Healthcare sector faces persistent supply-chain security, identity management challenges
Healthcare sector faces persistent supply-chain security, identity management challenges
Publish Date: 2026-07-14 11:50:00
Source Domain: www.cybersecuritydive.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
Dive Brief:
Dive Insight:
Healthcare organizations face one of the largest volumes of cyberattacks of any critical infrastructure sector, and those intrusions can also be some of the costliest. The new data from Fortified paints a picture of a healthcare industry struggling to combat ransomware attacks and other security compromises.
In the first half of 2026, according to the report, the average healthcare organization encountered 60% more vulnerabilities rated critical or high on the severity scale than in the first half of 2025. Organizations are discovering more problems than they can fix. “This isn’t the story of a single catastrophic breach,” researchers wrote. “It’s the story of visibility outpacing capacity.”
Two areas of cybersecurity continue to bedevil healthcare providers the most: supply-chain risk management, and identity management and access control.
Organizations identified six times more supply-chain risks in the first half of 2026 than they did in the first half of 2025, Fortified said. Nearly two-thirds of those risks constituted critical or high-severity vulnerabilities. Hospitals and other healthcare facilities rely on dozens of technology vendors, from hardware manufacturers to software developers, and as the Change Healthcare crisis demonstrated, a breach at any one of those suppliers could have cascading effects throughout the industry. “Assessments are exposing third-party risk gaps that many healthcare organizations have no current program to address,” the report said, “and they are struggling to remediate them once they are identified.”
Protecting user accounts from compromise and misuse remains an equally stressful challenge for healthcare organizations, many of which lack the security personnel to carefully track employees’ arrivals and departures and either provision or deactivate their accounts accordingly. The presence of traveling nurses and contract physicians in many healthcare facilities makes these access-control challenges even more daunting, particularly for small providers.
Healthcare organizations identified four times more vulnerabilities related to identity and access control during the first six months of 2026 than they did during the same period in 2025, according to Fortified’s report.
“We’re seeing real improvement in the organizational processes around Identity and Access Management (IAM),” researchers wrote, “but the underlying work, authenticating users, services, and hardware, and protecting, conveying, and verifying identity assertions, continues to challenge teams.
In the first half of 2026, 92% of healthcare network domains had an administrator account with a password that hadn’t been updated in more than three years, according to Fortified.
While the new report discusses many security challenges, it places particular emphasis on identity.
“Identity maintenance will never be the exciting part of cybersecurity,” Fortified said. “It is a quiet, extremely critical part of it though: it closes the doors most attackers walk through.”
The report also covers security mitigations for legacy medical devices. “Contain what you can’t replace,” Fortified said of end-of-life equipment such as MRI machines, urging providers to place such equipment behind strict firewalls and to “never, never” run outdated equipment on domain administrator accounts. “One forgotten, over-privileged system is all an attacker needs to move laterally across everything else.”
Another emphatic recommendation addresses incident-response preparedness.
Healthcare organizations are used to crises, but responding to cybersecurity incidents takes practice. Fortified said providers need to build “operational muscle memory” before breaches so they can respond effectively and in a coordinated way.
Doctors, nurses and their staff should train for cyberattacks like firefighters, Fortified said. Even rural fire departments that rarely deal with major blazes maintain the equipment, personnel, and training standards necessary to respond to much larger crises. Healthcare facilities should follow the same approach, according to Fortified.
“Emergency responders understand something deeply important: probability does not change responsibility,” researchers wrote. “Eventually, a serious incident will occur. The only question is whether the organization is operationally prepared when it happens.”