It’s Time For Healthcare Organizations to View Cybersecurity as Risk Management

The following is a guest article by Mike Levin, General Counsel and Chief Information Security Officer at Solera Health

In today’s interconnected healthcare ecosystem, every organization—from the largest health systems to specialized vendors—plays a critical role in protecting patient data. This shared responsibility requires us to evolve our thinking about cybersecurity.

Recent industry events have highlighted just how interconnected the healthcare ecosystem has become. When major infrastructure providers experience incidents, the ripple effects demonstrate why we all need to work together on strengthening our collective security posture.

Last year, nearly 190 million people were affected by the largest and most costly healthcare breach in history. Many of them had no idea their data was flowing through the compromised systems until they received a notification letter. Their personal health information was swept up in a supply chain breach they didn’t even know existed, simply because their provider or health plan used a third-party vendor for payment processing.

This is the reality of cybersecurity in healthcare today; third-party involvement in breaches has doubled to 30%, and 56% of healthcare organizations have experienced a breach through their vendors in the past two years. It’s not just about your own environment. It’s about who you let in the door and how you enforce your standards on those third parties.

Cybersecurity: Risk Management Beyond Mitigation

Cybersecurity pros tend to focus on mitigation, or identifying risks and putting in place controls so they can be properly addressed. But in risk management, mitigation is just one lever. You can also accept risk or transfer it, and many healthcare organizations overlook this third option.

This is where legal contracts and insurance come in.

If contracts aren’t part of your cybersecurity strategy, they need to be. Legal contracts and risk transfer mechanisms, such as cyber insurance, give organizations the opportunity to more effectively share and manage risk with third-party vendors.

When done right, legal contracts with third-party vendors enforce cybersecurity requirements, define breach notification obligations, and allocate financial responsibility in the event of a breach.

Supply Chain Risks Hit Healthcare Harder

Third-party and supply chain risk is a challenge across industries, but in healthcare, the stakes are higher for several reasons:

  • High Consolidation: Healthcare’s vertical integration means a single breach can cascade across thousands of clinics and millions of patients; HHS data shows 30% of healthcare breaches now occur at business associates

  • Patient Trust: Patients don’t choose which vendors you work with, yet they still pay the price if and when those vendors expose their data

  • Regulatory Obligations: HIPAA and other regulations require you to protect patient data wherever it goes, making your contracts and oversight critical to limiting the risk of incurring costly fines if something goes wrong; healthcare breaches now cost an average of $9.77 million, more than double the $4.88 million average across all industries

A strong internal security program is necessary, but it’s not sufficient. If your vendors don’t maintain equivalent standards, your organization and your patients remain vulnerable.

Turning Cybersecurity Into a Risk Management Strategy

Cybersecurity has become a critical component of risk management, and it comes to life through the practical actions taken every day to protect your organization and your patients. Ways healthcare organizations can put this mindset into practice include:

Fully Evaluating Vendor Security

Third-party vendors can be the weakest link in the chain, yet many organizations still assume that a large vendor’s reputation equates to security. Instead, ask vendors for evidence of their controls, such as penetration testing results, SOC 2 Type II reports, HITRUST certification, NIST CSF alignment, and so on. You should also schedule regular security reviews, especially for vendors that work with PHI or critical infrastructure. The bottom line: your vendor’s risk is your risk.

Build Strong Security Requirements Into Contracts

As we previously touched on, your contracts with vendors should serve as tools for enforcing your own organization’s cybersecurity standards. Use clear, plain language that spells out expectations, whether that’s encryption requirements, access controls, or patch management timelines. Frameworks from organizations such as NIST or HITRUST can serve as a baseline, but your contracts should be specific enough to be actionable and protective of your organization if a breach occurs.

Establish Realistic Breach Notification Timelines

As soon as a breach occurs, the clock is ticking, and you don’t want to be left in the dark if one of your vendors experiences an incident. Without prompt vendor notification, delays in your own response compound dangerously. Make sure your vendors agree to notify you within a defined timeframe so you can act quickly to protect your data. Obviously, the shorter the timeline, the better, but 24 to 72 hours is a common timeframe.

Clearly Define Liability

Effective risk management in this sense involves clear language in contracts that specifies who’s on the hook when something goes wrong. Your agreements should spell out financial responsibility for data breaches, regulatory fines, and remediation costs, which minimizes finger-pointing and provides a clearer path to recovery if a vendor’s lapse impacts your organization.

Look into Cyber Insurance for You and Your Vendors

Cyber insurance should be part of your overall risk strategy, and it goes beyond your own coverage. Confirm that your vendors have appropriate cyber insurance and understand how their policies align with your own risk exposure. You don’t want to wait until after an incident to find out what’s covered and what isn’t.

Foster True Collaboration Between Legal and Security Teams

It’s common for legal and cybersecurity teams to operate independently of each other, but collaboration gives them the best opportunity to manage risk effectively across the organization. Legal teams are experts in contracts and regulatory obligations, and cybersecurity teams understand the technical realities of cyber threats and controls. Working together, these teams can craft enforceable, practical contracts that meet the specific needs of your organization.

The scale of the problem is staggering: In 2024 alone, 725 large healthcare breaches exposed the records of 82% of the U.S. population. With 81% of these breaches involving hacking or IT incidents, the threat landscape has fundamentally shifted from internal mistakes to external attacks, many coming through trusted vendor relationships.

In the real world, cybersecurity isn’t something that can be fully outsourced to your IT team, security provider, or vendors. It’s a shared responsibility that calls for leaders to view every security decision through a risk management lens. Integrating cybersecurity elements into your legal frameworks protects your systems, as well as your patients, your organization’s reputation, and the trust people place in your ability to deliver care.

The most successful organizations view their vendors as security partners, working together to protect the patients they mutually serve.

Moving Toward True Resilience

At Solera Health, I’ve had the somewhat rare opportunity to wear two hats: CISO and general counsel. It’s not the most common combination, but it’s given me a front-row view of how much stronger an organization can be when legal and cybersecurity teams work in sync under a shared mission to protect patient data and manage risk.

Healthcare organizations need to move past thinking of cybersecurity as just a technical problem for the IT team to solve. Today’s threats and the realities of how data flows across vendors and supply chains demand a broader perspective. Cybersecurity is risk management, plain and simple. And managing that risk requires strong technical capabilities alongside workable legal frameworks, clear contracts, insurance strategies, and ongoing collaboration across teams.

Ultimately, protecting patient data isn’t something that happens by accident. It’s the result of deliberate decisions to build resilience across your people, processes, and technology. Embracing cybersecurity as a risk management tool sets healthcare organizations up to better prepare for the unexpected while keeping patient trust at the forefront.

The healthcare industry has learned valuable lessons from past incidents and is now better positioned to protect patient data through collaborative risk management approaches. This evolution represents the path forward—reducing risk, strengthening our collective security posture, and continuing to deliver effective care even as threats and regulations evolve.
