The ITSPmagazine Podcast

Supply Chain Resilience and AI Risk in Healthcare | A Brand Spotlight Conversation with Ryan Patrick, Executive Vice President, TPRM Customer Solutions of HITRUST

Episode Summary

As healthcare organizations navigate a rapidly expanding vendor ecosystem, third-party risk has moved from a compliance checkbox to a board-level concern -- and the Stryker attack that unfolded during HIMSS 2026 made that urgency impossible to ignore. Ryan Patrick of HITRUST joins Sean Martin to unpack what the industry is grappling with at the intersection of supply chain resilience, AI security, and the often-overlooked availability and integrity sides of the CIA triad.

Episode Notes

Third-party-related breaches have doubled in the last 12 months. Ryan Patrick, Executive Vice President of TPRM Customer Solutions at HITRUST, is not surprised. As organizations outsource more to stay focused on core competencies, the vendor attack surface grows -- and malicious actors are exploiting it through a pattern Patrick calls "island hopping": land on a smaller vendor, secure a foothold, then move laterally toward the real target.

The Stryker attack, which unfolded in real time during HIMSS 2026, made the stakes concrete. What began as a nation-state operation quickly became a supply chain crisis. Hospitals relying on Stryker products scrambled -- not because their own environments were breached, but because a critical supplier went down. Patrick argues that availability of services deserves equal weight to confidentiality, especially when a supplier outage directly impacts patient care and revenue.

AI adds a new layer of urgency to vendor risk. Vendors are quietly adding AI capabilities to existing products -- sometimes without notifying customers. An EHR platform might add a clinical decision support model as a routine feature update. The health system consuming it may lack the leverage to audit what that model does with patient data. In agentic AI scenarios, where decisions happen without a human in the loop, the consequences are clinical, not just operational.

Patrick's advice for managing AI risk: stop treating it as a fundamentally different category. Layer it into existing security programs, policies, and governance frameworks. The uniqueness lies in how you assess AI risk -- not in abandoning what already works. The industry, he observes, is finally moving past the wait-and-see phase.

The data on HITRUST certification outcomes is compelling. One organization has gone seven to eight years without a security incident by requiring all vendors to achieve HITRUST certification. External vulnerability platforms like SecurityScorecard and RiskRecon independently confirm the pattern: HITRUST-certified vendors score measurably higher. Certified vendors mature over time. Non-certified vendors plateau.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST

Ryan Patrick, Executive Vice President, TPRM Customer Solutions, HITRUST
https://www.linkedin.com/in/ryan-patrick-3699117a/

RESOURCES

HITRUST: https://hitrustalliance.net
HIMSS 2026 Coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS

Ryan Patrick, HITRUST, Sean Martin, third-party risk management, TPRM, supply chain security, healthcare cybersecurity, HIMSS 2026, AI security, EHR security, vendor risk, HIPAA compliance, CIA triad, supply chain resilience, agentic AI, healthcare data security, brand spotlight, brand marketing, marketing podcast

Episode Transcription


[00:00:00] Sean Martin: And hello everybody. You're very welcome to our event coverage for HIMSS 2026, and I'm thrilled to have Ryan Patrick on from HITRUST. How are you Ryan?

[00:00:10] Ryan Patrick: I am doing well, Sean. Thanks for having me.

[00:00:12] Sean Martin: It's good to see you. I ended up not being able to make it on location for HIMSS this year, which is sad. I hear it was a good one. And that's what we're gonna talk about, some of the things you heard and saw and what people should know coming out of HIMSS from your perspective. So before we get into all that goodness, for folks who haven't seen you on the show before and don't know who Ryan Patrick is, a few words about who you are, what you're up to at HITRUST.

[00:00:40] Ryan Patrick: Yeah, so with HITRUST, EVP of TPRM Customer Solutions. So my role is solely focused on how HITRUST can help manage risk within your third party ecosystem for organizations of all shapes and sizes. We're committed to solving this problem because as you'll probably hear in this discussion, it's a pretty big problem and only getting bigger every year. So anybody who wants to talk to me about it, you can reach out to me, find me on LinkedIn. Happy to talk about third party risk any day of the week.

[00:01:13] Sean Martin: Well, let's get into it. Because there are two things that I see and hear over and over. There are a lot of them, but the two big ones that come out in my mind over and over again are ransomware -- why is that a problem that we can't really solve -- and third party risk. It's something we've been talking about for quite some time and it seems to not necessarily be getting easier by any stretch, but I want to get your perspective on that. What were some of the things you heard there at the conference?

[00:01:50] Ryan Patrick: Yeah, so I didn't hear a ton about ransomware. I mean, to your point, it is still super pervasive. It's still a huge problem really in any industry, and to me it still boils down to a lack of focus, a lack of resources, and sometimes the bad guys and gals just get lucky because everybody's environments are dynamically changing. So there are ways to inadvertently open up holes that can be exploited. So from a ransomware perspective, we just have to maintain perseverance and make sure that we're doing all the things to prevent ransomware. Whether it be educating our employees on phishing and how to open and scrutinize emails and things of that nature, to vulnerability management, and really all the other things that -- I don't want to say blocking and tackling as if I'm going to be condescending -- but blocking and tackling in the sense of these are the things that we know we should be doing. We just have to stay focused on them.

[00:02:59] Ryan Patrick: The two things that I heard a lot at HIMSS -- one because I was on stage talking about it, but two -- there were a lot of sessions about third party risk and then AI security and really where the two intersect. Because AI security is not just an internal organizational problem. You have vendors that are coming to you with AI, or they're already an existing vendor and they just add AI capabilities into the product and service that you're already consuming, sometimes without letting you know. Sometimes they do let you know because they want to tell you about it, but you have not done any due diligence on what that model is doing with your data, what it's doing within the environment, how it's interacting with your users, things of that nature. So it's almost becoming this perfect storm. And there was a lot of discussion at HIMSS about how to tackle this problem.

[00:04:02] Sean Martin: Can you give me an example? I'm probably thinking of a few, but I'm thinking of patient-facing services or B2B relations services. Can you give me a couple examples of workflows where all of a sudden AI now exists, models are being used, stuff's going out into the public domain that should be under HIPAA protection rules?

[00:04:27] Ryan Patrick: If you think about the provider world, because when you think of healthcare, you think of providers primarily -- it's as simple as your EHR vendor adding AI capabilities into the platform itself. You have not scrutinized that. In fact, it probably will cost you hundreds of thousands, if not millions of dollars to scrutinize that because the implementation costs you tens of millions of dollars or whatever it may be. So this feature is not coming to you with a pause -- you don't get to say, hold on, vendor, I need to take a look at what this model is doing. It's just being added as a feature and you have to play catch up. And if there is an AI model assisting providers and making determinations of what could be wrong with a patient, and it's hallucinating, there's bias, there are all these things that we worry about when it comes to AI. It literally could be life and death. Now, obviously that one's a little bit easier because there's a human in the loop, there's the physician there to scrutinize the output of the model. But when you start to think about agentic AI and how it's going to make decisions without a human in the loop, that's where it gets pretty concerning. And what I've seen since Gen AI has come about in the last three years is people have been kind of in a wait-and-see. They're just trying to learn about AI and they're not really doing anything from a security perspective to make sure that the models are going to behave the way they're intended to behave. But I did hear a bunch of conversations at HIMSS around, we need to be focused on locking down these models and making sure that they're going to operate the way that they're supposed to operate. So it feels like some people were in a wait-and-see for a little while, and now we're starting to say, okay, we've got to do something about it. We're a little more comfortable with this. This is something we need to address.

[00:06:35] Sean Martin: And I'm curious -- so looking back over time, a lot of the healthcare security and privacy stuff focused a lot, obviously data privacy, but focused a lot on systems controls, application controls. And now we have this world of AI and models and certainly the use of APIs and microservices and things like that add complexity to end-to-end workflows. What were the conversations like surrounding that? Are we shifting focus from systems and apps to AI and models and data? Are we worried about the data and where it lives? Or are we forgetting the systems and apps? Are we staying focused there and adding AI? What does that look like?

[00:07:22] Ryan Patrick: I'll give you my perspective. So like I said, people have been trying to learn what the heck AI is, and they've been a little apprehensive and gun shy, at least in the conversations that I have every day. And what I've been trying to tell people is AI is just another piece of technology. It's like anything else that has been built in the past. Stop overthinking it and just include it in your existing programs, policies, procedures, whatever it is. So we're not moving away from your traditional software and infrastructure type of focus. This is just getting layered in and people need to just realize it's being layered in. Now there's some uniqueness to AI in the way that you would ascertain the risk, but otherwise it's going to follow arguably the same principles that most security teams, IT teams, developers, whoever are following today. We just have to recognize that and ingrain it into the programs and processes that we have.

[00:08:30] Sean Martin: So clearly it's easy to drive down straight into the AI world. I think there's a lot of conversation there. But that doesn't take away from the fact that third party risk is still a hot topic. So kind of bringing it up a little out of the AI -- unless there's something AI can help with -- can you touch on what are some of the conversations around third party risk? What's the state of affairs there and what are some of the hot topics, and maybe even some surprising things that you heard during the week?

[00:09:06] Ryan Patrick: Yeah, so I've been in and out of the third party risk game for 15 years, and it's always been an issue. But it's becoming more of an issue because of globalization and the need to run more efficiently. So we're seeing organizations outsourcing more because they want to stick to their core competencies. So the number of vendors for a particular organization is growing, and what has now come to the forefront is the malicious actors out there have realized that it's super hard to break into a Fortune 500 or Fortune 100 company. Like typically they're pretty locked down. But going through one of your vendors, the soft underbelly, is a much easier approach to gain a foothold and then laterally move. So think about -- a former colleague of mine calls it island hopping. You land on an island, you secure that island, and then you hop to the next island. And that's what the malicious actors are doing today. And what we're seeing is that third-party-related breaches have doubled in the last 12 months. So it is becoming a hot topic. And I was actually really energized to hear not just me, not just in my echo chamber, but others talking about how third party risk is super important. I don't know the exact survey, but I heard a statistic that said CISOs -- their top three things -- third party risk is in their top three concerns for 2026, which rightfully so, I think they need to be looking at it. Because good or bad, the Stryker attack happened right in the middle of HIMSS. And if you look at that, it was a nation-state attack and it was designed to send a political message. But it quickly became a supply chain issue. It quickly became a third party issue because Stryker wasn't able to operate. They're not able to operate right now. So hospitals and other types of organizations that rely on their products and services are now scrambling.

And this goes back to the whole resiliency argument -- everybody gets solely focused on confidentiality of data. And what I've been trying to tell people is confidentiality is important for sure, especially in a world of HIPAA. But availability of data and availability of services is just as if not more critical, because if you have a supplier that is critical for your business to generate revenue and they go down, you are not able to generate revenue. And that's a huge problem.

[00:12:08] Sean Martin: Yeah. And I always bring in the integrity piece too. If you're operating off the wrong data...

[00:12:16] Ryan Patrick: It occurred to me -- and it's going to sound silly when I say this -- this past week at HIMSS, like I've always talked about confidentiality, and now I've been talking about availability. But when you think about AI, integrity becomes really, really important because AI can manipulate that data. So we can't ignore availability and integrity anymore.

[00:12:41] Sean Martin: Yeah, the CIA triad exists for a reason.

[00:12:44] Ryan Patrick: For sure.

[00:12:46] Sean Martin: So as we wrap, you've been in this space for a long time. HITRUST has been doing a lot in this space for quite a while and has, I don't know if it's a working group or what it's called at this point, but a significant number of organizations that come together to help kind of solve this problem. What are some of the outcomes you're seeing from folks working with you and your team at HITRUST, where they're actually able to make a dent in this problem? And where do you think things are headed?

[00:13:19] Ryan Patrick: So I can't name names, but I had a customer slash partner tell me recently that they heavily rely on HITRUST for their third party risk management program. They actually ask all of their vendors to get HITRUST certified because they just believe in it. They themselves haven't had an incident in seven or eight years, and they attribute a lot of that to the fact that they themselves are HITRUST certified. But what I was told recently is from a third party risk perspective, they can quantifiably see their vendors who are HITRUST certified maturing over time. Like they're just getting better over time. Whereas other vendors who are not certified kind of just maintain this flat trajectory.

[00:14:18] Sean Martin: The same XLS every audit.

[00:14:20] Ryan Patrick: Yeah, yes. The other thing that I thought was really compelling -- if you think about the external vulnerability exposure tools like Black Kite, SecurityScorecard, RiskRecon, those types of things -- they can actually tell, based on the results of that tool, which of their vendors are HITRUST certified and which ones aren't, because they score better. I mean, that is golden.

[00:14:58] Sean Martin: Yeah. Ultimately there are certainly regulations and laws and industry standards that have to be followed depending on what sector you work in. It's about the work. It's not about the check mark. And so yes, any certification will have some benefit, but it's the level of work that goes into it. And I think coupled with that is the belief and the desire to do the right thing, not just achieve the mark. And I know from working with you, from many conversations with you and your partners -- you help do that work in a meaningful way, not just to achieve a check mark, but to actually improve that posture and improve that maturity level. So kudos to you, Ryan, and thanks for bringing this insight back from HIMSS 2026. Hopefully we can chat some more. There's a lot of stuff going on.

[00:16:10] Ryan Patrick: Thank you, sir. Thanks for having me on.

[00:16:11] Sean Martin: And thanks everybody for listening. Stay tuned for more coverage and articles from Marco and me on ITSPmagazine.com.