Supply Chain Cover.jpg
8 ways a supply chain raises cyber security risks
A new report from healthcare data security firms Trend Micro and HITRUST examines the supply chain, which the organizations believe is an overlooked part of hospital and clinic operations that hackers can use to establish a foothold in the organization.

“We strongly recommend a blend of security technology and employee/partner awareness and education, including a threat response protocol,” they caution. “Healthcare IT teams must create, enforce and frequently review a risk management system and governance framework related to the transfer of resources to and from any entity outside a network’s trusted circle to minimize the risk of supply chain attacks.”
Supply Chain Show AdobeStock_59484657 A.jpeg
Nurses arranging stock in hospital storage room
Medical products, medicine and supplies manufacturers
The hospital or clinic acquiring products may not have control over the manufacturing process, specifically whether it is secure enough to prevent threat actors from tampering with the product during manufacture.
Supply Chain Show AdobeStock_40537716 B.jpeg
medical factory supplies storage indoor with workers people
Distribution centers
The hospital or clinic that eventually buys products may not have intimate knowledge of the security enforced by the distribution centers, or whether their employees or their third-party contractors have access to the products prior to shipping to actual hospital suppliers.
Supply Chain Show AdobeStock_55377889 C.jpeg
rack stack arrangement of cardboard boxes in a store warehouse
Shipping and transportation companies
A hospital or clinic buying products may not have intimate knowledge of the security enforced by their or the distribution center’s logistics vendor, or whether their employees or their third-party contractors have access to the products prior to delivery to end users.
Supply Chain Show AdobeStock_60166175 D.jpeg
Warehouse worker packaging product for a customer
The hospital or clinic buying the products or services may not have control over the storage or repacking practices of suppliers, if any, or whether cybersecurity practices are in place in the supplier’s network that the hospital is expected to be connecting to regularly.
Supply Chain Show AdobeStock_54247217 E.jpeg
Shallow depth of field close-up of a PBX (private branch exchange), which is a phone exchange for a particular business/office. A technician is plugging in a network cable to the line socket.
Vendors/contractors or hospital staff
The hospital or clinic may not have control over vendor hiring practices for services such as equipment, HVAC, ISP, telephony or the like. These types of vendors may not be enforcing sufficient background checks on their own staff, either of whom may introduce a threat into the network.
Supply Chain Show AdobeStock_55386318 F.jpeg
Mobile health app, HIS or other software developer
The hospital or clinic may not have control or knowledge about the security of the code or the developers’ coding practices, whether the developer has ensured enough safeguards are in place to prevent the discovery, or exploitation of vulnerabilities in their apps or software. Taken further back up the supply chain, the operating system used in various segments in healthcare networks can have vulnerabilities.
Supply Chain Show AdobeStock_64932604 G.jpeg
loading tablet updates illustration design over a blue background
Outdated and unpatched firmware in medical devices or equipment
The hospital or clinic may not realize that even medical devices and equipment have embedded firmware that must be updated when necessary, or that they may be infected with malware. Threat actors can leverage these open security holes to either compromise the hardware or move laterally inside the network.
Supply Chain Show AdobeStock_143270278 H.jpeg
Previous employees or non-core services staff
The hospital or clinic may not have control over the behavior of previously employed staff (if IT has not terminated their access completely) or current vendor staff to check whether they are abusing access privileges or are using hospital resources in an unsecure manner. These previous employees may even take advantage of weak authentication procedures knowing what they do about internal processes.
Supply Chain Show AdobeStock_61568304 I.jpeg
Education concept: text Learn More on Black chalkboard background, 3d render
More information

The full report from Trend Micro and HITRUST is available here.