Cybersecurity in the healthcare supply chain

Posted on: 22.09.2016



Cybersecurity is a hot issue that impacts every single aspect of our lives. Traditionally, security had not been a top priority in the healthcare sector, but times have changed. The information healthcare organisations manage on a daily basis now has an incredible value for attackers. The risk comes not only from our patients' data but also from the supply chain. Without the right systems and adequate tools to supply all the needs, lives can be lost. It is a serious threat that we cannot dismiss. We need a just-in-time policy to anticipate our needs even in the worst scenarios. In healthcare, the amount of medication and consumables needed to keep the system working is huge and heterogeneous. Some countries have already started to protect the healthcare supply chain from malware, ransom and other persistent threats.

In the same way that we put effort into protecting critical infrastructures in other sectors, in healthcare we need to extend these rules and policies to the supply chain. We need to be aware of the importance of having a fully resilient supply chain.

What happens when cybersecurity in the supply chain is not taken seriously?

  • In 2013 Target suffered a breach, losing the data of 110M customers and 40 million credit cards
  • In 2014 Home Depot suffered a similar attack
  • Community Health Systems suffered a breach having 4.5M patient records stolen
  • NHS also suffered attacks

Is it the organisations' fault? Of course not: attacks are now more targeted, and we have discovered that ANY information is a valuable asset to protect.

Worse, this is just the tip of the iceberg. In healthcare, millions of records of sensitive data are stolen, but only a few of them become public.

Most attacks come from “trusted” providers and are due to poor screening of the security countermeasures around them.

It is obvious that a shortage of meds would be an important problem for our society, so handling the security around the supply chain is of huge importance. Therefore, we should build a fully resilient chain with our providers, protecting them as if they were part of our own network.

Are we considering the healthcare supply chain a critical infrastructure? Not yet, at least in Europe. In the US they are starting to put effort into it. We consider our hospitals resilient, but what would happen in the event of a big incident? Are we ready to deal with it? We protect airports, railways and public buildings. We shouldn’t forget about healthcare. Here are a few examples of the consequences of having a weak healthcare supply chain.

So is there any solution…?

  • The H1N1 vaccine shortage in 2009 is something to learn from. Are we now more ready than we were? Are our protocols up to date for a big attack and our supplies guaranteed for the long term?
  • What happened with the Personal Protective Equipment (PPE) when WHO declared the Ebola outbreak? Those who were prepared with a resilient supply chain were ready for the worst situation. But many countries suffered for not having a strong supply chain.
  • We need to consider using AI and Business Intelligence to be able to anticipate our needs and implement Just-In-Time supplies
  • Consider the provider as part of our network: running security exercises as in my own networks. SECURITY is an ongoing process
  • Every single system must be protected as an entry point to my network (all devices protected)
  • Cloud services must be used instead of local infrastructure: leave the security in the hands of the experts
  • Global threats, global solutions: global standards and health needs are always the same, the approach must be global

If you want to know more, please join us first in the Tweetchat “Cybersecurity in the supply healthcare chain” on Tuesday, September 27, at 6PM CET (#eHealthChat) and then at the Cybersecurity Summit, which is part of the HIMSS Europe World of Health IT (WoHIT) Conference & Exhibition.

Óscar Maqueda

Healthcare Cybersecurity Expert