Cybersecurity Awareness Throughout the Technical Supply Chain

October is Cybersecurity Awareness Month

The National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency invite you to celebrate Cybersecurity Awareness Month 2022 this October as we raise awareness about the importance of cybersecurity and ensure that all individuals and organizations have the information and tools they need to be safer and more secure online. “Do Your Part. #BeCyberSmart.”

Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance in October of 2004. It was launched in an effort to help Americans stay safe on the rapidly growing Internet. Since its inception, the month has only grown more important as our lives become increasingly digitized. We are only one of many industry participants who are taking this month to educate our community on the importance of cybersecurity.

As always, follow our posts this month and hear what the healthcare security experts have to say. This week they are commenting on the technical supply chain.

David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
Twitter: @DavidSFinn

Attacks on and through supply chains are growing more widespread. Cybersecurity – Supply Chain Risk Management (C-SCRM), not a phrase that got much mention 10 years ago, is absolutely critical now, particularly regarding medical devices. Like so many things in cybersecurity, it starts with governance, with the intent of reducing supply chain compromise by increasing the organization’s capability to detect, respond and recover from events that disrupt business. Again, like security overall, it starts with understanding and documenting the supply chain; having an enterprise-wide governance plan for risk management of the supply chain; identifying critical suppliers; and ensuring that those suppliers are built into your overall SCRM activities. And because the supply chain – and your vendors and materials – are always changing, it goes on continuously. It must include Vendor Risk Assessments that fit into your own risk assessment framework and your ERM plan as well as your Data Governance model and plan.

Russell Teague, Vice President, Advisory Services, Fortified Health Security
Twitter: @FortifiedHITSec

Healthcare providers are heavily reliant on their third-party vendors and suppliers as a core component of continuous patient care. The technical supply chain – third parties, suppliers, business associates, vendors, etc. – is increasingly being targeted by threat actors, posing a significant risk to healthcare’s ability to safely deliver continuous patient care. Medical technology, also known as IoMT or CMED, presents significant risk due to the number of interactions needed to communicate with manufacturers and the need to continuously address security vulnerabilities, fixes and patches. Given the large number of legacy medical technology systems still in use at many healthcare organizations, it’s imperative for healthcare providers to partner with cybersecurity experts who have expertise in monitoring and managing risks associated with the devices that store, process, and interact with patient healthcare information.

Michael Parisi, Vice President of Adoption, Business Development, HITRUST
Twitter: @HITRUST

Securing the supply chain is a long-standing struggle for healthcare. Understanding the inherent risk of the supply chain must drive appropriate assurance between parties. There is no silver bullet in this endeavor. Organizations must work with their vendors collaboratively to identify risk and choose an assurance mechanism/assessment that aligns with the level of risk presented. Since not all assessments are created equal, it is imperative to choose wisely to ensure the highest reliability and transparency relative to a vendor’s security program.

Bronwyn Spira, CEO and Co-founder, Force Therapeutics
Twitter: @FORCETherEx
Twitter: @BronwynSpira

A good Technical Supply Chain helps us achieve a higher level of security by ensuring that any sub-processors or individuals with access to data are held to the same high standards as the data on our own internal systems. Securing our supply chain against attacks ensures that it is not the weakest link to our sensitive data.

Ben Denkers, Chief Innovation Officer, CynergisTek, a Clearwater Company
Twitter: @cynergistek

  • Organizations need to understand what their potential threat surface looks like. Understanding who their vendors are and what type of data/access they have is a great first step.
  • Leveraging the industry-recognized framework NIST SP 800-161r1 to build a supply chain risk management program will help guide organizations and allow for a structured process to properly evaluate vendors.
  • Resources can be limited, so prioritization becomes key; however, having a continuous means of validating critical vendors helps organizations understand what their exposure looks like.
  • Don’t forget about contractual enforcements. This could be ensuring vendors are required to notify of a material change to the environment or even simply if there was a suspected breach.

Milan Shah, Chief Technology Officer, Biofourmis
Twitter: @biofourmis

Health systems across the country are rapidly expanding their virtual care and remote patient monitoring (RPM) programs to support the growing need and desire for care-at-home. This change brings with it a need to ensure cybersecurity approaches are aligned. One way health system leaders can do that is to provide remotely managed patients with a health system-owned and secured ‘locked-down’ mobile device to communicate and share data with providers. The device may have Bluetooth and WiFi capabilities for data exchange, but it is not able to download third-party apps or use a web browser that enables patients to click on potentially malicious links. For anything beyond a short telehealth visit, health systems are unnecessarily exposing their data and systems to vulnerabilities if they are connected to a patient’s unsecured personal device for an extended period of time.

Karthik Kanakaraj, Enterprise Architect, HSBlox

For organizations that deal with healthcare data, there is no higher priority than protecting their customers’ data. Heavy dependency on effective security frameworks to maintain privacy, confidentiality, security and compliance of patients’ PHI data is paramount for such entities. Hence, the need for transformation to cutting-edge cybersecurity practices is key to remaining competitive and gaining more trust from customers. Adherence to such best practices can be achieved by ensuring that annual certifications of SOC 2 Type II (across all service principles), HITRUST, FedRAMP, CMMC and NIST are maintained by such organizations.