When the supply chain makes headlines, it usually isn’t good news. Hospitals and health systems scrambled to find new sources of personal protective equipment (PPE) and other supplies as the Coronavirus disease (COVID-19) spiraled out of control and unearthed critical shortages. In addition to the rationing of mission-critical supplies and sourcing from unvetted vendors, healthcare leaders also began contending with another nefarious challenge—hackers trying to infiltrate via the supply chain.
Recent research has uncovered that the healthcare supply chain is a major offender in terms of not meeting key national cybersecurity standards. To illustrate the severity of the problem, the FBI issued three separate alerts earlier this year about increased attacks on the supply chain, which penetrated hospital network systems across the globe “through vendor software supply chain and hardware products.”
Healthcare providers have a very large, complex supply chain with layers of contractors and subcontractors. Being the only industry providing access to electronic protected health information (ePHI), this requires another layer of oversight where healthcare institutions must also closely monitor their own supply chain partner’s own security posture. With this type of access, supply chain vendors are perfect targets for hackers.
If a lapse occurs and attackers are able to infiltrate the supply chain, they can access highly sensitive information like patient data and are able manipulate data or coding to disrupt daily operations, affecting business continuity and potentially upending patient care. A recent report found information-heavy vendors like electronic health records (HER) providers and collection agencies are examples of supply chain companies associated with the most breaches.
Additionally, the threat landscape is in a great deal of flux. People are working from everywhere and devices are being shared on insecure WiFi networks, which creates more vulnerabilities and gaps ripe for the picking.
What makes the supply chain vulnerable
Given ePHI data is so sensitive and widely available across the supply chain, bad guys can easily access demographic, financial and clinical data all in one place.
There is risk both in interconnectivity and points of entry. For example, a group purchasing organization (GPO) requires unparalleled access to help hospitals with purchasing supplies enterprise-wide. The supply chain can also be very diverse—hospitals tap hundreds, even thousands of contractors and vendors, for daily operations.
Interconnected networks and unfettered access allow hackers to quickly move laterally without detection and the number of vendors hospitals work with also presents opportunities for entry.
Who’s most vulnerable for attacks
Companies that are not accustomed to working with healthcare institutions may present the greatest threats.
Some vendors misunderstand the security needs in healthcare and how to safely manage patient data. Additionally, due to the breakdown across supply chains triggered by COVID-19, many providers are “approving” new vendors without fully vetting them, creating additional points of weakness.
What can be done now to defend the healthcare supply chain
To shore up vulnerabilities within the healthcare supply chain, healthcare leaders and their respective supply chain vendors must work together to bolster defenses and prevent future attacks. Key steps include:
● Create an inventory of all third-party relationships. It’s essential to map out all vendor relationships and assign responsibilities for assessing and overhauling security best practices.
● Tier vendor vulnerabilities. Assess and segment all vendors’ risk profiles and put a risk remediation plan in place to ensure key checks and balances are aligned with an organization’s own baseline program.
● Create vendor security best practices. Educate vendors on security policies and procedures and mandate that training and certifications are necessary to be eligible for business contracts.
● Establish governance around ePHI. Hospitals should establish a governance structure and a committee that reviews each vendor contract from a privacy and security perspective.
Hospitals and healthcare systems have a tangled security web to manage. While often overlooked, the supply chain should be top-of-mind for healthcare leaders and security executives. If ignored, hackers will continue to exploit these weaknesses and disrupt operations. While a complex undertaking, leaders must take time to understand where the systems’ weaknesses lie and ensure vendors also prioritize security and data privacy because in today’s hyper-connected world, we’re only as good as our weakest link.
