Protecting the Healthcare Supply Chain from Cyberattacks

Vulnerabilities within the healthcare supply chain can become avenues for cyberattacks and subsequent disruptions.

By Jeff Wardon, Jr., Assistant Editor


The deluge of cyberattacks on healthcare organizations continues daily. If that wasn’t bad enough, entities in the healthcare supply chain are also being targeted and becoming potential attack vectors into healthcare organizations.

Not much light has been shed on this weak point — it is even considered a “critical blind spot” in healthcare cybersecurity, says Errol Weiss, chief security officer at Health-ISAC.  

Entangled in a web 

Because healthcare is so interconnected, its organizations rely on several other businesses and partners to provide crucial services.

“All these modern-day hospitals, for example, are super dependent on IT to be able to run efficiently and effectively,” says Weiss. “Of course, that IT now transcends these organizational boundaries. So, all these connection points have become incredibly complicated.” 

Essentially, one breach in that intertwined web creates a ripple effect throughout it, ultimately entangling all connected parties in a larger problem. A disruption in the healthcare supply chain impacts healthcare organizations’ services and also leaves them exposed to potential cyberattacks. Hackers can use this weakness as leverage for their attacks.

“When I think about the current environment, these system disruptions and data breaches are really the digital weapons of choice for today's cyber criminals and nation states to achieve their goals,” says Weiss. 

Case in point: Change Healthcare 

One of the more prominent disruptions in recent history was the data breach at Change Healthcare, a provider of revenue and payment cycle management. The breach happened because Change hadn’t implemented multifactor authentication (MFA) on a remote desktop access portal, allowing hackers to use compromised credentials to access its systems.

According to Weiss, there were three major issues from this incident: 

  1. Disruptions in patient care: Insurance information wasn’t readily available, meaning patients couldn’t verify their information to schedule procedures or get medications. These disruptions ultimately impact the health of patients.
  2. Financial strains: With Change Healthcare being an integral part of the insurance payment process, any disruption or breach is going to bottleneck a healthcare organization’s financials. Given enough time, that will trickle down and affect individual facilities as well, as they may not have enough funds to keep operating.
  3. Eroding the public’s trust: Given the hampered caregiving and operability due to the breach, people’s opinions and trust will eventually decay to a point that is unfavorable for healthcare organizations and their facilities. 

If these issues are left unaddressed, they can coalesce into a miasma of detrimental forces that wear away at the public image of healthcare. Fortunately, not all scenarios have to become that dire if healthcare organizations promptly mitigate these breaches.

Addressing supply chain breaches 

Facility managers and other employees in charge of purchasing at the organization should analyze their third-party suppliers. It is also important to review where critical business processes are being outsourced and where sensitive patient information is being shared.

All these can be vulnerable points in their business model, so Weiss says healthcare organizations must pay attention to them from a risk management standpoint. 

“It’s one thing if they're buying pencils and office supplies from some organization – that I wouldn't put into this high-risk category obviously,” says Weiss. “However, if there's an organization that's running a critical business process and they're sharing a ton of sensitive patient information, I would be looking into their business processes and security policies. This is to make sure that they're taking security seriously and doing the right things internally when it comes to cybersecurity.” 

Weiss adds that a white paper, the Health Industry Cybersecurity Supply Chain Risk Management Guide, acts as a toolkit for creating a supplier risk management program. The document contains templates for healthcare organizations to create policies, procedures, roles and responsibilities so they can establish the governance for their program.

“They would also be encouraged to share that same document with the key suppliers that their organization uses as well,” says Weiss. “They in turn then can use this document to create their own risk management program as well.” 

Jeff Wardon, Jr. is the assistant editor for the facilities market. 



July 25, 2024


Topic Area: Information Technology, Security

