How healthcare orgs can protect their supply chain from cyber risks

A new report from the Cloud Security Alliance explains that it's essential to apply a risk rating, using predefined criteria, to all suppliers.
By Kat Jercich
12:35 PM


The Cloud Security Alliance this past week released a report outlining the cyber risks faced by healthcare delivery organizations when it comes to supply chain management.

Experts from CSA explained that healthcare organizations face two main concerns:

  • Risk management involving the cyber supply chain, which includes IT networks, hardware and software.
  • Risk management involving the conventional supply chain.

"With the move to the cloud and edge computing, HDOs are finding it increasingly challenging to secure their infrastructure," read the report.

"Cyberattacks target HDOs and their suppliers in this expanded attack surface," it continued.  

WHY IT MATTERS  

As the report authors noted, cyberattacks can be very costly, particularly as healthcare organizations and suppliers present juicy targets for bad actors.  

And as the supply chain has become more dependent on the Internet, the risk profile has also become more complex.  

"It is incumbent on HDOs to ensure that their supply chain partners comply with data management policies and ensure the safety and security of the supply chain," said report authors.  

They explored several causes for supply chain and risk management program failure:  

  1. A lack of automation, which makes keeping up with cyber threats challenging.
  2. The cost and time consumption of vendor risk assessments.
  3. Partial or full failure to deploy critical vendor-management controls and processes.

"Regardless of the reason, it is imperative HDOs have an effective supply chain risk-management program to manage the process throughout the supply chain risk-assessment life cycle," said the report.

That life cycle, it continued, comprises determining criteria for supplier evaluation, assessing and treating risk, and monitoring and responding to further developments.  

"We must engage with our supply chain vendors to address tactical and systemic security performance measures necessary to achieve a satisfactory risk rating," said the report.

"Additionally, we must reduce our risk exposure by holding our supply chain accountable to meeting our risk management performance standards.  

"Risk feedback to vendors that is timely, relevant and actionable is a powerful motivator for supply chain vendors to do the right thing," it continued.  

THE LARGER TREND  

The COVID-19 pandemic shone an urgent new light on supply chain cybersecurity, particularly when it came to vaccine development and distribution.  

But even for smaller-scale endeavors, the vendor ecosystem presents a potential concern.

Organizations often work with thousands of third-party businesses, where network vulnerabilities may go unnoticed until it's too late.

ON THE RECORD  

"Supply chain exploitation is not just a potential risk; it is a reality," said CSA report authors.  

"To address this risk, look at how you assess and mitigate internal risk, and compare that to how you assess your supply chain risk. Do you apply the same rigor to your supply chain assessments?" they asked.  

"HDOs need to act now to minimize the effects of a supply chain incident that could impact them. When a part of your supply chain gets compromised, it can compromise your network and put your systems at risk."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.