Close

Join the Insider Program

Explore exclusive HealthTech coverage and enjoy early access to the latest stories.

Nov 28 2022
Security

Top 3 Priorities for Strengthening Supply Chain Security in Healthcare

Organizations can focus on these specific areas to bolster their strategy and ultimately prevent exposure of sensitive data.

Supply chain attacks on vendors and third-party suppliers have far-reaching ramifications on healthcare organizations. Malicious actors can insert malware into a vendor’s code (or software updates), and when a client downloads the software, the attacker gains access to an organization’s networked systems.

However, there is another version of supply chain risk that results from an interconnected digital world that needs close attention: third-party risk management. For example, in December 2021, a ransomware attack against a workforce management company wreaked havoc on its customers’ payroll processes. Those impacted included healthcare facilities across the U.S. at a time during the COVID-19 pandemic when medical workers were dealing with a surge of the Omicron variant. Healthcare facilities had difficulty processing payrolls as well as managing the complex employee schedules at 24-hour facilities.

EXPLORE: How healthcare organizations can benefit from real-time supply chain visibility solutions.

In 2020, a cloud software company was the victim of a ransomware attack that exposed patient and donor information for millions of people across the country. Meanwhile, a provider of artificial intelligence solutions was attacked twice in 2017, a victim of NotPetya, a global wiper malware attack. The virus impacted the systems used by the provider’s healthcare customers, primarily its transcription services, as well as its imaging division systems used to receive and process orders.

Click the banner below for access to exclusive HealthTech content and a customized experience.

The healthcare organizations weren’t breached, but attacks on their vendors and third-party suppliers had major consequences across the ecosystem. In some cases, that included exposing the healthcare systems’ data, and patient and family data, to cybercriminals. CrowdStrike’s 2022 Global Threat Report offers more insight on the current state of cybersecurity and challenges surrounding the mission to stop breaches.

It might seem like too daunting a task to monitor all the suppliers and vendors of commercial software and services used by healthcare systems, but those institutions can fortify their security posture with these three actions.

DISCOVER: Supply chain management strategies for healthcare organizations.

1. Keep Inventory Updated

Healthcare facilities should always have an up-to-date inventory of all vendors and suppliers. This means working closely with supply chain, finance and compliance teams.

If an institution does not have a well-managed third-party risk management program, then developing that inventory will take some detective work:

  • Supply chain managers should know all the contracts the organization has signed. If they do not, that’s a different problem and another layer of the onion. Assuming they do, then those contracts should identify technology or application partners that might expose an organization to third-party risk. There should be a complete, end-to-end acquisition policy that is followed by the entire healthcare institution that mandates cybersecurity, compliance and other reviews before signing on new vendors.
  • Finance pays all the invoices and is another source for identifying all third-party partners that may be introducing risk. Since many services can now be purchased online with a credit card, risk managers might have to do even more digging should one of the departments decide to contract with a supplier without going through proper channels.
  • Legal and compliance officers help create contract documents and policies that align vendor compliance with healthcare requirements, such as adherence to HIPAA. They conduct investigations and regular reviews of the effectiveness of compliance programs, reporting to senior management and the institution’s board of directors.

2. Establish A Third-Party Risk Management Program

Risk assessment starts during the initial evaluation of a potential partner. Security and compliance teams should assess if the vendor or partner meets the institution’s cybersecurity and compliance requirements.

If the vendor cannot meet those requirements, do not proceed with the relationship unless there is a compelling requirement that outweighs the associated risk. If an exception is to be made, the team should document what controls will be in place to monitor and manage the vendor’s cybersecurity shortfalls. Someone at the senior executive level should be responsible for signing off and accepting the risk for the organization.

3. Conduct Ongoing Reviews of Vendors

One review of third-party vendors at intake is not enough. All programs evolve over time, so there must be an ongoing review and evaluation of all vendors and suppliers in the ecosystem.

Yes, this is an incredibly difficult challenge and a place where most organizations lack personnel, support and documentation of their work. However, there are consulting firms and tools that can be applied to help with the ongoing review process.

The institution must be focused on how its data is being used and stored to understand the risks associated with sharing that data.

READ MORE: Lessons from healthcare supply chain leaders.

Bottom Line: Protect All Assets

Healthcare organizations face risks from many different types of supply chain vendors — from food suppliers and software makers to medical device manufacturers, pharmaceutical companies and day-to-day medical supply sellers.

Because these products and services are often deeply integrated into the delivery of care, a cybersecurity incident or other kind of disruption at any one of these vendors can degrade a health system’s ability to deliver care to patients and families.

To mitigate supply chain risk, healthcare organizations must know who all of their vendors and suppliers are, establish a third-party risk management program to assess their cybersecurity standards and compliance, and conduct reviews on a regular basis to ensure their suppliers remain compliant with all requirements.

Alvarez/Getty Images