Written by: Richard Staynings, Chief Security Strategist at Cylera
It’s perhaps not that surprising to learn that the healthcare sector, including the NHS, is the third most targeted industry globally by cybercriminals, thanks to the rich amount of sensitive and highly valuable patient data stored within it and the significant disruption a single breach could potentially cause. What is mind-blowing is that the sector experiences, on average, 1463 malicious attack attempts per week, an increase of 74% since 2021.
It’s therefore critical for Heads of IT to have complete visibility and knowledge of their entire cyber landscape, including anticipating what could introduce risk into their organisation. Cyber threats in healthcare are not limited to data centres, nursing stations, or protected health information (PHI) sent between health insurers, electronic health information exchanges (HIEs), government agencies, and patients. The risk matrix is far more extensive. It includes thousands of suppliers, vendors, and partners around the world. Everything from business process and IT outsourcing service providers to complex manufacturing supply chains for medical equipment can fall under the umbrella of access points susceptible to cyber risk.
We’ve seen on multiple occasions just how devastating a supply chain attack can be on the NHS. Many of us recall the ransomware attack on NHS service provider, Advanced, which provides digital services such as patient check-ins and NHS 111. The breach affected multiple services including ambulance dispatch, patient referrals, out-of-hours appointment bookings, mental health services and emergency prescriptions. Advanced’s own report on the incident described how the attacker moved laterally through Advanced’s Health and Care environment, escalating privileges which then allowed them to carry out reconnaissance and deploy encryption malware. Client data was also accessed and removed by the threat actors.
More recently in July of this year, Swedish e-health company, Ortivus, another NHS supplier, was hit with a cyberattack leaving two British ambulance Trusts, serving 12 million people in the south of England, struggling to access and record electronic patient data.
What's more, growing geopolitical tensions between the Western world and countries like Russia and China have fuelled concerns over the security and safety of the supply chain for critical infrastructure. This has already resulted in telecommunications providers like ZTE and Huawei being banned in Western countries.
So, what steps can you take to secure your healthcare organisation’s own supply chain?
1. Comprehensive Vendor Assessment
Firstly, diversify and de-risk your supply chain to ensure that all your eggs aren’t placed in one basket. Treat geography and transportation as supply chain risks, and consider geopolitical risks as well. Then, conduct in-depth evaluations of possible vendors, suppliers, and partners. This should include 4th- and 5th-party suppliers and so on. Examine their cybersecurity policies, practices, and security incident history. Prioritise vendors who follow industry-specific guidelines and regulations, such as ISO 27001 certification, and check that UK suppliers hold ‘Cyber Essentials’ certification as a minimum.
2. Security Requirements
When partnering with a third-party company, specify in the contract agreement the security criteria that vendors must adhere to, such as data encryption, regular security updates and patches, and particular access controls. Consider elements like availability, integrity, and confidentiality in your risk analysis to guarantee that critical patient information and organisational secrets cannot be stolen or manipulated via a vendor. Conduct regular audits to ensure that security requirements are met on an ongoing basis, or insist upon an audit attestation, such as an SSAE 18 SOC 2 Type II report, that covers your security control requirements.
3. Cybersecurity Training and Awareness
Educate healthcare professionals on the importance of supply chain security and how to spot potential cyber threats and vulnerabilities. Extend this training to third-party vendors on how to safely handle and share sensitive patient information.
There's no doubting that the threat to the supply chain will continue to grow significantly. This is partly because we’re constantly learning about the potential vulnerabilities within the supply chain, and partly because cybercriminals and threat actors continue to discover new ways to exploit flaws across our delivery and distribution networks. As a top prize for threat actors, healthcare organisations should always be thinking beyond their own cyber hygiene. Ensure your cybersecurity strategy extends beyond your own perimeter and risk-assess your entire supply network; only then can you be confident that all steps have been taken to close any back doors into your IT network.
Find out more at HETT Show!
Cylera is exhibiting at HETT on 26-27th September at ExCeL London. Come visit us at Booth E30, where we will be demonstrating the capabilities of our cutting-edge cybersecurity platform, designed specifically to help secure medical devices and IoT devices against cyber threats.
About the author
Richard Staynings, Chief Security Strategist at Cylera
Richard Staynings is a globally renowned thought leader, author, public speaker, and international luminary for healthcare cybersecurity. He has served on numerous working groups and boards and has helped governments and private providers formulate long term strategies and tactical action plans for improved cybersecurity and patient safety across the industry and across the world.
Richard serves as Chief Security Strategist for Cylera, a pioneer in the space of medical device and HIoT security. He is also author of Cyber Thoughts, a leading healthcare cybersecurity blog, and teaches postgraduate courses in cybersecurity and health informatics at the University of Denver, University College.