Over 80% of stolen protected health information (PHI) so far this year didn't come from hospitals… it came from their vendors, according to a Becker's Hospital Review update on PHI cybersecurity. Even more striking, more than 90% of hacked health records were stolen from outside the EHR.
These two numbers redefine where healthcare security risk really lies. The typical hospital's firewall isn't the front line anymore. Risk surfaces include:
- Analytics platforms
- Billing services
- Patient-engagement tools
- Telehealth systems
- Business associates
- Health plans
…and more
Protecting patient data in 2025 requires understanding that your vendors' infrastructure is part of your own security posture.
Why vendor breaches dominate today's threat landscape
Healthcare's rapid digital expansion has created a tangled web of integrations. Systems for scheduling, claims, population health, and remote monitoring all exchange PHI with external partners. Each of those partners stores and processes data on hosting infrastructure that the hospital doesn't control.
Many of the large-scale breaches reported to the Office for Civil Rights so far this year have stemmed from vulnerabilities in vendor infrastructure, such as misconfigured cloud environments, unsecured backups, or lax access management.
When a billing platform or AI service is compromised, every connected provider becomes collateral damage.
Security has evolved from a local IT problem into an ecosystem responsibility. The challenge is figuring out what each organization can realistically control.
Hospital and practice executives: five questions to ask your vendors
You can't dictate a vendor's hosting architecture, but you can demand clarity. The right questions reveal whether a partner's infrastructure meets modern compliance and resiliency standards.
- Where is PHI stored, physically and virtually? Confirm that data resides in U.S. facilities audited for HIPAA compliance, not in shared or offshore environments.
- Who has administrative access? Vendors should separate client data into isolated environments, not multi-tenant systems that mingle unrelated datasets.
- How are backups and disaster recovery handled? Ask about encryption, retention timelines, and whether off-site backups are kept in compliant data centers.
- What independent audits or certifications verify security? SOC 2 Type II, HITRUST, and regular third-party penetration tests indicate a mature program.
- How is vendor-of-vendor risk managed? Any subcontractors handling PHI should be disclosed, bound by Business Associate Agreements, and subject to the same standards.
These questions shift the conversation from trust to transparency. Hospitals that treat vendor vetting as part of their cybersecurity program, not just procurement, reduce the odds of becoming the next breach headline.
Healthcare SaaS and IT leaders: build security into your hosting foundation
For the software companies serving healthcare, security decisions start at the servers and networks powering your application. Multi-tenant cloud instances and unmanaged virtual machines, for example, introduce shared vulnerabilities.
In contrast, dedicated, single-tenant infrastructure gives providers full control over access, patching, and monitoring.
Best-practice hosting design includes:
- Isolated environments for each client or workload.
- Full-disk encryption and real-time intrusion detection.
- Redundant firewalls and physically segmented backup storage.
- Comprehensive audit logging tied to compliance frameworks such as HIPAA and HITRUST.
- Direct control of patching, updates, and security configurations (never delegated to generic cloud tenants).
The technical rigor behind these choices isn't just about compliance checkboxes. It's a market differentiator. Hospitals increasingly evaluate vendors on how confidently they can describe their infrastructure's security model.
Security as a shared discipline
The 2025 breach data makes one thing clear: hospitals cannot separate "our network" from "their cloud." Every healthcare organization depends on a mesh of external systems whose hosting decisions directly affect patient trust.
Vendor risk management must evolve from paperwork to partnership. Hospitals should demand transparency and continuous communication; vendors should invest in infrastructure that meets healthcare's highest compliance expectations.
At Liquid Web, we see this shift every day: healthcare organizations and SaaS vendors working together to close the gap between accountability and control. True protection of PHI begins when both sides view secure, compliant hosting not as an IT line item, but as a shared foundation for patient care itself.