Hospital Supply Chain Systems Security Lacking

August 3, 2021

CynergisTek released its fourth annual report, “Maturity Paradox: New World, New Threats, New Focus,” which revealed that most hospitals critically lack the ability to secure their supply chain systems.

In this report, CynergisTek reviewed just under 100 assessments of healthcare providers across the continuum, including hospitals, physician practices, Accountable Care Organizations (ACOs), and Business Associates. These assessments measure organizations’ security posture against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), a standardized framework first published in 2014 intended to help protect American critical infrastructure.

Assessments were categorized into two cohorts: high performers with NIST conformance scores over 80% and low performers with conformance scores under 80%. CynergisTek’s 2021 report focuses on the industry’s overall status in cybersecurity preparedness, with 64% of organizations below 80% conformance. The report identified several areas for continued improvement in planning and preparedness, especially seeing as only 75% improved during the coronavirus pandemic – even then only slightly. While that is progress, it isn’t the progress the industry needs to shore up defenses. Investing in security, in the long run, is often ultimately more cost effective than paying the recent exorbitant ransoms.

“The past year has been arguably the most trying on the U.S. and global healthcare systems. We saw cybercriminals attack hospitals and healthcare institutions when they were at their most vulnerable – the industry made it through, granted with some bumps and bruises,” said David Finn, EVP at CynergisTek. “It is the responsibility now – of stakeholders, C-suite, IT managers, and anyone involved in protecting our healthcare system – to ensure that patient care remains resilient even in an environment with growing cyberattacks. The report demonstrates there is work to be done, but there are also immediate opportunities to shore up risk management practices.”

Supply Chain Proves Biggest Health System Weakness

Overall, Supply Chain Management was the second lowest-scoring and least mature category assessed. Even among high-performing organizations that have significantly improved over the past four years, scores averaged 2.7 out of 5, reflecting a universal challenge that companies face in identifying and addressing risks across their supply chains. With an acceptable score above a 3, only 23% of organizations passed on supply chain security – and barely – not even high performers achieved above a 3.

In particular, CynergisTek found that organizations struggle to validate whether third-party partners are meeting contractual security obligations. Given recent attacks on these critical third parties and suppliers – ranging from SolarWinds to Microsoft Exchange – and given the decentralized nature of global supply chains, it is imperative for organizations to dedicate time and resources to supply chain security before risks expand exponentially.

You need to look no further than the U.S. Department of Defense (DoD) for where the industry may head next from here. The DoD has mandated, through the Cybersecurity Maturity Model Certification (CMMC), that its suppliers demonstrate a minimum level of cyber hygiene standards. In fact, CynergisTek’s Redspin subsidiary was the first organization that received approval to perform audit work to determine the cyber readiness level of contractors before they do business with the DoD. This standard is likely to soon be implemented across other industries, as well.

“It's clear that this is not the right time to cut back on cybersecurity, and that smart spending will be necessary to secure organizations against a rising tide of ransomware threats against critical infrastructure generally, and healthcare specifically. As we ride out the remainder of 2021, it's within your power to ensure that the economic impacts of the digital transformation on your organization are net positive – assuming you make the right, proactive decisions to protect your assets, patients, and environment now,” added Finn.

Treat Security as a Journey, Not a Destination

Cybersecurity preparedness is a long-term initiative that requires consistent attention and proactive action to match the latest threats. Given current trends, as well as data revealed in CynergisTek’s 2021 report, healthcare organizations need to focus on the following:

Perform exercises and drills at the enterprise level, testing all components of the business. To have an effective response when the “boom” happens, do what the military does: Practice, on a large scale, and then build out a playbook and continue to iterate as needed.

Prioritize securing the supply chain. As Cybersecurity and Infrastructure Security Agency (CISA) puts it, the “supply chain is only as strong as its weakest link.” As demonstrated in this year’s findings, supply chains present a potential vulnerability with wide-ranging and unpredictable impact. Security leaders need to assess current investments and devise a plan of action that aims to rapidly remediate this major vulnerability. That should include, minimally, a risk-based assessment of critical third-party vendors based on access, data they hold or access and services they provide.

The key words are ‘automate’ and ‘validate.’ Automating security functions and validating technical controls for people and processes are foundational in any solid security. Security automation can detect, investigate, and even remediate cyber events and threats in near-real-time, so it is crucial to focus on automation that can be manually diagrammed. Then, adopt that automation gradually and roll out training to effectively leverage the tools so the right people can follow the appropriate procedures.

Double down on organizational awareness and training: People are an organization’s first and last line of defense, and despite the industry’s overall year-over-year improvement in cybersecurity posture, awareness and training remain an alarmingly unaddressed portion of companies’ strategies. CynergisTek’s 2021 report found that half of organizations are not training and informing end users regarding security on an ongoing basis. This trend is pervasive both within and outside of organizations. CynergisTek found a critical lack of education and understanding among C-Suite executives and board members, who have unique obligations and fiduciary responsibilities. Consistent with this year’s findings regarding the overall vulnerability of the supply chain, CynergisTek also found that many third-party vendors and partners lack training and understanding of their role in cybersecurity preparedness.

Terms of Use | Copyright © 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement