A Guide to Preventing Next-Generation Supply Chain Attacks
Health Industry Impact: The Numbers
In the Shai-Hulud 2.0 attack data set we explored, 13 health and life sciences organizations were compromised, exposing 1,082 total secrets across major pharmaceutical companies, medical device manufacturers, healthcare IT providers, and retail pharmacy operations. Of these exposed credentials, 116 secrets (9.7%) remained valid at the time of analysis, meaning attackers likely retained access to companies’ systems weeks after the attack was discovered.
The health sector’s concentration in a single supply chain attack creates cascading risks across the entire ecosystem. Critical finding: Validity rates varied from 3% (indicating rapid revocation) to 100% (suggesting little to no detection or response).
During 2025, Health-ISAC surveyed its membership about the top cybersecurity concerns going into 2026. Third-party breaches and data breaches were consistently cited across health sector organizations of all sizes and specialties as major organizational concerns. This concern was also shared by the analysts of the Health- ISAC Threat Operations Center, who observed threat actors making a shift toward targeting client-rich third parties as opposed to large organizations.
This new model placed supply chain security at the forefront of the cybersecurity debate in the health sector. As all aspects of health undergo digitization, it is imperative that organizations maintain a comprehensive list of third-party vendors and software bill of materials (SBOM) for internal projects. This allows organizations to swiftly determine if they are impacted by large-scale supply chain attacks like Shai Hulud.
Read this white paper by Git Guardian, a Health-ISAC Community Services Champion to learn three immediate steps that can significantly reduce your exposure.
