Best Practices for Managing Cyber Threats in Healthcare

Sheila Zabeu -

May 18, 2022

What should healthcare companies do to better manage cyber risks to their supply chains? A recent report from the Cloud Security Alliance (CSA), a global organization dedicated to setting standards, certifications and recommendations that help ensure more secure cloud computing environments, has provided best practices in this area.

The report highlights that many types of supply chains are at risk when it comes to healthcare organizations, from food and pharmaceutical suppliers to medical device manufacturers and software distributors. This complexity and interdependence of chains dramatically increases the consequences of cyber incidents, which range from leaking medical record information to disrupting the supply of items essential for medical treatment.

“Healthcare providers spend billions of dollars with thousands of suppliers each year. However, research indicates that current approaches to assessing and managing risks associated with supply chains are failing. The move to cloud and edge computing has expanded the cyber risk surfaces of these organisations, making it difficult to protect digital infrastructures and also making them increasingly attractive to cyber attacks. It is therefore critical that they identify, assess and mitigate these risks to ensure the resilience of their business,” said Dr. James Angle, lead author of the paper and co-chair of the CSA Health Information Management Working Group.

Cyber attacks on healthcare companies are more expensive than ever. In addition to the costs related to cyberattacks, there are now other financial burdens from potential lawsuits and fines and investigations by the U.S. Department of Health and Human Services and the Office for Civil Rights, the report highlights.

There are several reasons why supply chain management and risk management fail in healthcare:

1. Lack of automation and reliance on manual processes for risk management, which makes it challenging to monitor the proliferation of digital medical apps and devices used in healthcare and respective cyber threats.

2. Assessing risks associated with suppliers is time-consuming and expensive, so few companies end up doing this analysis.

3. Controls and processes critical to supplier management are generally only partially implemented or not implemented at all.


There are two different concerns when addressing cyber risks in supply chains. The first has to do with managing risk in cyber supply chains. The second concerns the management of cyber risks that may affect supply chains. The first approach focuses on the security of IT networks, hardware and software, while the second includes conventional supply chains and their cyber risks. Both need to be addressed.

Cybersecurity risks in supply chains have the potential to cause damage or compromise when suppliers fail to protect their IT environments, products and services. Supply chain risks are an additional concern for healthcare companies, as they can directly affect the delivery of products or services and consequently the business itself.

The report emphasises that it is imperative that healthcare companies have an effective four-step programme for managing their supply chain risks:

• Determination of criteria for supplier evaluation

• Risk assessment

• Treatment of risks

• Monitoring and definition of response methods

While it is not realistic to carry out a risk assessment of every supplier, figure 2 shows an alternative course of action that describes supply chain visibility barriers, with various levels of involvement. The recommendation is to focus on the primary suppliers and their suppliers’ suppliers.

Source: CSA