Cybersecurity of healthcare facilities: a cyber risk increased by providers.

A risk that extends well beyond the internal information system of healthcare facilities.

Healthcare organisations have long focused their cybersecurity efforts on their own internal systems: securing the hospital information system (HIS), hardening the patient information system (PIS), protecting networks, and monitoring connected biomedical devices. This approach remains essential, but it no longer reflects the operational reality of the sector.

Today, hospitals, clinics and laboratories operate within a fragmented digital ecosystem, where a significant proportion of critical functions rely on external service providers.

Data from CERT Santé clearly illustrates this trend: 764 cyber incidents were reported in 2025, representing a nearly 30% increase in one year. *

Over 40% of the affected organisations had to operate in degraded mode, and more than half of the incidents were not the result of malicious acts, but of breakdowns, errors, unavailability or provider failures.

In a sector where continuity of care is vital, this indirect exposure is one of the main factors contributing to vulnerability. A healthcare organisation may be perfectly secure yet still be paralysed by an incident occurring at a third party.

* DIGITAL HEALTH AGENCY. Over 700 hospital directors mobilised to gauge perceptions of cyber risk [online].

Third-party providers in the medical field: critical dependencies and recent incidents

The daily operation of a healthcare facility relies on a wide range of digital services provided by external providers: EHR, RIS/PACS, biology platforms, health data hosting, billing solutions, coordination tools, telemedicine, connected biomedical devices, and more.

These services are so closely intertwined that they constitute a true extension of the hospital information system.

This dependence is all the more critical as these providers often operate in a shared mode. Whether it is an EHR publisher, a telecommunications operator, or a health data host, the same actor can support hundreds of establishments.

The failure of a single provider can therefore lead to a domino effect on a territory, or even on an entire sector of the healthcare system.


Recent cyber incidents that illustrate this reality

Beyond the theoretical risk associated with partners, several recent incidents demonstrate the very real impact that IT service provider failures can have on healthcare organisations.

We can of course mention the recent Cegedim case: on the one hand, the unavailability of billing and electronic claims submission services, which led to payment delays, an increased administrative burden and tensions with both patients and payers; and on the other hand, the major incident in February 2026 affecting the MLM software, which involved a massive breach of personal data.

The example of Dedalus highlights the critical role played by hospital software providers. The temporary unavailability of critical systems led to difficulties accessing patient records, the postponement of procedures and disruption to teams. In a clinical setting, an EHR outage is more than just an IT incident: it becomes an operational incident.

Teleradiology also illustrates this fragility. The unavailability of Telediag revealed how essential interpretation solutions have become, resulting in exams being put on hold, diagnostic delays and forced prioritisation.

Finally, the CrowdStrike incident, although outside the health sector, highlighted the systemic vulnerability induced by dependence on a central technology provider. In the field of healthcare, a comparable actor, such as a healthcare data host, a strategic software publisher or a national IT outsourcer, could be responsible for an unprecedented interruption.

In all these situations, the same observation holds: even when the establishment does not control the cause of the incident, it nevertheless bears its full effects.

Cyber insurance: a lever of resilience against failures of service providers.

In the face of growing exposure to supplier failures, cyber insurance is no longer limited to providing financial cover.

In the healthcare sector, it has become an essential tool for ensuring continuity of care, helping to mitigate the impact of an external failure and supporting the organisation in its crisis management efforts.

The cyber insurance policy must therefore be designed to address the scenarios actually encountered in the sector. Most claims involving technology providers do not result from cyber attacks, but from technical failures, which equally lead to the unavailability of services for their clients.

A truly tailored cyber insurance policy must therefore cover the consequences of a breakdown or failure at an IT service provider, whether it be a HIS or EHR software vendor, an RIS/PACS operator, a healthcare data host, an IT service provider, a network operator or a backup solutions provider.


In this context, a bespoke cyber insurance policy will cover not only the standard crisis management services provided by technical, legal and communications experts, as well as system restoration and remediation costs, but also financial losses arising from the disruption of healthcare services or operational disruption caused by IT provider failures.

Depending on the nature of the organisation's activities and its level of dependence on other providers critical to its operations, beyond IT providers, consideration should also be given to extending the cover to include any supplier failure. Such an extension allows the cyber insurance policy to respond to a failure by these essential partners and to cover any financial losses that may result.

Furthermore, in a sector where trust is paramount to business operations, some cyber insurance policies also offer cover designed to address reputational risks. This cover is no longer limited to the costs of crisis communication but also provides compensation for quantifiable financial loss when an incident, including one attributable to a third party, damages the institution's image or credibility.

This cover may be triggered following a service outage, a health data breach or the failure of a critical service provider, provided that such situations result in a loss of confidence on the part of partners, regulatory authorities or the local ecosystem, with a measurable impact on the organisation’s financial results.

These essential coverages complement the standard 'business interruption' cover provided by policies and strengthen the overall framework for covering the financial losses of stakeholders in the healthcare sector.

One final point deserves particular attention: the waiver clauses frequently imposed by hosts and other IT service providers on their clients.

In order to manage their exposure, insurers intend, where a claim involves the liability of a third party, to be able to seek recourse against the service provider responsible for the incident. However, many IT service providers impose clauses in their contracts requiring their clients—whether healthcare institutions or organisations in other sectors—to waive their right of recourse against them.

These contractual provisions can undermine insurance cover, or even lead to a reduction in or refusal of compensation if the insurer has not been informed in advance of the existence of such clauses, which deprive the insurer of any recourse against the liable third party.

In the absence of specific amendments to the cyber insurance policy, acceptance of these waivers of recourse has the effect of transferring the financial risk to the healthcare provider.

What should be remembered?

The cyber risk for healthcare actors follows an ecosystem risk logic. Establishments remain exposed to the exploitation of technical vulnerabilities in their information system and to the risk of ransomware, but in a highly interconnected environment, each technological dependency expands the scope of exposure and reinforces the need for a comprehensive approach integrating the technical, organisational, contractual and insurance dimensions.

In this context, a properly structured cyber insurance policy is an operational lever of resilience for healthcare actors. It makes it possible to secure critical dependencies, cover the consequences of provider failures, anticipate contractual risks, and strengthen the capacity of establishments to deal with risks related to third parties.

The current market conditions offer an opportunity for institutions capable of demonstrating structured cyber governance: high insurance capacities, low vulnerabilities, and solutions adapted to the operational realities of the sector.

Need to discuss your exposure to cyber risk?

Are you a healthcare facility that relies on critical providers? Contact our Medical & Life Sciences Sector Director and our cyber experts to secure your continuity of care against cyber risks and third-party failures.

  • Camille Rougé, Sectors Director and Medical and Healthcare Sector Director
  • Alexandre Pavlov, Cyber Technical Referent
  • Sylvie Ménashé, Commercial Director for Financial Lines
  • Muriel Pasco, Director of Cyber and Tech PI Risks