The Cyber Case for Supply Chain and IT Collaboration

Feb. 25, 2025

A lot has changed in healthcare since the start of the pandemic, including an increased use of telehealth and the ability of employees to work remotely. All of this has been made possible by a dramatic increase in the use of cloud-based applications that have expanded where and how healthcare can be delivered by supporting remote access to critical data. As healthcare’s digital footprint has increased, so, too, has the cybersecurity risk, with more than 90% of healthcare organizations reporting an attack in 2024, according to the Ponemon Institute “2024 Study on Cyber Insecurity in Healthcare.”

This is of particular interest for the supply chain, which is a prime target for cybercriminals.  Nearly 70% of those participating in the Ponemon study said they experienced an average of four supply chain-directed attacks over the past 2 years, with the vast majority (82%) saying those attacks negatively impacted patient care, e.g., by delaying critical procedures. With cyberattacks in healthcare increasing faster than in other industries, it makes sense that health system executives told Guidehouse researchers in November 2023 that cybersecurity was their IT budget priority. But a little over a year later, despite some large attacks in 2024 (hitting Ascension, the Kaiser health plan, and Change Healthcare), there was little mention of cybersecurity at the recently completed JPM Healthcare Conference. At the same time, many of the investments cited by healthcare systems will only increase their cybersecurity risk. For example, many not-for-profit healthcare systems spoke about partnering more with third parties to help operate home healthcare, pharmacies, diagnostics, and other ancillary aspects of their business.  Many of these steps are seen as cost-saving strategies, but they also increase the points of digital access to a healthcare system’s infrastructure and data that can be exploited by cybercriminals. 

With supply chain responsible for relationships with thousands of third parties, any effective health system cybersecurity risk management program must include a strong partnership between supply chain and IT. Supply chain is responsible for the availability and safety of a multitude of products and services used in patient care, while IT maintains the operation and security of the technology systems, many of which are cloud-based, that manage the procurement, distribution, storage, and payment for those resources.

Below are some recommended steps that IT and supply chain can take together to protect against costly and often life-threatening cyberattacks on both a health system’s internal systems and those run by its partners and, in turn, their business partners and vendors.

  1. Start by identifying all of your suppliers and points of digital connectivity. Then prioritize your most strategic suppliers, based on the criticality of the products, services, and data they provide and/or manage. 
  2. For suppliers that utilize the cloud, also assess the risk level associated with their cloud service providers. 
  3. Develop a standardized approach to risk assessment based on the factors that raise the probability of attacks, such as the type and volume of data handled.  
  4. Incorporate contract language that specifies supplier responsibilities for maintaining security standards, including with their vendors and business partners.
  5. Determine the level of risk associated with each supplier, starting with the most strategic.
  6. Conduct individual supplier risk assessments with the frequency and scope based on their assigned level of risk. 
  7. Share results of assessments with the vendors and internal staff. Follow up on any outstanding issues. 

During the pandemic, the critical nature of supply chain to the delivery of safe and effective healthcare became apparent to both healthcare leaders and the general public. Unfortunately, it also caught the attention of cybercriminals. It is incumbent upon supply chain leaders to expand their own cybersecurity risk capabilities, in partnership with the IT experts in their own organizations and the expertise of their vendors and business partners. 

About the Author

Karen Conway | CEO, ValueWorks

Karen Conway applies her knowledge of supply chain operations and systems thinking to align data and processes to improve health outcomes and the performance of organizations upon which an effective healthcare system depends.  After retiring in 2024 from GHX, where she served as Vice President of Healthcare Value, Conway established ValueWorks to advance the role of supply chain to achieve a value-based healthcare system that optimizes the cost and quality of care, while improving both equity and sustainability in care delivery. Conway is former national chair of AHRMM, the supply chain association for the American Hospital Association, and an honorary member of the Health Care Supplies Association in the UK.