# Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations

**Authors:** George A. Gellert, Daniel Borgasano, Robert Palermo, Gabriel L. Gellert, Sean P. Kelly

PMC · DOI: 10.1055/a-2713-5725 · 2025-10-30

## TL;DR

Healthcare organizations face significant cybersecurity risks from third-party access but lack resources and strategies to manage these threats effectively.

## Contribution

This survey identifies key challenges and gaps in third-party cybersecurity management within healthcare delivery organizations.

## Key findings

- Only 51.1% of HDOs maintain a comprehensive inventory of third-party network access.
- Over half of respondents reported a third-party breach in the last year and expect breaches to increase.
- Manual monitoring and insufficient resources are common barriers to securing third-party access.

## Abstract

Gather insights regarding the state of third-party access cybersecurity in healthcare delivery organizations (HDOs).

An online multinational survey was deployed to eligible respondents to assess HDO third-party access, cybersecurity, and challenges.

Of 209 respondents, only 51.1% reported having a comprehensive inventory of all third parties accessing their network. Sixty percent stated third-party access to sensitive/confidential information was not routinely monitored, despite 19% having more than 40, and 31% having 21 to 40 third parties with network access. Reasons included lack of resources (48%) and centralized control over third-party relationships (36%), complexity (28%), and frequent third-party turnover (22%). Confidence in third-party ability to secure information and their reputations was cited. More than half (56%) reported a breach involving a third party in the last 12 months, and two-thirds anticipate breaches increasing in the next 12 to 24 months. Most agreed breaches are a cybersecurity priority, a resource drain, and their weakest attack surface. Slight majorities indicated high perceived effectiveness in mitigating, detecting, preventing, and controlling third-party access risks and security/privacy regulatory compliance. Regarding existing solutions, roughly half (55%) ranked the effectiveness of vendor privileged access management (VPAM) and privileged access management (PAM; 49%) at ≤ 6 on a 10-point scale, respectively. Barriers to reducing access risks include lack of oversight/governance (53%) and insufficient resources (45%). Of those monitoring third-party access, 53% do so manually. Breach consequences include loss/theft of sensitive information (60%), regulatory fines (49%), severed relationships with third parties (47%), and loss of revenue (42%) and business partners (38%).

HDOs recognize the increasing threat of third-party cyber breaches but are struggling to effectively address them. Lack of budget, expert resources, complexity, and third-party turnover are among the reasons why. Need exists for automated, cost-effective solutions to address the significant risks of third-party access with a consistent strategy that minimizes breach risk by securing remote access to privileged assets, accounts, and data.

## Full-text entities

- **Chemicals:** HDO (-)
- **Species:** Homo sapiens (human, species) [taxon 9606]

## Figures

2 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12575072/full.md

---
Source: https://tomesphere.com/paper/PMC12575072