Determining an organization’s supply chain cybersecurity risk can be more overt than covert.
By R. Dana Barlow
July 2024 – The Journal of Healthcare Contracting
Media reports of increasing numbers of healthcare system breaches negate any lack of awareness.
Instead, Bruce Goff, senior director, Category Management, Mayo Clinic, Rochester, Minnesota, points to an organization’s failure to acknowledge cybersecurity issues within its own systems as particularly challenging. Warning signs can include the lack of an assigned security official, or a similar lack of structure for managing cybersecurity risks as the vendor list grows; a lack of understanding about the healthcare environment and the requirements of covered entities; financial data that suggests a lack of investment in risk management; a lack of HITRUST certification and SOC 2 Type II compliance; and, more obviously, recent cyber incidents.
Meanwhile, Jacob Groenewold, System Vice President and Chief Supply Chain Officer, Froedtert ThedaCare Health Inc., Milwaukee, identifies erratic or slow behavior of running systems, as well as information that may not look accurate or consistent, as other alerts, a view Jack Koczela, director, Sourcing & Transformation, Supply Chain, echoes in agreement.
“When it comes to phishing and other scams, I look for simple signs such as unexpected email addresses, erroneous information, attachments and misspellings,” Koczela said. “For more advanced security issues, our IT security team helps us to identify industry standard security methods to secure systems and data. When vendors cannot quickly answer these security configuration questions, this raises red flags.”
At BJC HealthCare, St. Louis, Tom Harvieux, Chief Supply Chain Officer, remembers older equipment running on earlier software versions as raising alarms.
“We had an old X-ray machine in radiology and some lab equipment running on [an older Windows version], which didn’t allow us to secure those items,” he said. “We have a very robust IT security team, and they work to locate all those access points where people can get in. IT put a firewall around those computers on the network so that if someone got in through a vulnerability point, they would be isolated from our network.” Harvieux further noted an example of how hackers penetrated one healthcare system’s network by accessing their HVAC system, which was identified as the weakest point.
Healthcare organizations must avoid an ostrich mentality, according to Amanda Chawla, MHA, FACHE, CMRP, senior vice president and Chief Supply Chain Officer, Stanford (CA) Medicine.
“Organizations that say they don’t have cyber incidents or admit that they don’t have a lead for cyber risks, or programs for monitoring and response should be a warning sign,” she said. “Everyone has cyber issues in modern times, so if your head is in the sand, you’re already at incredible risk. A first level of due diligence is to ask some simple questions about cyber controls or governance. If the organization has no response, or an unenthusiastic one, that’s a warning sign. If your supplier or partner is silent or indicates that they do not have cyber security risks or issues you need to lean in and ask more questions. What is their downtime plan? How do they communicate? Is there standard work? Ask lots of questions.”
Fortress of fortitude
As healthcare provider and supplier organizations scramble to erect digital defenses around their systems through supply chain-IT security collaboration and detailed risk assessment processes and surveys, questions arise about whether anything can be done even earlier.
For example, what if the federal government or a regulatory agency like The Joint Commission (TJC) or payers established and developed universal best practices and data security standards for the industry to satisfy?
IDN supply chain and IT security experts express cautious optimism and realistic skepticism.
“A consistent framework is essential, so federal guidance is important,” Mayo Clinic’s Goff indicated. “But given the pace of change, a different regulatory framework would be needed to continually update what is low-, medium- or industry-leading effectiveness. The federal government may be best at setting the floor, where TJC and the insurance carriers can have leverage on what is acceptable based upon price signals. There must be standards, including a regulatory floor. I just question what level of government or other organizations can meaningfully keep up.”
Froedtert’s Groenewold stands behind ongoing physical and digital vigilance as a baseline.
“Continuous monitoring of external ‘attack’ threats is clearly a best practice,” he noted. “Use of available IT platforms that automatically monitor and funnel these types of ‘distractions’ into defense mechanisms would certainly be a proactive way to fend off some of these threats. We at Froedtert Health have proactive measures in place to monitor our emails, and place anything that might be suspicious into a ‘hold’ file on a personal portal that then requires us to review and approve or delete. This mechanism works very well. I think TJC could look at how systems work to secure and prevent cyberattacks, and could certainly create some guidelines around this, but in the end, as was seen by the recent Change Healthcare, even some of the strongest companies can be vulnerable to a cyberattack, as strong as your defense is.”
Might the levying of financial penalties for non-compliance influence behaviors?
“Many of our contracts do include security measures as part of the agreement,” Froedtert’s Koczela reassured. “A vendor who fails to meet agreed-upon standards of security may be considered in breach of the contract.”
BJC’s Harvieux contends the industry already has standards and guidelines, such as HITRUST, SOC 2, ISO 27001. “Those are third parties that we look to see if our trading partners have a SOC 2 report, ISO 27001 certification, etc., then we know that they’ve gone through rigorous IT security,” he said. “We also look to make sure they have a certificate of insurance for cybersecurity liability and that they’re doing strong encryption.
“We would do everything in our power not to do business with those who don’t meet those criteria,” Harvieux insisted. “The security risk is too high. It would likely be a hard no. We couldn’t do business with them.”
Stanford’s Chawla urges examination of the financial resources necessary.
“Best practices are a complicated topic because it is easy to list more steps to take for protection, but the best practice lists don’t address funding,” she said. “Unfunded mandates don’t work and can lead to worse outcomes. That said, some of the more straightforward choices are multi-factor authentication and encrypting data by default, since these measures directly solve some very practical problems and directly reduce risks.”
At Baptist Health South Florida, Coral Gables, Florida, George Godfrey, Chief Supply Chain Officer and corporate vice president, Financial Shared Services, mulls whether FDA approval or clearance for marketing of products could include cybersecurity stipulations based on the premise of potential patient harm or impact if a certain device were hacked. “Whether it’s the FDA or some other regulatory agency, there’s someone that says you’re not going to be able to sell or ship any products or services into this provider ecosystem without this certification or documentation,” he noted.
Godfrey further indicates that payers likely will care more once cyberattacks impact their business directly. Incidents against individual healthcare provider organizations may not trigger much of a response, he adds.
“The question becomes how do we fortify the industry to motivate people NOT to want to hack into individual hospitals or major systems or major infrastructure that supports this important resource of providing patient services?” Godfrey asked. “If hacking has a material effect on patient care, such as a hospital cannot operate or accept patients, then you certainly want to figure out how to avoid it at all costs.”
Reinforcing digital infrastructure
Healthcare providers must think meaningfully about strategies and tactics to protect themselves from outside digital intrusions, whether through internal expertise or external third-party service companies. But supply chain and IT security leaders extol the value of both, exploring the issues on a case-by-case basis.
“In either path, leadership must stay actively engaged to become fluent in the issues and ensure the work is being completed as agreed,” advised Mayo Clinic’s Goff. “Even where leadership may not have the expertise, they should still work closely with their contracting teams to create deliverables and timelines that hold the vendor accountable. If work is not getting completed as agreed, there is then a great starting point for comparison moving forward.
“Leadership needs to constantly assess what is core versus not core,” Goff continued. “But they must also ensure that as a team they have the ability to lead and manage things even if they are not core. Solidly worded contracts are oftentimes one of the best tools.”
Joe Dudas, Mayo Clinic’s division chair, Supply Chain Management Innovation and Planning, contends that security is a functional requirement: “There are ways to isolate various technologies and firewall them. It really depends on how critical the system is and what alternatives we have. Today, just about everything has a processor and some sort of software so this is not limited to typical IT systems.”
Froedtert’s Koczela places some of the onus on the provider.
“We should own our general cybersecurity strategy, but we do not have the expertise or scale to own all aspects,” he admitted. “We must partner with experts who understand things like enterprise cloud security.”
Much depends on health system maturity and resources so that hybrid modeling may be the optimal course of action, according to BJC’s Harvieux. “Smaller hospitals may be best to outsource as resources and talent are limited. Larger health systems will do more in-house and outsource highly technical monitoring and security systems. Mid-sized facilities may lean more toward outsourcing. It all comes down to internal capabilities and level of security you’re aiming for,” he said.
Stanford’s Chawla favors a mix of internal and external resources.
“Internal experts are needed to own the business outcome, manage third parties and map cyber investments to business goals,” she said. “External experts are needed to aggregate global knowledge and skills on a scale that a single organization can’t typically bring to bear. For example, aggregating enough data to keep up to date on the latest phishing attacks is a global problem for service providers that aggregate cyber incident data on a global, multi-thousand customer scale. Individual organizations can’t replicate that, but they can and need to leverage those services. You need to assess where your organization is at and what is best for you in terms of expertise, resources, sensitivity and complexity of data and risk.”