Healthcare Orgs Struggle With Software Supply Chain Risk Management Policies

The majority of surveyed healthcare organizations said that they had not fully implemented software supply chain risk management policies.

By Jill McKeon

Despite increased attention toward supply chain security after the 2020 SolarWinds cyberattack, 74 percent of surveyed US healthcare organizations reported not having comprehensive software supply chain risk management policies, a survey commissioned by Trellix and conducted by Vanson Bourne found.

Researchers surveyed 900 cybersecurity professionals from a variety of critical infrastructure sectors. The report pointed to President Biden’s May 2021 executive order on improving the nation’s cybersecurity as a catalyst for change within many US organizations.

The executive order stressed the need for zero trust security policies, multifactor authentication, endpoint detection and response (EDR), extended detection and response (XDR), and software bill of materials (SBOM) implementation.

US survey respondents reported EDR and XDR as the most difficult cybersecurity solutions to implement and said that multifactor authentication was the easiest.

Over 80 percent of surveyed healthcare organizations said that they had implemented some degree of software supply chain risk management policies. However, only 26 percent reported fully implementing the policies and procedures.

Over 90 percent of healthcare respondents said that they found software supply chain risk management policies difficult to measure and implement.

“Eighty-three percent of respondents believe that if the U.S. federal government demands higher software cybersecurity standards within government agencies, this would play a role in raising standards for software developers across the software industry,” the report pointed out.

“Eighty-eight percent of sector respondents believe cybersecurity standards for software development should be mandated by government.”

Despite these widely held beliefs, most respondents reported believing that government cybersecurity standards for software may be too complex to implement.

In early April, two US senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with the intention of ensuring medical device security at the premarket stage. The legislation would require medical device manufacturers to create a software bill of materials (SBOM) for their product and its components.

If passed, the legislation could set an example for future regulations surrounding software standards.

“The sector respondents had a variety of ideas on how the US government could take more action as a cybersecurity partner to the sector,” the Trellix report noted.

“Forty-four percent favored greater consequences for perpetrators of cybercrime, 42 percent tighter cooperation on cyber incident management while attacks are in progress, and 39 percent a combination of incident notification and liability protection to facilitate sharing of attack data between impacted organizations, government partners and industry audiences.”

Underinvestment issues were a recurring theme among healthcare respondents, but only 38 percent of respondents favored US government funding toward improving sector security.

“By raising security requirements in areas such as software development for government implementations, the federal government is in a unique position to influence and raise related standards for the entire software industry,” Thomas Gann, chief public policy officer at Trellix, explained in an accompanying press release.

“The Biden Administration has demonstrated constructive, responsible cybersecurity leadership over the last year, and we foresee the existing public-private partnerships as a sound foundation for building policy initiatives in this and other areas.”