Cyber Attacks Against Hospitals are Getting Worse – Here’s What to do About It
More and more, cybercriminals are targeting hospitals’ third-party vendors.
Cybercriminals have gotten smarter, more sophisticated, and more relentless in their attacks against hospitals. One clear trend is the increasing focus of threat actors on supply-chain attacks that target critical third-party vendors with dramatic downstream impacts.
When it comes to third-party data breaches, no sector has experienced more recent incidents than healthcare. The February 2024 ransomware attack against Change Healthcare, a claims clearinghouse used by a large share of U.S. providers, became the largest healthcare data breach on record. From zero-day vulnerabilities in file transfer platforms to vendors that store sensitive health and personal information on behalf of their clients, threat actors increasingly target third-party vendors because the return is higher: a hospital is just one node, but compromising a vendor unlocks access to every organization that vendor serves, each of which holds and transmits sensitive data.
Attacks like these put health systems in a difficult position: even though their own systems were not infiltrated, their patient data, stakeholder trust and reputation are still at risk. With preparation, a plan of action and an effective communications strategy, however, healthcare organizations can mitigate the damage, protect their reputations and maintain the patient trust they have worked so hard to earn.
How to take control during a third-party cyber attack
Even when a hospital is not responsible for a breach that occurred on a vendor's systems, it will be held accountable for how it responds. Here are several steps leaders can take to mitigate reputational risk.
Avoid standing out in a crowd
Hospitals hit by a supply-chain incident are usually one of many victims. There is some safety in numbers, and hospital leaders should weigh responsiveness against the attention and scrutiny that "first movers" attract when they disclose. That balance has hard limits, though: regulatory clocks run regardless of what other victims do. Under the HIPAA Breach Notification Rule, for example, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, so waiting for the crowd can never mean missing that deadline.
Anticipate the tough questions
A helpful message for hospitals facing a third-party incident is that the attack did not occur on their own systems. Patients, employees, partners, regulators and the media will not let healthcare organizations off the hook that easily, however. Hospital leaders should prepare answers to the questions they are likely to face, such as: Did you commission your own third-party forensic investigation to verify that your systems were not affected? What data did the vendor hold on your behalf, and what is the scope of the impact for your organization? How do you vet and monitor your vendors' security practices, both before onboarding and on an ongoing basis?
Look around the corner
Healthcare providers affected by a vendor incident should prepare for escalations, including prolonged downtime of the vendor's services, leaks of stolen data, extortion attempts by the threat actors (which may be aimed at downstream organizations as well as at the vendor), extended news cycles and more. Communications plans should cover these scenarios and account for the long tail that often follows a supply-chain attack.
Incorporate vendor risks into incident response plans
Incident response preparedness should account for the particular challenges of a vendor incident: the hospital does not control the forensic investigation, often learns of the breach late and second-hand, and may not know at first which of its data the vendor held. Plans should therefore include specific crisis communications protocols and scenario playbooks for supply-chain attacks, along with up-to-date vendor contact lists, a record of each vendor's contractual breach-notification obligations, and an inventory of which data and systems each critical vendor touches.
Practice for the big event
Health system leaders can and should map out a range of cybersecurity scenarios, including third-party vendor incidents, and run their teams through tabletop exercises against them. This surfaces the kinks and logjams in a communications plan early, while there is still time to fix them.
While hospital leaders lose some degree of control when a cyber attack occurs on one of their vendor’s systems, they can remove uncertainty around how they’ll respond by making a clear, comprehensive plan well ahead of time.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities.
©2025 FTI Consulting, Inc. All rights reserved. fticonsulting.com