Jun 12 2024

Tackling Cyber Resilience in Healthcare’s Supply Chain Management

With the reliance of third-party vendors in healthcare’s environment, organizations should consider four key areas to improve cyber resiliency.

Healthcare IT managers are held to a higher standard than other IT groups when it comes to information security. Patient data and other personal identifiable information are considered the most sensitive data in any commercial environment. A system outage could impact orders for diagnostic procedures or lifesaving medication. Healthcare IT teams also have to meet a higher level of regulatory requirements while having a smaller pool of software and hardware suppliers than their enterprise counterparts.

Focusing on these third-party suppliers is an important part of maintaining cyber resilience and reducing risk. Some of the most significant breaches over the past decade have been traced to third parties, which increases the pressure on healthcare IT teams to pay special attention to their software and hardware supply chains.

Some strategies are common to all environments, such as conducting security assessments of software and hardware vendors, and adding contractual requirements for notification and Software Bill of Materials information. When it comes to improving healthcare’s cyber resilience in the supply chain management, here are four areas IT teams may want to direct their focus.

Click the banner below to learn why cyber resilience is essential to healthcare success.


1. How Are You Monitoring the Internet of Things?

Healthcare environments are filled with IoT devices, each carrying the risks of embedded hardware with unknown bugs, obscure software and infrequent patches.

A key strategy is isolation, not with just a single, separate wired VLAN or wireless SSID for all IoT devices, but with multiple VLANs and SSIDs that segment by product to separate IoT devices from each other. Enterprise wireless and wired networks can help by blocking device-to-device communication, which is an excellent starting point. Specific flows required can be added as needed, reducing the options for hackers to move laterally in IoT networks.

Traffic from an IoT device out to the internet should also be carefully controlled using firewalls. Even if IoT vendors are unwilling to commit to specific IP addresses (a common issue when cloud computing is mixed in), IT managers can use time-based limits to ensure that only unrestricted traffic is allowed during specific time periods.

Finally, logging and reviewing policy violations can help fine-tune rules and identify anomalous or suspicious activity.

LEARN MORE: How can healthcare organizations secure IoMT devices?

2. How Strict Are Your Third-Party Access Policies?

Healthcare IT systems are highly dependent on third-party suppliers for both support and day-to-day maintenance. From printers to lab systems, there’s a vendor that needs to log in and make update.

However, IT teams should take tight control of all remote access. Because the people logging in to their networks are unknown, requiring frequent password changes and multifactor authentication are only starting points. If possible, a privileged access management system should be used to further control logins and add logging and auditing.

Many newer software and hardware products are using a “meet me” strategy, where the on-premises device makes an outbound connection to a cloud service to allow vendor support teams to connect in and do debugging and maintenance. The advantage is that this happens without opening an inbound hole in the on-premises firewall.

Cyber resilience visual sidebar


That’s very convenient for the vendor, but it creates a security nightmare for IT managers. These types of connections need to be blocked by on-premises firewalls except when specific vendor intervention is requested.

Healthcare IT teams must also maintain a checklist of actions to take when a support ticket is closed, including ensuring that any temporary configuration changes to devices and network firewalls are reversed or otherwise properly documented.

IT managers should also provide specific training to their teams on the dangers of working with third-party vendor support teams. For example, it’s common to upload device configurations to third-party vendor support sites, complete with lightly encrypted passwords. Identifying and mitigating the risks associated with third-party support should be included in internal policies and training.

3. How Mature Is Your Advanced Network Security?

Enterprise IT teams assume limited physical access by strangers to their network infrastructure; healthcare IT teams are operating in an environment where people are wandering around everywhere at all hours. This calls for a level of network security beyond simple network access control tools. As with IoT, the key strategy is isolation, ensuring that communications between devices are as tightly limited as possible.

Healthcare IT teams have to address both the physical presence of third parties in their facilities and the virtual presence of third-party suppliers and support teams on their networks. With a high level of device isolation, the risk that unauthorized access will spread across the network is minimized.

Further encryption steps are warranted in healthcare IT departments. Physical-layer network encryption used to be an unfamiliar, military-only requirement, but enterprise network vendors now make it easy to enable switch-to-switch encryption.

Healthcare IT managers should take advantage of this free feature. It’s unlikely that an intruder would gain access to switch-to-switch communications, but it could happen, and remote network monitoring tools make it easier than before.

READ MORE: Follow these best practices to improve cyber resilience in healthcare.

4. How Can You Adopt More Application Encryption?

While network-layer encryption is being rolled out, application-layer encryption should become a nonnegotiable requirement for any software used in a healthcare environment.

For legacy applications that don’t include encryption, IT teams can use an application delivery controller (or load balancer) to add encryption, but this is only a partial step. One of the common techniques of attackers is to use a packet-sniffing tool such as “tcpdump” on the local host or virtualization server, and if the traffic is encrypted only up to the ADC, passwords and patient data will still be flowing in the clear.

Closing the vulnerability of unencrypted traffic should be a priority for healthcare IT teams, and not just because of the obvious threat vector. Unencrypted traffic is a symptom of very outdated software without a solid secure development commitment from the vendor. Products that vendors insist can’t be encrypted need to be moved to the top of the list for retirement and replacement.

dusanpetkovic/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.