A comprehensive Q4 2025 flash survey from Black Book has exposed a structural weakness at the heart of modern healthcare, revealing that the very digital tools designed to enhance patient care have become the primary conduits for cyberattacks. The study, which gathered insights from 427 senior IT and security executives across nine countries with high rates of data breaches, points to a clear and present danger: third-party vendors, especially those providing Electronic Health Record (EHR) and Artificial Intelligence (AI) platforms, are now the main drivers of security incidents and patient privacy violations. This shift in the threat landscape challenges the long-held belief that outsourcing digital infrastructure to specialized vendors inherently reduces risk, indicating instead that it has merely transferred the risk to environments outside a healthcare organization’s direct control. The findings signal an urgent need for a fundamental re-evaluation of how healthcare providers manage their sprawling and increasingly complex ecosystems of digital suppliers.
The Great Migration of Cyber Risk
For years, the prevailing wisdom in healthcare IT suggested that moving to cloud-based EHRs, adopting AI-driven analytics, and utilizing managed services would offload the significant burden of internal security management. However, the survey data paints a starkly different picture, one where this transition did not eliminate risk but rather relocated it to vendor-controlled environments. According to the research, provider organizations now find themselves in a precarious position of extreme dependency on these external platforms. This reliance is often coupled with a dangerous lack of the necessary tools, contractual leverage, and operational visibility required to govern these third parties effectively. This migration has created a new paradigm where the greatest threats are no longer inside the hospital’s walls but are embedded within the supply chain of technology partners who are integral to daily operations, turning a strategy meant to simplify security into a complex new challenge.
This alarming trend is quantified by several key data points from survey respondents across all nine nations studied. An overwhelming 80% of Chief Information Security Officers (CISOs) confirmed that their most significant emerging cyber risk for the upcoming year, 2026, stems directly from their EHR, AI, and cloud health IT vendors. This is not a theoretical threat; 69% of these organizations have already experienced at least one major security incident or a serious near-miss within the last 24 months that was directly traceable to a vendor’s platform, a third-party integration, or a managed service provider. Compounding this problem is a profound crisis of confidence in existing defenses. A staggering 91% of cybersecurity leaders confessed that their current third-party risk management programs are either “not adequate” or “barely adequate” to handle the intricate security demands of modern digital health and AI ecosystems, leaving them dangerously exposed.
A Global Consensus on Vendor Vulnerability
While the overarching theme of vendor risk is consistent globally, the survey highlights unique challenges and varying degrees of impact across the nine countries. The situation is particularly dire in India, where 96% of respondents reported vendor-linked data breaches or privacy violations, and 90% identified AI and analytics vendors specifically as their fastest-rising source of risk. In Brazil, the consequences are felt directly in patient care, with 78% of CISOs reporting vendor-originated breaches and 61% of those events leading to a direct disruption of clinical services. The operational fallout was also severe in South Africa, where 71% of leaders cited third-party EHR or billing platforms in a major incident, and more than half of those events caused multi-day system downtime that crippled the ability to deliver care.
This global consensus extends to other developed nations facing their own distinct but related challenges. Canadian CISOs reported that 72% have confronted vendor-driven privacy incidents, and a nearly unanimous 98% identified the governance of cross-border data flows with their predominantly U.S.-based vendors as a top and highly complex hurdle. In Saudi Arabia, where 67% of organizations have experienced vendor-related security incidents, the issue has captured leadership’s attention, leading to 72% of CISOs reporting that board-level focus on supplier cyber risk has “significantly increased” in the past year. Similarly, in Singapore, while incident rates were slightly lower, 93% of security leaders stated that regulatory expectations for vendor oversight are advancing far more rapidly than their organizations’ capabilities can currently meet, creating a dangerous compliance and security gap.
Identifying the Highest Risk Platforms
Across the global landscape, CISOs identified four primary categories of vendors as posing the most immediate and significant risk to their organizations. At the top of the list are the core EHR and clinical systems, including cloud-based record platforms and practice management software that form the very backbone of clinical operations. Following closely are the AI and machine learning-enabled analytics and decision support tools, which are increasingly used for sophisticated tasks like medical imaging analysis and clinical decision support. The third category includes intermediary and integration platforms, such as health information exchanges (HIEs) and API gateways that facilitate the critical flow of data between disparate systems. Finally, “digital front door” and patient engagement solutions, encompassing everything from patient portals and mobile health apps to telehealth platforms, were flagged as a major source of vulnerability.
Within these high-risk categories, cybersecurity leaders expressed a consistent set of profound concerns that go beyond simple software bugs. A major issue is the presence of weak or opaque security controls within the multi-tenant cloud environments where many of these platforms reside, where a misconfiguration or compromise affecting one tenant can expose another organization’s data. Vendors were also cited for inconsistent patching and vulnerability management, leaving known, publicly disclosed vulnerabilities unpatched and open to exploitation. A severe lack of transparency into AI model security, data handling practices, and the provenance of training data was a particularly acute concern. Furthermore, leaders pointed to immense challenges in managing identity and access across both internal and vendor-hosted systems, where accounts, privileges, and integration credentials span organizational boundaries and leave gaps that no single party fully owns. All of this is amplified by significant legal and regulatory uncertainty, especially where AI and cross-border data transfers intersect with complex health privacy laws.
An Escalation to Patient Harm and Systemic Distrust
A critical finding from the report was the clear evidence that the consequences of these vendor-linked failures now extend far beyond data exfiltration and regulatory fines, increasingly causing tangible harm to patient care and undermining the foundation of digital health initiatives. The survey found that 67% of organizations have experienced direct clinical disruption or operational downtime in the last two years stemming from a vendor outage or cyber event. This translates into real-world crises, such as clinics being forced to suspend operations or critical oncology pathways being disrupted because a partner’s platform was compromised or simply offline. This operational impact has rightfully elevated the issue to the highest levels of governance, with nearly all respondents—98%—reporting board-level concern that incidents involving AI and EHR vendors could seriously erode patient trust in all digital health programs.
The repercussions also manifest in escalating financial and operational pressures that threaten the long-term viability of digital transformation. A decisive 95% of IT leaders stated that renewing their cyber insurance policies has become significantly more difficult or expensive, precisely because of the poorly understood and poorly managed risks associated with their third-party vendors and opaque AI systems. In response, CISOs outlined a series of strategic actions for 2026 aimed at regaining control. These priorities include embedding rigorous, non-negotiable cybersecurity requirements into all new EHR and AI procurement contracts, standardizing third-party risk assessments, and implementing continuous monitoring across all vendors. The ultimate message from the Black Book survey is an unequivocal call to action: the vulnerability of EHR and AI vendors is no longer a peripheral IT problem but has become a top-tier systemic risk to patient safety, continuity of care, and public confidence in the healthcare system.
