Date: 2025-02-13

The healthcare sector is no stranger to third-party data breaches, making third-party risk management and privileged access management imperative elements of any healthcare organization's security strategy.

However, according to a survey by Ponemon Institute and Imprivata, just 36% of health IT respondents said that their organizations have a strategy to address privileged access risk that is consistently applied across the entire organization. Other respondents reported applying those strategies sporadically or having an informal or ad hoc strategy for addressing privileged access risks.

Ponemon Institute surveyed 1,942 IT and IT Security practitioners across the U.S., the U.K., Germany and Australia. Respondents represented healthcare, industrial and manufacturing, public sector and financial services organizations.

The results revealed that even as third-party risks continue to pose threats to healthcare and other sectors, persisting barriers, like a lack of governance and budget constraints, prevent organizations from effectively managing these risks.

Third-party security incidents have widespread impacts on healthcare

Nearly half (47%) of the total surveyed organizations experienced a data breach or cyberattack involving third-party network access in the last 12 months. In healthcare, 44% of the respondents said that their organization experienced a third-party data breach or cyberattack.

One of the most notable data breaches of 2024 occurred at Change Healthcare, which serves as a third-party vendor to healthcare organizations nationwide. When a cyberattack hit Change Healthcare in February 2024, it caused widespread operational and financial disruptions across the U.S. healthcare sector.

"Third parties frequently need access -- often privileged access -- to devices, systems, applications, and networks, but providing that access creates new risks for the organizations granting it. Third parties are a frequent target of bad actors because they typically have more access than they need," the report stated.

"Why? Because third parties present unique access management challenges: they're not employees, and it's therefore difficult to track their lifecycle and employment status, to enforce multifactor authentication, or to appropriately set up their access rights. Armed with that knowledge, bad actors try to take advantage of third parties' access."

As a result of these third-party data breaches and privileged internal access gaps, 60% of healthcare respondents reported that confidential information had been lost or stolen. What's more, 47% of healthcare respondents reported severing relationships with third parties, and 49% suffered regulatory fines. Loss of customers, business disruptions and reduced revenue were also commonly reported.

Confidence in the sector's ability to reduce these disruptions varies, the report showed. More than 40% of healthcare respondents said that they anticipate that data breaches caused by third parties will increase over the next 12 to 24 months, and 45% reported agreeing or strongly agreeing that managing third-party permissions and remote access can be overwhelming and "a drain on our internal resources."