Industry · Healthcare
Supplier evidence for the systems keeping patient services running.
Cyb3r Operations gives healthcare providers continuous, sector-aware third-party visibility across EHR vendors, medical-device makers, clinical research orgs, and the long tail of operational suppliers. Built for the NHS, US health systems, and EU healthcare providers.
From the field
“After Synnovis, the trust board wanted to know how exposed we were to a similar incident. Cyb3r Operations let us answer that across our entire supplier base in 48 hours.”
Director of Digital · NHS Trust
What the healthcare supplier estate looks like
200 to 500
critical suppliers at a typical NHS Trust
1,000 to 2,000
suppliers at a large US health system
1 in 5
named healthcare incidents originate via a third party
The problem
When a healthcare supplier fails, the patient pays.
Healthcare supply chains carry uniquely consequential risk. Synnovis (NHS, 2024), Change Healthcare (US, 2024), Ascension (US, 2024), and others demonstrated that a single supplier compromise can cascade into delayed surgeries, blood-testing service outages, and life-affecting consequences.
Healthcare TPRM has historically been a paperwork exercise: questionnaires to medical-device vendors that go unanswered for months, EHR risk reviews dated 14 months ago, and a long tail of clinical-research and pharmacy suppliers that have never been assessed at all.
Today's reality
- Patient-facing services depend on suppliers TPRM rarely covers
- Medical-device vendor security inconsistent across the estate
- NHS Trusts and US health systems repeatedly targeted by ransomware via suppliers
- Regulator and board scrutiny following major supply-chain incidents
Supply chain shape
What a healthcare provider's supplier graph actually looks like.
Clinical and operational suppliers mix; medical devices and EHR vendors are usually the deepest exposure.
EHR and clinical systems
The platforms holding patient records. Concentration with a small number of vendors is common.
- Epic
- Cerner
- EMIS
- TPP
Medical device makers
Connected medical devices and the platforms behind them. Often hardest to assess.
- GE Healthcare
- Philips
- Siemens Healthineers
- Medtronic
Clinical research and laboratories
CROs and lab providers running clinical workflows and trial data.
- IQVIA
- Synnovis
- Major lab networks
Pharmacy and supply
Pharmacy management, drug supply, and pharmaceutical wholesale partners.
- McKesson
- AmerisourceBergen
- Boots Pharmacy
Health-data processors
Specialist health-data processors, analytics providers, and population-health platforms.
- Cotiviti
- Optum
- Sector-specific analytics
Cloud and IT infrastructure
Cloud platforms hosting clinical, operational, and administrative workloads.
- AWS
- Microsoft Azure
- Google Cloud
Threat landscape
Who is targeting healthcare right now.
Ransomware, state-sponsored, and supplier-pivot attacks. Healthcare leads sector incident tables.
LockBit, BlackCat (ALPHV), Royal
Targeted ransomware
Sustained targeting of NHS Trusts, US hospitals, and their supplier base.
Cl0p (MOVEit campaign)
Recurring pattern
Healthcare providers heavily hit by supply-chain MOVEit exploitation in 2023 to 2024.
Patient-data extortion
Recurring pattern
Exfiltration of patient data sets for extortion against providers or for sale on dark-web markets.
Medical-device-targeting malware
Emerging pattern
Early-stage attacks targeting connected medical devices via supplier ingress.
APT41, APT29
State-sponsored
Healthcare and pharmaceutical research targeting, including supply-chain pivots.
Insider and contractor threats
Recurring pattern
Clinical contractor access misused or compromised; often invisible to enterprise-IT TPRM.
What changes
What healthcare providers get from Cyb3r Operations.
EHR and medical-device vendor visibility.
First-class coverage of the supplier categories that healthcare TPRM most often misses.
Patient-data exposure mapping.
Surface where patient data flows traverse suppliers and where the highest-risk exposure sits.
NHS DSPT and HIPAA-aligned evidence.
Per-assertion DSPT evidence and HIPAA-covered-entity supplier expectations on demand.
Clinical supply chain visibility.
Beyond IT: clinical research orgs, pharmacy suppliers, contractor workforces, lab partners.
Supplier ransomware early warning.
Susceptibility scoring across the supplier base, weighted by patient-service impact.
Board-ready patient-impact narratives.
Translate supplier risk into the patient-services framing a trust board or hospital board can act on.
Regulatory map
Rules of the road for healthcare.
Healthcare-specific plus horizontal cyber regulators.
| Regulator | Jurisdiction | Obligation | What Cyb3r Operations evidences |
|---|---|---|---|
| HIPAA + HHS guidance | US | Privacy and security rule expectations for covered entities and their business associates. | Business-associate supplier evidence and breach-notification-ready exposure mapping. |
| NHS DSPT | UK NHS | Data Security and Protection Toolkit across NHS organisations and partners. | DSPT per-assertion supplier evidence on demand. |
| NHS Cyber Strategy | UK | Sector-wide expectations for resilient health services. | Continuous supplier evidence aligned to NHS cyber expectations. |
| NIS2 | EU | Essential entity expectations for healthcare providers, supply-chain security obligations. | Article 21-aligned continuous third-party evidence. |
| FDA + EU MDR | Medical device | Cybersecurity expectations through the medical-device lifecycle, including suppliers. | Medical-device-vendor supplier risk evidence aligned to FDA / MDR guidance. |
| HITRUST CSF | US healthcare | Healthcare information security framework increasingly required by US health systems. | Supplier evidence aligned to HITRUST CSF controls. |
Sector scenarios
What this looks like in practice for healthcare providers.
Three short stories from the field, each anchored to a platform capability.
Scenario 01
Post-Synnovis trust-board response
After the Synnovis incident, a UK NHS Trust's board asked the Director of Digital how exposed the trust was to a similar event. Cyb3r Operations produced an exposure picture across the trust's full supplier base in 48 hours, with three suppliers flagged for elevated attention.
See the Breach Early Warning use case
Scenario 02
EHR concentration mapping
A US health system's CRO needed to understand the firm's concentration in EHR vendors and the subprocessors behind them. The platform mapped the EHR-vendor-to-subprocessor graph and surfaced a single tier-2 data-processing dependency shared across three regions.
See the Nth-Tier Dependencies use case
Scenario 03
Medical-device vendor risk visibility
An NHS Trust's Caldicott Guardian needed visibility on the security posture of the connected medical devices in the estate. Cyb3r Operations surfaced an inventory of device-vendor exposure, including two devices with credentials on a dark-web forum.
See the Hidden Third Parties use case
The healthcare buying centre
The roles that lead this in the sector.
Each persona reads the third-party picture slightly differently. Click through to the role-specific page for the full operating-model framing.
Director of Digital / CISO
Sees the trust's supply chain exposure with patient-services framing the board recognises.
Open the Director of Digital / CISO page
Information Governance
Generates DSPT and HIPAA-aligned supplier evidence on demand.
Open the Information Governance page
Chief Risk Officer
Translates supplier risk into patient-services impact for the trust or hospital board.
Open the Chief Risk Officer page
Sector questions
Questions healthcare providers ask in the first conversation.
Yes. Connected medical-device vendors and the platforms behind them are first-class in the supplier graph. Most healthcare TPRM platforms either ignore them or cover them poorly.
Per-assertion evidence is mapped per supplier. The platform satisfies the supplier-evidence dimension of DSPT submissions without supplier-by-supplier outreach.
Continuous evidence is mapped to HIPAA business-associate expectations including breach-notification preparedness for covered entities in the US.
Yes. The pre-positioned exposure picture means the trust knows its exposure within minutes of a named supplier incident, not days.
Clinical research organisations, lab partners, and other clinical suppliers are covered the same as EHR or IT suppliers. The platform doesn't treat IT and clinical separately.
The platform surfaces signal into IT operations via the same SIEM, ticketing, and IR routing as for any other sector. Clinical systems are observed, not interrupted.