcare providers become dependent on outside vendors, the question of liability often lacks clarity. Even though the healthcare provider remains ultimately responsible for its patients' data, the vendor must still maintain compliance with strict security protocols. Communication between both parties must therefore be explicit, periodic audits are a must, and risk assessments need to be continually revisited for the entire data-sharing network.

Incidents like this illustrate an evolving mindset in cybersecurity. Protecting patient information has moved beyond securing internal systems; it now means taking responsibility for the entire ecosystem of partners, platforms and procedures. As the healthcare industry adopts more digital tools and vendor-provided services, this network of interconnected vendors will remain a central focus for organizations trying to innovate while keeping risk in check.

In short, genuinely improving data protection in healthcare requires a broader approach, one that recognizes that vulnerabilities exist not only throughout an organization but across the networks of vendors it relies on.