
HSCC Shares Toolkit for Supply Chain Cybersecurity Risk Management

The second release of the HSCC Supply Chain Cybersecurity Risk Management guidance for small- to mid-sized healthcare organizations provides a toolkit completing the five NIST CF requirements.


By Jessica Davis

The Healthcare and Public Health Sector Coordinating Council (HSCC) published the second release of its Supply Chain Cybersecurity Risk Management guide for small- to mid-sized healthcare organizations, which provides guidance and a toolkit.

The first release of the HSCC healthcare supply chain guidance came out in October 2019 and was designed to improve the security of products and services obtained through vendors.

The guidance gives practical insights into the tools and best practice policies to get the most out of limited security resources. 

HSCC officials explained the initial guidance has become a flagship product that has been accessed by more than 10,000 individuals. Supply chain risk has steadily increased across the sector in recent years, with ransomware and other threats frequently targeting the sector’s supply chain and third-party vendors. 

“By enabling these organizations to ensure secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all,” Greg Garcia, HSCC executive director of its Cyber Security Working Group, said in a statement. 

“Whether in the administrative offices or in the operating room, the technology and services we introduce into the circulatory system of clinical care must be deployed with patient safety at top of mind,” Ed Gaudet, Censinet CEO, who led the work on the new release, said in a statement.

For Gaudet, healthcare organizations must ensure a structured, repeatable, and measurable enterprise supply chain risk management system to assure patient safety.

The guidance is centered on the supply chain requirements outlined in the NIST Cybersecurity Framework (CF). Notably, CynergisTek found that just 44 percent of healthcare organizations conform to the NIST standard. 

The first release provided insights for three of the five NIST CF supply chain requirements and the tools needed to address these crucial vulnerabilities, such as risk assessment templates and contractual language. The final release completes the NIST requirements by providing guidance for adherence to contractual terms and for testing response and recovery for supplier cybersecurity incidents.

The guidance also asks healthcare organizations, associations, and consultancies to drive awareness and adoption of supply chain cybersecurity management across the sector. Organizations can find detailed insights into the extent of the risk posed by the supply chain, as well as the rippling effect the risk plays across the enterprise and business operations. 

Healthcare organizations should leverage the guide to determine how to routinely assess third-party partners and suppliers through audits, test results, and other evaluation methods to ensure business partners are adhering to their contractual obligations. 

Further, the guide provides cybersecurity requirements and processes to establish and sustain the supplier risk management program, including inventory, risk assessments, and risk treatment. Healthcare entities can also find templates and incident planning and response insights. 

“Properly managing cyber risk within the supply chain requires a proactive strategy to protect patient information and sensitive data against an ever-increasing risk from bad actors outside, and sometimes within, the health system,” researchers wrote. “This is not just an operational imperative, but a regulatory one.” 

“To adequately maintain patient safety and protect our sector’s information and data, there must be a culture change and acceptance of the importance and necessity of cybersecurity as an integrated part of patient care,” they concluded. “The changes and the resulting effect required will not abate, but will rather change with the times, technologies, threats, and events.” 

This is the 11th best practice guidance released by HSCC since 2019, which includes insights for cybersecurity staffing, cyber threat information sharing and related organizations, tactical crisis response, protecting healthcare trade secrets, and several others.