Health care supply chain attacks have the potential to disrupt care and operations across the entire healthcare system with a single successful infiltration. The single points of failure that exist across the industry make the risk of supply chain attacks even greater.
“The bad guys realized that if they could go after this small vendor that is a single provider in a particular region, they could have a huge impact on the healthcare industry more broadly and maximize their downstream profits,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC). “It’s definitely different than what we were seeing before.”
Mitigating supply chain attacks requires healthcare organizations to maintain strong, security-focused relationships with their essential suppliers, beginning at the contractual stage. Tabletop exercises, response and recovery plans, and a focus on cyber resilience can help healthcare IT security leaders mitigate the risks of this pervasive threat.
Exploring the Prevalence of Healthcare Supply Chain Attacks
Several attacks on the healthcare supply chain have caused disruptions to healthcare systems around the world in 2024.
For example, in April 2024, BlackSuit ransomware actors targeted Octapharma, a blood plasma supplier, leading to the closure of more than 190 plasma donation centers in the United States as well as disruptions in the European Union.
In June 2024, the QiLin ransomware gang attacked pathology provider Synnovis, forcing several London hospitals to reschedule operations and cancel thousands of appointments in the weeks following the attack.
In July 2024, Florida-based blood provider OneBlood suffered a ransomware attack that resulted in a software outage affecting stock availability, forcing hospitals to activate critical blood shortage protocols.
These attacks were the basis of a joint threat bulletin issued in August 2024 by Health-ISAC and the American Hospital Association (AHA) which warned members of the prevalence of supply chain attacks perpetrated by Russian cyber threat actors.
“These ransomware incidents demonstrate how catastrophic failures can occur in healthcare delivery when mission- and life-critical providers are attacked. For healthcare delivery organizations (HDOs), hospitals and health systems, these attacks have had massive impacts on patient care, as the entities that were attacked provided essential services to a multitude of healthcare providers, including hospitals, ambulances and medical clinics,” the bulletin said. “The physical supply chain disruptions caused by these attacks highlight the potential for cascading impacts on healthcare to patients due to disruption of healthcare providers’ essential and niche health products.”
The healthcare sector also saw widespread disruption in February 2024, when the Change Healthcare cyberattack occurred, raising concerns about third-party risk management and illustrating what can happen when a vendor that performs a specific function for healthcare customers across the country goes down.
These events show that whether a cyberattack results in physical supply chain delays or digital disruptions, it can still impact patient care and operations.
Supply Chain Risk Mitigation Strategies
Mitigating these risks requires focusing on cyber resilience and business continuity in the event of a cyberattack.
“If we are attacked, whether it’s a man-made event, a cyberattack or a natural disaster, how can we maintain our operations and keep these critical systems up and running?” Weiss asked. “Are we identifying single points of failure that could potentially lead to cascading impacts that could cause more widespread failures in healthcare?”
The healthcare supply chain attacks that hit the sector in 2024 have also highlighted the importance of third-party risk management, Weiss noted. He recommended that organizations be sure to bring third-party security into the conversation when conducting business risk analysis and simulation exercises.
Additionally, organizations should try to identify alternative suppliers, so as not to be as dependent on a single source of vital supplies in the event of a cyberattack against that supplier.
“And if there are no other alternative providers available, in my opinion, that’s one of the things that should be brought to the attention of the federal level,” Weiss said. “As an industry and as a society, we must do something to minimize the risks to the American public.”
Weiss highlighted guidance from the Healthcare Cybersecurity Coordinating Council (HSCC) as a reliable resource for addressing this issue. The guidance, last updated in October 2023, offers strategies for small and mid-sized healthcare organizations to establish and maintain a supplier risk management program.
The HSCC document includes model policies and procedures, as well as guidance on establishing governance, contract language, and testing response and recovery efforts for supplier cybersecurity incidents.
“Properly managing cyber risks within the supply chain requires a proactive strategy to protect patient information and sensitive data from ever-increasing risk from bad actors outside, and sometimes within the healthcare system,” the guide states. “A supply chain cybersecurity risk management program also serves as a strategy to support and increase business continuity preparedness and planning and countermeasures.”
Although these guidelines are intended for small and medium-sized organizations, HSCC encouraged larger organizations with more resources to use their reach to disseminate the guidelines to their vendors and benchmark their own programs against the best practices contained in the document.
As health organizations continue to face cyberattacks directly and through their providers, it is crucial to prepare for critical service outages to ensure they can continue to provide patient care.
Jill McKeon has been covering cybersecurity and healthcare privacy news since 2021.