Healthcare cyber risk grows as visibility gaps expose third-party threats | Tech Radar

Overview

News, deals, reviews, guides and more on the newest computing gadgets

Start exploring exclusive deals, expert advice and more

Details

Unlock and manage exclusive Techradar member rewards.

Unlock instant access to exclusive member features.

Get full access to premium articles, exclusive features and a growing list of member rewards.

Healthcare cyber risk grows as visibility gaps expose third-party threats

You can’t secure what you can’t see: the hidden risk in healthcare’s digital ecosystem

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

At first glance, Palantir receiving access to an address book containing up to 1.5 million NHS staff may seem like just one more example of digital transformation on a grand scale in healthcare, or simply a necessary step for a supplier supporting such a complex environment.

However, underneath this headline, there is much more to consider: nowadays, the healthcare ecosystem consists not just of the organisation itself, but of an extensive external network surrounding it.

One question that needs addressing here is do organizations know who exactly has access to the most crucial parts of their system and information at all times?

From boardroom risk to deal flow: why cyber M&A is accelerating in 2026

AI-driven cyber discovery signals a new era of systemic risk for banks

The real cost of insider threats is not the incident: It’s the frequency

Healthcare has always been a data-rich, high-stakes environment but its digital evolution has dramatically expanded the number of actors involved in delivering care. Cloud providers, analytics platforms, software vendors, contractors and consultants all require varying degrees of access to critical systems.

The challenge is not simply that third parties exist, but that visibility into their access is often fragmented or incomplete. In many cases, organizations rely on static records, contractual assurances or periodic reviews to validate security. But access changes constantly - new users are onboarded, permissions are altered, integrations are updated - often without a central, real-time view.

This approach creates a very risky and potentially dangerous situation to be in. The organizations themselves are responsible for making sure patient data is secure and services operate smoothly.

However, in the case of the NHS, this is far from straightforward. It is not a single organisation with one unified IT system, but a network of hundreds of semi-independent Trusts, GP practices, mental health services and other care providers, many of which have historically procured their own technology.

This has led to a complex landscape of legacy systems that do not always integrate effectively, making visibility and control over access significantly more challenging, particularly when introducing third-party providers.

This is why so many major security events occur not within companies' strongholds but at the edges of their network, through integrations or partnerships. And it becomes even more problematic since, unlike many other sectors, healthcare relies heavily on the availability of information systems.

Therefore, access management in this sector becomes not just a question of protecting data but of ensuring business continuity as well.

The shocking reason 43% of UK businesses have been hit by cyber attacks last year

AI security is broken at runtime: Most enterprises don’t realize it yet

Most ransomware attacks are opportunistic. Here’s how you can stop attackers

At the same time, the threat landscape is also undergoing changes that only amplify the risks associated with these vulnerabilities.

Recent wiper attacks on healthcare institutions, attributed to Iran, illustrate that today cyber operations are a direct result of geopolitical tension. This creates a sort of parallel battlefield, where disruption becomes possible without crossing borders in the conventional sense. In many ways, this is modern warfare and one that organizations are still not fully prepared for.

Wiper attacks differ from standard attacks in the fact that their purpose is not stealing sensitive information but destroying the systems altogether. In the case of healthcare organizations, these attacks mean catastrophic failures with potentially fatal consequences for patients.

Even more concerning is how accessible these attacks have become. Advances in AI tools are dramatically lowering the cost and effort required to carry them out, meaning tactics like phishing, DDo S and reconnaissance can now be executed at far greater speed and scale.

This shifts cyber risk firmly into the realm of strategic risk. It is no longer confined to the IT department. It affects operational resilience, financial stability and public trust, leaders must now assume that cyber pressure will increase in parallel with global instability, not independently of it.

Even in light of these developments, many organizations still rely on approaches to security and compliance that were designed for a very different era.

Periodic auditing, annual evaluations and a static framework for ensuring compliance offer a one-time snapshot. These methodologies ensure that controls were in place at the moment of assessment but do nothing to guarantee what transpires in the following days or months.

In highly dynamic environments like healthcare, this is a critical limitation. Systems evolve on a daily basis. Access permissions change and new integrations are introduced. A control that was effective during an audit can fail without any immediate visibility.

Recent research from Quod Orbis consistently shows that organizations often overestimate their visibility. For example, while the majority of businesses report confidence in their security posture, 93% say they have clear visibility of their IT assets, yet 95% admit they have been unable to access a specific software asset in the last year. This gap between perception and reality is where risk starts to accumulate.

If the nature of risk has changed, so must the risk management framework. While regulations like DORA are beginning to address this shift within financial services, the reality is that the same principles now apply far beyond a single sector.

Rather than looking for additional reports and methods, businesses need to embrace a completely new approach to assurance, one that recognizes the dynamic and real-time nature of modern IT systems.

Through continuous network monitoring, organizations gain the ability to know in real-time exactly how secure their IT systems really are and ask some crucial questions, such as: who has access, what changes have been made and what holes have yet to be covered? Third-party access is one area where continuous oversight would help organizations implement a "trust, but verify" model rather than a blind trust approach to granting third-party access.

At the same time, continuous oversight and monitoring provide an opportunity to address issues proactively before they occur and in today's ever more disruptive environment, the ability to address and prevent issues can mean the difference between containing an issue and experiencing an operational nightmare.

It allows organizations to exert control without stifling innovation and collaboration. The NHS story is not an outlier in this sense. On the contrary, it reflects the shift in organizational behavior and risks associated with it. With the expansion of digital ecosystems, the risks inherent in third-party access are no longer a question. The question is whether organizations have visibility and the ability to control those risks.

The NHS story is not an outlier in this sense. On the contrary, it reflects a broader reality across many organizations. Like the NHS, many businesses are operating with legacy systems, fragmented IT infrastructure and limited visibility across their environments. With the expansion of digital ecosystems, the risks inherent in third-party access are no longer a question.

It also raises an important consideration: do organizations truly have full oversight of their third-party relationships and can they confidently assess the level of risk and security controls in place?

You cannot secure what you cannot see and increasingly, what you cannot see is exactly where the risk lies.

This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

You must confirm your public display name before commenting

1EU to back European alternatives to US dominated software and services in major push for ‘tech sovereignty’

3 Star City episodes 1-2 release date and time on Apple TV

4UK businesses spend £11.7 billion on 'AI slop' corrections every year, with 1 out of every 4 hours wasted

5 Quordle hints and answers for Thursday, May 28 (game #1585)

Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

Key Takeaways

News, deals, reviews, guides and more on the newest computing gadgets
Start exploring exclusive deals, expert advice and more
Unlock and manage exclusive Techradar member rewards
Unlock instant access to exclusive member features
Get full access to premium articles, exclusive features and a growing list of member rewards