TL;DR: Healthcare leaders are finding that the biggest operational risk often comes from their vendors’ vendors, with incidents like Change Healthcare and CrowdStrike showing how downstream failures can interrupt care, reporting, and recovery, according to Commvault. The real governance problem is that third-party dependency chains outgrow direct contractual oversight, so resilience now depends on ecosystem visibility, data sovereignty, and recovery assumptions that extend beyond the immediate supplier.
NHIMG editorial — based on content published by Commvault: healthcare ecosystem risk, vendor-of-vendor failures, and recovery readiness
Questions worth separating out
Q: How should healthcare organisations govern vendor-of-vendor risk?
A: Start by mapping the full dependency chain behind every critical supplier, including subcontractors and platform providers that affect service continuity, data handling, or access.
Q: Why do direct vendor reviews fail in ecosystem outages?
A: They fail because questionnaires and attestations only describe the vendor you contract with, not the hidden providers that may keep the service running.
Q: What should organisations test before relying on a critical SaaS vendor?
A: They should test whether their service can recover when the vendor, a subcontractor, or a connected platform is unavailable.
Practitioner guidance
- Map fourth-party dependency chains Identify which critical services depend on downstream providers, subcontractors, and platform layers you do not contract with directly.
- Require recovery evidence, not assertions Ask vendors to demonstrate how they restore service when one of their own dependencies fails.
- Maintain independently restorable data copies Keep regular exports of critical data and verify they can be restored without the vendor’s live platform.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- Direct CMIO and security leader interviews on how vendor-of-vendor failures affected clinical workflows
- Detailed examples of contract changes, including notification timelines and recovery guarantees
- Practical discussion of data sovereignty, including keeping independently restorable copies of critical data
- Minimum viable recovery planning considerations for ecosystem-wide outages
👉 Read Commvault's analysis of healthcare ecosystem risk and vendor-of-vendor failures →
Vendor-of-vendor risk in healthcare: what IAM teams need to know?
Explore further
Vendor-of-vendor risk is now a governance problem, not just a procurement problem. The article shows that healthcare organisations can do everything right on their direct suppliers and still inherit exposure from relationships they never approved and cannot directly control. That breaks the old assumption that third-party review stops at the signed contract. The practitioner conclusion is that ecosystem dependency mapping now belongs in identity and resilience governance, not only in procurement.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when a vendor’s vendor causes a compliance incident?
A: The covered organisation usually remains accountable for its own regulatory reporting, evidence collection, and patient or customer impact, even when the root cause sits elsewhere in the supply chain. Contracts can share obligations, but they do not remove the need for local governance, documentation, and incident response.
👉 Read our full editorial: Healthcare vendor ecosystems expose a new identity governance gap