HHS Burrows Into Identifying Risks to Health Sector From Third-Party Vendors

The 2024 Change Healthcare ransomware incident shattered expectations about where the greatest cyber threats to the health system reside. Hackers slipped through a remote‑access portal that lacked multifactor authentication, compromising the personal information of roughly 190 million patients, providers, and insurers. The breach rippled through the entire health‑care ecosystem, threatening liquidity for hospitals and prompting UnitedHealth Group to overhaul its IT architecture. Analysts now view the event as a watershed moment that exposed the hidden dependencies on third‑party platforms that process claims, payments, and clinical data.

In response, the Department of Health and Human Services has launched a concerted effort to inventory and assess those hidden dependencies. HHS officials, led by Charlee Hess of the Administration for Strategy, Preparedness and Response, are working with industry groups to develop a risk‑identification methodology that maps critical vendors, evaluates their security controls, and prioritizes remediation. The approach emphasizes continuous monitoring, shared threat intelligence, and mandatory baseline safeguards such as MFA and encryption. Yet the initiative faces practical hurdles, including fragmented vendor contracts, limited visibility into legacy systems, and the need for standardized reporting.

The heightened focus on third‑party risk is likely to reshape the regulatory landscape. Lawmakers on Capitol Hill are already drafting bipartisan legislation that could impose minimum cybersecurity standards on health‑care providers and their suppliers. While some hospital associations resist prescriptive rules, the cost of another sector‑wide breach may outweigh compliance concerns. For vendors, the message is clear: robust security postures will become a market differentiator, and early adoption of best‑practice controls could secure contracts in an increasingly risk‑aware environment.