
The Ecosystem Reality: Why Third-Party Incidents Are Healthcare’s Biggest Cyber Risk

Why three CMIOs say their biggest recent incidents all came from outside their walls.


In conversations with three Chief Medical Information Officers across different healthcare systems, each was asked about their most recent cybersecurity incident. The answer was unanimous and telling: None had experienced a direct attack on their own systems. Instead, all three were grappling with the aftermath of third-party vendor breaches that cascaded through their operations.

This isn’t coincidence – it’s the new reality of healthcare cybersecurity.

The Vendor’s Vendor Problem

“We are big enough to have these experts on staff that are our experts to protect us,” one CMIO explained. “Sometimes I feel that that can be a barrier to agility because of how strict we are and how thorough we are in those evaluations. But I think that we can’t ensure that our partners do the same.”

Here’s the challenge: Healthcare organizations have become incredibly sophisticated at vetting direct vendors. The contracting process is rigorous, security assessments are thorough, and compliance requirements are non-negotiable.

But what happens when your vendor makes a deal with another vendor? Suddenly, you’re exposed to risks you never evaluated, from companies you’ve never heard of, through relationships you don’t control.

One security leader illustrated this perfectly: “I’m going to make a deal to use Vendor X to do something for me here. But Vendor X may make a deal with Vendor Y that lets them do their job. So if there’s a problem with Vendor Y who I’m not technically contracted with, but my vendor needs them to function, I can’t control that.”

When the Ecosystem Fails

The Change Healthcare incident provides a stark example. When its systems went down due to a cyberattack, it wasn’t just Change Healthcare that suffered – it was every healthcare organization that relied on its prescription processing services.

One CMIO described the impact: “We had a lot of issues sending prescriptions, receiving them, having issues being unclear of what went through, what didn’t go through, and who didn’t have their medications.”

The downstream clinical impact was immediate and severe. Patients couldn’t get medications, providers couldn’t verify prescription statuses, and healthcare teams scrambled to identify which patients might be affected. This was a direct patient safety issue caused by a vendor incident completely outside the control of healthcare providers.

But the clinical impact was just the beginning. The compliance implications were equally severe, highlighting a fundamental challenge in healthcare’s regulatory landscape.

The Compliance Trap: When Vendor Failures Become Your Regulatory Problem

Healthcare organizations face a harsh regulatory reality: Vendor incidents don’t absolve them of compliance responsibilities. In fact, they often amplify them.

HIPAA requires covered entities to establish Business Associate Agreements with vendors handling protected health information. While these agreements theoretically transfer some liability, the practical reality is different. When a vendor suffers a breach, the healthcare provider still faces potential penalties, regulatory scrutiny, and mandatory reporting requirements.

The reporting burden alone creates significant operational strain. HIPAA’s proposed 72-hour reporting mandates, similar to regulations like EU NIS2 and DORA for cross-border institutions, require healthcare providers to disclose incidents quickly, regardless of whether the breach originated from their own systems or a vendor’s.

As one CMIO noted: “We actually have to communicate to the state, to the Centers for Medicaid and Medicare Services: ‘This is what’s going on. This is where we are with our recovery.’”

This means that during an active incident – when clinical teams are scrambling to maintain patient care and IT teams are coordinating recovery efforts – compliance teams must simultaneously investigate, document, and report on incidents they didn’t cause and may have limited visibility into.

The data sovereignty challenge adds complexity. Vendors storing healthcare data outside approved regions can trigger compliance violations that organizations may not even know exist until an incident forces a comprehensive audit of their vendor ecosystem.

“We require [vendors] to give us anything and everything we asked for to review,” explained one security leader who’s experienced a vendor ransomware attack. “So, there was actually no limitations on what we could ask.”

But this level of oversight is typically only possible with the largest vendor relationships, leaving many smaller but still critical vendor dependencies in compliance blind spots.

The CrowdStrike Wake-Up Call

The CrowdStrike incident drove home another reality: When critical infrastructure providers fail, the entire healthcare ecosystem fails simultaneously.

“We did [tabletop exercises] with the assumption that it would be a ransomware attack… a very kind of localized event,” one leader reflected. “And this was affecting the entire ecosystem. And that’s where we [learned] that we needed to have more resiliency practices that would incorporate where the ecosystem itself would be widely affected.”

The challenge wasn’t just technical – it was operational and regulatory. When everyone is down at once, the usual backup plans (like calling vendors for support or switching to alternate providers) simply don’t work.

Healthcare organizations faced not only interrupted patient care and massive downtime costs but also complex compliance reporting requirements for an incident that originated entirely outside their control.

Beyond Traditional Risk Assessment

Healthcare organizations are discovering that their traditional approach to vendor risk management isn’t enough. The standard process – sending questionnaires, reviewing documentation, checking compliance certifications – only covers direct relationships.

But post-incident, the conversation is changing. Instead of just asking “Do you do this? Do you do that?” organizations are demanding to see exactly how vendors execute security and recovery plans. They’re asking for evidence of testing, requiring contractual rights to review sub-vendor relationships, and building in financial protections.

The New Vendor Relationship Model

Forward-thinking healthcare organizations are taking several concrete steps to address ecosystem risk:

  • Data sovereignty: “We want to start taking more ownership over the data… so that we have something we can rebuild or even switch over to another third party if possible,” one leader said.
    Rather than letting vendors hold all the data, organizations are requiring regular data exports and maintaining their own copies of critical information. This approach helps address data residency requirements and enables compliance continuity even when vendors fail.
  • Enhanced contractual evolution: Post-incident contract negotiations now address compliance obligations explicitly. Organizations are demanding notification timelines that meet regulatory requirements, recovery guarantees that minimize downtime costs, and financial compensation for both direct losses and compliance penalties resulting from vendor-caused outages.
  • Compliance-aware update management: The CrowdStrike incident highlighted how vendor updates can create both operational and compliance risks. Many organizations have implemented “two versions behind” policies for critical security updates, balancing the risk of delayed patches against the risk of compliance violations from untested updates that could cause widespread outages.
  • Regulatory integration in vendor management: Organizations are building compliance considerations directly into vendor evaluation and ongoing oversight. This includes confirming that vendors can meet the same 72-hour reporting requirements, maintain appropriate data residency, and provide the documentation needed for regulatory reporting.

The Insurance Industry’s Perspective

Perhaps most telling is how the insurance industry views these risks. As one security leader shared from a colleague in insurance risk modeling: “The number one risk that we have is the kind of outage like CrowdStrike, where we’re so dependent upon these technology platforms that when we’re out, there’s massive disruptions in services and in operations. She says that’s the number one risk in our risk model. It’s not ransomware attacks.”

This shift in risk assessment reflects a fundamental change. Traditional cybersecurity focused on preventing bad actors from getting in. Modern cybersecurity also must address the reality that critical vendors – with the best of intentions and strong security practices – still can bring down entire ecosystems through operational failures.

The Minimum Viability Challenge in an Ecosystem World

Traditional recovery planning often assumes you can restore everything systematically, but when entire ecosystems fail simultaneously, organizations must focus on minimum viable recovery (MVR).

The concept of minimum viability becomes critical when your vendors, their vendors, and potentially your backup vendors are all affected. As we’ve explored in our analysis of healthcare cyber threats and MVR, the question isn’t just “How do we recover everything?” but “What are the bare essentials we need to keep patient care running while the ecosystem rebuilds itself?”

This ecosystem reality makes organizational recovery readiness more complex than ever. When you can’t rely on your usual vendors or backup providers, your MVR plan must account for true independence from the broader ecosystem – at least temporarily.

Moving Forward

Organizations can’t just secure their own perimeter; they need to understand and plan for the interconnected web of dependencies that modern healthcare relies on. This means fundamentally rethinking business continuity planning to account for simultaneous ecosystem failures. It means maintaining data sovereignty even when using SaaS providers. And it means accepting that some risks simply can’t be eliminated – only managed and planned for.

The healthcare leaders we spoke with weren’t pessimistic about these challenges; they were pragmatic. They understand that the benefits of interconnected, cloud-based healthcare systems far outweigh the risks.

Test Your Ecosystem Resilience

Understanding the risks is just the first step. The next is honestly assessing whether your organization is prepared for the new reality of interconnected failures. How confident are you that your MVR plan would work when your usual vendors and backup systems are also compromised?

Healthcare organizations serious about ecosystem resilience should evaluate their readiness across three critical areas: business-critical prioritization, measurable technical response, and organizational recovery readiness. Commvault’s Minimum Viability Healthcare Assessment helps evaluate your current capabilities and offers actionable recommendations for closing any gaps.

Don’t wait for the next ecosystem-wide incident to discover whether your recovery plans account for the reality of interconnected healthcare IT. Take the assessment today and build true resilience for tomorrow’s challenges.

