This is article part 6 of 15 in this report.

July 28, 2025

Third-Party Risks Can Create Cyber Challenges for Healthcare

Key takeaways

  1. Healthcare organizations spend an average of 7% of their IT budgets on cyber security — lower than many other industries.
  2. A significant proportion of healthcare organizations still lack basic resilience-related cyber controls.
  3. AI is opening many new fronts for potential cyber risks which will require updated insurance products, as well as training and human intervention.

The impact of cyber attacks in the healthcare industry can be catastrophic. Healthcare organizations hold a wealth of very sensitive information, and the theft of client and patient data and intellectual property can have serious financial, reputational and regulatory consequences. On top of that, cyber security breaches in medical-device and medtech organizations can threaten the health — and even the lives — of patients.

The healthcare sector also faces its own unique set of challenges when it comes to managing cyber risks. First, many organizations — including hospitals and clinics — continue to suffer from a shortage of IT talent.[1] Second, budgets are often tight, making it difficult to secure the funding needed to manage cyber risk. Our data suggest that healthcare organizations spend a median of 7 percent of their IT budget on security, which is lower than manufacturing organizations (8 percent) and finance and insurance organizations (9 percent).[2]

Meanwhile, healthcare organizations have embraced a broad variety of digital innovations, from incorporating hybrid cloud technology to deploying wearable devices and telehealth applications enabled by AI — all of which can increase the number of entry points for threat actors. In 2024 alone, for example, the FDA approved 107 new medical devices, bringing the total number of approved devices to 1,016 — up from just six in 2015.[3] The more internet connectivity an organization creates, the larger the cyber-attack surface can become. AI-powered methods also open many new fronts of potential cyber risk,[4] of which privacy and security represent only one. Insurance products are being updated to help transfer these risks, but training and human intervention will also be very important in any effective holistic risk management strategy.

In addition, these new technologies — as well as the outsourcing of a number of functions, including IT management — require healthcare organizations to work with a broad range of smaller companies, many of which may have a lower level of cyber sophistication and security. These third- and fourth-party risks have increased significantly in recent years and are a major concern for many organizations. The uptick in mergers and acquisitions activity in the healthcare sector in recent years has also introduced similar risks related to mismatched cyber controls.

Healthcare organizations are often a top target for cyber attackers, and it’s perhaps not surprising that healthcare organizations ranked a cyber attack or data breach as their number one risk in Aon’s 2023 Global Risk Management Survey.[5] As the American Hospital Association (AHA) reports, both the rate and severity of cyber attacks on hospitals have risen dramatically over recent years, with 259 million Americans’ healthcare records having been stolen in full or in part by the end of 2024.[6]

As a result, healthcare organizations must be laser-focused on managing cyber risks. Patients, insurers and regulators are putting pressure on the industry to meet cyber-resilience standards — including through legislation such as the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act — and the penalties imposed for noncompliance or data breaches can be significant.[7]

To stay ahead of cyber risks and legislation, healthcare organizations need to look at their cyber risk holistically and understand the full range of risk transfer strategies and mitigation measures. While the breadth of coverage available to healthcare organizations through cyber insurance has increased in a competitive insurance market, there is also increased scrutiny on key aspects of cyber maturity — including cyber resilience. Companies that lack key cyber-security controls may struggle to secure insurance and may achieve less favorable outcomes in the insurance market.

Aon Clients Report: The Healthcare Industry and Cyber Risk

Aon’s Cyber Quotient Evaluation (CyQu) data show that overall risk scores for healthcare organizations improved marginally from 2.76 out of 4 in 2023 to 2.82 in 2024. These scores mean that on average, healthcare organizations perform slightly better than manufacturing organizations (2.53), which tend to be less highly regulated, but not as well as finance and insurance organizations (2.96). As is generally the case across sectors, global and enterprise companies score higher (3.06 and 3.02, respectively) than mid-market organizations (2.85) and small and midsize enterprises (SMEs) (2.66).[8]

Looking at risk score by cyber domain, healthcare organizations score highest for endpoint security, network security and data security, on average. These areas are of particular importance for the industry and have been a major focus of cyber security investments. Perhaps unsurprisingly, given the issues highlighted above, they score lowest for business resilience and third-party cyber due diligence. But these areas are attracting increased scrutiny across the healthcare sector and from insurers, and we expect to see a growing focus on managing these risks in the coming years. Scores are also low for application security, though these risks may have less relevance for companies in the healthcare sector because many do not develop their own software applications.

Cyber Domains | 2024 Healthcare Providers & Services Industry

Overall Risk Score: 2.82

Highest Scoring

  Endpoint Security: 3.07
    Endpoint Protection: 3.22
    Logging & Monitoring: 3.20
    Secure Config.: 3.05

  Network Security: 3.03
    Pen Testing: 3.28
    Environment: 3.01
    Wireless: 2.94

  Data Security: 2.98
    User Awareness Training: 3.37
    Governance: 3.01
    Data Protection: 2.96

Lowest Scoring

  Application Security: 2.40
    Software Mgmt.: 2.37
    Training: 2.42
    Secure Dev.: 2.49

  Third Party: 2.44
    Due Diligence: 2.25
    3rd Party Contracts: 2.56
    3rd Party Inventory: 3.00

  Business Resilience: 2.66
    BCM/DR: 2.57
    Backup: 2.71
    Incident Response: 2.72

CyQu Risk Maturity Scoring

  Initial: 1.0 - 1.9
  Basic: 2.0 - 2.5
  Managed: 2.6 - 3.4
  Advanced: 3.5 - 4.0


Looking to the U.S., Aon’s Ransomware Supplemental Applications red flag controls data show a year-over-year decrease of 14 percent in our renewal clients’ red flags, a significantly larger improvement than the cross-industry average of 9 percent.

However, there is still significant room for improvement, particularly regarding resilience-related controls and for mid-market organizations and SMEs. A significant proportion of these smaller organizations still lack several relatively basic controls; for example, 58 percent reported they did not have an annual tabletop exercise, and 30 to 50 percent reported lacking backups stored in a secondary data center, an incident response plan for ransomware, or MFA for backups. Addressing these issues as well as the lack of several other resilience-related controls would be relatively straightforward and should be a priority for healthcare organizations.

Addressing a lack of vulnerability scans across 100 percent of the enterprise will be much more challenging for organizations of all sizes given the rapid churn in providers and ongoing M&A activity across the sector.

Top 10 Critical Red Flags | 2024 Healthcare Providers & Services (chart, two panels: Global & Enterprise; Middle Market & SME)
Given the size and prominence of the sector, it is perhaps unsurprising that a significant portion of ransomware attacks appear to have targeted healthcare organizations.[9] Underreporting of attacks will likely be particularly prevalent in this sector.

Key Observations | 2024 Healthcare Providers & Services Industry (charts: Ransomware Victims by Sector (Threat Intel); Target Victims by Sector (Q4’24 Access Claims))

Now What? Actions for Healthcare Organizations

Understand Your Exposures

Healthcare organizations need to develop a detailed and regularly updated understanding of their control maturity and cyber vulnerabilities, and of the potential impacts of those vulnerabilities. The full range of potential losses should be quantified to better inform budget decisions. This detailed understanding of cyber risk can then be used to help choose the highest-priority risk mitigation measures and to assess available risk-transfer solutions.

Healthcare organizations have sometimes been slow to integrate cyber risks related to new technologies. They will, however, need to face technology-related issues head-on, especially given the rapid adoption of AI across the sector. One of the first steps to an effective risk management strategy will be gaining a full understanding of current technology-related risk exposure and its likely evolution.

Manage Third-Party Risks

Understanding and managing cyber risks related to third parties, vendors and potential M&A transactions is becoming more important across the healthcare sector. While many healthcare organizations were early adopters of vendor and business partnership due-diligence agreements, most organizations lacked the resources to verify that all their vendors were complying.

Given the volume of third parties that many healthcare organizations work with, they will need to scrutinize their vendors in terms of cyber risk. Those seen as critical — for example, those with access to electronic health records — should face additional due diligence checks.

Healthcare organizations will also need to ensure they are resilient to cyber events affecting their suppliers, including by considering how they can disconnect from their vendors and ensure business continuity.

Take a Holistic Approach to Building Cyber Resilience

While access management remains an issue and cannot be ignored, healthcare organizations will also need to increase their focus on building their cyber resilience. An early step should be ensuring all basic controls — including using MFA for backups, storing backups in a secondary data center and holding tabletop exercises at least once a year — are in place, especially given that many of these controls are relatively easy to implement.

Aligning incident response and business continuity planning should also be a priority. Organizations should conduct diagnostic reviews of existing plans and run business impact analyses. They should also break down silos as much as possible to get a 360-degree view of risk and to ensure that goals, processes and procedures are aligned. Leveraging the strength of existing enterprise emergency operations centers can also help build cyber resilience.

The Network and Information Security (NIS2) Directive,[10] an EU-wide piece of legislation that applies to healthcare, life sciences and pharmaceutical organizations, came into force in 2024. Some of the biggest changes under NIS2 are the specified management liabilities and administrative fines for noncompliance. The legislation calls for direct action in some key cyber-security areas and outlines new controls that must be implemented, along with new guidance on how significant incidents should be reported. However, the extent to which NIS2 is implemented varies by country within the EU, just as data breach laws can vary by state in the U.S.

Organizations will need to understand shifts in and impacts of legislation. Over recent years, for example, a number of plaintiffs’ law firms in the U.S. have been taking advantage of some of the regulations targeted at healthcare companies to initiate a number of class actions. As a result, many hospitals have spent a considerable amount of money defending themselves against online tracking/pixel lawsuits.[11] Healthcare organizations should ensure they are well prepared for regulatory shifts, including by implementing appropriate governance structures.

References

[1] “Cyber Security Talent Gap: Use These Solutions to Help Rectify Ongoing Issue,” Aon, January 2023.

[2] CyQu Enterprise Edition response data analysis for 2024.

[3] Artificial Intelligence Index Report 2025, AI Index Steering Committee, Stanford University Human-Centered Artificial Intelligence, April 2025.

[4] “The Role of Risk Management in the Age of Generative Artificial Intelligence,” Aon, January 7, 2025.

[5] “Top Risks Facing Healthcare Organizations,” Aon, November 28, 2023.

[6] John Riggi, “3 Must-know Cyber and Risk Realities: What’s Ahead for Health Care in 2025,” American Hospital Association, April 3, 2025.

[7] “Implications of Noncompliance with HIPAA: What to Expect as a Healthcare Organization,” Compliancy Group, April 19, 2023.

[8] CyQu Enterprise Edition response data analysis for 2024.

[9] According to both Aon Intelligence team analysis of information posted on ransomware leak sites on the dark web and Aon Access Claims data.

[10] “NIS2 Directive: securing network and information systems,” European Commission, updated July 1, 2025.

[11] Melissa Bilancini, Alexander Vitruk, Aleksandra Vold and Lynn Sessions, “DSIR Deeper Dive: Tracking the Crackdown on Tracking/Pixel Technologies: Web Litigation and Regulatory Landscape – Part 1,” Baker & Hostetler, November 6, 2024.
