Last year, cyberattackers accessed 192.7 million patient records at Change Healthcare. And the attack vector wasn’t sophisticated; the attackers used exposed credentials on a service that didn’t have multi-factor authentication (MFA) enabled. Similarly, criminals exploited website tracking data from Kaiser Foundation Health Plan to breach patient information. Both breaches had the same root cause: a vendor with weak security.
Healthcare data breaches now cost an average of $7.42 million in the United States. That’s higher than any other sector, and third-party involvement in these breaches has doubled to nearly 30% in recent years. Over 70% of organizations dealt with at least one serious third-party security incident last year alone.
Healthcare can’t run without partners, especially for billing systems, electronic health records (EHRs), medical device vendors, and cloud services. But every vendor connection is another entry point. Weak security at a vendor becomes your problem. You can have the most secure infrastructure in the world, but when a vendor gets compromised, attackers walk right in.
Visibility into your software supply chain isn’t optional anymore. It’s how you avoid the next breach and the millions in damage that come with it.
Why Healthcare’s Attack Surface Keeps Expanding
Most hospitals operate with sprawling digital networks made up of thousands of vendors, suppliers, and service providers. Each connection expands the attack surface. The math gets ugly fast when you consider that 57% of organizations handle more than 50 externally facing applications annually, according to the Legit Security ASPM Strategies report. Twenty-one percent manage over 500.
The ways attackers exploit these connections keep multiplying. Compromised credentials give them access under the guise of routine maintenance. Unpatched code in a third-party billing system exposes payment data. Security flaws in a partner’s system create backdoors. Sometimes it’s just a partner employee with legitimate access who misuses their permissions.
When any of this happens, the hospital deals with the fallout: breach notifications, regulatory fines, reputation damage. It doesn’t matter that you weren’t at fault.
Understaffing makes this worse: only 14% of healthcare IT leaders say their teams are fully staffed. These short-staffed teams are trying to monitor hundreds of vendors while managing compliance requirements and keeping general IT operations running. It’s not sustainable.
The Visibility Gap Problem
The problem isn’t just the number of vendors. It’s that most teams can’t see what’s actually happening across their software supply chain.
The same Legit Security strategies report shows the top security challenges as:
- Inefficient vulnerability management (32%)
- Unprioritized vulnerabilities (26%)
- Limited visibility (22%)
These problems are all connected. When you can’t see your full attack surface, you can’t manage vulnerabilities effectively.
Keep in mind that the software supply chain extends beyond third-party vendors. It includes other vulnerable links in the chain, like development tools, code repositories, build pipelines, open-source components, and AI-generated code. As production deadlines get tighter, developers pull in more open-source libraries and AI-generated code without proper vetting. Tech debt piles up fast.
Many teams lack the tools to get clarity on all the parts of their supply chain, let alone to tell whether those parts have been compromised. When they do find vulnerabilities, they struggle to prioritize them based on actual risk: there are too many to understand each one and sort through manually.
The result is that security teams are unable to manage risks at the speed and scale healthcare requires. That’s why 29% now cite enhancing visibility into software supply chain risks as their top application security priority for the next 12 months.
Building Proactive Defense for 2026
Running through compliance checklists won’t cut it anymore. The threat landscape moves too fast for that approach to work.
Start with the basics:
- Vet third-party vendor security rigorously. Require evidence of their security controls and practices.
- Maintain detailed software bills of materials so you know what’s in your environment.
- Implement continuous monitoring across your entire application security landscape with the help of AI. Periodic audits miss too much.
Application Security Posture Management (ASPM) provides unified visibility across the software supply chain. It automatically prioritizes vulnerabilities based on risk and exploitability instead of making your team sort through thousands manually. Real-time detection catches issues that quarterly audits would miss entirely. This takes pressure off understaffed teams while improving the quality of security decisions.
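To make the SBOM and risk-based prioritization points above concrete, here is an added example (not Legit Security's code or any ASPM product's logic) that reads a constructed CycloneDX-style SBOM, matches its components against a constructed vulnerability feed with placeholder CVE ids, and ranks findings by CVSS weighted by known exploitation, internet exposure and whether the app handles patient or payment data. The weights and the purl/context data are assumptions for illustration.

```python
# Added example (not Legit Security's code): risk-based triage of SBOM findings.
# Assumes a CycloneDX-style SBOM; all ids, packages and weights are constructed.
import json

# Constructed CycloneDX-style SBOM for a hypothetical billing service.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "billing-http", "version": "2.3.1", "purl": "pkg:pypi/billing-http@2.3.1"},
    {"name": "pdf-render", "version": "1.0.4", "purl": "pkg:pypi/pdf-render@1.0.4"},
    {"name": "log-utils", "version": "0.9.0", "purl": "pkg:pypi/log-utils@0.9.0"},
]})

# Constructed vulnerability feed keyed by purl (placeholder CVE ids, not real ones).
VULN_FEED = {
    "pkg:pypi/billing-http@2.3.1": [{"id": "CVE-0000-0001", "cvss": 7.5, "known_exploited": True}],
    "pkg:pypi/pdf-render@1.0.4": [{"id": "CVE-0000-0002", "cvss": 9.8, "known_exploited": False}],
    "pkg:pypi/log-utils@0.9.0": [{"id": "CVE-0000-0003", "cvss": 9.1, "known_exploited": False}],
}

# Constructed deployment context: is the component in an externally facing app,
# and does that app handle patient or payment data?
CONTEXT = {
    "pkg:pypi/billing-http@2.3.1": {"external": True, "phi": True},
    "pkg:pypi/pdf-render@1.0.4": {"external": True, "phi": False},
    "pkg:pypi/log-utils@0.9.0": {"external": False, "phi": True},
}

def risk_score(vuln, ctx):
    """Weight CVSS by exploitability and exposure; higher means fix first."""
    score = vuln["cvss"]
    if vuln["known_exploited"]:
        score *= 2.0    # actively exploited bugs outrank theoretical ones
    if ctx.get("external"):
        score *= 1.5    # reachable from the internet
    if ctx.get("phi"):
        score *= 1.2    # touches protected health or payment data
    return round(score, 2)

def prioritize(sbom_json, feed, context):
    """Return (purl, cve, score) tuples for every SBOM component, highest risk first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        purl = comp["purl"]
        for vuln in feed.get(purl, []):
            findings.append((purl, vuln["id"], risk_score(vuln, context.get(purl, {}))))
    return sorted(findings, key=lambda f: f[2], reverse=True)

for purl, cve, score in prioritize(SBOM_JSON, VULN_FEED, CONTEXT):
    print(f"{score:6.2f}  {cve}  {purl}")
```

Note that the CVSS 9.8 finding does not land on top: the actively exploited, internet-facing component handling payment data does, which is the difference between sorting by severity alone and sorting by risk.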
Don’t wait for a breach to force your hand. Organizations that adopt risk-based approaches instead of compliance checklists will be in a better position as cyber threats continue evolving in 2026.

Liav Caspi
Liav Caspi leads product management and strategy. Liav previously held leadership positions in product management, platform architecture and engineering at IDF Unit 8200, Checkmarx, and Argus Cyber Security.