Safeguard
Software Supply Chain Security

Securing electronic health record (EHR) software supply c...

How the Change Healthcare breach, weak EHR vendor risk management, and exposed HL7 FHIR APIs turned healthcare's software supply chain into its biggest security gap.

James
Principal Security Architect
7 min read

In February 2024, a single compromised Citrix portal at Change Healthcare — the clearinghouse that routes roughly 15 billion healthcare transactions a year — triggered a ransomware attack that froze prescription processing, claims payments, and eligibility checks across thousands of U.S. hospitals and pharmacies for weeks. The breach eventually exposed the health data of an estimated 190 million people and cost UnitedHealth Group more than $2.9 billion. It wasn't a flaw in a hospital's own EHR. It was a downstream dependency nobody in the room had fully mapped. That is the essence of EHR software supply chain security: protecting patient records not just from direct attacks on Epic, Cerner, or Meditech instances, but from the sprawling web of integration engines, billing clearinghouses, lab interfaces, and third-party apps that every modern EHR depends on. This post breaks down why that web has become the healthcare industry's most exploited weakness, and what security teams can actually do about it.

Why Does EHR Software Supply Chain Security Matter More Than Ever?

EHR software supply chain security matters because the attack surface around patient records has moved almost entirely outside the four walls of the hospital. A modern hospital EHR deployment isn't one monolithic application — it's a hub connected to dozens of vendors: e-prescribing networks, revenue cycle platforms, radiology PACS systems, patient portals, and increasingly, third-party apps pulling data through APIs. The HHS Office for Civil Rights logged 725 large healthcare data breaches in 2023 alone, affecting over 133 million records, and a growing share trace back to a vendor or business associate rather than the covered entity itself. The 2020 CMS Interoperability and Patient Access final rule and the 21st Century Cures Act's API access requirements — which became enforceable on December 31, 2022 — were designed to open up data sharing. They succeeded, but they also multiplied the number of external systems with legitimate, standing access to EHR data, and each one is a potential entry point that a hospital's own security team rarely controls or even fully inventories.

What Actually Happened in the Change Healthcare Breach?

What happened is that attackers linked to the ALPHV/BlackCat ransomware group got into Change Healthcare's network through a Citrix remote-access portal that lacked multi-factor authentication, then moved laterally for over a week before deploying ransomware on February 21, 2024. Because Change Healthcare sits in the transaction path between nearly every EHR and every payer in the country, the blast radius was national: the American Hospital Association's own survey found that 94% of hospitals reported a financial impact, and more than 60% said the disruption directly affected patient care, including delayed authorizations for chemotherapy and other time-sensitive treatments. UnitedHealth ultimately confirmed paying a $22 million ransom. No hospital's internal EHR was breached — the incident is a textbook case of supply chain concentration risk, where a single vendor's failure to enforce basic access controls cascades into an industry-wide outage. It's also why "our EHR is secure" is no longer a meaningful statement on its own; the question has to be whether every system that touches that EHR's data pipeline is equally hardened.

Why Is EHR Vendor Risk Management So Hard to Get Right?

EHR vendor risk management is difficult because most hospitals still assess vendors once a year with a static questionnaire, while the software those vendors ship changes weekly. Epic and Oracle Health (formerly Cerner) together account for roughly three-quarters of the U.S. acute-care EHR market, but each installation sits on top of hundreds of third-party modules — lab interface engines, clinical decision support plugins, e-fax gateways — many built on open-source components that update independently of the vendor's own release cycle. A 2023 analysis of healthcare software found open-source components in the vast majority of scanned applications, and a meaningful share contained known vulnerabilities with available exploits. HIPAA's Security Rule requires covered entities to manage business associate risk, but it doesn't mandate continuous monitoring of what's actually inside a vendor's codebase, so most EHR vendor risk management programs rely on SOC 2 reports and attestations that can be a year out of date by the time they're read. The HHS 405(d) Health Industry Cybersecurity Practices guidance now explicitly recommends software bills of materials (SBOMs) for exactly this reason — a point-in-time attestation can't tell you whether a vendor shipped a vulnerable Log4j-style dependency last Tuesday.

How Do HL7 FHIR APIs Expand the Attack Surface?

HL7 FHIR APIs expand the attack surface by turning what used to be batch file transfers between trusted systems into always-on, internet-facing endpoints that any registered third-party app can query. The Cures Act API rule requires certified EHR technology to expose HL7 FHIR R4 endpoints for patient access and, since 2023, for provider-to-provider and payer-to-payer data exchange as well. That's a real win for interoperability, but HL7 FHIR API security introduces problems that didn't exist in the old HL7v2 point-to-point world: OAuth 2.0 and SMART on FHIR authorization flows that are easy to misconfigure, granular resource-level scopes that developers routinely over-request, and third-party apps built by small vendors with none of the security maturity of the EHR platform itself. Researchers have repeatedly demonstrated that misconfigured FHIR servers can leak entire patient panels through overly broad search parameters or missing scope enforcement — one widely cited 2021 study found exploitable authorization flaws in several production SMART-on-FHIR implementations. Every registered app with an API key is effectively a new supply chain node with a standing pipe into protected health information, and most hospital security teams have no inventory of which apps are actually connected, let alone what those apps' own dependencies look like.

What Does Healthcare Interoperability Security Require Beyond TLS and OAuth?

Healthcare interoperability security requires continuous verification of every party in the data exchange chain, not just encryption in transit and a login screen. TLS and OAuth answer "is this connection encrypted and authenticated," but they don't answer "has this app's code been tampered with since it was reviewed," "does this integration engine have a newly disclosed CVE in one of its 200 transitive dependencies," or "did this vendor's last build actually come from their own CI pipeline." The FDA's Section 524B authority under the 2023 PATCH Act now requires medical device manufacturers to submit an SBOM and a vulnerability management plan as part of premarket submissions, which signals where regulators expect the rest of health IT to go. Real interoperability security means treating every FHIR-connected app, every clearinghouse, and every lab interface as a node that needs artifact provenance, dependency scanning, and runtime behavior monitoring — the same rigor applied to build pipelines in any other regulated software industry, applied consistently across a vendor ecosystem that healthcare organizations don't own and can't directly patch.

How Safeguard Helps

Safeguard gives healthcare security and compliance teams visibility into the parts of the EHR supply chain that traditional vendor questionnaires and annual audits miss. Instead of relying on point-in-time attestations, Safeguard continuously monitors the software artifacts, dependencies, and build pipelines behind connected EHR modules, FHIR-integrated apps, and clearinghouse services — surfacing newly disclosed vulnerabilities, unexpected dependency changes, and provenance gaps as they happen rather than at renewal time. For EHR vendor risk management, that means moving from a static risk score to a living picture of what each vendor is actually shipping. For HL7 FHIR API security, Safeguard helps teams inventory which third-party apps hold live API scopes, flag anomalous access patterns, and verify that connected applications meet the same supply chain integrity bar as the EHR platform itself. And because SBOM generation and validation are built into the platform, healthcare organizations can respond to HHS 405(d) guidance and FDA premarket expectations without building that tooling in-house. The goal is straightforward: give hospitals and health systems the same continuous, evidence-based assurance over their software supply chain that they already expect over their clinical supply chain — because in both cases, a failure anywhere in the chain becomes a failure at the bedside.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.