In January 2026, someone got into Nissan’s network through a third-party IT contractor running their customer sales and service data applications. By the time the Everest extortion group published negotiation logs, 910 gigabytes had already been exfiltrated: 180,000+ files spanning 13 years of records, including financial data, source code, and private encryption keys.

Nissan’s defense, according to the threat actors, was to blame the vendor.

But that defense doesn’t work in healthcare, especially now.

The Same Story, Three Times in a Row

The pattern across recent headlines is hard to ignore.

In March 2026, the Trivy security scanner, software used by thousands of development teams to check for vulnerabilities, was itself compromised. Organizations that relied on it were running compromised tooling in the middle of their own software builds, with no way of knowing it. For health tech vendors selling to large hospital systems, the question “are you affected?” didn’t have a quick answer. Engineering teams couldn’t produce documentation. Deals stalled. Clients called.

Next came Axios, which is deeply embedded in applications across the healthcare software ecosystem. A critical vulnerability had been quietly sitting in production codebases for months before it was flagged publicly. The organizations that knew immediately were the ones with continuous dependency monitoring. The ones that found out later were the ones relying on annual audits and point-in-time scans that were already out of date the moment they were finished.

And now it’s Nissan, with the same root cause but a different logo.

The mechanism is identical every time. A trusted third party, whether a vendor, a contractor, or an open-source tool, becomes the entry point. The breach happens upstream. The damage lands downstream.

Why Healthcare Leaders Should Be Paying Close Attention

Most industries can absorb a vendor breach with some reputational damage and an insurance claim. But in healthcare, that is not the case.

Software supply chain attacks accounted for 15% of healthcare breaches in 2024, up from 4% in 2021. That trajectory is only gaining speed. 58% of healthcare breaches in 2024 came from third parties. And when HIPAA’s 60-day breach notification clock starts, it doesn’t start when your vendor notifies you. It starts at discovery. But when the breach came through a vendor’s compromised tooling, “discovery” is a legal argument, not a timestamp.

The financial exposure isn’t abstract. OCR penalty tiers reach $1.9 million per violation category per year. Cyber insurance underwriters are adding supply chain exclusions and asking questions at renewal that most healthcare organizations can’t answer today. And an enterprise deal that stalls in security review because a client wants documentation you can’t produce is annual recurring revenue (ARR) that doesn’t close.

These are not cybersecurity risks alone. They’re business risks that live in your software stack.

The Problem with the Vendor Defense

When Nissan’s leadership pointed to the third-party contractor, they weren’t wrong about the source. They were wrong about the responsibility.

A Business Associate Agreement doesn’t transfer your liability. It merely documents a shared obligation. Healthcare leaders know this instinctively. If a vendor you’ve contracted touches patient data and their software has a critical unpatched vulnerability that enables a breach, the conversation with OCR is yours to have. The notification letters go out under your letterhead. The board question comes to your desk.

The vendor defense is just a starting point for a much longer, more expensive conversation.

What changes that conversation, even before it starts, is visibility that goes beyond an annual security questionnaire and a SOC 2 certificate issued six months ago. It is the continuous, documented visibility into what’s running in the software your vendors are shipping, updated daily, with documentation that can be produced on demand.

That’s the gap the last three major supply chain incidents have exposed. It’s the gap that most healthcare organizations and most of the vendors selling to them still haven’t closed.

What Healthcare Leaders Are Asking For Now

Enterprise health systems have noticed. Their procurement teams are formalizing vendor security evaluations as a standard stage in the buying process. SBOMs (Software Bills of Materials), essentially an inventory of everything inside a piece of software, are now being requested at contract signing and renewal. Vendor security questionnaires have expanded to include questions about dependency risk that most vendors’ engineering teams can’t answer in a week, let alone in a deal cycle.
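The continuous dependency monitoring that separated the fast responders from the slow ones in the Axios case, and the SBOM that procurement teams now ask for, come down to the same two steps: inventory every component, then match that inventory against an advisory feed as it changes. The snippet below is an added illustration of those two steps, not TripleKey’s or TripleScan’s code; every package name, version and advisory ID in it is constructed.

```javascript
// Added example (not TripleKey's or TripleScan's code): derive an SBOM-style
// inventory from a package-lock file and match it against an advisory feed.
// Every package name, version and advisory ID below is constructed.
// Constructed lockfile fragment in package-lock v2/v3 shape ("packages" map).
const lockfile = {
  packages: {
    "": { name: "patient-portal", version: "2.4.0" },
    "node_modules/example-http-client": { version: "1.6.2" },
    "node_modules/example-logger": { version: "3.0.1" },
    "node_modules/example-logger/node_modules/example-util": { version: "0.9.8" },
  },
};
// Constructed advisory feed: a component is affected when introduced <= version < fixed.
const advisories = [
  { id: "ADV-EXAMPLE-001", pkg: "example-http-client", introduced: "1.0.0", fixed: "1.6.3", severity: "critical" },
  { id: "ADV-EXAMPLE-002", pkg: "example-util", introduced: "0.9.0", fixed: "0.9.5", severity: "high" },
];

// Compare two "major.minor.patch" strings numerically (no pre-release tags handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inventory: each node_modules path yields a component name (the segment after the
// last "node_modules/", so nested copies are listed separately) and its version.
function buildInventory(lock) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.startsWith("node_modules/"))
    .map(([path, meta]) => ({ name: path.split("node_modules/").pop(), version: meta.version }));
}

// Match every inventory entry against every advisory published for its name.
function findAffected(inventory, feed) {
  const hits = [];
  for (const c of inventory) {
    for (const adv of feed) {
      if (adv.pkg !== c.name) continue;
      if (compareVersions(c.version, adv.introduced) >= 0 && compareVersions(c.version, adv.fixed) < 0) {
        hits.push({ ...c, advisory: adv.id, severity: adv.severity });
      }
    }
  }
  return hits;
}

const affected = findAffected(buildInventory(lockfile), advisories);
console.log(`${buildInventory(lockfile).length} components, ${affected.length} affected`, affected);
```

Run against the current lockfile on every change rather than once a year, the only thing that has to move for a months-old range to be flagged the day it is published is the advisory feed; the point-in-time scan described above never re-reads either.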

For health tech CEOs, this is a deal velocity issue. For VPs of Sales, it’s the question their AEs can’t answer in discovery. For CFOs, it’s the financial exposure that shows up in diligence. For legal teams, it’s the contract warranty they’re being asked to sign without the documentation to back it up.

The Nissan breach didn’t make this problem worse. It made it more visible. 

Software risk is invisible until it isn’t. And that problem has been compounding for years.

What Continuous Visibility Actually Looks Like

Healthcare software guides life-critical decisions, yet software risk remains invisible until it’s too late. After Trivy, Axios, and Nissan, the question every healthcare leader should be able to answer is whether they can see their software risk before it is exploited.

TripleKey was built to close that gap. TripleScan, our core product, runs daily, scanning the dependencies inside your software and surfacing risk as it emerges. Not after the audit cycle. Not after the client asks. Before. In real time.

The architecture is designed for organizations that can’t afford pipeline disruption. TripleScan runs on a read-only repository token. Nothing installs in your build process, and your engineering team doesn’t need to alter how they work. The scan runs, the risk score updates, and a Software Bill of Materials is available on demand within minutes.

For the health system evaluating a new vendor: you get daily visibility into your vendor ecosystem without requiring a single technical credential from your team.

For the health tech vendor in procurement: you can answer the SBOM request before the client asks twice. You can show up to the security review with documentation, not a timeline estimate.

For the executive team reviewing the Nissan headlines and wondering if your exposure is comparable: TripleScan tells you what’s in your software stack today, not what was in it six months ago.

The Pattern Is Clear

Trivy. Axios. Nissan. The mechanism is the same each time. A trusted third party becomes a vector. The breach flows downstream. The organization with patient data, enterprise contracts, and regulatory obligations absorbs the consequence.

Point-in-time audits and guesswork don’t suffice. 

The organizations that answered “are we affected?” within hours of the breach were the ones with continuous monitoring already in place. The ones still piecing together an answer are the ones that will be slower in the next one.

There will be a next one.

Healthcare innovation shouldn’t be a liability. But it will be, for any organization that treats software risk as something you audit once a year and call solved.

See what is running in your software stack today:

“When you understand your RER, you gain clarity on where to focus your efforts. That insight transforms development from chaotic to controlled”
— Sophia Liang, CTO at TripleKey
1. Reduced Technical Debt: Proactive risk management prevents future bottlenecks.
2. Enhanced Team Morale: Teams equipped with clear risk insights feel empowered.
3. Faster Time to Market: Efficient risk handling eliminates unnecessary delays.

“Efficiency isn’t just about speed—it’s about navigating risks with precision to keep your development pipeline resilient and agile.”

— Sophia Liang, CTO at TripleKey


// RER: risks resolved per code change, rounded to two decimals.
// Returns null instead of "Infinity" or "NaN" when there are no code changes to divide by.
const calculateRER = (riskResolved, codeChanges) => {
  if (!Number.isFinite(codeChanges) || codeChanges <= 0) return null;
  return (riskResolved / codeChanges).toFixed(2);
};

// Example calculation:
const resolvedRisks = 35;
const codeUpdates = 150;

console.log(`Your RER is: ${calculateRER(resolvedRisks, codeUpdates)}`);