Protecting the Healthcare Supply Chain from Cyberattacks

Vulnerabilities within the healthcare supply chain can become avenues for cyberattacks and subsequent disruptions.

By Jeff Wardon, Jr., Assistant Editor


Cyberattacks on healthcare organizations continue daily. If that wasn’t bad enough, entities in the healthcare supply chain are also being targeted and are becoming potential attack vectors into healthcare organizations.

Not much light has been shed on this weak point — it is even considered a “critical blind spot” in healthcare cybersecurity, says Errol Weiss, chief security officer at Health-ISAC.  

Entangled in a web 

Healthcare is highly interconnected: its organizations rely on several other businesses and partners to provide crucial services.

“All these modern-day hospitals, for example, are super dependent on IT to be able to run efficiently and effectively,” says Weiss. “Of course, that IT now transcends these organizational boundaries. So, all these connection points have become incredibly complicated.” 

Essentially, one breach in that intertwined web creates a ripple effect throughout it, ultimately entangling all connected parties in a larger problem. A disrupted healthcare supply chain leaves healthcare organizations exposed to potential cyberattacks in addition to impacting their services. Hackers can use this weakness as leverage for their attacks.

“When I think about the current environment, these system disruptions and data breaches are really the digital weapons of choice for today's cyber criminals and nation states to achieve their goals,” says Weiss. 

Case in point: Change Healthcare 

One of the more prominent disruptions in recent history was the data breach at Change Healthcare, a provider of revenue and payment cycle management. The breach happened because Change hadn’t implemented multifactor authentication (MFA) on a remote desktop access portal, allowing hackers to use compromised credentials to access its systems.

According to Weiss, there were three major issues from this incident: 

  1. Disruptions in patient care: Insurance information wasn’t readily available, meaning patients couldn’t verify their information to schedule procedures or get medications. These disruptions ultimately impact patients’ health.
  2. Financial strains: With Change Healthcare being an integral part of the insurance payment process, any disruption or breach is going to bottleneck a healthcare organization’s financials. Given enough time, that will trickle down and affect individual facilities, as they may not have enough funds to keep operating.
  3. Eroding the public’s trust: Given the hampered caregiving and operability due to the breach, people’s opinions and trust will eventually decay to a point that is unfavorable for healthcare organizations and their facilities. 

If these issues are left unaddressed, they can coalesce into a miasma of detrimental forces that wear away at the public image of healthcare. Fortunately, not all scenarios have to become that dire if healthcare organizations promptly mitigate these breaches.

Addressing supply chain breaches 

Facility managers and other employees in charge of purchasing at the organization should analyze their third-party suppliers. It is also important to review where critical business processes are being outsourced and where sensitive patient information is being shared.

All these can be vulnerable points in their business model, so Weiss says healthcare organizations must pay attention to them from a risk management standpoint. 

“It’s one thing if they're buying pencils and office supplies from some organization – that I wouldn't put into this high-risk category obviously,” says Weiss. “However, if there's an organization that's running a critical business process and they're sharing a ton of sensitive patient information, I would be looking into their business processes and security policies. This is to make sure that they're taking security seriously and doing the right things internally when it comes to cybersecurity.” 

Weiss adds that a white paper called the Health Industry Cybersecurity Supply Chain Risk Management Guide acts as a toolkit for creating a supplier risk management program. The document contains templates for healthcare organizations to create policies, procedures, roles and responsibilities so they can establish the governance for their program.

“They would also be encouraged to share that same document with the key suppliers that their organization uses as well,” says Weiss. “They in turn then can use this document to create their own risk management program as well.” 

Jeff Wardon, Jr. is the assistant editor for the facilities market. 



July 25, 2024


Topic Area: Information Technology, Security

