The importance of a secure supply chain in this industry is critical for any country, but it hits the US especially hard because of the vast number of U.S. adults (67% in 2021) who take prescription drugs on a daily basis.

The most nefarious part about a supply chain attack is that it puts everyone at risk – the enterprise, the downstream suppliers, and everyone connected to them. In healthcare, however, that risk radius extends to human lives. And yet, to keep delivering care, medical providers are forced to increase their supply chain ties. The stakes are higher, and the consequences more deadly, as increasingly connected healthcare organizations struggle to contain an ever-expanding attack surface.

A High-Value Target

“If you don’t have your health, you don’t have anything,” the saying goes. The same is true of a nation’s health. Hackers know this, and the high-stakes, immediate, and interconnected nature of the medical industry makes it a prime target for attack. To that point, the healthcare sector now experiences more attacks from external third parties than from insiders.

We don’t need additional evidence to know that widespread sickness can defeat societal morale, nor do we need any proof that destroying hospitals ruins human lives. Neither do threat actors. As critical national infrastructure continues to be the target of nation-state cyberwarfare, hospitals find themselves in the direct line of fire.

The high-stakes and immediate nature of the medical industry makes it a prime target for attack, and threat actors go where the money is. In the wake of a global pandemic, now more than ever, that means the healthcare economy. US annual health spending is predicted to rise over 5 percentage points a year over the next five years and is forecast to reach $6.2 trillion by 2028. It is estimated that health will represent a one-fifth share of the national economy that year, that the price of medical goods and Medicare will go up, and that the number of insured Americans will go down. For better or worse, healthcare promises to be a lucrative industry for years to come.

This will draw the increased attention of hackers, but chances are they won’t come through the front door. Hospitals, medical groups, and pharmaceutical companies have long and far-reaching supply chains, even more so after the demands of Covid-19. These highways are built to deliver quick impact to the front lines of healthcare, and in the wrong hands they can multiply that impact for the worse. The number of supply chain attacks involving third-party components has increased over 600% in the past year, and vulnerabilities arising within software dependencies now affect two-thirds of open-source libraries. Chances are high that any industry with a significant string of downstream partners – healthcare not excluded – will be affected in some way.

Healthcare Supply Chain Trends

Some subsets, however, are more likely to be affected than others, and for different reasons.

  • Cybercriminals are now targeting smaller hospital systems and clinics with the (often correct) assumption that their limited resources make them less cyber-prepared than their well-established counterparts.
  • Healthcare groups are a treasure trove of sensitive information. Identity thieves mine for demographic information, and cybercriminals sell Personally Identifiable Information (PII) and HIPAA-protected Protected Health Information (PHI) on the dark web.
  • Increasingly, third-party-based attacks have been leveraged against medical groups in place of standard supply-chain compromise. The Shields Health Care Group breach, in which 50 facilities were impacted, was the result of a compromise of their third-party imaging provider; over 2 million individuals were affected by the fallout. A third party was also involved in the Partnership HealthPlan of California breach, which reached over three-quarters of a million people.
  • Medical supplies and services (such as pharmacies, provider alliances, and medical supply companies) made up 14% of breaches in the first half of 2022.
  • Sometimes hackers get to healthcare providers via more innocuous means, such as their business partnerships. These include consultants, billing companies, cloud services, medical device manufacturers, and more. These types of attacks accounted for 15% of breaches during the same period.

Medical Providers Increase Connection with Supply Chains

The fact remains that not only is each company downstream more digitally connected than ever before, but there are more of them involved in each supply chain. The attack surface grows at an exponential rate as chip manufacturers, plastics producers, and shippers of bio-hazardous materials used in hospitals each take on more remote workers, IoT devices, and potentially Shadow IT.

The problem is compounded because the world, and healthcare in particular, has increased its dependence upon supply chain strategies. One could argue that they weren’t given much of a choice, and they could be right. In the throes of Covid-19, medical providers were forced to rely on their vendor partners to an extent never before anticipated. The sudden, intense onslaught of orders for high-demand items like N95 masks, testing kits, and even toilet paper highlighted the importance of a well-oiled supply chain. Post-pandemic, however, healthcare operations are still struggling to return to normal, and in large part that means keeping the lights on.

While it may seem like a necessary evil, many health groups are turning to clever supply chain management to shore up their bottom line in a still-rocky post-Covid-19 health climate. Being able to provide the best service depends on having the best equipment, materials, and resources, and having them on hand at the most attainable prices. Global supply chains have a lot to do with that.

Securing Against Downstream Attacks

While vetting each supplier with a full battery of security standards prior to taking them on would be preferable, it’s simply not practical. Therefore, the burden of securing against supply-chain attacks still rests primarily on the organization at the head of the chain. The same goes for each individual supplier. That’s why partnering with a company that specializes in defending critical national infrastructure sectors such as healthcare is invaluable as you build out your zero-trust third-party approach.

We can’t always control what vendors track into our environments, but we can control what stays there. Our cybersecurity resilience programs enable you to detect breaches, reduce recovery time, and minimize business disruption during an event, and we’ve worked extensively with HIPAA-compliant agencies before.

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
