Report: AI, third-party risks open gaps in healthcare cybersecurity

Editor's Note

Serious cybersecurity vulnerabilities remain in healthcare despite significant improvements in recent years, according to a July 16 MedCity News report on recent data from cybersecurity firm Fortified Health Security.

Fortified’s research, which reportedly draws on NIST CSF data and first–hand experience from the field, assesses the state of cybersecurity in healthcare. Company CEO Dan Dodson told MedCity News that governance, response planning, and risk assessments have improved over the past five years, driven by high-profile breaches and growing regulatory scrutiny. However, he emphasized that attackers are continually evolving, and health systems must advance their defenses accordingly.

According to the article, a common gap is that many providers conduct cybersecurity risk assessments but fail to act on their findings. Dodson stressed that these evaluations should go beyond “check-the-box” compliance. Many organizations still face vulnerabilities because they adopted advanced tools before establishing core protections like patching, password controls, and access restrictions.

Dodson identified three major cybersecurity challenges currently facing providers:  

• Artificial intelligence (AI). Although providers are eager to adopt AI tools, many lack governance frameworks, and attackers already are using AI.
• Third-party risk. Healthcare providers typically work with hundreds of external vendors, and a single vulnerability in one partner’s system can jeopardize the entire network. 
• Budget constraints. Dodson noted that some providers, especially smaller or rural ones, understand basic cybersecurity principles but lack the funding to implement them fully. Competing organizational priorities often force difficult tradeoffs.

The most resilient providers are those that commit to a cybersecurity framework, such as HITRUST or NIST, and begin execution without delay, Dodson told MedCity News.