Patient data is a crown jewel for cybercriminals: rich in personal details that cannot be changed after a breach, and endlessly exploitable. And while hospitals have come a long way in protecting this treasure trove, the digital front lines have shifted.

To a cybercriminal, a patient record isn’t just a file; it’s a goldmine. It includes everything from Social Security numbers to diagnostic results to insurance information. Health systems have responded admirably. Today’s hospitals are fortified with robust firewalls, endpoint detection, multifactor authentication, zero-trust policies, and constant vigilance. Many healthcare CIOs and CISOs now run some of the most sophisticated security operations of any industry.

But even as health systems elevate their security posture, a critical threat still looms: third-party software applications.

Beyond the Firewall

The traditional model of cybersecurity focused on defending the organization’s internal systems, everything within the firewall. But that paradigm is now obsolete. Today, the health system’s cybersecurity ecosystem includes everything connected to its data, including applications and vendors far beyond its perimeter.

This evolving mindset has prompted forward-thinking leaders to reframe third-party application developers as part of their extended workforce. Engineers writing code for cloud-based EHR plug-ins, patient communication platforms, and billing systems are not just contractors; they are, in effect, outsourced employees of the health system. And like any employee, their security hygiene matters.

If these developers are integrating outdated, insecure, or unmonitored software libraries into their products, then those vulnerabilities are already inside the hospital’s defenses, regardless of how strong the firewall is. The application runs with the hospital’s data and the hospital’s credentials, so a flaw in one of its dependencies is a flaw in the hospital.

The Trojan Horse of Third-Party Apps

Recent breaches make this painfully clear.

In December 2024, ransomware actors infiltrated PIH Health’s systems, reportedly via a third-party vendor, with the attackers claiming data on over 17 million patients. The breach left systems frozen, delaying care and medication access. Earlier that year, attackers used stolen credentials to log into a Change Healthcare remote-access portal that had no multifactor authentication; the resulting ransomware attack exposed records of well over 100 million people and disrupted claims processing and pharmacy operations across the country. Change Healthcare was itself a third party to the hospitals, clinics, and pharmacies that depended on it, which is exactly the point.

These aren’t isolated events. According to the 2024 Verizon Data Breach Investigations Report, 15% of breaches involved a third party, including software supply chain compromises, a 68% increase over the prior year’s report. The trend is unmistakable: attackers are targeting the blind spots in the digital supply chain.

Software Supply Chains

Third-party apps are typically assembled from dozens of open-source and proprietary code libraries. The inventory of those components, with their exact versions, is the application’s Software Bill of Materials (SBOM). It is rarely requested, let alone scrutinized, by the hospitals that rely on the application. But it should be.

Why? Because these reused code libraries often contain known vulnerabilities. Take Log4Shell (CVE-2021-44228) in the ubiquitous Log4j logging library, which let an unauthenticated attacker execute code remotely simply by getting a crafted string into a log message. The vulnerable feature had shipped in the library for years, embedded in countless enterprise and healthcare applications, before it exploded into public view in December 2021. Hospitals that had no SBOM for their vendors’ applications could not even say which of them were affected.

Even when flaws are known, patching them is another matter. Hospitals are at the mercy of their vendors, some of whom delay fixes or fail to notify clients altogether. Worse, many vendors have no system for tracking the security status of the code libraries they use, so they cannot answer the question “are we affected?” in the hours after a disclosure, when it matters most. That’s unacceptable in today’s environment.

Market Forces vs. Security Discipline

This systemic vulnerability is not a mystery, it’s a business reality.

Healthcare SaaS vendors are under constant pressure to ship new features, integrate AI tools, and stay ahead of competitors. Speed to market is prioritized over secure development. Shortcuts are taken. Code is reused. Penetration testing is deprioritized. Patch cycles are slow. And since buyers tend to evaluate vendors on features and cost, not software integrity, there’s little market incentive for change.

The regulatory environment hasn’t kept pace either. Unlike pharmaceuticals, where every compound is rigorously vetted, most software escapes serious scrutiny. Outside the FDA’s premarket cybersecurity requirements for connected medical devices, which now include an SBOM, no regulator asks what is inside the code a hospital runs.

The Role of Health System Leaders

To their credit, many health system leaders are already rising to the challenge. They are embracing a broader, ecosystem-wide understanding of cybersecurity and holding vendors accountable.

One powerful tool in their arsenal: automated dependency monitoring, often sold as software composition analysis (SCA). These platforms continuously compare the code libraries inside third-party apps against vulnerability feeds, flagging outdated or vulnerable components and alerting IT teams when new advisories are published against a component already in use. They turn the black box of a vendor’s software into a glass house, and give security teams a chance to act before attackers do. The caveat is that the tool can only inspect what it is given: it needs either the vendor’s SBOM or the deployed artifact itself, which is why SBOM delivery belongs in the contract, not in a courtesy request after the fact.

This level of insight gives hospital IT leaders the power to ask hard questions of their vendors, and to check the answers: What code libraries are in your application, and at which versions? Are they up to date? How quickly can you patch known vulnerabilities, and how will you tell us? Do you monitor your SBOM with automated tools, and will you deliver an updated SBOM with every release?
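The check that the SBOM discussion above and these vendor questions describe is small enough to show in working code. The script below is an added example, not code from this article or from any vendor product: it parses a constructed CycloneDX SBOM for a hypothetical EHR plug-in and checks each component against an advisory table. The one advisory in the table is Log4Shell’s real affected range for log4j-core (from 2.0-beta9 up to, but not including, 2.15.0); the backported fix branches such as 2.12.2 are omitted for brevity, and in practice the table would be populated from a feed such as OSV or NVD rather than hard-coded.

```python
"""Check a CycloneDX SBOM against known-vulnerable version ranges (added example)."""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical EHR plug-in. Not a real vendor's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"}
  ]
}
"""

# Advisory table: (package key, introduced, fixed, advisory id).
# Log4Shell (CVE-2021-44228) affected log4j-core 2.0-beta9 up to but not including 2.15.0.
# Backport fix branches (e.g. 2.12.2 for Java 7) are deliberately omitted here;
# a real deployment pulls ranges from OSV/NVD instead of maintaining this by hand.
ADVISORIES = [
    ("org.apache.logging.log4j:log4j-core", "2.0-beta9", "2.15.0", "CVE-2021-44228"),
]


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable key.

    The key is (numeric parts padded to three, (release_flag, pre_release_tag)).
    A pre-release (flag 0) sorts before the final release (flag 1) of the same number.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", main))
    nums = nums + (0,) * (3 - len(nums))
    return nums, ((0, pre) if pre else (1, ""))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def component_key(component):
    """Build 'group:name' (or just 'name') to match against the advisory table."""
    group = component.get("group")
    return f"{group}:{component['name']}" if group else component["name"]


def scan_sbom(sbom_json, advisories=ADVISORIES):
    """Return [(component key, version, advisory id)] for every vulnerable component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = component_key(comp)
        for pkg, introduced, fixed, advisory in advisories:
            if pkg == key and is_affected(comp["version"], introduced, fixed):
                findings.append((key, comp["version"], advisory))
    return findings


if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON)
    if not results:
        print("No known-vulnerable components in SBOM")
    for key, version, advisory in results:
        print(f"VULNERABLE {key}@{version}: {advisory}")
```

Run against the constructed SBOM, the script flags log4j-core 2.14.1 and passes 2.17.1 and jackson-databind, which is the answer to the vendor question “are you affected?” in the form a hospital can verify itself. Two things the toy omits and a real tool must handle: version schemes that are not dotted numbers (CalVer, Debian epochs), and components the SBOM lists transitively, where the same library appears several times at different versions, as log4j-core does above.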

The Challenge

Cybercriminals are no longer attacking the front gates; they’re slipping through the side doors, disguised as “trusted” software providers.

Health systems can no longer afford to draw a line between “us” and “them.” In the modern cybersecurity landscape, third-party engineers are part of the team, and subject to the same scrutiny. Their hygiene is your hygiene. Their code is your risk.

It’s time to bring these outsourced employees into the fold. Monitor their tools. Audit their practices. And make cybersecurity a shared responsibility across the full digital supply chain.

Because in today’s world, the hospital firewall is no longer the edge of the battlefield. It’s just the beginning.

The Hidden Threat to Patient Data in Hospital Software