Many organizations in highly regulated U.S. industries run on a web of software providers, cloud platforms, device manufacturers, managed service partners, and specialized third parties. This digital interdependence is powerful, but it also means a vendor’s cyber hygiene can become your downtime risk.
In CTG’s latest white paper, we analyzed cybersecurity rating telemetry (RiskRecon by Mastercard) for 4,398 organizations in one of the U.S.’s most regulated industries, healthcare.
The results look reassuring on the surface—most organizations score well. The more important story, however, is what happens over time.
What the Data Reveals (and Why It Matters)
- Most vendors look strong today: 75.7% of entities are rated A or B (A–F), with an average score of 7.93 on a 0–10 scale.
- A meaningful minority operates at elevated risk: 24.3% are rated C, D, or F (more than 1,000 organizations).
- Security posture is drifting: 37.8% of vendors deteriorated over a 365-day period (vs. 21% over 90 days).
- Hidden risk is building in plain sight: 554 A/B-rated vendors are trending downward, often passing annual assessments while their posture weakens.
- Most exposure comes from repeatable hygiene gaps: ~80% of observed risk indicators cluster in five Risk Priority Matrix categories, suggesting systemic issues like patch delays, configuration drift, exposed services, and encryption inconsistencies.
The real issue: Point-in-time visibility can’t catch gradual erosion.
Major cyber failures are obvious and urgent. Drift is quieter. It shows up as delayed patch cycles, small misconfigurations, expanding externally visible exposure, and remediation backlog that accumulates over months. When this happens across hundreds of connected vendors, the risk becomes structural, even if individual suppliers still “look fine” on a single snapshot.
How Leaders Can Respond
- Shift from periodic assessment to continuous monitoring so slow decline doesn’t go unnoticed between annual reviews.
- Use trend velocity as an escalation trigger (e.g., declining over 90- and 365-day windows) rather than waiting for a letter grade to drop.
- Create a “high-rated but declining” oversight tier to proactively manage vendors that are slipping before they become material exposure.
- Prioritize the hygiene domains that drive most findings (repeatable, medium-impact weaknesses where remediation can scale).
- Elevate supply chain cyber risk to executive reporting by pairing static rating snapshots with trend signals over time.
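One way to implement the trend-velocity trigger and the “high-rated but declining” tier described above, as an added example in Python that is not from CTG’s white paper or the rating provider; the grade cut-offs, the minimum-decline threshold, and the three vendor histories are constructed assumptions, not figures from the study:

```python
from datetime import date, timedelta

# Assumed letter-grade cut-offs on the 0-10 scale (the rating provider's real
# mapping is not given on the page; these are constructed for the example).
GRADE_CUTOFFS = [(8.5, "A"), (7.5, "B"), (6.5, "C"), (5.5, "D"), (0.0, "F")]
MIN_DROP = 0.25  # assumed minimum decline per window before it counts as drift

def grade(score):
    """Map a 0-10 score to a letter grade using the assumed cut-offs."""
    for cutoff, letter in GRADE_CUTOFFS:
        if score >= cutoff:
            return letter
    return "F"

def score_at(history, as_of):
    # Most recent score dated on or before as_of; history is sorted (date, score) pairs.
    past = [score for day, score in history if day <= as_of]
    return past[-1] if past else None

def delta(history, as_of, days):
    # Score change over a trailing window, or None when the window has no data.
    now, then = score_at(history, as_of), score_at(history, as_of - timedelta(days=days))
    return None if now is None or then is None else round(now - then, 2)

def classify(history, as_of):
    """Assign an oversight tier from the current grade and the 90/365-day trend."""
    current = score_at(history, as_of)
    d90, d365 = delta(history, as_of, 90), delta(history, as_of, 365)
    letter = grade(current)
    # Trend-velocity trigger: both windows declining, even if the grade is still A/B.
    drifting = d90 is not None and d365 is not None and d90 <= -MIN_DROP and d365 <= -MIN_DROP
    if letter in ("C", "D", "F"):
        tier = "elevated-risk"
    elif drifting:
        tier = "high-rated-but-declining"
    else:
        tier = "stable"
    return {"grade": letter, "score": current, "d90": d90, "d365": d365, "tier": tier}

def triage(vendors, as_of):
    """Classify every vendor's history as of one reporting date."""
    return {name: classify(hist, as_of) for name, hist in vendors.items()}

# Constructed rating histories for three hypothetical vendors (not real data).
AS_OF = date(2024, 12, 31)
VENDORS = {
    "vendor-a": [(date(2023, 12, 31), 9.4), (date(2024, 9, 30), 8.8), (date(2024, 12, 31), 8.2)],
    "vendor-b": [(date(2023, 12, 31), 8.2), (date(2024, 9, 30), 8.3), (date(2024, 12, 31), 8.4)],
    "vendor-c": [(date(2023, 12, 31), 7.5), (date(2024, 9, 30), 6.9), (date(2024, 12, 31), 6.2)],
}
```

Running `triage(VENDORS, AS_OF)` places vendor-a in the “high-rated-but-declining” tier while it still holds a B grade, which is exactly the case a single annual snapshot misses.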
The full white paper details the rating distribution, trend dynamics, and where risk indicators concentrate, along with a practical governance model for moving from compliance-based third-party reviews to telemetry-informed oversight.
Bottom line: Supply chain cyber risk in healthcare and across other highly regulated industries isn’t collapsing; it’s drifting. Organizations that monitor continuously can catch early decline, intervene sooner, and strengthen resilience even as digital interdependence expands.
You can’t manage what you can’t see. Fix supply chain drift with CTG.
Uncover hidden third-party exposure and move to real-time, actionable intelligence.