Success is risky business: The cyber danger of SaaS partners
As interconnectivity becomes more widespread, an attack on one vendor becomes an attack on everyone with whom they’re connected in the digital supply chain.

The more successful a SaaS or PaaS company becomes, the more dangerous it is — for everyone.
Recently, J.P. Morgan’s CISO, Patrick Opet, shared as much in his open letter to SaaS companies. “An attack on one major SaaS or PaaS provider can immediately ripple through its customers,” he wrote. More customers means more opportunities to attack and, thus, more risk.
It’s not hypothetical either — it’s reality. A hacker’s favorite tricks are lateral movement and credential harvesting. A single breach can cascade across connected systems, compromising downstream organizations, their data and the trust placed in them.
This is especially true in healthcare, where high-value targets full of rich data are built on aging infrastructure and outmoded security models. We’re not just talking about email addresses or marketing preferences. We’re talking about protected health information (PHI) — the digital lifeblood of the U.S. health system. And we’re storing, sharing and securing it (barely) across a tangle of cloud platforms, connected apps, and data aggregators.
Success equals risk
Traditionally, growth is deemed good. More users, more integrations, more APIs — these all signal traction. But in cybersecurity, those same signs of scale mean more attack surface. Every integration becomes a possible access point. Every user account is a potential credential to phish. Every API or VPN becomes a door that could be left open just wide enough.
In his letter, Opet underscored that “suppliers are increasingly the entry point for cyber attackers.” He’s right. In fact, this has become the standard play among bad actors: find the weakest point of entry in the supply chain and then move laterally from organization to organization (a so-called “serial” attack) or move laterally inside an organization to find administrative permissions (a privilege escalation attack).
An attack on one vendor becomes an attack on everyone with whom they’re connected. That’s not fear-mongering — it’s the hard truth facing healthcare’s digital supply chain. One of our CIO friends still tells the story of racing into the server room and pulling the plug on everything after a VPN-connected partner of theirs was ravaged in a ransomware hit.
Just ask the hundreds of hospitals, clinics, and pharmacies still recovering from the Change Healthcare breach. It’s not just the breached company that suffers — every dependent system grinds to a halt, and every patient feels it.
Healthcare: A hacker’s paradise
So what happens when a vulnerable SaaS provider sits at the intersection of hundreds of healthcare systems? You get a veritable hacker’s paradise — massive volumes of PHI, often lacking strong access controls, and ripe for lateral movement.
U.S. healthcare has built a digital health ecosystem on compromisable credentials. Even two-factor authentication (yes, it’s better than nothing) is a mere bandage. As attackers become more sophisticated, credential harvesting and session hijacking have only become easier. Once inside, daisy-chaining from user to user or app to app isn’t just possible — it’s expected.
Let’s not pretend our current posture is sufficient.
As Opet puts it: “‘Secure and resilient by design’ must go beyond slogans — it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.”
Meeting the minimum bar doesn’t protect against today’s threats. In a world of polymorphic malware, AI-generated phishing and credential-stuffing botnets, security programs built to compliance alone don’t stand a chance.
The shared surface problem
It’s time for healthcare SaaS vendors to stop thinking of themselves as isolated platforms. They’re not. They’re aggregators. They’re shared surfaces. They are the connective tissue binding together an ecosystem. That means they also become a shared risk factor.
It used to be that perimeter security was enough. Think of networks as a medieval town. The town’s safety once depended on high stone walls, watchtowers and a clear perimeter. That was traditional network security — strong outer defenses and trusted internals.
But in today’s cloud-enabled healthcare landscape, that town doesn’t exist anymore. The walls are gone. The perimeter has dissolved. The network is, frankly, wherever you put an endpoint. It’s wherever your users are — and your users are everywhere. Attackers know that. They’re targeting you, not just to compromise your data, but ideally to get at everyone you touch.
Even so, some vendors still operate like they’re islands. That mindset has to change. The ripple effect of a breach doesn’t stop at your customer. It spills into patient care, into lives disrupted, into downstream chaos.
Shifting to service-edge security
So what’s the answer? It’s not thicker walls. It’s not more complex perimeters.
It’s time we shift focus. Because we can’t protect the “town” anymore (the town as we knew it no longer exists), we must secure every house, every doorstep. That means embracing Zero Trust — not as slogans, but as our design criteria.
Opet calls on vendors to “urgently reprioritize security.” But the best way (perhaps the only way) to do that is through Secure Access Service Edge (SASE): locking down every endpoint and removing the distinction between your “trusted” network and the “dangerous” Internet at large. Understand: it’s all dangerous.
New open-source standards like Key Event Receipt Infrastructure (KERI) offer a solution: cryptographic assurance of identity and provenance. This allows systems to “sign everything” and verify without ever trusting third parties.
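The “sign everything and verify” idea in the paragraph above, as an added example that is not part of the original article and is not KERI code (KERI’s own event format, key rotation and witness/receipt mechanisms are more involved than this): a plain Ed25519 signed event chain in Go, using only the standard library, over constructed sample payloads. Each event embeds the producer’s public key and the digest of the previous signed event, so a receiver can verify who signed each record and in what order from the records alone, without consulting any third party. The type and function names (Event, SignedEvent, Sign, Verify, BuildSampleChain) are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is a constructed, hypothetical provenance record: who produced a
// piece of data, what it is, and which event came before it.
type Event struct {
	Seq      int    `json:"seq"`
	Prior    string `json:"prior"`    // hex SHA-256 of the previous signed event ("" for the first)
	Producer string `json:"producer"` // hex Ed25519 public key of the signer
	Payload  string `json:"payload"`  // the data being attested (constructed sample)
}

// SignedEvent couples an event with the signature over its canonical bytes.
type SignedEvent struct {
	Event     Event  `json:"event"`
	Signature string `json:"signature"` // hex Ed25519 signature
}

// canonical returns the bytes that are signed and hashed. encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func canonical(e Event) []byte {
	b, _ := json.Marshal(e)
	return b
}

// digest identifies a signed event so the next event can reference it.
func digest(se SignedEvent) string {
	b, _ := json.Marshal(se)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign appends a new event to the chain under the producer's private key.
func Sign(priv ed25519.PrivateKey, chain []SignedEvent, payload string) SignedEvent {
	prior := ""
	if len(chain) > 0 {
		prior = digest(chain[len(chain)-1])
	}
	pub := priv.Public().(ed25519.PublicKey)
	ev := Event{Seq: len(chain), Prior: prior, Producer: hex.EncodeToString(pub), Payload: payload}
	sig := ed25519.Sign(priv, canonical(ev))
	return SignedEvent{Event: ev, Signature: hex.EncodeToString(sig)}
}

// Verify checks every signature and every prior-link. It needs nothing but
// the chain itself: the public key travels inside each event.
func Verify(chain []SignedEvent) error {
	prior := ""
	for i, se := range chain {
		if se.Event.Seq != i {
			return fmt.Errorf("event %d: sequence mismatch", i)
		}
		if se.Event.Prior != prior {
			return fmt.Errorf("event %d: prior link does not match previous event", i)
		}
		pub, err := hex.DecodeString(se.Event.Producer)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("event %d: bad producer key", i)
		}
		sig, err := hex.DecodeString(se.Signature)
		if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), canonical(se.Event), sig) {
			return fmt.Errorf("event %d: signature invalid", i)
		}
		prior = digest(se)
	}
	return nil
}

// BuildSampleChain constructs a three-event chain under a fresh key (constructed demo data).
func BuildSampleChain() ([]SignedEvent, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var chain []SignedEvent
	for _, p := range []string{"lab result uploaded", "result released to portal", "result viewed by clinician"} {
		chain = append(chain, Sign(priv, chain, p))
	}
	return chain, nil
}

func main() {
	chain, err := BuildSampleChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("intact chain:", Verify(chain))
	// Alter one payload after signing: the signature over that event no longer verifies.
	chain[1].Event.Payload = "result altered"
	fmt.Println("tampered chain:", Verify(chain))
}
```

Two properties matter here for a shared-surface vendor: a downstream receiver can check the whole history offline with nothing but the records, and a modified or spliced-in event is rejected at the exact position where it breaks the signature or the prior-link, which is the kind of continuous, demonstrable evidence the article asks for rather than a periodic attestation.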
Shared responsibility, real accountability
The J.P. Morgan letter gets down to the essential basics. “We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities.
Traditional measures like network segmentation, tiering and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model. Instead, we need sophisticated authorization methods, advanced detection capabilities and proactive measures to prevent the abuse of interconnected systems.”
This is where J.P. Morgan’s open letter resonates most. While the health systems providing critical care must focus on resilience (how quickly they stand back up after an attack), the onus is on healthcare IT vendors to steel themselves against attacks in the first place.
Health systems know that it’s time to pressure their vendors to prove — not just claim — secure practices. Payers should bake third-party security into contracting processes. Regulators must recognize that shared surfaces require shared oversight.
Vendors need to act like critical infrastructure, because they are. They must secure themselves accordingly.
The more connected we become, the more risk we take on. Growth cannot come at the expense of security. Systems need to be built that scale data safety as fast as they scale adoption.
If you’re a vendor in healthcare today, don’t just ask “Are we secure enough?” Ask: “If we were breached, who else would suffer?” That answer should guide every architectural decision, every vendor integration and every new product launch.
Because in this new digital health landscape, vendor security is our shared risk.
Jared Jeffery, FACHDM is CEO of healthKERI and Phil Feairheller, FACHDM is CTO of healthKERI.