Managing supplier risk in healthcare cybersecurity
As cyber-attacks on healthcare suppliers keep coming, the sector's solutions lie largely in its own hands, argue DNV Cyber's Arve Johan Kalleklev and Peter Hellström.
Prominent cyber-attacks on makers of healthcare software systems and medical equipment in early 2026 have sharpened focus on supply-chain risks in healthcare cybersecurity. As healthcare organizations increasingly rely on electronic health records (EHRs), connected medical devices, and third‑party digital services, the attack surface expands well beyond the hospital itself. This growing interdependence means that cyber incidents affecting suppliers can disrupt clinical operations, access to patient data, and continuity of care, linking cybersecurity directly to patient safety and public trust.
Threat actors see suppliers of IT and OT systems as attractive targets, since compromising one supplier may give access to many end-user organizations and systems. With digital systems becoming central to patient care, cybersecurity breaches no longer affect only administrative systems; they may now delay or alter treatments and pose risks to patient safety.
Across the Nordics, 70% of healthcare respondents reported a general increase in cyberattacks over the last few years, according to the DNV Cyber report How Cyber Resilient is Norway? Recent incidents illustrate how supply-chain vulnerabilities can cascade across multiple healthcare providers, exposing systemic risk.
Selected cybersecurity incidents in the Nordics

| Year | Country | Supplier | Incident | Impact |
|---|---|---|---|---|
| 2025 | Sweden [a] | Miljödata: IT systems supplier | Cyber-attack on records of 1.5 million people | Affected operations at 200 municipalities and several universities, compromising sensitive medical and rehabilitation data. |
| 2024 | Denmark [b] | IT Hotellet, a hosting and data centre | Cyber intrusion | Operations of Odense University Hospital compromised. |
| 2024 | Nordics [c] | Tietoevry: IT and cloud services provider | Akira ransomware attack on a Swedish data centre | Disrupted Norwegian medical products supplier Mediq's ordering and delivery platforms in Norway, Sweden and Finland. |

a: How Cyber Resilient is Sweden?, DNV Cyber.
b: How Cyber Resilient is Denmark?, DNV Cyber.
c: Technical disruptions affecting Mediq's platforms in Northern region, Mediq.
“Healthcare organizations need to embrace proactive cyber resilience to meet these challenges and avoid the consequences of attacks. They need to map supply chain vulnerabilities and boost visibility of third parties, conduct scenario testing, and enforce stronger cybersecurity requirements on suppliers,” said Arve Johan Kalleklev, Operations Director at DNV Cyber.
“The big message for boards and management in healthcare organizations is that cybersecurity breaches are usually caused by poor governance. If you don't know you have a problem, you can't fix it,” added Peter Hellström, Business Unit Lead Advisory at DNV Cyber.
Dealing with the risk of supplier concentration
Supplier concentration is a major driver of cyber exposure in healthcare. Supply of healthcare management systems tends to be highly concentrated nationally. Not many systems are in more than one or two markets, said Hellström: “Healthcare in Sweden uses just a few different journal systems (EHRs). It’s hard to know exactly because most of the journal systems are quite old. Some are changing, but it's a process that will take years.” Ageing and obsolete systems can bring their own security problems, such as lack of updates and software patches.
When a single supplier has a very large share of a national market and its systems are hit by a ransomware attack, healthcare management can be severely affected. Relying on a few vendors creates hidden single points of failure, raising governance questions around ownership of third-party cyber risk at the board level.
IT and OT are both at risk
Healthcare’s cybersecurity challenges include understanding and hardening the cyber resilience of OT systems. Kalleklev observed there is a wide range in generations of OT systems, with some being less mature than others on safety-related cyber risk.
Hellström added: “It depends on what you're talking about, of course. Healthcare equipment like heart rate-monitors and so on are more standardized than 10 years ago. They’ve become better from a security point of view and will probably be even better in a couple of years.”
The cyber risks of home medicine
With the growing trend towards home medical care managed independently or remotely, new cybersecurity challenges arise from using and monitoring medical devices such as heart monitors and insulin pumps.
Cyber risk management is relatively weak in this area, and the key challenge in most cases is defining and doing risk assessments of what is ‘good enough’ when it comes to security of new medical devices.
The issue cuts across themes such as innovation and commercial markets for suppliers of devices. The DNV Cyber experts observe that a device might, for example, be used in Norway but not in Denmark, because the countries, and even individual regions and hospitals within some nations, have different approaches to risk assessment and the levels of risk they will accept. “Alignment on what is accepted to be ‘good enough’ is definitely needed, and that's something that we're working quite a lot with,” said Hellström.
Managing supply-chain cyber risk
Cyber-attacks in healthcare are focusing thoughts on ‘redundancy management’ in supplier bases – having contracts to switch to alternative suppliers if one is hit by a cyber-attack. “It's definitely something everybody needs to account for, given the impact of recent incidents in the Nordics and elsewhere,” said Kalleklev.
Hellström added: “And if you get attacked, you need a contingency plan and to be able to execute it. Everybody involved should know by heart what needs to be done; that's the part people usually forget. So, you may have a good plan, but have you tested it?”
He cited statistics showing healthcare cyber-attacks rising steadily and rapidly as an indicator that systematic cybersecurity work is needed in hospitals and in healthcare as a whole: “Increase it and make it a governance issue more than a technical issue. Most people today explain a breach in terms of technical issues, but the reasons are almost never technical.”
Raising the game through regulation
Regulation is a key driver of enhanced cybersecurity. For example, the EU's Network and Information Security Directive 2 (NIS2) makes healthcare management and boards responsible for cybersecurity. The European Commission has been refining an action plan on the cybersecurity of hospitals and healthcare providers. The plan will include actions for prevention, detection, response, recovery and deterrence against cybersecurity incidents in the sector.
DNV Cyber assists many industries in bridging the trust gap between users and suppliers through advisory, certification, verification and validation work based on standardization and best practice, with regulatory compliance as a key consideration.
Hellström noted: “We’re seeing a regular flow of questions from boards and management asking what their cybersecurity responsibilities are and how to meet them in terms of strategy and educational programmes for employees. That level of management requires key performance indicators (KPIs) and therefore an organization that can provide reliable information. Structured working with cybersecurity is so important; you can't make good decisions on bad data.”
Raising the game through collaboration
Ultimately, cyber resilience in healthcare must be a shared responsibility, requiring coordinated action from providers, suppliers, and regulators to safeguard continuity of care and provide clarity on who is responsible for doing what when cyber incidents happen.
Collaboration across the Nordics is being facilitated by the Nordic Cyber Healthcare Forum established in 2024 by DNV Cyber as a collaborative and trusted platform for discussion, strategic alignment, and the exchange of cybersecurity best practices. DNV Cyber and the Nordic Cyber Healthcare Forum are collaborating in a healthcare consortium applying for EU funding to develop next-generation cybersecurity solutions for healthcare.
“The forum helps to highlight to all stakeholders that if you get a ransomware attack on an IT or OT supplier anywhere, everybody needs to know five minutes after it's happened to be able to protect themselves. That hasn't always been the case before, even within and between hospitals, regions, and countries. It’s very important that you practice together, find gaps, and address security issues across borders,” said Peter Hellström, Business Unit Lead Advisory at DNV Cyber.
6/15/2026 11:50:00 AM