Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks

By | January 12, 2023

Healthcare organizations can put a host of cybersecurity measures in place to secure their networks and prevent direct attacks by malicious actors, but securing the supply chain poses significant challenges. Healthcare organizations use vendors to provide services that cannot be handled in-house, and while those vendors provide important services they also create risks that need to be effectively managed. Vendors often require privileged access to networks to perform their functions, which means an attack on a vendor can allow a threat actor to gain access to a healthcare organization’s network through the backdoor.

Cybercriminals have been increasingly attacking healthcare vendors because they are a much less secure part of the supply chain, and in 2022 many of the largest healthcare data breaches reported involved vendors. Shields Health Care Group, which provides medical imaging services to more than 50 healthcare facilities, suffered a breach of more than 2 million records. Professional Finance Company, which provides a debt collection service to healthcare organizations, suffered a breach that affected many of its clients and exposed the data of 1.91 million patients. There was also an attack on the electronic medical record vendor Eye Care Leaders that affected at least 41 eye care providers and more than 3.6 million patients, to name but a few. While efforts need to continue to secure healthcare networks from direct attacks, urgent action is required to secure the supply chain.

A recent survey conducted by the Ponemon Institute on behalf of the Healthcare and Public Health Sector Coordinating Councils (HSCC) explored the current state of supply chain risk in healthcare and confirmed that a great deal needs to be done, with many healthcare organizations found to experience significant challenges in securing their supply chains. The survey, which was conducted on 400 U.S. healthcare organizations, confirmed that there continues to be significant capability and budget gaps between large and small healthcare organizations when it comes to managing and reducing supply chain risk, but organizations of all sizes are failing at the basics of supply chain risk management.

To accurately measure and address risk, healthcare organizations must have a full inventory of all suppliers that they use, yet the survey revealed that only 20% of the 400 surveyed organizations had a complete inventory of all of their suppliers, and smaller healthcare organizations were three times more likely to have no inventory at all. One common approach taken by healthcare organizations is to focus their supply chain risk management programs on new vendors as they are onboarded while failing to assess and manage risk for their existing suppliers, which was the case for almost half (46%) of surveyed organizations. Some 35% of surveyed organizations were not evaluating supplier risks related to patient outcomes, with smaller healthcare organizations twice as likely to have this gap as larger organizations, and only 41% of organizations had integrated their cyber risk programs with their procurement and contracting teams. Smaller healthcare organizations were found to lack the budgetary resources to properly manage supply chain risk, with 57% of smaller organizations having supply chain risk management budgets of $500,000 or less, compared to 51% of large organizations that had supply chain risk management budgets of between $1 million and $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes supply chain risk management practices that can, and should, be adopted, but doing so can be a challenge for small- and medium-sized healthcare organizations. To make supply chain risk management more straightforward, the HSCC has tailored this resource and developed a free toolkit (HICSCRiM) specifically for small to mid-sized healthcare organizations, which typically have more limited budgets and resources for managing supply chain risk.

“The healthcare supply chain team is under an increasing amount of pressure to move quickly while managing a multitude of risks during the procurement process,” said Ed Gaudet, CEO and Founder of Censinet and HSCC Supply Chain Cybersecurity Task Group Member. “As cyberattacks like ransomware become more sophisticated, this survey hammers home the urgent need for automation and actionable risk insights to help supply chain leaders effectively manage inventory, cyber risk, fraud, and supplier redundancy.”

The post Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks appeared first on HIPAA Journal.