TL;DR: Healthcare saw 242 breaches in 2024, including 78 tied to third parties, according to SecurityScorecard’s 2025 Third-Party Breach Report, underscoring why rural health transformation funding must account for vendor exposure as digital infrastructure expands. Security investment cannot be treated as a compliance layer after modernization begins; it has to shape the programme from the outset.
NHIMG editorial — based on content published by SecurityScorecard: cybersecurity priorities for the Rural Health Transformation Program
By the numbers:
- Healthcare sustained more third-party breaches than any other sector in 2024, with 242 breaches total and 78 tied to third parties.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: What is the main cybersecurity risk when rural healthcare programmes expand digital services?
A: The main risk is that every new telehealth platform, cloud integration, or remote device adds another identity and access path that must be governed.
Q: Why do third-party vendors increase healthcare cyber risk so quickly?
A: Third parties often bring delegated access into core clinical and administrative systems, which means their compromise can bypass many local controls.
Q: How should rural healthcare teams govern vendor access to EHR and telehealth systems?
A: They should treat every vendor account as a time-bound business dependency, not a permanent convenience.
Practitioner guidance
- Map every vendor identity before rollout Create a complete inventory of third-party users, service accounts, API keys, and remote support paths that will touch EHR, telehealth, billing, or device environments.
- Separate continuity access from routine access Require distinct approval and logging for emergency, maintenance, and vendor support access so that operational continuity does not become permanent privilege.
- Tie modernization milestones to control evidence Ask states and facilities to show measurable reduction in exposed services, unmanaged vendor access, and unresolved high-risk findings before expanding the next digital workload.
What's in the full article
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- How the 2025 Third-Party Breach Report breaks down healthcare breach exposure by sector and why that matters for rural funding decisions.
- Examples of the specific risk areas that external ratings can surface, including unpatched servers, email security weaknesses, and network configuration issues.
- The article's framing for how continuous monitoring supports due diligence and long-term resilience in small healthcare environments.
- Why the CMS program's emphasis on technology expansion changes the security baseline for states and rural providers.
👉 Read SecurityScorecard's analysis of cybersecurity priorities for rural health transformation →
Rural health transformation: are cybersecurity controls keeping up?
Explore further
Third-party access is the real governance fault line in rural healthcare modernization. The article correctly centres vendor expansion because every new digital service introduces another identity boundary to manage. In healthcare, third-party risk is not an abstract procurement issue. It is a direct control problem across privileged access, offboarding, and accountability. Practitioners should treat each vendor integration as an identity lifecycle event, not just a technology purchase.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when a healthcare transformation programme expands attack surface?
A: Accountability sits with the organisation that approves the transformation, the business owner of the data or system, and the teams that manage access and third parties. In regulated healthcare, security is not separate from care delivery. If a new service depends on external access, someone must own the risk, the review cycle, and the removal process.
👉 Read our full editorial: Cybersecurity funding in rural healthcare must scale with new digital risk