
Healthcare Sector Faces Critical Challenges With Supply Chain Risk Management

A new survey conducted by Ponemon Institute on behalf of the Health Sector Coordinating Council (HSCC) showed that healthcare organizations are struggling to maintain basic supply chain risk management practices.


By Jill McKeon

Budget and capability constraints are contributing to persisting supply chain risk management challenges across the healthcare sector, a new survey conducted by Ponemon Institute on behalf of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group revealed.

More than 400 IT and IT security practitioners took part in the survey, all of whom are actively involved in their organization’s supply chain risk management program. The results revealed ongoing critical challenges across the sector as organizations struggle to maintain basic supply chain risk management practices.

For example, only 19 percent of survey respondents reported having a complete inventory of their organization’s suppliers. Smaller organizations were three times more likely to have no inventory whatsoever.

What’s more, 20 percent of respondents said that they only conduct security evaluations of business-critical suppliers when a security incident occurs, while 24 percent said that they conduct these assessments on an ad-hoc basis.

The survey also highlighted a lack of standardized language in security contracts, a lack of integration between procurement and contracting departments and the supply chain risk management program, and a lack of cooperation from suppliers.

When asked to identify their organization’s barriers to having a successful supply chain risk management program, 59 percent of respondents cited a lack of in-house expertise. Respondents also pointed to a lack of support from senior leadership and the need for a formal budget dedicated to supply chain risk management.

“This survey shows that healthcare organizations of all sizes still face an uphill battle to effectively manage cyber risk across the supply chain function, with smaller organizations still facing critical gaps in the resources and budget available to them,” Greg Garcia, HSCC executive director, explained in an accompanying press release.

In fact, 57 percent of smaller organizations reported having annual supply chain risk management budgets of $500,00 or less, while 51 percent of larger organizations reported having budgets between $1 million and $5 million.

Budget is not the only challenge that is exacerbated among smaller healthcare organizations. More than a third of surveyed organizations said that they did not evaluate risks through the lens of how new suppliers will impact patient care outcomes, and smaller organizations were more than twice as likely to report this gap compared to larger organizations.

The survey highlighted several areas of improvement for supply chain risk management teams to focus on in the immediate future. Integrating procurement and contracting teams, maintaining a reliable inventory, and considering potential patient care outcomes when evaluating vendors can help organizations better manage supply chain risk and further prioritize patient safety.

Even with a limited budget, organizations can leverage free resources to enhance their supply chain risk management postures.

HSCC encouraged organizations to adopt the National Institute of Standards and Technology's Cyber Security Framework supply chain management practices (HIC-SCRiM), a guide aimed at helping small and mid-sized healthcare organizations maintain a successful supply chain risk management program. Large organizations and industry associations can also use the guide to raise awareness of supply chain risks across the sector.

“The healthcare supply chain team is under an increasing amount of pressure to move quickly while managing a multitude of risks during the procurement process,” explained Ed Gaudet, CEO and founder of Censinet and HSCC Supply Chain Cybersecurity Task Group Member.

“As cyberattacks like ransomware become more sophisticated, this survey hammers home the urgent need for automation and actionable risk insights to help supply chain leaders effectively manage inventory, cyber risk, fraud, safety, and supplier redundancy.”