How healthcare orgs can protect their supply chain from cyber risks


The Cloud Security Alliance this past week released a report outlining the cyber risks faced by healthcare delivery organizations when it comes to supply chain management.

Experts from CSA explained that healthcare organizations face two main concerns:

  • Risk management involving the cyber supply chain, which includes IT networks, hardware and software.
  • Risk management involving the conventional supply chain.

“With the move to the cloud and edge computing, HDOs are finding it increasingly challenging to secure their infrastructure,” read the report.

“Cyberattacks target HDOs and their suppliers in this expanded attack surface,” it continued.


As the report authors noted, cyberattacks can be very costly, particularly as healthcare organizations and suppliers present juicy targets for bad actors.

And as the supply chain has become more dependent on the Internet, the risk profile has also become more complex.

“It is incumbent on HDOs to ensure that their supply chain partners comply with data management policies and ensure the safety and security of the supply chain,” said report authors.

They explored several causes for supply chain and risk management program failure:

1. A lack of automation, which makes keeping up with cyber threats challenging.

2. The cost and time required for vendor risk assessments.

3. Partial or full failure to deploy critical vendor-management controls and processes.

“Regardless of the reason, it is imperative HDOs have an effective supply chain risk-management program to manage the process throughout the supply chain risk-assessment life cycle,” said the report.

That life cycle, it continued, comprises determining criteria for supplier evaluation, assessing and treating risk, and monitoring and responding to further developments.

“We must engage with our supply chain vendors to address tactical and systemic security performance measures necessary to achieve a satisfactory risk rating,” said the report.

“Additionally, we must reduce our risk exposure by holding our supply chain accountable to meeting our risk management performance standards.

“Risk feedback to vendors that is timely, relevant and actionable is a powerful motivator for supply chain vendors to do the right thing,” it continued.


The COVID-19 pandemic shone an urgent new light on supply chain cybersecurity, particularly when it came to vaccine development and distribution.

But even for smaller-scale endeavors, the vendor ecosystem presents a potential concern.

Organizations often work with thousands of third-party businesses, where network vulnerabilities may go unnoticed until it’s too late.


“Supply chain exploitation is not just a potential risk; it is a reality,” said CSA report authors.

“To address this risk, look at how you assess and mitigate internal risk, and compare that to how you assess your supply chain risk. Do you apply the same rigor to your supply chain assessments?” they asked.

“HDOs need to act now to minimize the effects of a supply chain incident that could impact them. When a part of your supply chain gets compromised, it can compromise your network and put your systems at risk.”
