
CSA Provides Best Practices For Healthcare Supply Chain Cybersecurity

The Cloud Security Alliance recommended that organizations inventory all suppliers and regularly assess risk to ensure healthcare supply chain security.



By Jill McKeon

The Cloud Security Alliance (CSA) released guidance to help organizations effectively address healthcare supply chain cybersecurity. From software components to medical devices, pharmaceuticals, and food suppliers, healthcare organizations are responsible for keeping tabs on each step of the supply chain.

The 2020 SolarWinds cyberattack brought national attention to supply chain security. A recent survey commissioned by Trellix and conducted by Vanson Bourne found that over 80 percent of surveyed healthcare organizations had implemented some degree of software supply chain risk management policies. However, only 26 percent reported fully implementing the policies and procedures.

Over 90 percent of healthcare respondents said that they found software supply chain risk management policies difficult to measure and implement.

CSA urged healthcare organizations to inventory all suppliers, tier suppliers based on risk, develop a schedule for reevaluating suppliers, and require suppliers to maintain security standards.

“Healthcare delivery organizations spend billions of dollars across thousands of suppliers each year. However, research indicates that current approaches to assessing and managing vendor risks are failing,” James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group, explained in an accompanying press release.

“The move to the cloud and edge computing has expanded HDOs’ electronic perimeters, not only making it harder for them to secure their infrastructure but also making them more attractive targets for cyberattacks. Given the importance of the supply chain, it’s critical that HDOs identify, assess, and mitigate supply chain cyber risks to ensure their business resilience.”

CSA noted that the healthcare supply chain has become increasingly dependent on cloud computing for tasks such as order processing, transportation, and inventory management. Due to the highly connected nature of the supply chain, CSA suggested that addressing supply chain cyber risks is crucial to enterprise resilience.

CSA posited several reasons why healthcare supply chain and risk management programs may be unsuccessful:

  • The lack of automation and reliance upon manual risk management processes makes it challenging to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.
  • Vendor risk assessments are time-consuming and costly, so few organizations conduct risk assessments of their vendors.
  • Critical vendor management controls and processes are often only partially deployed or not deployed at all.

The report noted that organizations must run two distinct programs. The first is cyber supply chain risk management, which focuses on the security of the software, hardware, and IT networks an organization acquires. The second is supply chain cyber risk management, which the report describes as “conventional supply chains addressing cyber risk,” that is, protecting the ordering, transportation, and inventory processes themselves from cyber disruption.

Both risk management programs must be effective in order to ensure overall supply chain security, CSA reasoned.

“An essential element of a supply chain risk management program is applying a risk rating to all suppliers. The risk rating should be applied using a predefined criterion. The HDO can use this rating to compare suppliers based on their present risk,” the report stated.

“The risk rating provides the HDO with an effective way to evaluate its supply chain. This formal risk rating process enables the HDO to apply the rating-based parameters such as risk tolerance and risk appetite. The risk rating process must be applied to all supply chain vendors to determine the level of risk that is acceptable.”
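The rating process the report describes (score every supplier against predefined criteria, tier them, compare the result with the HDO’s risk tolerance, and reassess on a schedule keyed to the tier, as CSA recommends above) is easy to get wrong when it lives in a spreadsheet. The following Python example is added here to show what a minimal, auditable version looks like; it is not code from the CSA report. The criteria weights, tier cut-offs, reassessment cadence, risk tolerance, and the four suppliers are constructed for illustration, not values the report prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Predefined rating criteria and weights (hypothetical; an HDO sets its own).
CRITERIA = {
    "data_access": 3,      # supplier stores or processes PHI / regulated data
    "clinical_impact": 3,  # an outage would affect patient care
    "network_access": 2,   # persistent connection into HDO networks
    "no_attestation": 2,   # no current SOC 2 / HITRUST / equivalent attestation
    "single_source": 1,    # no alternative supplier available
}

# Reassessment cadence per tier, in days (hypothetical schedule):
# tier 1 is the highest-risk tier and is reviewed most often.
REASSESS_DAYS = {1: 90, 2: 180, 3: 365}


@dataclass
class Supplier:
    name: str
    flags: frozenset      # subset of CRITERIA keys that apply to this supplier
    last_assessed: date


def risk_score(s: Supplier) -> int:
    """Sum the weights of every predefined criterion that applies."""
    unknown = s.flags - set(CRITERIA)
    if unknown:
        # Reject ad-hoc criteria so every supplier is rated on the same basis.
        raise ValueError(f"unknown criteria for {s.name}: {sorted(unknown)}")
    return sum(CRITERIA[f] for f in s.flags)


def tier(score: int) -> int:
    """Map a score to tier 1 (highest risk), 2 or 3 with fixed cut-offs."""
    if score >= 7:
        return 1
    if score >= 4:
        return 2
    return 3


def next_reassessment(s: Supplier) -> date:
    """Due date for the next review, derived from the supplier's tier."""
    return s.last_assessed + timedelta(days=REASSESS_DAYS[tier(risk_score(s))])


def evaluate(suppliers, risk_tolerance: int, today: date):
    """Rate every supplier; flag overdue reviews and scores above tolerance.

    Returned rows are ordered from highest to lowest risk so the report can
    be read top-down when deciding where assessment effort goes first.
    """
    report = []
    for s in sorted(suppliers, key=risk_score, reverse=True):
        score = risk_score(s)
        due = next_reassessment(s)
        report.append({
            "name": s.name,
            "score": score,
            "tier": tier(score),
            "next_reassessment": due.isoformat(),
            "overdue": due < today,
            "exceeds_tolerance": score > risk_tolerance,
        })
    return report


# Constructed sample inventory (hypothetical suppliers and dates).
SAMPLE_SUPPLIERS = [
    Supplier("EHR cloud host",
             frozenset({"data_access", "clinical_impact", "network_access"}),
             date(2022, 1, 15)),
    Supplier("Infusion pump vendor",
             frozenset({"clinical_impact", "network_access", "no_attestation"}),
             date(2022, 4, 1)),
    Supplier("Billing SaaS",
             frozenset({"data_access", "no_attestation"}),
             date(2021, 11, 1)),
    Supplier("Linen service",
             frozenset({"single_source"}),
             date(2022, 3, 1)),
]


def sample_report():
    """Run the sample inventory with a tolerance of 7 as of 2022-06-01."""
    return evaluate(SAMPLE_SUPPLIERS, risk_tolerance=7, today=date(2022, 6, 1))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Two design points matter here. First, `risk_score` refuses criteria that are not on the predefined list, which is what makes the ratings comparable across suppliers, the property the report asks for. Second, the reassessment date is derived from the tier rather than stored by hand, so a supplier that moves to a higher tier automatically gets a shorter review cycle.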

In order to mitigate risk, CSA recommended that organizations prioritize risk assessments and integrate strong security standards into contractual language when engaging with vendors.