Over 80 percent of stolen protected health information (PHI) so far this year didn’t come from hospitals… it came from their vendors, according to a Becker’s Hospital Review update on PHI cybersecurity. Even more striking, more than 90 percent of hacked health records were stolen from outside the EHR.
Those two numbers redefine where healthcare security risk truly lies. The typical hospital’s firewall isn’t the front line anymore. Risk surfaces include:
- Analytics platforms
- Billing services
- Patient-engagement tools
- Telehealth systems
- Business associates
- Health plans
…and more
Protecting patient data in 2025 requires understanding that your vendors’ infrastructure is part of your own security posture.
Why vendor breaches dominate today’s threat landscape
Healthcare’s rapid digital expansion has created a tangled web of integrations. Systems for scheduling, claims, population health, and remote monitoring all exchange PHI with external partners. Each of those partners stores and processes data on hosting infrastructure that the hospital doesn’t control.
Most of the large-scale breaches reported to the Office for Civil Rights so far this year have stemmed from vulnerabilities in vendor infrastructure, like misconfigured cloud environments, unsecured backups, or lax access management.
When a billing platform or AI service is compromised, every connected provider becomes collateral damage.
Security has evolved from a local IT problem into an ecosystem responsibility. The challenge is figuring out what each organization can realistically control.
Hospital and practice executives: 5 questions to ask your vendors
You can’t dictate a vendor’s hosting architecture, but you can demand clarity. The right questions reveal whether a partner’s infrastructure meets modern compliance and resiliency standards.
- Where is PHI stored, physically and virtually? Confirm that data resides in U.S. facilities audited for HIPAA compliance, not in shared or offshore environments.
- Who has administrative access, and how is client data separated? Vendors should keep each client’s data in an isolated environment, not in multi-tenant systems that mingle unrelated datasets.
- How are backups and disaster recovery handled? Ask about encryption, retention timelines, and whether off-site backups are kept in compliant data centers.
- What independent audits or certifications verify security? SOC 2 Type II, HITRUST, and regular third-party penetration tests indicate a mature program.
- How is vendor-of-vendor risk managed? Any subcontractors handling PHI should be disclosed, bound by Business Associate Agreements, and subject to the same standards.
These questions shift the conversation from trust to transparency. Hospitals that treat vendor vetting as part of their cybersecurity program, not just procurement, reduce the odds of becoming the next breach headline.
Healthcare SaaS and IT leaders: build security into your hosting foundation
For the software companies serving healthcare, security decisions start on the servers and networks powering your application. Multi-tenant cloud instances and unmanaged virtual machines, for example, introduce shared vulnerabilities.
By contrast, dedicated, single-tenant infrastructure gives the vendor complete control over access, patching, and monitoring.
Best-practice hosting design includes:
- Isolated environments for each client or workload.
- Full-disk encryption and real-time intrusion detection.
- Redundant firewalls and physically segmented backup storage.
- Comprehensive audit logging tied to compliance frameworks such as HIPAA and HITRUST.
- Direct control of patching, updates, and security configurations (not delegated to a generic, multi-tenant cloud platform).
The technical rigor behind these choices isn’t just about compliance checkboxes. It’s a market differentiator. Hospitals increasingly evaluate vendors on how confidently they can describe their infrastructure’s security model.
Security as a shared discipline
The 2025 breach data makes one thing clear: hospitals cannot separate “our network” from “their cloud.” Every healthcare organization depends on a mesh of external systems whose hosting decisions directly affect patient trust.
Vendor risk management must evolve from paperwork to partnership. Hospitals should demand transparency and continuous communication; vendors should invest in infrastructure that meets healthcare’s highest compliance expectations.
At Liquid Web, we see this shift every day—healthcare organizations and SaaS vendors working together to close the gap between responsibility and control. True protection of PHI starts when both sides view secure, compliant hosting not as an IT line item, but as a shared foundation for patient care itself.