There has been plenty of awareness generated about the vulnerability of healthcare organizations to hackers. Hospitals and biomedical facilities have been ramping up their efforts in fortifying their cyberdefenses.
Healthcare organizations are projected to spend $125 billion on cybersecurity from 2020 to 2025. This massive spending amount is in response to healthcare being a prime target for hackers.
More than 93 percent of healthcare organizations have experienced a data breach over the past three years, and 57 percent have had more than five data breaches during the same time frame. While hospitals have been hardening their defenses, the same can’t always be said for the complex ecosystem of suppliers that feed into the hospital and biomedical space.
The Cloud Security Alliance recently released a draft of best practices that any business identified as a healthcare delivery organization should follow. The report comes as the healthcare supply chain is increasingly vulnerable.
The draft report states:
HDOs face risks from many different types of supply chain vendors, everything from food suppliers, software providers, medical devices, pharmaceuticals, and day-to-day medical supplies. This complexity and extended interdependency dramatically increase the consequences of a cyber incident, ranging from the leakage of sensitive personal information to the disruption of the actual provision of the supply chain.
“So much of cybersecurity is a ‘weakest link’ game,” says Stuart Collins, a healthcare cybersecurity expert in Minneapolis. “And this means that a hospital can turn themselves into Fort Knox, but if the supplier of uniforms for the radiologists has a sloppy cybersecurity regimen, that can jeopardize every entity on the chain – including the hospital.”
MSPs are a crucial bulwark when defending against medical-related hackers
“A lot of hospitals have their own internal IT departments, but once you start getting down to all the ‘feeder businesses’ from biomedical suppliers, labs, hospital food service, and janitorial, that is where MSPs are generally in charge of security, and if there is a weak link in the supply chain, hackers will find it,” Collins says.
Beyond the fact that hackers consider personal health information (PHI) to be among the most valuable data, the healthcare space is highly regulated for patient privacy.
“It is conceivable that an MSP that manages the security for a business that supplies trays to the hospital cafeteria could find themselves ensnared in running afoul of medical legislation or regulation,” Collins shares. “I had one MSP that insisted they were not operating anywhere in the healthcare space and therefore, many of the regulations didn’t apply to them, but one of their manufacturing clients made supplies that ultimately found their way into hospital HVAC systems.”
The importance of healthcare audits
“That’s not to say that HIPAA suddenly binds every business that touches a hospital, but it is something to be aware of,” Collins says. He concurs with the CSA’s recommendations, the first of which is to do a healthcare “audit.” Here are suggestions from Collins and the CSA report for MSPs that may have clients in the healthcare supply chain space:
Audit: Do a specific healthcare audit of your clients. You might think that garment manufacturer has nothing to do with healthcare, but perhaps they make lab coats.
Risk scoring: Once you have identified which suppliers are in the healthcare space, score them based on risk using a third-party risk rating service. Perhaps that client that supplies muffins to the hospital cafeteria isn’t a huge risk, while the client that provides radiology equipment is a high risk, Collins says.
Know the law: The healthcare space is a labyrinth of laws that vary by state and country.
“This is a good time for your MSP to develop a relationship with a cybersecurity attorney,” Collins says. Alternatively, have someone on your already stretched-thin staff familiarize themselves with the laws and regulations in the healthcare space that may or may not apply to your clients.
Require compliance: MSPs dealing with any customer in the healthcare ecosystem should require vendors and suppliers of all stripes to maintain strict security standards.
The CSA report stresses that the faster a breach is caught, the quicker the damage can be contained:
Supply chain monitoring aims to detect disruptions as early as possible to avoid or minimize adverse effects on the HDO’s operation. Continuous monitoring may involve periodic screening of the HDO’s existing supply chain. A critical factor with any effective compliance program is regular monitoring and auditing to ensure that the HDO is made aware of anything new that might change a risk profile. Remember, things can change rapidly.
MSPs, in turn, need to be able to respond just as rapidly, and in the healthcare supply chain ecosystem that rapid response is needed more than ever.
Photo: Khakimullin Aleksandr / Shutterstock