Remote Access Vulnerabilities: Why 48% of 2024 Data Breaches Came Through Third-party Connections
Nearly half of 2024’s data breaches (48%) were caused by third-party access vulnerabilities, especially in healthcare.
Here’s what you need to know:
- Healthcare organizations rely on 250–500 vendors on average, but 63% lack clear oversight of vendor permissions.
- 50% don’t fully track third-party access or monitor vendor compliance effectively.
- Stolen vendor credentials and excessive access rights are the leading causes of breaches, with 70% involving overly permissive accounts.
- Major breaches like HealthEquity (4.3M records) and Ascension Health (5.6M records) highlight the urgent need for better vendor access controls.
Quick Fixes:
- Implement Zero Trust and role-based access controls.
- Conduct regular vendor security assessments and limit access duration.
- Use automated tools for real-time activity tracking and breach detection.
Take action now to secure third-party access and protect sensitive data.
Managing & Mitigating Security Risks from Third-Party Vendors
Third-Party Security Risks in Numbers
Third-party breaches grew by 6.5% from 2023 to 2024, now making up 35.5% of all reported breaches [2].
Healthcare Vendor Security Challenges
The vast networks in healthcare create large attack surfaces that require constant monitoring [1]. Here's a breakdown of the main challenges in managing vendor connections [1]:
Challenge | Impact |
---|---|
Vendor Access Visibility | 63% lack clear visibility into vendor permissions [1] |
Access Management | 50% cannot track the total number of third-party users [1] |
Regulatory Compliance | 56% report low effectiveness in ensuring third-party compliance [1] |
Resource Strain | 73% say managing vendor access is overwhelming [1] |
These issues highlight the growing complexity of securing third-party connections.
2024 Third-Party Breach Statistics
In 2024, the healthcare, pharmaceutical, and biotechnology sectors made up 22% of all third-party breaches [2]. Attack patterns shifted, with technology product compromises dropping from 75% in 2023 to 46.75% in 2024 as attackers diversified their methods [2].
"The number of data breaches stemming from third parties is likely higher since the third-party component of data breaches is not always disclosed." [2] - SecurityScorecard
Supply chain attacks surged, with 41.4% of incidents involving a third-party element [2]. Specifically, 32.2% of breaches in the healthcare sector were tied to third-party compromises [2].
Major Third-Party Breaches in 2024
HealthEquity: 4.3M Records Exposed
In March 2024, HealthEquity experienced a breach affecting data for 4.3 million individuals, including 13,480 residents of Maine [3]. Attackers exploited compromised vendor credentials to access sensitive information stored on a SharePoint server [3].
The exposed data included:
- Names, addresses, and employer information
- Social Security numbers
- Dependent details
- Payment card information (excluding card numbers and HealthEquity debit card details)
HealthEquity responded by immediately disabling the compromised vendor accounts, terminating active sessions, blocking malicious IP addresses, resetting global passwords, and offering two years of free identity and credit monitoring to those affected.
"The use of third parties as an initial access vector is an escalating threat, and this brings third-party risk management directly into focus." - Mike Hamilton, founder and CISO of Critical Insight [3]
Another major breach further highlighted the growing risks tied to third-party vulnerabilities.
Ascension Health: 5.6M Patient Records Compromised
In May 2024, Ascension Health suffered a ransomware attack that became the third-largest healthcare data breach of the year, compromising 5,599,699 patient records [4]. The breach began when an employee downloaded a malicious file, allowing attackers to move laterally within the system and deploy ransomware [4].
The attack had far-reaching consequences for Ascension's operations:
Impact Area | Details |
---|---|
Financial Loss | $1.8 billion operating margin loss |
System Recovery | 6 weeks to restore electronic medical record access |
Facility Operations | 8–12% drop in facility volumes (May–June 2024) |
Infrastructure | 7 servers compromised out of 25,000 |
The immediate fallout included:
- Diverted ambulances
- Closed pharmacies
- Offline critical IT systems
- Delayed or rescheduled medical procedures
"We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear, however, that this offer does not mean we have determined that any specific individual patient's data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals' data." - Ascension [4]
These incidents highlight the growing need to tighten third-party access controls and improve cybersecurity measures in the healthcare sector.
Common Third-Party Security Gaps
Third-party data breaches have become a major concern, with 59% of organizations experiencing breaches tied to third-party involvement. Additionally, 54% of these breaches were caused by compromises within their third-party vendors' systems [6].
Stolen Vendor Credentials
Unauthorized access to networks accounts for 40% of third-party breaches [6]. Several factors contribute to this vulnerability:
Security Gap | Impact |
---|---|
Insufficient Vendor Vetting | 51% of organizations fail to assess third parties before granting access to their systems. |
Weak Authentication Practices | 35% of organizations are unaware of how cyberattacks occurred. |
Limited Resources | 41% report inadequate resources to manage third-party risks effectively. |
"Third‐party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent." - Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata [5]
In addition to stolen credentials, granting excessive access rights to vendors heightens the risks.
Excessive Access Rights
Overly permissive access is a major issue, with 70% of breaches involving excessively privileged vendor accounts [6]. Alarmingly, 82% of companies unintentionally allow third parties access to their entire cloud data, and 76% maintain roles that could enable a complete account takeover [6]. Common problems include assigning admin-level privileges and failing to implement role-based access controls.
But that’s not all - poor monitoring practices make these issues even worse.
Poor Access Monitoring
A lack of effective monitoring leaves organizations vulnerable. In fact, 58% of businesses don’t have consistent strategies for managing privileged access risks [5].
Challenge | Statistics | Impact |
---|---|---|
Limited Resources | 44% struggle with managing permissions effectively. | Leads to reduced oversight. |
Visibility Issues | 35% don’t know how attacks occurred. | Slows down breach detection. |
Ripple Effects | An average of 4.73 companies are impacted per compromised vendor. | Amplifies the damage. |
These gaps have real-world consequences. Over half (53%) of organizations have faced the loss or theft of sensitive data, while 50% have been hit with regulatory fines due to third-party breaches [5]. Looking ahead, 64% of security professionals expect these breaches to rise or remain at high levels in the next 12–24 months [5].
Steps to Secure Third-Party Access
Addressing vulnerabilities tied to third-party access requires clear and effective measures. Since many organizations lack visibility into vendor permissions, structured protocols are essential to minimize risks.
Vendor Security Assessment Steps
A systematic evaluation of third-party security practices is critical. This process should focus on three main areas:
Assessment Area | Key Components | Implementation Steps |
---|---|---|
Initial Screening | Compliance checks, Security reviews | Document vendor security measures, Confirm certifications |
Access Requirements | Analyze system needs, Scope permissions | Define minimum access levels, Assess data sensitivity |
Compliance Validation | Regulatory compliance, Reporting review | Check breach reporting processes, Evaluate HIPAA compliance |
These steps create a strong foundation for managing vendor access securely.
Access Control Best Practices
Managing third-party permissions can be resource-intensive - 73% of organizations report this as a challenge [1]. To address this, implement effective access controls such as:
Control Measure | Implementation Goal |
---|---|
Zero Trust | Verify every access attempt |
Role-Based Access | Restrict permissions to necessary functions |
Access Duration Controls | Set time limits for vendor access |
Pair these measures with ongoing monitoring to ensure long-term effectiveness.
Security Monitoring Systems
Since 52% of organizations highlight poor breach reporting by third parties [1], robust monitoring systems are essential. Key strategies include:
- Real-Time Activity Tracking: Implement automated tools to log and monitor all access attempts to critical systems.
- Automated Alert Systems: Use intelligent software to detect and flag suspicious activities immediately.
- Regular Access Reviews: Conduct monthly audits of vendor permissions to remove unnecessary access.
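The access-duration, role-based and monitoring controls described above, as an added Python illustration (not code from the article or from Censinet RiskOps™): it reviews a constructed vendor access register against a role policy, then checks constructed access-log lines for use after expiry, actions outside the role, and unknown vendor accounts. All account names, permissions and log lines are constructed sample data.

```python
# Added illustration (not the article's or any vendor's code); all data below is constructed.
from datetime import datetime, timezone

# Constructed policy: the permissions each vendor role legitimately needs.
ROLE_PERMS = {"billing-vendor": {"claims:read", "claims:export"},
              "imaging-vendor": {"pacs:read"}}

# Constructed access register: every vendor grant carries a role and an expiry date.
VENDOR_GRANTS = [
    {"account": "v-billco", "role": "billing-vendor",
     "perms": {"claims:read", "claims:export"}, "expires": "2024-06-30T00:00:00Z"},
    {"account": "v-imagco", "role": "imaging-vendor",
     "perms": {"pacs:read", "admin:*"}, "expires": "2024-12-31T00:00:00Z"},
]

# Constructed access log: "timestamp account action", one event per line.
ACCESS_LOG = """\
2024-07-02T03:14:00Z v-billco claims:read
2024-07-02T09:05:00Z v-imagco pacs:read
2024-07-02T09:06:00Z v-imagco admin:*
2024-07-02T11:40:00Z v-ghost claims:read
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_grants(grants, now):
    """Periodic access review: flag expired grants and permissions beyond the role."""
    findings = []
    for g in grants:
        if parse_ts(g["expires"]) <= now:
            findings.append((g["account"], "expired-grant"))
        for p in sorted(g["perms"] - ROLE_PERMS.get(g["role"], set())):
            findings.append((g["account"], f"excess-perm:{p}"))
    return findings

def review_log(grants, log_text):
    """Activity monitoring: unknown accounts, use after expiry, actions outside the role."""
    by_acct = {g["account"]: g for g in grants}
    alerts = []
    for line in log_text.splitlines():
        ts, acct, action = line.split()
        g = by_acct.get(acct)
        if g is None:
            alerts.append((ts, acct, "unknown-vendor-account"))
        elif parse_ts(ts) > parse_ts(g["expires"]):
            alerts.append((ts, acct, "use-after-expiry"))
        elif action not in ROLE_PERMS[g["role"]]:  # role policy, not the grant, so over-provisioning is caught
            alerts.append((ts, acct, f"action-outside-role:{action}"))
    return alerts
```

Checking the log against the role policy rather than the grant is deliberate: an over-provisioned permission is still flagged even though it was formally granted.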
Risk Management with Censinet RiskOps™
To streamline oversight, integrate these controls with a risk management platform like Censinet RiskOps™. This platform automates assessments and provides continuous monitoring, cutting risk assessment times to under 10 days on average, with reassessments often completed in less than a day.
"Third-party access is an entryway to a hallway of doors that lead to critical systems, networks, and information", says Tori Taylor, Communications Specialist at SecureLink, an Imprivata Company [1].
Conclusion
Remote access vulnerabilities increase cybersecurity risks in healthcare, largely due to limited oversight of vendors and complex permission management systems [1]. To address these challenges, healthcare organizations need focused strategies to secure third-party access effectively.
Here are three key areas healthcare organizations should prioritize to reduce the risk of third-party breaches:
Vendor Assessment and Compliance
Conduct thorough vendor evaluations regularly. Use automated tools to monitor compliance and ensure vendors meet security standards [1].
Access Control Implementation
Adopt Zero Trust principles and role-based access controls to safeguard sensitive patient data and critical systems in an ever-evolving threat environment.
Continuous Monitoring and Review
Regularly review vendor permissions and use automated monitoring systems. For high-risk vendors, perform detailed assessments at least twice a year to catch potential threats early.
FAQs
How can healthcare organizations better manage third-party vendor access to prevent data breaches?
To reduce the risk of data breaches caused by third-party vendor access, healthcare organizations should adopt a proactive approach to managing permissions and monitoring risks. Start by implementing robust access controls to ensure vendors only have access to the systems and data they need. Regularly reviewing and updating these permissions is also essential.
Using advanced tools like AI-driven risk management platforms can help automate third-party assessments, making it easier to identify and address vulnerabilities before they become threats. Additionally, continuous monitoring of vendor activities and conducting comprehensive third-party risk assessments can significantly enhance oversight and reduce exposure to potential breaches.
How do Zero Trust principles and role-based access controls help protect against third-party access vulnerabilities?
Zero Trust principles and role-based access controls (RBAC) play a key role in reducing third-party access risks. Zero Trust operates on the idea of "never trust, always verify", requiring strict identity verification for every user and device before granting access. This ensures that only verified and authorized entities can interact with your systems.
RBAC complements this by limiting access to only what is necessary for a user’s specific role. By assigning permissions based on job functions, you minimize the potential attack surface and prevent unauthorized access to sensitive data. Together, these strategies provide a layered approach to protecting your organization from third-party vulnerabilities while enabling greater control and visibility over access points.
Why is it important to continuously monitor and review vendor access in the healthcare sector?
Continuous monitoring and regular review of vendor access are essential in the healthcare sector to protect sensitive patient data and prevent breaches. Third-party connections often introduce vulnerabilities, and without proper oversight, they can become entry points for cyberattacks.
By implementing strict access controls, monitoring vendor activities, and regularly auditing permissions, healthcare organizations can minimize risks and ensure that only authorized individuals have access to critical systems. These proactive measures help safeguard patient privacy and maintain compliance with regulatory standards.