
DOI: 10.1055/a-2713-5725
Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations
Abstract
Objective
Gather insights regarding the state of third-party access cybersecurity in healthcare delivery organizations (HDOs).
Methods
An online multinational survey was deployed to eligible respondents to assess HDO third-party access, cybersecurity, and challenges.
Results
Of 209 respondents, only 51.1% reported having a comprehensive inventory of all third parties accessing their network. Sixty percent stated third-party access to sensitive/confidential information was not routinely monitored, despite 19% having more than 40, and 31% having 21 to 40 third parties with network access. Reasons included lack of resources (48%), lack of centralized control over third-party relationships (36%), complexity (28%), and frequent third-party turnover (22%). Confidence in third parties' ability to secure information and in their reputations was also cited. More than half (56%) reported a breach involving a third party in the last 12 months, and two-thirds anticipate breaches increasing in the next 12 to 24 months. Most agreed breaches are a cybersecurity priority, a resource drain, and their weakest attack surface. Slight majorities indicated high perceived effectiveness in mitigating, detecting, preventing, and controlling third-party access risks and in security/privacy regulatory compliance. Regarding existing solutions, roughly half ranked the effectiveness of vendor privileged access management (VPAM; 55%) and privileged access management (PAM; 49%) at ≤ 6 on a 10-point scale. Barriers to reducing access risks include lack of oversight/governance (53%) and insufficient resources (45%). Of those monitoring third-party access, 53% do so manually. Breach consequences include loss/theft of sensitive information (60%), regulatory fines (49%), severed relationships with third parties (47%), and loss of revenue (42%) and business partners (38%).
Conclusion
HDOs recognize the increasing threat of third-party cyber breaches but are struggling to address them effectively. Lack of budget and expert resources, complexity, and third-party turnover are among the reasons why. A need exists for automated, cost-effective solutions that address the significant risks of third-party access with a consistent strategy that minimizes breach risk by securing remote access to privileged assets, accounts, and data.
Keywords
third-party access - cybersecurity - access management - health delivery organizations - information technology - clinical information systems - process improvement
Protection of Human and Animal Subjects
No human subjects were involved in this study. All data was collected from respondents opting in to the survey, and strict data confidentiality, privacy, and ethical research standards were observed. Respondents accepted the survey terms, which declared their individual data would be analyzed and presented only in aggregate form in a fully de-identified manner. No PII from individuals was collected. As a result, ethical board review was waived.
Authors' Contributions
D.B., R.P., and S.P.K. conceptualized and co-designed the survey instrument and methodology, provided oversight for survey execution and analysis, contributed content to, and reviewed and edited all versions of the manuscript. G.A.G. and G.L.G. completed data curation of the HDO segment, formal analysis/interpretation of the HDO survey data, and were responsible for project administration, and also developed the content and wrote the original and all revised drafts of the manuscript.
Publication History
Received: 28 April 2025
Accepted: 22 September 2025
Article published online: 30 October 2025
© 2025. The Author(s). This is an open access article published by Thieme under the terms of the Creative Commons Attribution License, permitting unrestricted use, distribution, and reproduction so long as the original work is properly cited. (https://creativecommons.org/licenses/by/4.0/)
Georg Thieme Verlag KG
Oswald-Hesse-Straße 50, 70469 Stuttgart, Germany
