A new report from healthcare data security firms Trend Micro and HITRUST examines the supply chain, which the organizations believe is an overlooked part of hospital and clinic operations that hackers can use to establish a foothold in the organization.
“We strongly recommend a blend of security technology and employee/partner awareness and education, including a threat response protocol,” they caution. “Healthcare IT teams must create, enforce and frequently review a risk management system and governance framework related to the transfer of resources to and from any entity outside a network’s trusted circle to minimize the risk of supply chain attacks.”
Medical products, medicine and supplies manufacturers
The hospital or clinic acquiring products may not have control over the manufacturing process, specifically whether it is secure enough to prevent threat actors from tampering with the product during manufacture.
The hospital or clinic that eventually buys products may not have intimate knowledge of the security enforced by the distribution centers, or whether their employees or their third-party contractors have access to the products prior to shipping to actual hospital suppliers.
Shipping and transportation companies
A hospital or clinic buying products may not have intimate knowledge of the security enforced by their or the distribution center’s logistics vendor, or whether their employees or their third-party contractors have access to the products prior to delivery to end users.
The hospital or clinic buying the products or services may not have control over any storage or repacking practices of its suppliers, or know whether cybersecurity practices are in place in the supplier’s network, to which the hospital is expected to connect regularly.
The hospital or clinic may not have control over vendor hiring practices for services such as equipment, HVAC, ISP, telephony or the like. These types of vendors may not be enforcing sufficient background checks on their own staff, any of whom may introduce a threat into the network.
Mobile health app, HIS or other software developer
The hospital or clinic may not have control over, or knowledge of, the security of the code or the developers’ coding practices, or whether the developer has ensured enough safeguards are in place to prevent the discovery or exploitation of vulnerabilities in their apps or software. Taken further back up the supply chain, the operating systems used in various segments of healthcare networks can have vulnerabilities of their own.
Outdated and unpatched firmware in medical devices or equipment
The hospital or clinic may not realize that even medical devices and equipment have embedded firmware that must be updated when necessary, or that they may be infected with malware. Threat actors can leverage these open security holes to either compromise the hardware or move laterally inside the network.
Previous employees or non-core services staff
The hospital or clinic may not have control over the behavior of previously employed staff (if IT has not terminated their access completely) or of current vendor staff, and may have no way to check whether they are abusing access privileges or using hospital resources in an insecure manner. Former employees may even take advantage of weak authentication procedures, given what they know about internal processes.