New Black Book Research flash survey of 427 hospital and health system security leaders finds 74% see EHR, AI and cloud vendors as their top emerging cyber risk, 63% report vendor-linked incidents in the last 24 months, and over half have suffered clinical disruption or downtime.

MELBOURNE, AU / ACCESS Newswire / December 9, 2025 / Black Book Research today announced headline findings from a flash survey of hospital and health system CISOs and senior cybersecurity leaders in nine countries reporting some of the highest recent rates of healthcare data breaches and patient privacy incidents. The rapid-response poll highlights a sharp escalation in cyber risk originating from electronic health record (EHR) vendors, AI and analytics platforms, and other digital health suppliers.

The flash survey, conducted in Q4 2025 across Australia, Brazil, Canada, India, Japan, Saudi Arabia, Singapore, South Africa, and the United Arab Emirates, collected responses from 427 CISOs, CIOs, IT managers, and heads of information security at provider organizations ranging from single hospitals to large multi-facility systems.

Vendor ecosystems now the primary breach engine

Across the nine markets, respondents report that:

80% say their greatest emerging cyber risk in 2026 comes from EHR, AI, and cloud health IT vendors, not from on-premise systems.

69% have experienced at least one security incident or serious near miss in the last 24 months that was directly traceable to a vendor platform, integration, or managed service.

91% believe their current third-party risk management practices are "not adequate" or "barely adequate" for the complexity of modern digital health and AI environments.

"Over the last decade, hospitals were told that moving to cloud EHRs, AI-driven analytics, and managed platforms would simplify their security posture," said Douglas Brown, President of Black Book Research. "Our latest flash survey shows the opposite: risk didn't disappear, it migrated into vendor ecosystems that many provider organizations still don't have the tools, leverage, or visibility to govern effectively."

Country-by-country snapshot: where vendor incidents hit hardest

The survey reveals meaningful variation across the nine high-incident countries:

Brazil - 78% of CISOs report at least one vendor-originated breach or serious incident in the past 24 months, and 61% say clinical services were directly disrupted.

India - 96% report vendor-linked data breaches or privacy violations, and 90% identify AI and analytics vendors as their fastest-rising source of risk.

South Africa - 71% say third-party EHR or billing platforms were involved in a major incident or near miss, with 55% citing multi-day system downtime as a result.

Saudi Arabia - 67% have experienced vendor-related security incidents, and 72% say board attention to supplier cyber risk has "significantly increased" in the last year.

Australia - 64% report cloud EHR or telehealth vendor vulnerabilities as a primary concern, while 49% have experienced clinically significant downtime tied to vendor outages.

Canada - 72% have faced vendor-driven privacy incidents or notifications, and 98% say cross-border data flows with US-based vendors are a top governance challenge.

Japan - 59% report incidents involving connected devices, imaging systems, or vendor-managed PACS, and 54% highlight opaque AI model security as a key worry.

Singapore - 57% of respondents have seen at least one vendor-related security event, but 93% say regulators' expectations for vendor oversight are outpacing their current capabilities.

United Arab Emirates - 94% report significant reliance on international EHR and AI vendors, and 63% have had regulatory or insurer scrutiny triggered by supplier incidents.

"Even in markets with relatively advanced digital health programs, CISOs are telling us the same story," Brown noted. "The more care delivery and analytics depend on remote vendor platforms and AI models, the more a single supplier's weakness can ripple across an entire health system or country."

EHR and AI platforms top the CISO worry list

When asked which vendor categories pose the highest near-term cybersecurity and privacy risk to their organizations, CISOs most frequently cited:

Core EHR and clinical systems (including cloud-based EHRs and practice management platforms)

AI/ML-enabled analytics and decision support tools used for imaging, clinical decision support, and operational optimization

Intermediary and integration platforms, including health information exchanges, integration engines, and API gateways

Digital front door and patient engagement solutions, including portals, apps, and telehealth platforms

Key concerns reported include:

Weak or opaque security controls in multi-tenant, cloud EHR and AI platforms

Inconsistent patching and vulnerability management across vendor ecosystems

Limited transparency into AI model security, data handling, and training data provenance

Identity and access management across internal systems and vendor-hosted environments

uncertainty, especially where AI and cross-border data transfers intersect with health privacy laws

Cyber incidents increasingly impact patient care and trust

Respondents across the nine countries also reported that vendor-linked incidents are no longer "paper-only" breaches:

67% have experienced clinical disruption or downtime in the past 24 months due to a vendor outage or cyber event.

98% report board-level concern that AI and EHR vendor incidents could erode patient trust in digital health initiatives.

95% say renewing cyber insurance has become significantly more difficult or expensive because of third-party and AI-related risks.

"In every region we studied this year, the pattern is the same: vendor failures are turning into operational crises at the bedside," Brown added. "You can have a strong internal security program and still see clinics shut down or oncology pathways disrupted because a partner's platform was compromised or offline."

CISOs call for stronger governance of EHR and AI suppliers

The flash survey also asked respondents about their top priorities for improving vendor-related cybersecurity in 2026. Leading action items include:

Embedding rigorous cyber requirements into EHR and AI procurement and contracting

Standardizing third-party risk assessments and continuous monitoring across all clinical and business vendors

Consolidating vendor sprawl, especially overlapping digital health and analytics tools

Investing in independent advisory support to benchmark vendor controls, validate attestations, and design realistic contingency plans

Educating boards and executives on the systemic nature of vendor/AI risk in healthcare

"CISOs are clear: this isn't just an IT problem or a single vendor negotiation issue," said Brown. "They are asking boards, regulators, and industry groups to recognize that EHR and AI vendor vulnerability is now a top-tier systemic risk to patient safety, continuity of care, and public confidence in health data."

Part of Black Book's 2026 global healthcare cybersecurity series

Findings from the nine-country flash survey will be incorporated into Black Book's 2026 Healthcare Cybersecurity Series, which includes:

2026 Hospital Cybersecurity Readiness - benchmarking preparedness across governance, controls, and staffing

2026 Hospital Cyber Resilience and Recovery - focusing on real-world incidents, downtime, and recovery patterns

2026 European Healthcare Cybersecurity - examining regional differences in threats, regulation, and vendor reliance

2026 Healthcare Cybersecurity Resource Guide to Vendors - an approximately 300-page reference covering frameworks, vendor landscapes, and best practices

2026 Healthcare Cybersecurity Guide to Consultants and Advisory Firms - profiling advisory and consulting providers and client-rated outcomes across 13 functional categories

"The message from this flash survey is not that hospitals should abandon digital health, EHR modernization, or AI," Brown concluded. "It's that boards and executives must treat EHR and AI vendor risk as core to their cybersecurity strategy, not as an afterthought. The organizations that will weather the next wave of incidents are those that combine strong internal programs with disciplined oversight of the vendors that now sit at the heart of care delivery."

About Black Book Research

Black Book Research is an independent global healthcare market research and public opinion firm, conducting crowdsourced client experience surveys and competitive intelligence across healthcare technology and services sectors since 2004. Black Book's mission is to provide unbiased insights that help healthcare organizations make better decisions about the partners and platforms they rely on to deliver safe, efficient, and trusted care. Download free industry reports and find other 2026 data leads at: https://www.blackbookmarketresearch.com

