
By Jessica Davis

The Healthcare and Public Health Sector Coordinating Council (HSCC) released guidance on supply chain cybersecurity risk management targeted at small and mid-sized healthcare organizations, in an effort to improve the security of products and services obtained from vendors.

The guide provides practical tools and best-practice policies for getting the most out of limited security resources, so that healthcare organizations can manage the risk created by their dependence on the supply chain.

“The supply chain in the health industry is a complex eco-system of interdependent organizations of all sizes, spanning patient care, payment and data management systems, pharmaceutical, and technology research and manufacturing, and public health administration,” the guide authors wrote.

“These interdependencies mean that a cybersecurity event in one organization is likely to have ripple-effects on multiple other links within the supply chain,” they added. “In response, larger organizations have dedicated resources to improve their resiliency. Many small-to-medium-sized organizations, however, lack the scale or the budget to staff dedicated teams of cybersecurity experts.”

In response, HSCC developed the guidance primarily for the leaders of these organizations, to give them insight into ways to combat supply chain risk and to raise awareness across the healthcare sector as a whole.

HSCC has been routinely releasing guidance on critical healthcare security pain points over the last year to help providers struggling to keep pace with a rapidly evolving threat landscape. In September, the group released a resource on cybersecurity information sharing organizations in the healthcare sector.

The group also provided guidance on medical device security and ways healthcare organizations can shore up cybersecurity staffing gaps. HSCC developed a guide on healthcare cybersecurity best practices, in coordination with the Department of Health and Human Services.

The latest guide aligns with the new supply chain requirements outlined in the 2018 update to the NIST Cybersecurity Framework and outlines processes, governance, and practical tools covering the various supplier relationship types, risk assessment, supplier inventory, and policy examples.

While directed at smaller and mid-sized organizations, HSCC officials said the guide can also serve as a call to action for larger organizations, associations, and consultancies, in the hope of raising awareness and encouraging adoption.

“By enabling these organizations to ensure secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all,” Greg Garcia, HSCC executive director of its cyber security working group, said in a statement.

The guidance describes how to identify, establish, and assess cyber supply chain risk management processes that meet the NIST CSF requirement, and outlines the processes needed to identify, prioritize, and assess cyber supply chain risk.

Further, the guide provides information on contracting requirements for suppliers and other third-party partners, including ways to implement strong measures that meet the organization’s objectives for its cybersecurity program and its cyber supply chain risk management plan.

Organizations can find a definition of key supplier risk areas, as well as suggestions on where security leaders should begin to assess those risks and what is at stake if they go unaddressed. HSCC also outlined roles and responsibilities for the overall supply chain cyber risk management program.

HSCC suggested the program leader should be chosen for their ability to influence and direct resources, such as a chief procurement officer, the head of the enterprise risk committee, or the chief financial officer. Medium and large organizations should use a committee-based model, including representation from legal, quality, facilities, compliance, and other functions relevant to the role. The guide also outlines the supplier scope.

“Supply chain risk management is an ongoing process,” the guide authors wrote. “This document provides guidance for health providers and companies on establishing a supplier risk management program involving new and existing suppliers, and how to sustain those activities operationally.”

“It also provides specific templates that can be used as a starting point for your organization’s needs,” they continued. “Once the risk posture of the supplier is identified and measured, if the risk level falls within the risk appetite established by the executive sponsor, the next step is for the organization to ensure that the contract with that supplier adequately covers the necessary controls.”

Given that an April report from Carbon Black showed that 50 percent of cyberattacks target the supply chain, the guidance could be crucial to organizations working to shore up these gaps. The complete guide can be found on HSCC’s site, and officials said feedback is welcomed.