Key insights from the American Hospital Association's Bringing Value Podcast featuring John Riggi and Vince Crisler
Healthcare cybersecurity leaders have spent years strengthening perimeter defenses, deploying endpoint security tools, and improving vulnerability management. Yet despite these investments, breaches continue to rise, ransomware attacks remain relentless, and healthcare organizations face increasing operational disruption.
Why?
According to a recent episode of the American Hospital Association's Bringing Value podcast, the answer may lie in a growing blind spot: third-party connectivity. During the discussion, AHA National Advisor for Cybersecurity and Risk John Riggi sat down with Celerium’s Chief Strategy Officer, Vince Crisler, to explore why connected vendors, cloud services, and emerging AI tools have become some of the largest cybersecurity risks facing healthcare today.
The Perimeter Is Gone
For decades, cybersecurity strategies focused on protecting the network perimeter. Today, that model no longer reflects reality.
Modern hospitals depend on hundreds of interconnected vendors, including electronic health record providers, imaging platforms, telehealth systems, pharmacy applications, managed service providers, cloud services, and AI-powered tools. Every connection expands the organization's attack surface.
As Crisler explained during the podcast, healthcare's perimeter is no longer defined by hospital walls or even internal networks. Instead, it extends to every supplier connected to the environment. The challenge is that many healthcare organizations lack complete visibility into those connections and the data flowing through them.
This visibility gap creates opportunities for attackers, who increasingly target trusted third parties rather than attacking healthcare organizations directly.
Third-Party Risk Is Now Enterprise Risk
Healthcare leaders have long recognized the importance of Business Associate Agreements (BAAs) and vendor risk assessments. However, contractual protections alone cannot prevent a cyberattack.
As Crisler noted, legal agreements may determine responsibility after a breach occurs, but they do not provide real-time security controls. Meanwhile, breach disclosures continue to increase, with healthcare organizations experiencing a growing volume of cyber incidents linked to third-party exposures.
The reality is straightforward: organizations cannot adequately manage risks they cannot see.
Shadow AI: The New Frontier of Risk
Another emerging challenge discussed during the podcast is the rapid adoption of AI tools across healthcare environments.
Clinicians and staff are increasingly using AI-powered applications to summarize notes, assist with documentation, and improve productivity. While these tools offer tremendous potential, many are introduced without formal review or approval by security and compliance teams.
The result is "Shadow AI"—the use of unauthorized AI platforms that may collect, process, or retain sensitive healthcare data outside organizational control.
The challenge is not malicious intent. Healthcare workers are simply trying to work more efficiently. However, when protected health information (PHI) is submitted to external AI services with unknown retention and processing policies, organizations may unknowingly create significant compliance and security risks.
Perhaps most concerning, this activity is often indistinguishable from normal web browsing at the network level: prompts and uploads travel as HTTPS requests to public SaaS endpoints, so a firewall or gateway sees ordinary encrypted web traffic. Telling AI services apart from the rest of the web requires destination-level telemetry such as DNS queries, TLS server names, or proxy logs, which many traditional security tools do not correlate.
The Evolution of Ransomware
One of the most important insights from the discussion centered on how ransomware attacks have evolved.
Many organizations still think of ransomware primarily as an encryption event. In reality, today's attacks are increasingly focused on data theft.
Before deploying ransomware, attackers typically exfiltrate sensitive data. Even if an organization successfully restores systems from backups, stolen patient records, intellectual property, or financial data remain in the hands of adversaries.
This shift fundamentally changes the cybersecurity equation.
The question is no longer only whether organizations can restore systems. It is also whether they can identify suspicious outbound activity before the data leaves the network, because no backup undoes an exfiltration that has already happened.
Healthcare organizations should pay particular attention to:
- Unusual outbound data transfers
- Connections to unfamiliar destinations
- Large data movements during nights, weekends, or holidays
- Unexpected use of cloud storage or file-sharing services
- Behavioral anomalies that deviate from established patterns
The challenge is that these indicators often hide within legitimate network traffic, making visibility and context essential.
Why Vendor Monitoring Remains So Difficult
Monitoring third-party activity is often easier said than done.
Healthcare environments contain years of accumulated integrations, VPN tunnels, cloud connections, and legacy systems. Many organizations lack a complete inventory of vendor relationships and data flows.
Trusted VPN connections are particularly problematic because they are built to carry traffic between organizations without further inspection. The tunnel protects the traffic in transit, but it terminates at the hospital's own gateway, so records of what crosses it (which internal hosts talk to which vendor systems, on which ports, and how much data moves) are available there. In practice, once trust is established, few teams collect or review that information, and visibility into exactly what data is moving through those connections is lost.
Compounding the issue, many clinical systems cannot support modern security agents due to age, vendor restrictions, or operational concerns.
As a result, healthcare organizations often possess the raw network data necessary to identify threats but lack the resources and intelligence required to interpret it effectively.
Visibility Is the Foundation of Cyber Resilience
Throughout the conversation, one theme emerged repeatedly: visibility.
Organizations cannot defend what they cannot see.
Crisler highlighted the importance of analyzing network traffic metadata rather than packet contents. In practice this means flow records of the kind exported as NetFlow or IPFIX: source, destination, port, byte counts, and timing. From those fields alone an organization can understand where data is going, how much is being transferred, how often transfers occur, and whether those behaviors match an established baseline. Because the analysis never touches payloads, it can identify suspicious activity without exposing PHI or disrupting clinical operations.
For many healthcare organizations, simply gaining visibility into outbound traffic reveals previously unknown vendor connections, unexpected data flows, and hidden risks that would otherwise remain undetected.
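The indicators listed in the ransomware section (unusual outbound volume, unfamiliar destinations, off-hours transfers, file-sharing services) and the metadata-only approach described above can be combined into a small baselining check. The following Python is an added example written for this summary; it is not code from the podcast, from Celerium, or from any product mentioned here. It assumes flow records with the fields a NetFlow/IPFIX export would carry (start time, internal source, external destination, port, bytes out), a hypothetical vendor inventory and file-sharing list, and thresholds chosen for illustration. All addresses come from the RFC 5737 documentation ranges and all flow data is constructed inline.

```python
"""Baseline outbound flow metadata and flag the exfiltration indicators from the text.

Added example, not from the podcast or Celerium. Flow fields follow a typical
NetFlow/IPFIX export; the inventory, thresholds and sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start, hospital local time
    src: str          # internal host
    dst: str          # external destination IP
    dport: int        # destination port
    bytes_out: int    # bytes sent from src to dst


# Hypothetical vendor inventory (constructed): destinations security already knows about.
VENDOR_INVENTORY = {
    "203.0.113.10": "EHR vendor nightly SFTP export",
    "198.51.100.25": "imaging cloud sync",
}
# Hypothetical list of consumer file-sharing destinations (constructed).
FILE_SHARING = {"192.0.2.200": "consumer file-sharing service"}
LARGE_BYTES = 200_000_000  # 200 MB per day to a never-seen destination; tune per environment


def is_off_hours(ts: datetime) -> bool:
    """Weekends, and weekdays before 06:00 or after 20:00."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 20


def daily_totals(flows):
    """Bytes out per (destination, calendar day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.dst, f.ts.date())] += f.bytes_out
    return totals


def build_baseline(history):
    """Per destination, the list of daily byte totals observed in the history window."""
    per_dst = defaultdict(list)
    for (dst, _day), total in daily_totals(history).items():
        per_dst[dst].append(total)
    return dict(per_dst)


def volume_threshold(samples) -> float:
    """Mean plus three spreads; a 10% floor keeps perfectly steady feeds from alerting on noise."""
    mean = statistics.mean(samples)
    spread = statistics.pstdev(samples) if len(samples) > 1 else 0.0
    return mean + 3 * max(spread, 0.1 * mean)


def assess(flows, baseline):
    """Return {destination: sorted reasons} for flows that deviate from the baseline.

    Off-hours timing is a modifier, not a finding by itself: a known vendor's normal
    nightly export produces nothing, which is the context the text says is essential.
    """
    findings = defaultdict(set)
    totals = daily_totals(flows)
    for f in flows:
        reasons = set()
        today = totals[(f.dst, f.ts.date())]
        if f.dst in baseline:
            if today > volume_threshold(baseline[f.dst]):
                reasons.add("daily volume above baseline")
        else:
            reasons.add("destination not seen in baseline window")
            if f.dst not in VENDOR_INVENTORY:
                reasons.add("destination not in vendor inventory")
            if today >= LARGE_BYTES:
                reasons.add("large transfer to new destination")
        if f.dst in FILE_SHARING:
            reasons.add("file-sharing destination")
        if reasons and is_off_hours(f.ts):
            reasons.add("activity during off-hours")
        findings[f.dst] |= reasons
    return {dst: sorted(r) for dst, r in findings.items() if r}


def constructed_flows():
    """Constructed records: 14 days of baseline traffic plus one Saturday to assess."""
    start = datetime(2024, 3, 4)  # Monday
    history = []
    for d in range(14):
        day = start + timedelta(days=d)
        # nightly EHR export of roughly 300 MB at 02:00 to the inventoried vendor
        history.append(Flow(day.replace(hour=2), "10.20.0.5", "203.0.113.10", 22,
                            300_000_000 + 5_000_000 * (d % 3)))
        # steady 50 MB daytime sync to the imaging cloud
        history.append(Flow(day.replace(hour=10), "10.20.0.9", "198.51.100.25", 443, 50_000_000))
    sat = datetime(2024, 3, 23)  # Saturday
    today = [
        Flow(sat.replace(hour=2), "10.20.0.5", "203.0.113.10", 22, 305_000_000),            # normal export
        Flow(sat.replace(hour=11), "10.20.0.9", "198.51.100.25", 443, 640_000_000),         # 12x usual sync
        Flow(sat.replace(hour=2, minute=40), "10.20.0.9", "198.51.100.77", 443, 850_000_000),  # never seen
        Flow(sat.replace(hour=14), "10.20.1.44", "192.0.2.200", 443, 40_000_000),           # file sharing
    ]
    return history, today


if __name__ == "__main__":
    hist, now = constructed_flows()
    for dst, reasons in assess(now, build_baseline(hist)).items():
        print(dst, "->", "; ".join(reasons))
```

Run as a script it reports three destinations and stays silent on the EHR vendor's nightly export, even though that export is large and runs at 02:00 on a weekend: the baseline supplies the context that the raw indicator lacks. In a real deployment the baseline window would be longer, the inventory would come from the organization's vendor register, and the thresholds would be set per destination rather than globally.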
Translating Cybersecurity Into Business Risk
The podcast concluded with a critical leadership lesson for healthcare CIOs and CISOs.
Cybersecurity leaders often communicate in technical language—SIEM platforms, zero-trust architectures, threat intelligence feeds, and endpoint controls. Boards and executive teams, however, think in terms of business risk.
To secure executive support, cybersecurity leaders must connect cyber threats to outcomes leadership understands:
- Patient safety
- Operational disruption
- Regulatory exposure
- Financial loss
- Reputational damage
- Community impact
As both Riggi and Crisler emphasized, cybersecurity is not merely an IT issue. It is enterprise risk management. A ransomware attack that disrupts patient care affects clinical operations, revenue, compliance obligations, and public trust simultaneously.
When cybersecurity discussions shift from technology to organizational impact, leadership engagement and action become far more likely.
Looking Ahead
Healthcare's digital transformation continues to accelerate. AI adoption is growing, vendor ecosystems are expanding, and data flows are becoming increasingly complex.
The lesson from the AHA Bringing Value podcast is clear: healthcare organizations must move beyond traditional perimeter-focused security models and prioritize visibility into their extended digital ecosystem.
Because in today's healthcare environment, the greatest risks often originate not from what organizations can see—but from what they can't.
Want to learn how hospitals are using Data Breach Defender® to detect and contain data breaches before they escalate?
