8 ways a supply chain raises cyber security risks

Published
  • April 10 2018, 4:00am EDT


A new report from security vendor Trend Micro and the Health Information Trust Alliance (HITRUST) examines the supply chain, which the two organizations consider an overlooked part of hospital and clinic operations that attackers can use to establish a foothold inside the organization.

“We strongly recommend a blend of security technology and employee/partner awareness and education, including a threat response protocol,” they caution. “Healthcare IT teams must create, enforce and frequently review a risk management system and governance framework related to the transfer of resources to and from any entity outside a network’s trusted circle to minimize the risk of supply chain attacks.”

Medical products, medicine and supplies manufacturers

The hospital or clinic acquiring products may not have control over the manufacturing process, specifically whether it is secure enough to prevent threat actors from tampering with the product during manufacture.


Distribution centers

The hospital or clinic that eventually buys products may not have intimate knowledge of the security enforced by the distribution centers, or whether their employees or their third-party contractors have access to the products prior to shipping to actual hospital suppliers.

Shipping and transportation companies

A hospital or clinic buying products may not have intimate knowledge of the security enforced by their or the distribution center’s logistics vendor, or whether their employees or their third-party contractors have access to the products prior to delivery to end users.

Suppliers

The hospital or clinic buying the products or services may not have control over the storage or repacking practices of suppliers, if any, or over whether adequate cybersecurity practices are in place on the supplier's network, which the hospital is expected to connect to regularly.


Vendors/contractors or hospital staff

The hospital or clinic may not have control over vendor hiring practices for services such as equipment maintenance, HVAC, ISP, telephony or the like. These types of vendors may not enforce sufficient background checks on their own staff, any of whom may introduce a threat into the network.

Mobile health app, HIS or other software developer

The hospital or clinic may not have control over, or knowledge of, the security of the code or the developers' coding practices, including whether the developer has put enough safeguards in place to prevent the discovery or exploitation of vulnerabilities in their apps or software. Further back up the supply chain, the operating systems used in various segments of healthcare networks can have vulnerabilities of their own.

Outdated and unpatched firmware in medical devices or equipment

The hospital or clinic may not realize that medical devices and equipment run embedded firmware that needs to be updated like any other software, or that such devices may already be infected with malware. Threat actors can leverage these unpatched holes either to compromise the hardware itself or to move laterally inside the network.


Previous employees or non-core services staff

The hospital or clinic may not have control over the behavior of former staff (if IT has not terminated their access completely) or of current vendor staff, and may not be checking whether they are abusing access privileges or using hospital resources in an insecure manner. Former employees may also take advantage of weak authentication procedures, knowing what they do about internal processes.
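The gap named above, an account that outlives its owner's employment, is one IT can check for mechanically rather than trusting that every offboarding ticket was closed. The following is an added example, not code from the article or from the Trend Micro/HITRUST report: it reconciles a constructed HR offboarding feed against a constructed directory export and flags accounts still enabled after a separation date, logons after that date, enabled accounts that have gone dormant, vendor accounts sitting in privileged groups, and accounts with no HR owner at all. The field names, the 90-day dormancy window and the privileged-group list are assumptions.

```python
"""Reconcile an HR offboarding feed against a directory export.

Added example; the records below are constructed, and the field names,
dormancy window and privileged-group list are assumptions.
"""
from datetime import date

REPORT_DATE = date(2018, 4, 10)        # "today" for the check
DORMANT_DAYS = 90                      # assumed threshold for a dormant account
PRIVILEGED_GROUPS = {"Domain Admins"}  # assumed set of high-privilege groups

# Constructed HR feed: account owner, employer, last working day (None = still active)
HR_RECORDS = [
    {"user": "jdoe",       "employer": "hospital",   "last_day": date(2018, 3, 2)},
    {"user": "asmith",     "employer": "hospital",   "last_day": None},
    {"user": "hvac-tech1", "employer": "AcmeHVAC",   "last_day": date(2018, 2, 15)},
    {"user": "isp-oncall", "employer": "ExampleISP", "last_day": None},
]

# Constructed directory export: account state, last logon, group membership
DIRECTORY = [
    {"user": "jdoe",       "enabled": True,  "last_logon": date(2018, 4, 1),  "groups": ["EHR-Users", "VPN"]},
    {"user": "asmith",     "enabled": True,  "last_logon": date(2018, 4, 9),  "groups": ["EHR-Users"]},
    {"user": "hvac-tech1", "enabled": False, "last_logon": date(2018, 2, 10), "groups": ["BMS-Remote"]},
    {"user": "isp-oncall", "enabled": True,  "last_logon": date(2017, 11, 3), "groups": ["VPN", "Domain Admins"]},
    {"user": "svc-legacy", "enabled": True,  "last_logon": date(2018, 4, 5),  "groups": ["VPN"]},
]


def find_access_gaps(hr_records, directory, today=REPORT_DATE, dormant_days=DORMANT_DAYS):
    """Return (account, finding) pairs for accounts that should not be live as they are."""
    hr_by_user = {r["user"]: r for r in hr_records}
    findings = []
    for acct in directory:
        name = acct["user"]
        rec = hr_by_user.get(name)
        if rec is None:
            # Nobody in HR owns this account, so no departure will ever trigger its removal.
            findings.append((name, "no owner in HR feed"))
            continue
        separated = rec["last_day"] is not None and rec["last_day"] < today
        if separated and acct["enabled"]:
            findings.append((name, "enabled after separation"))
            if acct["last_logon"] > rec["last_day"]:
                # Access was not merely left open; it was used after the last day.
                findings.append((name, "logon after separation"))
        if acct["enabled"] and (today - acct["last_logon"]).days > dormant_days:
            findings.append((name, "dormant but enabled"))
        if rec["employer"] != "hospital" and PRIVILEGED_GROUPS.intersection(acct["groups"]):
            findings.append((name, "vendor account in privileged group"))
    return findings


if __name__ == "__main__":
    for account, finding in find_access_gaps(HR_RECORDS, DIRECTORY):
        print(f"{account:12s} {finding}")
```

Against the constructed data the check reports the former employee whose account was still used after their last day, the vendor on-call account that is both dormant and a domain admin, and the service account nobody in HR owns; the contractor whose account was properly disabled produces no finding. In practice the HR side should come from the system of record and include vendor contract end dates, since vendor staff turnover is exactly the change the hospital has least visibility into.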

More information

The full report from Trend Micro and HITRUST is available here.