Healthcare cyber risk grows as visibility gaps expose third-party threats
You can’t secure what you can’t see: the hidden risk in healthcare’s digital ecosystem
At first glance, Palantir receiving access to an address book containing up to 1.5 million NHS staff may seem like just one more example of digital transformation on a grand scale in healthcare, or simply a necessary step for a supplier supporting such a complex environment.
However, underneath this headline, there is much more to consider: nowadays, the healthcare ecosystem consists not just of the organisation itself, but of an extensive external network surrounding it.
One question needs addressing here: do organizations know exactly who has access to the most crucial parts of their systems and information at all times?
Healthcare has always been a data-rich, high-stakes environment but its digital evolution has dramatically expanded the number of actors involved in delivering care. Cloud providers, analytics platforms, software vendors, contractors and consultants all require varying degrees of access to critical systems.
CEO of Quod Orbis.
Third-party blind spots
The challenge is not simply that third parties exist, but that visibility into their access is often fragmented or incomplete. In many cases, organizations rely on static records, contractual assurances or periodic reviews to validate security. But access changes constantly - new users are onboarded, permissions are altered, integrations are updated - often without a central, real-time view.
This approach creates a very risky and potentially dangerous situation to be in. The organizations themselves are responsible for making sure patient data is secure and services operate smoothly.
However, in the case of the NHS, this is far from straightforward. It is not a single organisation with one unified IT system, but a network of hundreds of semi-independent Trusts, GP practices, mental health services and other care providers, many of which have historically procured their own technology.
This has led to a complex landscape of legacy systems that do not always integrate effectively, making visibility and control over access significantly more challenging, particularly when introducing third-party providers.
This is why so many major security events occur not within companies' strongholds but at the edges of their network, through integrations or partnerships. And it becomes even more problematic since, unlike many other sectors, healthcare relies heavily on the availability of information systems.
Therefore, access management in this sector becomes not just a question of protecting data but of ensuring business continuity as well.
Cyber risk meets geopolitics
At the same time, the threat landscape is also undergoing changes that only amplify the risks associated with these vulnerabilities.
Recent wiper attacks on healthcare institutions, attributed to Iran, illustrate that today cyber operations are a direct result of geopolitical tension. This creates a sort of parallel battlefield, where disruption becomes possible without crossing borders in the conventional sense. In many ways, this is modern warfare and one that organizations are still not fully prepared for.
Wiper attacks differ from standard attacks in that their purpose is not to steal sensitive information but to destroy the systems altogether. For healthcare organizations, these attacks mean catastrophic failures with potentially fatal consequences for patients.
Even more concerning is how accessible these attacks have become. Advances in AI tools are dramatically lowering the cost and effort required to carry them out, meaning tactics like phishing, DDoS and reconnaissance can now be executed at far greater speed and scale.
This shifts cyber risk firmly into the realm of strategic risk. It is no longer confined to the IT department. It affects operational resilience, financial stability and public trust. Leaders must now assume that cyber pressure will increase in parallel with global instability, not independently of it.
Compliance isn’t enough
Even in light of these developments, many organizations still rely on approaches to security and compliance that were designed for a very different era.
Periodic auditing, annual evaluations and a static framework for ensuring compliance offer a one-time snapshot. These methodologies ensure that controls were in place at the moment of assessment but do nothing to guarantee what transpires in the following days or months.
In highly dynamic environments like healthcare, this is a critical limitation. Systems evolve on a daily basis. Access permissions change and new integrations are introduced. A control that was effective during an audit can fail without any immediate visibility.
Recent research from Quod Orbis consistently shows that organizations often overestimate their visibility. For example, the majority of businesses report confidence in their security posture: 93% say they have clear visibility of their IT assets, yet 95% admit they have been unable to access a specific software asset in the last year. This gap between perception and reality is where risk starts to accumulate.
The case for continuous monitoring
If the nature of risk has changed, so must the risk management framework. While regulations like DORA are beginning to address this shift within financial services, the reality is that the same principles now apply far beyond a single sector.
Rather than looking for additional reports and methods, businesses need to embrace a completely new approach to assurance, one that recognizes the dynamic and real-time nature of modern IT systems.
Through continuous network monitoring, organizations gain the ability to know in real time exactly how secure their IT systems really are and to ask some crucial questions, such as: who has access, what changes have been made and what holes have yet to be covered? Third-party access is one area where continuous oversight would help organizations implement a "trust, but verify" model rather than a blind-trust approach.
At the same time, continuous oversight and monitoring provide an opportunity to address issues proactively before they occur. In today's ever more disruptive environment, the ability to address and prevent issues can mean the difference between containing an issue and experiencing an operational nightmare.
It allows organizations to exert control without stifling innovation and collaboration.
The NHS story is not an outlier in this sense. On the contrary, it reflects the shift in organizational behavior and the risks associated with it, and a broader reality across many organizations. Like the NHS, many businesses are operating with legacy systems, fragmented IT infrastructure and limited visibility across their environments. With the expansion of digital ecosystems, the risks inherent in third-party access are no longer a question. The question is whether organizations have visibility and the ability to control those risks.
It also raises an important consideration: do organizations truly have full oversight of their third-party relationships and can they confidently assess the level of risk and security controls in place?
You cannot secure what you cannot see and, increasingly, what you cannot see is exactly where the risk lies.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit