In the wake of an alert from the federal agency about attacks on managed service providers (MSPs), the Cloud Security Alliance published a new whitepaper to support cybersecurity risk management across the healthcare supply chain.
Developed in collaboration with the Health Information Management Task Force, The report details best practices for healthcare delivery organizations to manage the range of risks posed by the industry’s heavy reliance on third-party vendors and other partners, such as food suppliers, suppliers of medical devices, pharmaceuticals, etc.
The complexity of the healthcare ecosystem and the challenges of securing the enterprise as a whole are well documented, impacting even the largest organizations with strong security teams and resources. A previous report from CynergisTek found that only 23% of suppliers passed security ratings for their supply chains, confirming that this is one of healthcare’s biggest blind spots.
In fact, the data revealed that supply chain management was the least mature category assessed against the NIST cybersecurity framework, even for entities with high-level security programs. On average, suppliers scored 2.7 out of 5 for supply chain management.
At the same time, estimates show the industry spends billions of dollars annually on thousands of providers, said James Angle, co-chair of the health information management task force and lead author of the paper. However, current approaches to assessing and managing vendor risk are not working.
As CSA notes, “expanded interdependency” dramatically increases the consequences of cyberattacks and any subsequent outages, thereby posing a serious risk to patient safety, data privacy, and potential disruptions to the supply chain itself. same.
“The shift to cloud and edge computing has expanded the electronic perimeters of healthcare delivery organizations, not only making it more difficult to secure their infrastructure, but also making them more attractive targets for cyberattacks,” Angle said in the statement.
The guidance targets these critical issues, helping these entities identify, assess and mitigate supply chain cyber risks to build business resilience.
Specifically, the information includes recommendations for creating an inventory of vendors and prioritizing those deemed strategic to business operations, in addition to ranking vendors based on risk and contractual considerations for security standards requirements.
The guide is broken down by risks, assessments, treatments, monitoring, intervention needs and a host of invaluable recommendations on the steps needed to secure the supply chain. Given the increased cost of cyberattacks against the healthcare sector and the continued targeting of providers, provider organizations must prioritize these necessary measures to ensure resilience.
For CSA member Michael Roza, “Supply chain exploitation is not just a potential risk, it is a reality.” Failure to address these issues can “significantly impact” an entity’s security posture and risk profile, as well as its bottom line.
“It is therefore incumbent on healthcare delivery organizations to ensure that their supply chain partners adhere to data management policies to keep their organizations and users safe,” Roza said. in the press release.
The advice adds to previous ideas from the Health and Public Health Sector Coordinating Council, which target the supply chain risk management for small and medium healthcare organizations and a tracking toolkit which helps to ensure compliance with contractual terms and to test supplier cybersecurity incident response and recovery.