Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks

Healthcare organizations can put a host of cybersecurity measures in place to secure their networks and prevent direct attacks by malicious actors, but securing the supply chain presents significant challenges. Healthcare organizations use vendors to provide services that cannot be handled in-house, and while those vendors provide important services, they also create risks that need to be managed effectively. Vendors often require privileged access to networks to perform their functions, which means an attack on a vendor can allow a threat actor to gain access to a healthcare organization’s network through the back door.

Cybercriminals have been increasingly attacking healthcare vendors because they are a much less secure part of the supply chain, and in 2022 many of the largest healthcare data breaches reported involved vendors. Shields Health Care Group, which provides medical imaging services to more than 50 healthcare facilities, suffered a breach of more than 2 million records. Professional Finance Company, which provides a debt collection service to healthcare organizations, suffered a breach that affected many of its clients and exposed the data of 1.91 million patients. There was also an attack on the electronic medical record vendor Eye Care Leaders that affected at least 41 eye care providers and more than 3.6 million patients, to name but a few. While efforts need to continue to secure healthcare networks from direct attacks, urgent action is required to secure the supply chain.

A recent survey conducted by the Ponemon Institute on behalf of the Healthcare and Public Health Sector Coordinating Councils (HSCC) explored the current state of supply chain risk in healthcare and confirmed that a great deal needs to be done, with many healthcare organizations found to experience significant challenges in securing their supply chains. The survey of 400 U.S. healthcare organizations confirmed that there continue to be significant capability and budget gaps between large and small healthcare organizations when it comes to managing and reducing supply chain risk, but organizations of all sizes are failing at the basics of supply chain risk management.

To accurately measure and address risk, healthcare organizations must have a full inventory of all suppliers that they use, yet the survey revealed that only 20% of the 400 surveyed organizations had a complete inventory of all of their suppliers, and smaller healthcare organizations were three times more likely to have no inventory at all. One common approach taken by healthcare organizations is to focus their supply chain risk management programs on new vendors as they are onboarded while failing to assess and manage risk for their existing suppliers; this was the case for almost half (46%) of surveyed organizations. 35% of surveyed organizations were not evaluating supplier risks related to patient outcomes, with smaller healthcare organizations twice as likely to have this gap as larger organizations, and only 41% of organizations had integrated their cyber risk programs with their procurement and contracting teams. Smaller healthcare organizations were found to lack the budgetary resources to properly manage supply chain risk, with 57% of smaller organizations having supply chain risk management budgets of $500,000 or less, compared to 51% of large organizations that had supply chain risk management budgets of between $1 million and $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes supply chain risk management practices that can and should be adopted, but doing so can be a challenge for small- and medium-sized healthcare organizations. To make supply chain risk management more straightforward, the HSCC has tailored that guidance and developed a free toolkit (HICSCRiM) specifically for small to mid-sized healthcare organizations, which typically have more limited budgets and resources for managing supply chain risk.

“The healthcare supply chain team is under an increasing amount of pressure to move quickly while managing a multitude of risks during the procurement process,” said Ed Gaudet, CEO and Founder of Censinet and HSCC Supply Chain Cybersecurity Task Group Member. “As cyberattacks like ransomware become more sophisticated, this survey hammers home the urgent need for automation and actionable risk insights to help supply chain leaders effectively manage inventory, cyber risk, fraud, and supplier redundancy.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com