Partnering with IT helps to construct a digital rampart around transactional data.
By R. Dana Barlow
June 2024 – The Journal of Healthcare Contracting
Editor’s note: The following is part 1 of a series of articles on cybersecurity in the U.S. healthcare system.
Burgeoning cyberattacks against healthcare provider organizations, payers, suppliers, vendors and retail corporations continue to make headlines and tax both the defensive and offensive playbooks of the victims, no matter how many resources – financial, operational, technological or workforce – they erect to fortify and shore up IT infrastructure.
In fact, a wealth of studies and surveys hearkening back to the pre-pandemic years show that healthcare organizations are still playing catch-up in a desperate but perpetual chase toward cybersecurity throughout the enterprise.
The digital realm in which the healthcare supply chain operates comprises networks and clouds accessed internally by large groups of staffers and contractors as well as externally by remote versions of the same, a trend accelerated by the global pandemic.
Much of the media coverage on cyberattacks in the U.S. healthcare sector centers on breaches of financial and patient data rather than on product and service strategic sourcing, contracting and transactions, but this doesn’t lure supply chain executives into a false sense of security.
Whether they electronically reach into contracting catalogues, email systems, or product and purchasing databases, all linked with clinical, financial and patient systems, hackers and hacktivists (from thrill-seeking enthusiasts to hired contractual goons or corporate stooges) know how to navigate their way through the complex web of confidential, private and heretofore thought-to-be-secure information via data breaches, phishing scams and ransomware attacks.
Factor in artificial intelligence (AI) as a new defensive or offensive weapon, depending on your intent, and the digital fortress under which you operate, designed to protect servers, desktops, laptops, tablets and mobile smartphones, likely no longer feels impenetrable. It’s enough to motivate a yearning for those analog days of fax machines, land lines, pagers and sticky notes.
Fortress of certitude
Supply chain executives at some of the leading integrated delivery networks (IDNs) across the country express confidence in their cybersecurity playbooks for both defensive (protective) and offensive (preventive) measures. They acknowledge the need for comprehensive and ongoing risk assessments linked with information security executives like never before.
In the past, supply chain largely relied on inventory management systems, materials management information systems or supply chain modules of enterprise resource planning (ERP) systems, but nowadays the software spread extends to a variety of integrated business intelligence tools that include contract and customer relationship management, demand management, lifecycle costing and warehouse management specialties that can incorporate robotic process automation (RPA) and internet of things (IoT)/machine-to-machine (M2M) communications with external equipment.
One of supply chain’s fundamental tactics involves working with IT and collaborating on a business partner assessment questionnaire.
“Mayo Clinic has a comprehensive intake and lifecycle third-party risk management process,” said Bruce Goff, senior director, Category Management, Supply Chain, who oversees third-party risk management for the Rochester, Minnesota-based organization. “The TPRM process is managed by our Supply Chain, but actual risks and their severity are defined by our IT, cybersecurity, compliance, and other areas. As risks are identified, risk management tasks – mainly related to contract language and obligations – are defined. Higher risks that are outside norms are escalated to the appropriate oversight committee. After an agreement is executed, there is an implementation assurance process before go-live. Finally, during the course of the contract, we also conduct lifecycle management activities on a one-, two-, or three-year cycle depending on the level of risk or if the vendor has a security incident.”
Joe Dudas, division chair, Supply Chain Management Innovation and Planning at Mayo, emphasizes supply chain’s hands-on involvement in this process as opposed to shifting accountability and responsibility to IT alone.
“Our most senior leadership is engaged in this as is our Chief Supply Chain Officer (Jim Francis) who governs the process and oversees the results,” Dudas noted. “Supply Chain is the active manager of our TPRM processes – meaning all our supplier relationships – and built into our procurement and supplier relationship processes. While we understand the basic requirements and standards associated with cybersecurity, our IT Security Team – and consultants under management of IT – conduct the assessments, determine risk and work with the supplier to ensure appropriate mitigation is put in place per the risk. This is comprehensive, not limited to supply chain systems.”
Any organization, regardless of location, size or type, can and should apply this logic to their own processes, according to Goff.
“[Mayo Clinic] has a very integrated and clinically driven supply chain function,” Goff said. “We work across all categories of supply – direct, indirect, purchased services. So, we already occupy a key position. For organizations not as integrated, the function needs to be located and empowered to facilitate these issues based upon your culture. It also requires a strong internal customer service attitude so that things stay moving.
“The bottom line is that no department gets a pass or can throw it over the cube wall,” he continued. “Design a process that takes in various data points so they can review through their risk lens. Put some reasonable turnaround metrics in place that are sized for your organization. Try to document decisions so that over time you have more objectives – think playbooks – for faster and more consistent decision making. That is doable at all-sized organizations.”
Mayo Clinic’s assessments are multi-dimensional and are based on the criticality of the system, the information contained and transmitted and the vulnerability per architectural, security, finance and historical risks, etc., Dudas insisted. “We would not purchase a system or enable it if risks were high and not mitigated,” he added.
Goff cited the use of “offshore services” as one example “where we have less control and less information to analyze the risk.”
Parallel pathways
At BJC HealthCare, St. Louis, supply chain and IT mutually embrace their respective expertise when it comes to assessing third-party risk.
“Supply chain’s role is to assess risk and engage IT security to determine organizational risk and actions required of a supplier to do business with our company,” said Tom Harvieux, BJC’s Chief Supply Chain Officer. Harvieux’s team worked with IT security to develop an assessment questionnaire that suppliers and vendors must complete prior to any contract signing or product purchasing.
“The bottom line is that almost anything we buy that’s not a disposable product and that touches a patient in some way or form tries to collect [operating and patient] data and connect to our network. For example, a knee implant now will have a sensor in it to see how the knee is performing, and that’s looking to connect to the internet. That’s how far this is going. Every device you buy – whether it be minor equipment, capital, blood pressure cuffs, IV pumps, compression sleeves – everything is connecting to the internet so you can integrate it with your network.”
Harvieux acknowledges that any piece of capital equipment not only connects online to the manufacturer for maintenance and technology upgrading but also to the electronic health or medical record of the patient. “That’s why we make sure our IT security looks at our agreements with the understanding that these products are both online and inside our network,” he added. “That’s the norm now.”
Milwaukee-based Froedtert ThedaCare Health Inc.’s supply chain team operates with similar caution and preparation.
“We work closely with our IT department to ensure that our supply chain systems are monitored frequently and remain secure,” assured Jacob Groenewold, vice president and Chief Supply Chain Officer. “We also work closely with our ERP provider to maintain a secure environment and provide regular updates to maintain up-to-date software platforms across our enterprise. Our IT department has a very robust cyber security program, which includes frequent testing of employees and regular education to keep all of us informed of current threats in the market. ‘Phishing’ emails are constantly attacking us, and our IT team does a good job of working to educate us on the ever-increasing threat to our systems.”
Froedtert’s supply chain team relies on an IT assessment, too.
“Each of our vendors must go through third-party risk assessments to ensure they meet our standards for security,” indicated Jack Koczela, director, Sourcing & Transformation, Supply Chain. “In partnership with IT, we re-evaluate our vendors on a regular basis depending on the level of risk they bring to our organization.”
The cybersecurity assessment also includes teeth to close doors.
“We have had a few vendors that were unable to meet our security standards for the [software-as-a-service] solution they were hosting,” Koczela noted. “We followed our standard IT security vetting process, and they were unable to demonstrate full compliance with our requirements. After numerous conversations with the vendor, we agreed to remove the problematic function from the contract and proceed with the rest.”
At Stanford (CA) Medicine, the supply chain team invokes its risk detection and management procedures before contracting and onboarding of a supplier, according to Amanda Chawla, MHA, FACHE, CMRP, senior vice president and Chief Supply Chain Officer.
“At this foundation layer, it is essential to have clear vetting criteria and standards of expectations of the partnership upfront; negotiating and being super clear on cybersecurity criteria/roles is important,” Chawla said. “Setting that clear expectation of what we directly control and what the supplier controls is essential.
“For supplier cyber risks, you have to pick where the line is between what you’ll direct versus what you demand your suppliers take care of,” she continued. “Where do you focus your teams, investments and controls versus legal shifting of risk to suppliers? You can invest in active auditing of your supplier’s remote operations, but there’s always some point at which you have to rely on them to meet their contract obligations to keep their services functioning. Once you know where you’ll draw the line, you can establish technical and process controls to detect problems. For example, your cyber monitoring and business process monitoring should link to each other so that cyber issues like phishing are detected and your organization can realize and react to phishing coming from your supply chain. It could be a sign your supplier is under larger attack that could affect their ability to service customers.”
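The linkage Chawla describes, between cyber monitoring and business process monitoring, can be made concrete by correlating secure-email-gateway phishing verdicts with the supplier roster that sourcing already maintains. The following is an added example, not code from Stanford Medicine or any organization quoted in this article: the roster, the log format, the tier thresholds and the 24-hour window are all assumptions, and the gateway lines are constructed sample data. When a roster supplier's own domain produces repeated phishing verdicts inside the window, the script raises an alert addressed to the business owner of that relationship, which is the signal that the supplier itself may be under attack.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical roster exported from the supplier-management (business process) side.
SUPPLIER_ROSTER = {
    "acme-implants.example": {"name": "Acme Implants", "owner": "Orthopedics sourcing", "tier": "high"},
    "pumpco.example": {"name": "PumpCo", "owner": "Clinical engineering", "tier": "high"},
    "snackvend.example": {"name": "SnackVend", "owner": "Facilities", "tier": "low"},
}

# Assumed policy: how many phishing verdicts from one supplier's domain inside
# the window are enough to alert, by relationship risk tier.
THRESHOLD_BY_TIER = {"high": 2, "low": 3}

# Constructed sample of secure-email-gateway verdict lines (not real log output).
GATEWAY_LOG = """\
2024-04-01T08:00:00 sender=billing@acme-implants.example verdict=phish
2024-05-06T09:12:00 sender=billing@acme-implants.example verdict=phish
2024-05-06T09:40:00 sender=ar@acme-implants.example verdict=phish
2024-05-06T10:00:00 sender=orders@pumpco.example verdict=clean
2024-05-06T10:30:00 sender=orders@pumpco.example verdict=phish
2024-05-06T11:05:00 sender=support@acme-implants.example verdict=phish
2024-05-06T12:00:00 sender=promo@snackvend.example verdict=phish
2024-05-06T12:10:00 sender=promo@snackvend.example verdict=phish
2024-05-06T12:30:00 sender=news@unknown.example verdict=phish
"""

LINE_RE = re.compile(r"^(\S+) sender=\S+@(\S+) verdict=(\w+)$")


def parse_gateway_log(text):
    """Return (timestamp, sender_domain, verdict) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, domain, verdict = m.groups()
        events.append((datetime.fromisoformat(ts), domain.lower(), verdict))
    return events


def supplier_phishing_alerts(events, roster=SUPPLIER_ROSTER, window=timedelta(hours=24)):
    """Alert on roster suppliers whose domain produced enough phishing verdicts in the window.

    Only domains on the roster are considered: the point is to tie a cyber signal
    to a known supplier relationship and its business owner. The window is anchored
    at the most recent phishing verdict for that domain, so old isolated events
    (e.g. the April line for Acme) do not count toward the current burst.
    """
    phish_times = defaultdict(list)
    for ts, domain, verdict in events:
        if verdict == "phish" and domain in roster:
            phish_times[domain].append(ts)

    alerts = []
    for domain, times in phish_times.items():
        latest = max(times)
        recent = [t for t in times if t >= latest - window]
        info = roster[domain]
        if len(recent) >= THRESHOLD_BY_TIER[info["tier"]]:
            alerts.append({
                "supplier": info["name"],
                "domain": domain,
                "notify": info["owner"],       # business process owner to engage the supplier
                "phish_in_window": len(recent),
                "window_end": latest.isoformat(),
            })
    return sorted(alerts, key=lambda a: a["supplier"])


if __name__ == "__main__":
    for alert in supplier_phishing_alerts(parse_gateway_log(GATEWAY_LOG)):
        print(alert)
```

On the sample data only Acme Implants trips the alert (three verdicts within a day on a high-tier relationship); PumpCo has one, SnackVend is two short of its low-tier threshold, and the unknown domain is outside the roster and ignored. Exact-domain matching is a deliberate simplification: it catches mail sent from a compromised supplier account, which is the scenario in the quote, but lookalike domains impersonating a supplier need a separate check.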
A ‘team sport’
Such efforts should offer mutual value, according to Mike Mucha, Stanford’s Chief Information Security Officer.
“Giving your partner a heads up about a problem you’re seeing should be presented and received as helpful,” he added. “We’re all in this together!”
For Coral Gables, Florida-based Baptist Health South Florida, cybersecurity remains a team sport, notes George Godfrey, Chief Supply Chain Officer and corporate vice president, Financial Shared Services.
“We are joined at the hip with our IT partners on an ongoing basis for any new technology we’re sourcing,” he said. “We’re doing technical reviews so if it’s a new technology that we’ve never deployed or even when we go to replace a technology, we’re also making sure that there’s no other connection points that we’re not aware of that changes the game. That’s an ongoing, day-to-day process that two groups manage because we will not issue a PO until those reviews are completed and until the group is satisfied that we have minimized the risk to the system.
“The clinical partners can push for something really quick, and we will honor that, but we will make sure we don’t move superfast and make a mistake that could [affect] the system,” he added.
Much depends on the size and type of an organization’s IT system as well, according to Godfrey. He says that larger platforms – including ERPs, business intelligence tools and contract management systems – may offer different levels of security than smaller niche systems.
“When you’re building a fortress, you have to be pure,” he noted. “You have to put in layers of protection no matter what system you have. If you get too fragmented it gives you more systems you must monitor, more systems you have to fortify, more systems you have to pay attention to versus trying to do your best to leverage larger applications that can do many things. You try to implement technology that you can leverage over multiple applications.” In short, larger organizations tend to use larger systems with more sophisticated technologies.
Godfrey admits the challenges in assessing data access and transmission risks among the myriad suppliers, vendors and service companies that providers use, including online exchanges, pharmaceutical distributors and wholesalers, product manufacturers and distributors, transportation services and payment services.
“The challenge is how to ensure external suppliers are well protected from a cybersecurity standpoint,” he said. “It’s very difficult and expensive for a single healthcare provider to assess the many suppliers – even when having a supplier fill out a multi-page risk assessment form. Hopefully, we’re doing enough and that it’s providing value.
“We’re typically requiring this for any medical device that will connect to our system,” Godfrey continued. “It’s not that we’re requiring a multi-form security review for a vendor that’s supplying snacks in a vending machine. But if I’m connecting a [magnetic resonance imaging] unit or a [computed tomography] scanner, any type of major medical equipment that could have patient information, we’re going through a lot of due diligence to ensure that the manufacturer has followed strict guidelines that are stated by the FDA, and then there’s guidelines about what firewalls we’re going to have and what firewalls they’re going to have and how we’re going to connect.”
The breach of UnitedHealthcare’s Change Healthcare system admittedly gives Godfrey pause about the effectiveness of provider assessment efforts. “This was a major clearinghouse where you could have given them a survey and they could have provided a long list of steps they take to prevent cybersecurity issues,” he observed. “But at the end of the day, whatever they did didn’t work.” Per an “AMA Update” report, Change Healthcare isolated its systems to prevent the cyberattack from affecting the connected systems of UnitedHealthcare, UnitedHealth Group and Optum.
Back in March, the “AMA Update” cited a Cisco Talos Intelligence Group report that found healthcare as the industry most targeted by cybercriminals during the first half of 2023. In fact, in nearly half of the attacks, hackers “exploited public-facing applications to establish initial access.” Healthcare slipped off Cisco Talos’ “top targeted” list in the third quarter, according to the “AMA Update,” but finished the year as No. 3 behind manufacturing and education.
Per the “AMA Update,” the Department of Health and Human Services Office for Civil Rights reported 733 large data breaches involving nearly 134.8 million people in 2023, compared with 55.9 million people affected by breaches reported in 2022. See ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
For the 13th consecutive year, the United States held the title for the highest data breach costs in the world with an average total cost of $9.48 million, according to IBM Security’s report titled, “Cost of a Data Breach Report 2023.” See www.ibm.com/downloads/cas/E3G5JMBP. Within the healthcare sector alone the average cost of a studied breach approached $11 million in 2023, a 53% increase since 2020, according to the report.