8 ways a supply chain raises cyber security risks
A new report from Trend Micro and HITRUST examines the supply chain, which the two organizations consider an overlooked part of hospital and clinic operations that attackers can use to establish a foothold in the organization.

“We strongly recommend a blend of security technology and employee/partner awareness and education, including a threat response protocol,” they caution. “Healthcare IT teams must create, enforce and frequently review a risk management system and governance framework related to the transfer of resources to and from any entity outside a network’s trusted circle to minimize the risk of supply chain attacks.”
Medical products, medicine and supplies manufacturers
The hospital or clinic acquiring products may not have control over the manufacturing process, specifically whether it is secure enough to prevent threat actors from tampering with the product during manufacture.
Distribution centers
The hospital or clinic that eventually buys products may not have intimate knowledge of the security enforced by the distribution centers, or whether their employees or their third-party contractors have access to the products prior to shipping to actual hospital suppliers.
Shipping and transportation companies
A hospital or clinic buying products may not have intimate knowledge of the security enforced by its own logistics vendor or the distribution center's, or whether those vendors' employees or third-party contractors have access to the products prior to delivery to end users.
Suppliers
The hospital or clinic buying the products or services may not have control over the storage or repacking practices of suppliers, if any, or whether cybersecurity practices are in place in the supplier’s network that the hospital is expected to be connecting to regularly.
Vendors/contractors or hospital staff
The hospital or clinic may not have control over vendor hiring practices for services such as equipment maintenance, HVAC, ISP, telephony or the like. These types of vendors may not be enforcing sufficient background checks on their own staff, any of whom may introduce a threat into the network.
Mobile health app, HIS or other software developer
The hospital or clinic may not have control over, or knowledge of, the security of the code or the developers' coding practices, or whether the developer has put enough safeguards in place to prevent the discovery or exploitation of vulnerabilities in its apps or software. Taken further back up the supply chain, the operating systems used in various segments of healthcare networks can themselves have vulnerabilities.
Outdated and unpatched firmware in medical devices or equipment
The hospital or clinic may not realize that medical devices and equipment also carry embedded firmware that must be updated when fixes are released, or that the devices may already be infected with malware. Threat actors can leverage these open security holes either to compromise the hardware itself or to move laterally inside the network.
Previous employees or non-core services staff
The hospital or clinic may not have control over the behavior of former employees (if IT has not terminated their access completely) or of current vendor staff, and may have no way to check whether they are abusing access privileges or using hospital resources in an insecure manner. Former employees may even take advantage of weak authentication procedures, given what they know about internal processes.
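The practical control behind this item is a periodic access review: reconcile the HR and vendor rosters against the directory and the authentication log, and flag accounts that outlived their owner's termination. The script below is an added example, not code from the Trend Micro and HITRUST report; the roster, directory export and log lines are constructed sample data, and the `user=... src=... result=...` log format is an assumption standing in for whatever the real identity provider emits.

```python
"""Offboarding access review (added example, not from the report).

Flags three things the passage above describes:
  * accounts still enabled after the owner's HR/vendor termination date
    (HIGH if the account has also logged in since, MEDIUM otherwise),
  * login attempts against accounts that were correctly disabled (NOTE),
  * enabled accounts with no HR or vendor owner at all (ORPHAN).
"""
import re
from datetime import date, datetime

# --- Constructed sample inputs; real data would be exported from HR/the IdP ---
HR_ROSTER = {
    # user_id: (employer, termination date or None if still active)
    "jdoe": ("hospital", date(2017, 9, 1)),
    "asmith": ("hospital", None),
    "hvac01": ("Acme HVAC (vendor)", date(2017, 10, 15)),
    "isp-tech": ("Metro ISP (vendor)", None),
}

DIRECTORY = {
    # user_id: account enabled?
    "jdoe": True,        # terminated in September but never disabled
    "asmith": True,
    "hvac01": False,     # vendor contractor, correctly disabled
    "isp-tech": True,
    "svc-backup": True,  # no HR or vendor record behind this account
}

AUTH_LOG = """\
2017-10-20T08:12:03 LOGIN user=jdoe src=10.4.2.17 result=success
2017-10-20T08:15:44 LOGIN user=asmith src=10.4.2.20 result=success
2017-10-21T02:03:11 LOGIN user=hvac01 src=203.0.113.9 result=failure
2017-10-21T02:03:40 LOGIN user=hvac01 src=203.0.113.9 result=failure
2017-10-22T11:45:00 LOGIN user=isp-tech src=198.51.100.7 result=success
"""

# Assumed log line format: "<ISO timestamp> LOGIN user=<id> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "success": m["result"] == "success",
        })
    return events


def review_access(roster, directory, events):
    """Return (user, severity, reason) tuples for accounts needing action."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, enabled in directory.items():
        record = roster.get(user)
        if record is None:
            if enabled:
                findings.append((user, "ORPHAN", "enabled account with no HR or vendor owner"))
            continue
        employer, terminated = record
        if terminated is None:
            continue  # active employee or contractor; nothing to flag here
        # Any authentication activity dated after the termination date
        later = [e for e in by_user.get(user, []) if e["ts"].date() > terminated]
        if enabled:
            severity = "HIGH" if any(e["success"] for e in later) else "MEDIUM"
            findings.append((user, severity,
                             f"still enabled after {employer} termination on {terminated}"))
        elif later:
            findings.append((user, "NOTE",
                             f"{len(later)} login attempt(s) after termination on {terminated}"))
    return findings


if __name__ == "__main__":
    for user, severity, reason in review_access(HR_ROSTER, DIRECTORY, parse_auth_log(AUTH_LOG)):
        print(f"{severity:7} {user:12} {reason}")
```

On the sample data the review flags `jdoe` as HIGH (a hospital account used successfully seven weeks after termination), `hvac01` as a NOTE (the disabled vendor account is still being tried from an external address, which is worth watching even though it fails), and `svc-backup` as an ORPHAN. Running this against a nightly HR export is a cheap way to close the gap the passage describes; the comparison should use the termination date from HR rather than the date IT happened to hear about it.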
More information
The full report from Trend Micro and HITRUST is available here.