Healthcare organizations have invested billions in securing their internal systems—yet breaches continue to rise, often from an unexpected source: third-party vendors. From telehealth platforms to analytics providers, today’s healthcare ecosystem is deeply interconnected, and increasingly vulnerable.
In fact, third-party vendors account for around 80% of stolen protected health information (PHI), with compromised partners often serving as the weakest link in an otherwise secure system. As digital transformation accelerates, the traditional boundaries of healthcare IT are dissolving.
Members of the Senior Executive Healthcare Think Tank—a curated group of leaders across patient experience, workforce strategy, policy, quality and technology—argue that this shift demands a fundamental rethink of how organizations approach vendor oversight, data-sharing agreements and supply-chain security.
They assert that healthcare leaders must move beyond compliance-driven approaches and adopt continuous, system-level strategies that treat vendors not as external partners, but as integral components of the care delivery infrastructure. The following Think Tank insights outline how organizations can rethink integration security, strengthen accountability and build more resilient vendor ecosystems in an era where every connection carries risk.
Treat Integration Layers as a Security Domain
Sriharsha Chavali, Enterprise Technology Leader at The Aspen Group, brings a deeply technical perspective shaped by years of building interoperability systems across complex healthcare environments. His experience designing platforms that process EDI 835/837 transactions across hundreds of payers reveals where risk truly resides: not just in endpoints, but in the layers in between.
“Most healthcare enterprises treat vendor data connections as plumbing you install and forget,” Chavali says. “The vulnerability lives in translation layers—middleware where data is parsed, transformed and reconstituted between systems.”
These integration layers are often overlooked in traditional security models, yet they handle vast amounts of sensitive data moving between disparate systems. Chavali emphasizes that protecting PHI requires more than encryption in transit; it demands integrity throughout the entire data lifecycle.
“Security isn’t just encryption in transit,” he explains. “It’s maintaining integrity at the parsing layer itself.”
To address this, Chavali advocates for continuous monitoring and visibility across all data exchanges.
“Organizations need continuous AI-driven observability and real-time monitoring of data exchange behavior,” he says. “They also need auditable data lineage from every vendor handling PHI and must treat integration architecture as a security domain.”
By elevating integration architecture to a core security focus, healthcare organizations can close a critical gap that many attackers exploit.
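Chavali's point about integrity at the parsing layer and auditable lineage, as an added example that is not code from the Think Tank or from any organization named here: a minimal Python check that verifies the ST/SE envelope of a constructed, fictional X12 835 transaction before anything is transformed downstream, and emits a lineage record for the exchange. The vendor id, the transaction body and the segment values are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: a minimal, fictional X12 835 remittance from a hypothetical
# vendor feed. Segments end with "~", elements are separated by "*".
SAMPLE_835 = (
    "ST*835*0001~"
    "BPR*I*100.00*C*ACH~"
    "TRN*1*12345*1512345678~"
    "N1*PR*EXAMPLE PAYER~"
    "N1*PE*EXAMPLE PROVIDER~"
    "CLP*CLAIM1*1*100.00*100.00**MC*ICN1~"
    "SE*7*0001~"
)

def parse_segments(payload: str) -> list[list[str]]:
    """Split an X12 transaction body into segments, each a list of elements."""
    return [seg.split("*") for seg in payload.strip().split("~") if seg]

def check_transaction_integrity(payload: str) -> list[str]:
    """Return structural problems in the ST/SE envelope (empty list = OK).
    A parsing layer enforces these before transforming data: SE01 must equal
    the number of segments received and SE02 must echo the ST02 control number."""
    segs = parse_segments(payload)
    if not segs or segs[0][0] != "ST" or len(segs[0]) < 3:
        return ["transaction does not start with a well-formed ST"]
    if segs[-1][0] != "SE" or len(segs[-1]) < 3:
        return ["transaction does not end with a well-formed SE"]
    st, se, problems = segs[0], segs[-1], []
    if not se[1].isdigit() or int(se[1]) != len(segs):
        problems.append(f"SE01 declares {se[1]} segments, received {len(segs)}")
    if se[2] != st[2]:
        problems.append(f"control number mismatch: ST02={st[2]} SE02={se[2]}")
    return problems

def lineage_record(vendor_id: str, payload: str) -> dict:
    """Auditable lineage entry: source vendor, receipt time, content hash,
    segment count and the integrity verdict for this exchange."""
    return {
        "vendor": vendor_id,
        "received_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "segments": len(parse_segments(payload)),
        "integrity_problems": check_transaction_integrity(payload),
    }

if __name__ == "__main__":
    # A copy with one segment dropped but SE left untouched fails the check.
    tampered = SAMPLE_835.replace("TRN*1*12345*1512345678~", "")
    print(lineage_record("vendor-A", SAMPLE_835)["integrity_problems"])  # []
    print(lineage_record("vendor-A", tampered)["integrity_problems"])
```

A real middleware would run this per transaction set inside the GS/GE and ISA/IEA envelopes and write each lineage record to an append-only store, so that every vendor-originated exchange is both validated and traceable.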
Treat Vendors as Extensions of Your Infrastructure
Eugene Zabolotsky, CEO of Health Helper, an innovator in consumer-focused medical technologies, approaches vendor risk from a systems-thinking perspective. With nearly three decades of experience in healthcare innovation, he sees third-party relationships as inseparable from core operations.
“As healthcare becomes more digitally connected, vendor risk becomes system risk,” Zabolotsky says. “Organizations must treat vendors as extensions of their own infrastructure.”
This shift has profound implications for governance. Rather than relying on periodic assessments or static compliance checklists, organizations must implement continuous oversight and enforce consistent standards across all partners.
“Data-sharing agreements should enforce accountability, encryption and limited access,” he explains. “Proactive oversight—not reactive compliance—is essential.”
Zabolotsky also underscores the importance of transparency in maintaining trust. “Trust in healthcare depends on securing every link in the digital supply chain,” he says.
This perspective is supported by U.S. Department of Health and Human Services (HHS) guidance, which emphasizes that covered entities remain responsible for protecting PHI even when it is handled by business associates.
Ultimately, Zabolotsky argues that healthcare organizations must internalize vendor risk as their own responsibility—because, in practice, it already is.
Move From Point-in-Time Checks to Continuous Assurance
Dr. Sunil Kumar, Founder of Dr. Sunil Kumar Consulting, brings a clinician’s perspective to the issue, shaped by his work as a Lifestyle Medicine Physician, Executive Health Coach and global healthcare leader. His insights focus on the human and operational risks created by overreliance on static oversight models.
“The uncomfortable truth is that many organizations have secured their front door while leaving the side entrances open,” Kumar says. “In a vendor-dependent ecosystem, trust cannot be outsourced.”
He argues that traditional approaches—such as annual audits or onboarding assessments—are no longer sufficient in a dynamic, interconnected environment.
“Oversight needs to move from point-in-time checks to continuous assurance,” he explains. “Treat vendors as extensions of your clinical system, not external add-ons.”
Kumar outlines several practical steps, including risk-tiering vendors based on data sensitivity and patient impact, and requiring real-time visibility into access, breaches and even subcontractor activity.
“Data-sharing agreements should shift from legal formality to operational clarity—who accesses what, why, for how long and with what audit trail,” he says.
Perhaps most importantly, Kumar advocates for a zero-trust approach.
“Adopt a ‘minimum necessary, zero-trust’ posture,” he says. “Limit data exposure by design, not policy.”
Kumar’s message is both strategic and urgent: Without continuous assurance, even well-secured systems remain vulnerable through their weakest connections.
Shift From Contract Management to Ecosystem Governance
Harikrishnan Muthukrishnan, Principal IT Developer at BCBS Florida, a mission-driven health insurer serving millions of members, emphasizes the need for a structural shift in how healthcare organizations govern vendor relationships.
“Vendor oversight must evolve from contract management to ecosystem governance,” he says.
This means evaluating vendors not just by cost or contract terms, but by their broader impact on care delivery and data risk.
“We should assess partners by their impact on care, PHI exposure, operational dependency and decision influence—not by contract value alone,” Muthukrishnan explains.
He also calls for more rigorous and evidence-based security validation. “We need technical proof—not questionnaire theater,” he says. “That includes architecture evidence, control mappings, pen-test results, remediation discipline and secure identity design.”
In addition, Muthukrishnan highlights the growing importance of software transparency in supply-chain security.
“Every digital vendor should provide a mandatory SBOM,” he says, referring to a Software Bill of Materials. “Supply-chain trust now depends on knowing exactly what software components we are bringing into the healthcare environment.”
By reframing vendor oversight as ecosystem governance, Muthukrishnan argues, healthcare organizations can better manage the complexity and interdependence of modern digital systems.
Practical Steps to Reduce Vendor-Driven Risk
- Treat integration layers as critical security zones. Monitor and secure middleware and data transformation points, not just endpoints.
- View vendor risk as system risk. Apply the same security standards and accountability to vendors as internal systems.
- Adopt continuous assurance over periodic audits. Implement real-time monitoring, risk-tiering and zero-trust access controls.
- Shift to ecosystem governance. Evaluate vendors based on their impact on care delivery, data exposure and operational dependency—not just contracts.
Securing Trust in a Connected Care Ecosystem
As healthcare ecosystems grow more interconnected, the traditional boundaries of responsibility are disappearing. Vendors are no longer external partners—they are embedded components of the care delivery system, with direct access to sensitive data and critical workflows.
The insights from the Senior Executive Healthcare Think Tank show that securing PHI in this environment requires a fundamental shift in mindset. Organizations must move from reactive compliance to proactive, continuous governance—treating every connection, every data flow and every vendor as part of a unified security strategy.
In a healthcare system that’s only becoming more connected, resilience will depend on how well leaders secure not just their own environments, but the entire network they rely on.
