Mitigating risk as healthcare supply chain attacks prevail

A focus on cyber resilience is essential for mitigating the risk of healthcare supply chain attacks, which have the potential to cause widespread disruptions.

Healthcare supply chain attacks have the potential to disrupt care and operations across the healthcare system through just one successful infiltration. The single points of failure that exist across the sector make the risk of supply chain attacks even greater.

"The bad guys have figured out that if they can hit this small supplier who's a single-source supplier in a particular region, they could cause a lot of impact to the healthcare sector more broadly and maximize their payoffs downstream," said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC). "It's definitely different from what we were seeing before."

Mitigating supply chain attacks requires healthcare organizations to maintain strong, security-minded relationships with their critical suppliers, beginning at the contract stage. Tabletop exercises, response and recovery plans, and a focus on cyber resilience can help health IT security leaders mitigate the risks of this pervasive threat.

Exploring the prevalence of healthcare supply chain attacks

Several healthcare supply chain attacks caused disruptions to healthcare systems around the world in 2024.

For example, in April 2024, BlackSuit ransomware actors targeted Octapharma, a blood plasma provider, resulting in the closure of more than 190 plasma donation centers in the U.S. as well as disruptions in the European Union.

In June 2024, the QiLin ransomware gang attacked pathology provider Synnovis, forcing several London hospitals to reschedule operations and cancel thousands of appointments in the weeks following the attack.

In July 2024, Florida-based blood supplier OneBlood suffered a ransomware attack that resulted in a software outage that affected inventory availability, forcing hospitals to activate critical blood shortage protocols.

These attacks were the basis of an August 2024 joint threat bulletin by the Health-ISAC and the American Hospital Association (AHA) that warned members of the prevalence of supply chain attacks perpetrated by Russian cyberthreat actors.

"These ransomware incidents demonstrate how catastrophic failures can occur in healthcare delivery when mission-critical and life-critical suppliers are attacked. For healthcare delivery organizations (HDOs), hospitals and health systems, these attacks had massive impacts to patient care because the entities that were attacked provided mission-critical services to a multitude of healthcare providers, including hospitals, ambulances and medical clinics," the bulletin stated. "The physical supply chain disruptions caused by these attacks highlight the potential for cascading impacts to patient care as a result of disrupting niche, critical healthcare suppliers."

The healthcare sector also saw widespread disruptions in February 2024, when the Change Healthcare cyberattack occurred, raising concerns about third-party risk management and exemplifying what can happen when a vendor that serves a specific function for healthcare customers across the country goes down.

These events show that whether a cyberattack causes physical supply chain delays or digital disruptions, it can still affect patient care and operations.

Supply chain risk mitigation strategies

Mitigating these risks necessitates a focus on cyber resilience and business continuity amid a cyberattack.

"If we're attacked, whether it's a manmade event, or a cyberattack, or whether it's natural disaster, how are we maintaining operations and keeping these critical systems up and running?" Weiss asked. "Are we identifying single points of failure that could eventually run into cascading impacts that could cause more widespread outages across healthcare?"

The healthcare supply chain attacks that hit the sector in 2024 have further underscored the importance of third-party risk management, Weiss noted. He recommended that organizations bring third-party security into the conversation when conducting business risk analyses and tabletop exercises.

What's more, organizations should try to identify alternative suppliers, so they are not as reliant on a single source for life-saving supplies in the event of a cyberattack against that supplier.

"And if there aren't other alternative suppliers available, to me, that's one of the things that ought to be raised to the federal, the government level," Weiss stated. "We as a sector and as a society need to do something about that to minimize the risk to the American public."

Weiss pointed to guidance from the Health Sector Cybersecurity Coordinating Council (HSCC) as a reliable resource for tackling this issue. The guidance, last updated in October 2023, offers small and mid-size healthcare organizations strategies for establishing and maintaining a supplier risk management program.

The HSCC document includes templates for policies, procedures and governance; contract language; and guidance for testing response and recovery efforts following supplier cybersecurity incidents.

"Properly managing cyber risk within the supply chain requires a proactive strategy to protect patient information and sensitive data against an ever-increasing risk from bad actors outside, and sometimes within, the health system," the guidance stated. "A supply chain cybersecurity risk management program also serves as a strategy to support and increase preparedness and business continuity planning and countermeasures."

While this guidance is intended for small to mid-size organizations, HSCC encouraged larger organizations with more resources to use their reach to disseminate the guidance to their suppliers and assess their own programs against the best practices contained in the document.

As healthcare organizations continue to face cyberattacks directly and through their suppliers, it is crucial to prepare for instances in which critical services go down to ensure that they can continue to deliver patient care.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.