A new CSA paper is designed to support healthcare delivery organizations in securing one of their biggest blind spots: supply chain vendors. (Mass Communication Specialist 2nd Class Sara Eshleman/US Navy)

On the heels of a federal agency alert on managed service provider (MSP) attacks, the Cloud Security Alliance released a new white paper to support cybersecurity risk management across the healthcare supply chain.

Developed in collaboration with the Health Information Management Working Group, the report details best practice measures for healthcare delivery organizations to manage the range of risks posed by the sector’s heavy reliance on third-party vendors and other partners, such as food suppliers, medical device vendors, pharmaceuticals, and the like.

The complexity of the healthcare ecosystem and the challenges with securing the overall enterprise are well-documented, impacting even the largest organizations with strong security teams and resources. A previous CynergisTek report found just 23% of providers have passing security grades for their supply chains, confirming it was one of healthcare’s biggest blind spots.

In fact, the data found that supply chain management was the least mature category assessed against the NIST Cybersecurity Framework, even for entities with high-ranked security programs. On average, providers earned a score of 2.7 out of 5 on supply chain management.

At the same time, estimates show the sector spends billions of dollars on thousands of suppliers each year, explained James Angle, co-chair of the Health Information Management Working Group and the paper’s lead author. However, the current approaches to assessing and managing vendor risks aren’t working.

As CSA notes, the “extended interdependency” drastically increases the consequences of cyberattacks and any subsequent outage, thus posing a serious risk to patient safety, data privacy, and potential disruptions of the supply chain itself.

“The move to the cloud and edge computing have expanded healthcare delivery organizations’ electronic perimeters, not only making it harder for them to secure their infrastructure but also making them more attractive targets for cyberattacks,” Angle said in the release. 

The guidance takes aim at these critical issues, supporting these entities with identifying, assessing, and mitigating supply chain cyber risks to bolster business resilience.

Specifically, the insights include recommendations for creating an inventory of suppliers and prioritizing those deemed to be strategic to business operations, in addition to ranking suppliers based on risk and contractual considerations for security standard requirements.

The guide is broken down by risks, assessments, treatments, monitoring, response needs, and a host of invaluable recommendations for the needed steps to secure the supply chain. Given the heightened cost of cyberattacks against the healthcare sector and the continued targeting of suppliers, provider organizations should prioritize these needed measures to ensure resilience.

For CSA Fellow Michael Roza, “supply chain exploitation is not just a potential risk, it’s a reality.” Failure to address these pain points can “significantly impact” an entity’s security posture and risk profile, as well as its bottom line.

“It’s incumbent on healthcare delivery organizations, therefore, to ensure that their supply chain partners comply with data management policies in order to keep their organizations and their users safe,” Roza said in the release.

The guidance joins previous insights from The Healthcare and Public Health Sector Coordinating Council, which target supply chain risk management for small and mid-sized healthcare organizations, and a follow-up toolkit that supports ensuring adherence to contractual terms and testing response and recovery for supplier cybersecurity incidents.