Cybersecurity Awareness Month Week 4: Healthcare Supply Chains

October is Cybersecurity Awareness Month

Each week this month we will take on a new cybersecurity subject and ask our experts in the healthcare industry to weigh in.

Week 4: Healthcare supply chains
According to the ZeroFox Healthcare Sector Report, 2023 Threat Landscape, a key threat is the ability of threat actors to target upstream elements of increasingly complex healthcare supply chains.

Russell Teague, Vice President, Advisory Services & Threat Operations, Fortified Health Security
X: @FortifiedHITSec

Healthcare is driven by its vendors and their technologies. However, that dependence can come with risks, specifically through increased attack surfaces and attack vectors via your vendors, suppliers, and third parties. The risk associated with third parties and the supply chain throughout healthcare is the fastest-growing attack vector. Based on the most current data trends, 2023 will emerge as the worst year ever for cyber attacks in healthcare. In fact, it might be the worst year ever in the US in terms of the amount of individual personal information that has been leaked or stolen.

David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
X: @DavidSFinn

Cyberattacks have had and will likely continue to have a significant impact on the healthcare supply chain. The healthcare supply chain has always been high risk, but the pandemic exacerbated the issue. Throughout the pandemic, cybercriminals exploited new opportunities and they began to target hospitals, clinics and other organizations that supported providers on the front line of the COVID-19 battles. In 2020, coordinated ransomware attacks surged against the healthcare sector. These attacks not only hinder operations, but they also have endangered patient safety and negatively impacted care. There are studies that indicate that victims of these attacks have reported increases in mortality rates. Third Party Risk Management (TPRM) is not an option for a healthcare organization today. In 2022, most of the top ten healthcare data breaches stemmed from third party vendors. TPRM is not a simple task. It includes working closely with vendors to establish contractual expectations, maintaining ongoing and regular communications with key vendors, and developing a risk-based tiering approach that drives your assessments, reviews, and levels of risk acceptance.

Rick Passero, Chief Information Security Officer, Anatomy IT

The interconnectedness of systems and the reliance on various vendors expose healthcare providers to a multitude of threats, and the risk is compounded by a lack of visibility and inability to effectively monitor their partners’ adherence to security requirements. Addressing these risks requires a multi-faceted approach involving robust risk management, thorough vendor assessments, implementation of security controls, continuous monitoring, and incident response planning, all of which require time, cybersecurity expertise, and other resources which are in short supply in healthcare. Increasingly, hospitals and health systems are coming to us to help set up and manage these essential processes, because the complexity is simply overwhelming.

Mark W. Dill, Chief Information Security Officer, MedAllies
X: @MedAllies

Leaders need to understand which participants in their supply chain are single-source and determine the effect on their organizations if those suppliers are compromised. The answer comes through business impact analysis to understand how important each vendor is to the organization, what services they supply, and how long the organization can last without those services. This exercise helps organizations make informed decisions about which services they need to seek an alternate supplier to deliver.

Greg Hoffer, CEO, Coviant Software
X: @CoviantSoftware

In any organization, an information supply chain is required to transact information with external entities and conduct business with customers, suppliers, vendors, financial institutions, analytics services, government agencies, and so on. Each of those entities, in turn, transacts information with other external entities. Each step along this information journey represents another opportunity for threat actors to exploit cybersecurity problems like misconfigurations, unpatched software, and zero-day vulnerabilities.

When the processes by which data files are moved along the digital supply chain are not properly secured, threat actors can take advantage. Think of it like using a drawbridge over which data moves in and out of the organization’s castle. Even with a deep moat or thick walls, if you don’t secure access to the drawbridge and verify the files coming in, or encrypt the files going out, you put the organization at risk of falling victim to a cyberattack. We have learned from recent events that the very software platforms that are used to exchange data are a weak point in the supply chain, since they necessarily have access to all that sensitive data. That is why it is imperative to review an organization’s fundamental mechanisms for securely exchanging information with third parties, and to review policies and procedures to ensure rigorous security standards are also maintained by every link in the healthcare digital supply chain.

Wes Wright, Chief Healthcare Officer, Ordr
X: @ordrofthings

Over the past few years, the healthcare industry has embraced digital transformation to reduce costs, eliminate inefficiencies, and improve patient outcomes. As a result, the number of connected devices, third party applications and healthcare supply chain ‘connections’ have also increased.

This expands the attack surface.

A cybersecurity issue with a supply chain partner can have a significant impact on healthcare providers. In July 2017, Nuance, a supplier of dictation and transcription service for healthcare systems, was impacted by the NotPetya ransomware attack, which shut down the company’s operations for an extended period, leaving healthcare providers unable to see as many, or in some cases, any, patients. A ransomware attack on Kronos in January 2022 ground payroll to a halt at many healthcare systems, among other industries, forcing manual — often late — payroll runs. The timing — during an Omicron surge — made this attack even more insidious.

For threat actors, targeting healthcare supply chains may be easier than directly attacking a healthcare provider, for several reasons. First, healthcare supply chains are becoming more complex, and it may be hard to continuously ensure supply chain partners are keeping up to date with cybersecurity protections. Second, any vulnerability that a supply chain partner has, such as unpatched software, can be exploited and impact every healthcare provider the partner works with, providing attacker economies of scale.

To prevent supply chain attacks, healthcare organizations must protect themselves from anyone in their ecosystem that connects to their network. This means taking the appropriate steps to:

  1. Continuously assess the security risks brought by suppliers
  2. Build a true asset inventory of all software and hardware connecting to your network by supply chain partners. This can be helpful to identify if you’re impacted by Zero-Day vulnerabilities like SolarWinds, Log4j or MOVEit
  3. Create a baseline of acceptable device behavior in order to spot anomalous behavior
  4. Implement segmentation to reduce the impact of lateral movement if an attack does occur
  5. Establish automated security policy actions, to accelerate response and prevent any issues from impacting the broader organization
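Steps 2 and 3 above (an asset inventory of partner-connected software, and a baseline of acceptable device behavior) are the two that reduce most directly to code. The following is an added example, not code from Ordr or from any contributor to this article: it checks a constructed inventory of partner-supplied assets against a constructed advisory list (component name and first fixed version; the version numbers are sample values, not a real advisory feed), and it learns which destinations each device talked to during a learning window so that later flows to a destination the device never used before can be flagged. All asset names, vendor names, hostnames and flow records are constructed for the example.

```python
"""Two supply-chain hygiene checks on constructed data (added example):
1. match a software inventory against an advisory list of fixed versions;
2. baseline each device's network destinations and flag departures."""
from collections import defaultdict

# Constructed inventory: partner-connected assets and the components they run.
INVENTORY = [
    {"asset": "dictation-gw-01", "vendor": "Transcription Co (constructed)",
     "components": {"log4j-core": "2.14.1", "openssl": "3.0.8"}},
    {"asset": "infusion-pump-17", "vendor": "PumpMaker (constructed)",
     "components": {"embedded-os": "4.2", "openssl": "1.1.1"}},
    {"asset": "payroll-connector", "vendor": "HR SaaS (constructed)",
     "components": {"file-transfer-agent": "12.0.3"}},
]

# Constructed advisory list: component -> first version that carries the fix.
# Sample values only; a real feed would be pulled from vendor advisories.
ADVISORIES = {
    "log4j-core": "2.15.0",
    "file-transfer-agent": "12.1.0",
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_affected_assets(inventory=INVENTORY, advisories=ADVISORIES):
    """Return (asset, component, running, fixed) for every asset whose component
    is older than the first fixed version listed in the advisories."""
    hits = []
    for asset in inventory:
        for component, running in asset["components"].items():
            fixed = advisories.get(component)
            if fixed and parse_version(running) < parse_version(fixed):
                hits.append((asset["asset"], component, running, fixed))
    return hits


# Constructed flow records: (ISO-8601 timestamp, device, destination host, port).
FLOWS = [
    ("2023-10-01T08:00", "infusion-pump-17", "pump-update.vendor.example", 443),
    ("2023-10-01T09:00", "infusion-pump-17", "ehr-integration.local", 8443),
    ("2023-10-02T08:05", "infusion-pump-17", "pump-update.vendor.example", 443),
    ("2023-10-02T09:10", "infusion-pump-17", "ehr-integration.local", 8443),
    # Never seen before: an SMB connection from a pump at 03:12.
    ("2023-10-03T03:12", "infusion-pump-17", "files.example.net", 445),
    ("2023-10-01T08:00", "dictation-gw-01", "api.transcription.example", 443),
    ("2023-10-03T08:00", "dictation-gw-01", "api.transcription.example", 443),
]


def build_baseline(flows, learn_until):
    """Learn the set of (destination, port) pairs each device used before the
    cutoff. ISO-8601 timestamps compare chronologically as plain strings."""
    baseline = defaultdict(set)
    for ts, device, dst, port in flows:
        if ts < learn_until:
            baseline[device].add((dst, port))
    return baseline


def detect_anomalies(flows, learn_until):
    """Flag flows at or after the cutoff whose (destination, port) pair is absent
    from that device's learned baseline."""
    baseline = build_baseline(flows, learn_until)
    return [
        (ts, device, dst, port)
        for ts, device, dst, port in flows
        if ts >= learn_until and (dst, port) not in baseline.get(device, set())
    ]


if __name__ == "__main__":
    for hit in find_affected_assets():
        print("outdated component:", hit)
    for flow in detect_anomalies(FLOWS, "2023-10-03"):
        print("new destination for device:", flow)
```

The baseline is deliberately simple (destination and port per device); in production the learning window would be longer, and a hit should feed the segmentation and automated policy steps (items 4 and 5) rather than only a printout.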

Zandy McAllister, Virtual Chief Information Security Officer, Anatomy IT

Securing the healthcare supply chain is challenging because it is so massive and complex. The supply chain is not just drugs and scrubs; it touches nearly every department from food service to building maintenance to finance. Some healthcare organizations may assume that these partners are secure because they comply with certain requirements, but compliance doesn’t always equal security. That is why provider organizations are seeking more than just compliance attestations from their supply-chain partners, but rather are directly verifying their security protocols and other safeguards to ensure proper steps are followed.