Your healthcare organization faces an unprecedented challenge: the exponential growth of third-party vendor relationships has increased vulnerabilities across healthcare networks. As healthcare becomes increasingly dependent on external vendors for critical medical IoT devices and services, attackers increasingly exploit third-party access as a primary vector into healthcare networks.
Recent industry studies reveal alarming gaps in healthcare cybersecurity around vendor risk management. In the 2025 Healthcare Cybersecurity Benchmarking Study, 65% of respondents rated "Vendor/Supplier Cybersecurity Requirements" as an essential goal, while ECRI's Top 10 Health Technology Hazards for 2025 ranks "Vulnerable Technology Vendors and Cybersecurity Threats" as the #3 most critical risk facing the healthcare industry.
This growing threat demands your urgent attention and sophisticated risk management strategies. Let’s explore some practical approaches to third-party risk management for medical IoT that protect patient care without disrupting your clinical workflows.
Hidden Risks of Third-Party Vendor Ecosystems
Operating within complex ecosystems involving hundreds of third-party relationships creates opportunities for hidden risk. Internet of Medical Things (IoMT) third-party risks multiply for several reasons, including:
- Many medical devices have weak security controls due to outdated software, inadequate encryption, and a lack of built-in cybersecurity measures—manufacturers prioritize functionality over security.
- Third-party vendors often maintain remote access to networks for maintenance, updates, and support services, creating persistent entry points that bypass your traditional perimeter defenses.
When these access points lack proper security controls—such as multi-factor authentication, network segmentation, or continuous monitoring—cybercriminals target them to establish footholds within your network.
IoMT Devices: Soft Targets for Cyberattackers
IoMT devices are the most vulnerable components within your third-party ecosystems. Most IoMT devices are designed with functionality and regulatory compliance as the primary concerns, and cybersecurity is often sacrificed as a result. These devices frequently ship with default credentials, run unpatched firmware, and are weakly isolated from the rest of the network, all of which undermine third-party IoMT device security.
The proliferation of connected medical devices—from infusion pumps and patient monitors to imaging systems and smart building controls—significantly expands your attack surface, because every one of these third-party IoT devices is another entry point an attacker can exploit. Cybercriminals specifically target these devices because they understand you often struggle to maintain visibility into your IoMT inventory, leaving many devices unmonitored and unprotected.
Third-Party Breaches in Healthcare: Case Studies
Recent high-profile incidents demonstrate the devastating impact third-party vulnerabilities can have on your operations and patient safety. These breaches highlight how third-party cybersecurity risk can cascade throughout the healthcare ecosystem.
Change Healthcare Breach (2024)
In February 2024, the Russian ransomware group ALPHV/BlackCat attacked and breached UnitedHealth Group's (UHG) Change Healthcare, impacting nearly every American and exposing the protected health information (PHI) of at least 150 million individuals. Attackers gained access through compromised credentials for a Citrix portal used for remote access, exploiting the lack of multi-factor authentication. Despite paying the criminals a staggering $22 million ransom, UHG could not retrieve its data. The incident forced a complete shutdown of Change Healthcare's systems, disrupting prescription processing, claims submission, and payments across the entire US healthcare system.
CrowdStrike Breach (2024)
A fault in a software update CrowdStrike issued in 2024 caused widespread outages across multiple industries. In healthcare, the CrowdStrike update failure disrupted access to electronic medical records (EMRs), patient scheduling, and communication systems, forcing providers to delay procedures and fall back on manual processes. While not a cyberattack, this incident demonstrated how your dependencies on third-party services can create single points of failure with far-reaching consequences for patient care.
Kaiser Foundation Breach (2024)
The Kaiser Foundation Health Plan experienced a significant data breach in April 2024, affecting 13.4 million individuals. Tracking technologies embedded in Kaiser's websites and mobile apps caused the breach, inadvertently sharing user data with third-party platforms like Microsoft (Bing), Google, and X (Twitter). This incident illustrates how seemingly benign third-party integrations can create unexpected data exposure risks in your environment.
Elekta Oncology Attack (2021)
The Elekta oncology data breach occurred in April 2021, when cybercriminals targeted Elekta's cloud-based platform, which stores and transmits healthcare data for oncology providers. The attack led to ransomware deployment, compromising sensitive patient information across multiple healthcare organizations. This breach demonstrated how attacks on specialized medical technology vendors can impact numerous healthcare providers like yours simultaneously.
Why Traditional IoT Risk Assessments Are Failing Healthcare
Traditional risk assessments rely on periodic, questionnaire-based vendor assessments that provide only point-in-time snapshots of third-party risk. These traditional approaches fail to capture the dynamic nature of modern healthcare, where device configurations, network connections, and threat landscapes evolve continuously.
Too often, healthcare organizations treat cybersecurity as a "HIPAA issue" and approach it as a compliance consideration. However, cyber risks affect all aspects of care delivery and should be viewed as mission-critical.
The limitations of conventional risk assessments become particularly evident when you deal with IoMT devices. Without real-time visibility into how many devices connect to your networks, what data these devices can access, and how vendors interact with them remotely, it is nearly impossible to assess IoMT risk in real time. Without appropriate assessment, risks become hidden and unexpected.
It is time for all healthcare delivery organizations to move beyond static assessments. Our third-party risk webinar shows you how: it lays out practical frameworks for the continuous third-party risk monitoring that top healthcare systems are implementing today.
Smarter Third-Party Risk Management for IoT Medical Devices
Effectively managing third-party risk for medical IoT requires a fundamental shift from periodic compliance checks to continuous, risk-based monitoring and assessment. Here are comprehensive strategies that address the full lifecycle of vendor relationships and device management:
Inventory and Visibility
The foundation of your robust third-party risk strategy is comprehensive asset discovery and management. You must identify all internet-facing and network-accessible medical devices, including those third-party vendors manage.
Asset management, which connects closely to third-party and supply chain management, requires you to maintain a detailed inventory and understanding of all assets, including third-party hardware, software, data, and storage systems. This visibility extends beyond simply knowing what devices exist—you need real-time insights into device communications, vendor access patterns, and data flows to understand your true risk exposure.
Risk-Based Prioritization
Not all third-party relationships carry equal risk for your organization. You must develop sophisticated methods for identifying, assessing, and prioritizing high-risk vendor devices and ecosystems based on factors such as data sensitivity, patient safety impact, and attack likelihood. The low coverage of supply chain risk management across healthcare is especially concerning, as attackers have targeted third parties in the healthcare industry more and more each year. Effective prioritization enables your security teams to focus limited resources on the most critical vulnerabilities while ensuring lower-risk devices receive appropriate baseline protections.
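The two sections above describe an inventory that records which devices are vendor-managed and a prioritization that weighs data sensitivity, patient safety impact, and attack likelihood. The following is an added example, not Cylera's code or any product's scoring model: it builds a small inventory of connected medical devices, derives likelihood from the exposure factors the article lists (default credentials, unpatched firmware, internet exposure, vendor remote access without MFA, missing segmentation), and ranks the fleet so the riskiest vendor-managed devices surface first. The device names, vendors, and scoring weights are constructed assumptions for illustration.

```python
"""Vendor-managed IoMT inventory with risk-based prioritization.

Added example; not Cylera's code. Device names, vendor names and the
scoring weights below are constructed assumptions, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IoMTAsset:
    asset_id: str
    device_type: str
    vendor: str                 # third party that builds or maintains the device
    vendor_remote_access: bool  # vendor keeps a remote maintenance path open
    vendor_mfa: bool            # that remote path is protected by MFA
    segmented: bool             # device lives in an isolated network segment
    data_sensitivity: int       # 1 (no PHI) .. 5 (bulk PHI)
    patient_safety_impact: int  # 1 (none) .. 5 (direct harm if compromised)
    default_credentials: bool
    unpatched_firmware: bool
    internet_facing: bool


def attack_likelihood(a: IoMTAsset) -> int:
    """1..5: a base of 1 plus one point per exposure factor present."""
    factors = [
        a.default_credentials,
        a.unpatched_firmware,
        a.internet_facing,
        a.vendor_remote_access and not a.vendor_mfa,  # persistent path without MFA
        not a.segmented,
    ]
    return min(5, 1 + sum(factors))


def risk_score(a: IoMTAsset) -> int:
    """Likelihood x impact; impact is the worse of the data and safety consequences."""
    return attack_likelihood(a) * max(a.data_sensitivity, a.patient_safety_impact)


def tier(score: int) -> str:
    """Bucket a 1..25 score into an attention tier (constructed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    return "baseline"


def prioritize(inventory):
    """Return (asset_id, score, tier), highest risk first; ties go to the
    device whose compromise would hurt patients most, then by id."""
    ranked = sorted(
        inventory,
        key=lambda a: (-risk_score(a), -a.patient_safety_impact, a.asset_id),
    )
    return [(a.asset_id, risk_score(a), tier(risk_score(a))) for a in ranked]


def vendor_access_gaps(inventory):
    """Assets whose vendor remote-access path lacks MFA or network segmentation."""
    return [
        a.asset_id
        for a in inventory
        if a.vendor_remote_access and (not a.vendor_mfa or not a.segmented)
    ]


def vendor_exposure(inventory):
    """Worst-case score per vendor, so one weak vendor relationship stands out."""
    worst = {}
    for a in inventory:
        worst[a.vendor] = max(worst.get(a.vendor, 0), risk_score(a))
    return worst


# Constructed sample inventory (hypothetical devices and vendors).
INVENTORY = [
    IoMTAsset("pump-01", "infusion pump", "PumpCo", True, False, False, 3, 5, True, True, False),
    IoMTAsset("mri-02", "imaging system", "ScanCo", True, True, True, 5, 3, False, True, False),
    IoMTAsset("mon-03", "patient monitor", "MonitorCo", False, False, True, 4, 4, False, False, False),
    IoMTAsset("hvac-04", "building controls", "BuildingCo", True, False, False, 1, 2, True, False, True),
]

if __name__ == "__main__":
    for asset_id, score, level in prioritize(INVENTORY):
        print(f"{asset_id:8} score={score:2} tier={level}")
    print("vendor access gaps:", vendor_access_gaps(INVENTORY))
    print("worst score per vendor:", vendor_exposure(INVENTORY))
```

Note how the building-controls unit, which holds no PHI, still lands in the "high" tier purely on exposure: it is internet-facing, vendor-reachable without MFA, and unsegmented. That is the point of scoring likelihood separately from impact rather than ranking by data sensitivity alone.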
Continuous Monitoring and Threat Intelligence
Static risk assessments cannot keep pace with evolving threats and changing network conditions in your environment. You need continuous, real-time monitoring capabilities that can detect anomalous behavior, unauthorized access attempts, and emerging vulnerabilities across your third-party device ecosystem. This approach should incorporate threat intelligence feeds that provide early warning of attacks targeting specific vendors or device types, enabling you to take proactive rather than reactive security measures.
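Continuous monitoring of vendor access, as described above, amounts to checking each remote session against what the vendor relationship actually permits. The following added example (not Cylera's code, and not any product's detection engine) runs four such checks over constructed vendor VPN log lines: a session outside the agreed maintenance window, a session established without MFA, a vendor reaching a device outside its assigned asset set, and a burst of failed logins. The log format, vendor names, addresses, maintenance windows, and thresholds are all assumptions made up for the example.

```python
"""Rule-based detection over vendor remote-access events.

Added example; not Cylera's code. The log format, vendor policy table,
IP addresses and thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed policy: which devices each vendor may reach, and the agreed
# maintenance window (UTC hours, start inclusive, end exclusive).
VENDOR_POLICY = {
    "medpumpco": {"assets": {"10.20.5.11", "10.20.5.12"}, "window": (8, 18)},
    "imagingco": {"assets": {"10.20.7.3"}, "window": (8, 18)},
}
BURST_THRESHOLD = 3                 # failed logins ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this span raise one alert

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<iso-ts> <source> k=v k=v ...' into a dict with a UTC datetime."""
    ts_str, source, rest = line.split(" ", 2)
    ev = dict(KV.findall(rest))
    ev["source"] = source
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(lines):
    """Return (timestamp, vendor, rule) alerts, in the order the rules fire."""
    alerts = []
    failures = defaultdict(deque)  # (vendor, user) -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        vendor, ts = ev["vendor"], ev["ts"]
        policy = VENDOR_POLICY.get(vendor)
        if policy is None:
            # An access path for a vendor the inventory does not know about.
            alerts.append((ts, vendor, "UNKNOWN_VENDOR"))
            continue
        start, end = policy["window"]
        if not start <= ts.hour < end:
            alerts.append((ts, vendor, "OUT_OF_WINDOW"))
        if ev["result"] == "success":
            if ev.get("mfa") != "yes":
                alerts.append((ts, vendor, "NO_MFA"))
            if ev["dst"] not in policy["assets"]:
                alerts.append((ts, vendor, "SCOPE_VIOLATION"))
        else:
            q = failures[(vendor, ev["user"])]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()  # drop failures that fell out of the window
            if len(q) == BURST_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append((ts, vendor, "FAILED_LOGIN_BURST"))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per rule, e.g. for a daily vendor-access report."""
    return dict(Counter(rule for _, _, rule in alerts))


# Constructed sample log, in chronological order.
SAMPLE_LOG = [
    "2025-03-01T02:14:07Z vpn vendor=medpumpco user=medpumpco-svc src=198.51.100.9 dst=10.20.5.11 action=login result=success mfa=no",
    "2025-03-01T10:05:12Z vpn vendor=medpumpco user=medpumpco-svc src=203.0.113.7 dst=10.20.5.11 action=login result=success mfa=yes",
    "2025-03-01T10:06:40Z vpn vendor=medpumpco user=medpumpco-svc src=203.0.113.7 dst=10.20.5.12 action=login result=success mfa=yes",
    "2025-03-01T11:30:00Z vpn vendor=imagingco user=imagingco-fe src=203.0.113.20 dst=10.20.5.11 action=login result=success mfa=yes",
    "2025-03-01T11:40:05Z vpn vendor=imagingco user=imagingco-fe src=203.0.113.20 dst=10.20.7.3 action=login result=failure mfa=yes",
    "2025-03-01T11:40:30Z vpn vendor=imagingco user=imagingco-fe src=203.0.113.20 dst=10.20.7.3 action=login result=failure mfa=yes",
    "2025-03-01T11:41:10Z vpn vendor=imagingco user=imagingco-fe src=203.0.113.20 dst=10.20.7.3 action=login result=failure mfa=yes",
    "2025-03-01T11:41:45Z vpn vendor=imagingco user=imagingco-fe src=203.0.113.20 dst=10.20.7.3 action=login result=failure mfa=yes",
    "2025-03-01T12:00:00Z vpn vendor=unlisted user=contractor src=192.0.2.44 dst=10.20.9.1 action=login result=success mfa=yes",
]

if __name__ == "__main__":
    for ts, vendor, rule in analyze(SAMPLE_LOG):
        print(ts.isoformat(), vendor, rule)
    print(summarize(analyze(SAMPLE_LOG)))
```

The scope check is where continuous monitoring and the asset inventory meet: it only works if the inventory records which devices each vendor is contracted to maintain, which is why the two capabilities are built together rather than in isolation.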
Conclusion
Healthcare's increasing reliance on third-party vendors and IoMT devices has created complex security challenges that demand sophisticated risk management approaches. Traditional compliance-focused assessments are insufficient to address the dynamic, interconnected nature of your modern healthcare IT environment. To properly cover your healthcare environment, you must adopt comprehensive strategies that provide continuous visibility, enable risk-based prioritization, and support proactive threat detection across your entire third-party ecosystem.
Join Cylera for a Smarter Approach to Third-Party Risk Management
Ready to transform your organization's approach to third-party risk management? Cylera's comprehensive webinar, "Connected, Compliant, and Secure: Practical Third-Party Risk Management for Medical IoT," provides in-depth coverage of modern risk management strategies specifically designed for healthcare environments like yours. Learn how leading healthcare organizations implement practical solutions that strengthen security without overwhelming IT teams, moving beyond basic compliance to build true resilience across clinical systems. Discover the proven tools and frameworks that top healthcare systems use to secure IoMT devices and protect patient care from emerging threats.
Watch the full webinar now for actionable insights you can implement immediately in your organization.