Vendor Incidents Affected 85% of Healthcare Practices in the Past 12 Months

It is only a matter of time before a cyberattack is directly linked to the death of a patient, according to new research from the managed IT and security service provider Omega Systems. Last year, 52% of healthcare organizations expected a cyberattack to result in a patient fatality in the next five years due to the huge impact these incidents have on healthcare operations. This year, the percentage increased to 61%. Despite that view, 62% of practices treat cybersecurity and compliance as a technical line item, rather than a patient safety matter.

The Omega Systems report, Under Pressure: The 2026 Healthcare IT Landscape Report, highlights a growing number of third-party vendor incidents. In the past 12 months, 85% of providers experienced at least one operational disruption due to a vendor or a vendor of a vendor, yet faith in vendor cybersecurity remains strong, with 70% of providers saying they are confident in the cybersecurity posture of their vendors.

Confidence in the security posture of vendors is at odds with the growing number of vendor incidents, and appears to be due, in part, to blind spots rather than hard data. A vendor’s security posture may be assessed before onboarding, or at least assurances are obtained that the vendor is compliant with the HIPAA Rules, but there appears to be a lack of monitoring thereafter. Omega Systems found that 63% of healthcare practices were not continuously monitoring their digital supply chains. It is often only when a vendor experiences a cyberattack and data breach that security gaps are uncovered.

“The biggest mistake a healthcare practice can make today is assuming vendors in their supply chain are handling security, so they don’t have to,” said Mike Fuhrman, CEO of Omega Systems. “Attackers are more sophisticated, vendor networks are more complex, and regulatory requirements are stricter than ever. Practices cannot lean on the outdated mindset that cybersecurity and compliance are merely a back-office problem. It is table stakes to ensure patient safety, deliver consistent care, and keep revenue flowing.”

The consequences of a vendor incident can be severe, resulting in patient safety issues and significant financial harm. If an incident is experienced that causes the electronic medical record system to go down, 53% of respondents said there would be an instant halt to billing and scheduling, preventing vital funds from being received. Almost half of respondents (47%) expressed concern that the loss of access to patient histories would create a significant patient safety issue and open them up to malpractice liabilities, while one-quarter (25%) said it would force them to either temporarily or permanently close the practice.

Despite the high risk of a cyberattack, the survey indicates that 8 out of 10 practices have gaps in their recovery plans, with almost one-third reporting using legacy systems that cannot contain a breach quickly if it starts.


The attack surface is also growing due to the number of connected medical devices, which are being deployed faster than defenders can secure them. AI adoption is growing, yet there is insufficient oversight to confirm that the tools meet security and compliance standards. Almost all healthcare organizations that participated in the research said AI tools are being used in their patient-facing and administrative workflows.

The survey also revealed that 6 in 10 leaders have self-attested to HIPAA compliance despite having known, unpatched vulnerabilities within their environments. What is particularly concerning is that they have potential security gaps under the current Security Rule, when an update to that rule, with much more prescriptive security requirements, is due for release this year. Perhaps unsurprisingly, 76% of practices say they are not ready should the final rule be released.

Many practices continue to struggle with in-house security teams that are under-resourced and overworked. 52% of practices do not have a managed security service provider (MSSP), 39% of practices manage cybersecurity entirely in-house, and 23% report that their technology environments are outdated. Practices that have engaged an MSSP report better access to advanced cybersecurity capabilities such as managed threat detection and response and next-gen firewalls, and are therefore better equipped to prevent attacks and deal with one when systems are breached.

“The practices that come out ahead won’t be the ones that buy more tools or hire more staff,” suggests Omega Systems. “They’ll be the ones where leadership decides that cybersecurity, compliance, vendor risk, and AI need to be managed together, with the right resources and outside support in place.”

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/