MedCity Influencers, Health IT

Healthcare’s Digitization: Coming to Terms with Cybersecurity Supply Chain Risk

Providers are, in many cases, getting the equivalent of a Russian nesting doll of third-party risks whenever they acquire a complex new technology solution. Cybersecurity supply chain risk management is the process of identifying and mitigating potential risks that may arise from these third-party products and services within an organization’s IT infrastructure.

Healthcare technology has evolved significantly in recent years. For example, electronic health record systems, clinical information systems, patient portals, and electronic billing systems are commonplace today. New solutions leveraging machine learning and artificial intelligence are transforming how we diagnose and treat disease. Telemedicine networks connect patients to doctors and specialists across the country, and nanomedicine has the potential to revolutionize treatments for cancer, diabetes, and many other conditions.

Just like the digital technologies that preceded them, these new technologies bring new security risks that organizations must address to protect patients and their data. The authors of HIPAA predicted these risks two decades ago, leading to the implementation of the HIPAA Security Rule. The Security Rule continues to provide the security framework by which healthcare providers and their business associate partners must abide when implementing and operating systems that create, receive, maintain or transmit electronic protected health information (ePHI). However, simply asking a third party to sign a business associate agreement promising to abide by the HIPAA Security Rule requirements is no longer enough to manage the associated risk of adopting current and emerging technology solutions.

As the speed and scale of positive impact increases with new technology, so does the potential harm.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center (HC3) recently issued a threat brief regarding the security risks of the most promising emerging technologies impacting healthcare. On the list of emerging technology, HHS HC3 included artificial intelligence, 5G cellular, nanomedicine, smart hospitals, and quantum computing and cryptography.

We are particularly concerned that a vulnerability in technology may ultimately result in loss of life. Unfortunately, all the technologies listed in the HHS HC3 threat brief could fall into that category.

Organizations must prepare for the new wave of technology to avoid security and privacy risks.

Cybersecurity supply chain risks have been a growing concern for healthcare organizations for several years. Specifically, these risks relate to the acquisition, development, maintenance, and disposal of IT products and services from external suppliers. The concern is warranted as for three years in a row, the most significant breach impacting the healthcare industry resulted from a breach at a vendor that supported large numbers of healthcare organizations.

Healthcare providers usually purchase or license their technology solutions from vendors or share platforms with partners. Historically, providers would license software products and purchase the IT hardware necessary to support their use. Today, an organization’s IT portfolio likely also includes software-as-a-service solutions hosted in the cloud and cloud-based infrastructure as a service upon which the provider establishes its virtual infrastructure, servers, and data storage.

Often, the solutions providers purchase, license, or subscribe to include software libraries and other components that the developers or manufacturers source from other third parties. The solutions may also be hosted on hardware or cloud services provided by different vendors leveraging even more third parties. Providers are, in many cases, getting the equivalent of a Russian nesting doll of third-party risks whenever they acquire a complex new technology solution.

While the technical vulnerabilities that can be exploited will vary with new technology, the higher-level issues are the same.

Cybersecurity supply chain risk management is the process of identifying and mitigating potential risks that may arise from third-party products and services within an organization’s information technology (IT) infrastructure. Given the growing dependence on information technology infrastructure to deliver care, a healthcare organization should also consider the risk to patients, employees, and the business. The goal is to manage this risk to a level acceptable to the organization.

To understand the risk, the organization needs to know the safeguards the developer or manufacturer put in place during the design, development, manufacture, deployment, and ongoing operation of the technology to protect the confidentiality, integrity, and availability of information processed as well as the physical safety of users and others exposed to the technology. It is also essential to understand what components, particularly third-party components, the developer or manufacturer used within the solution as they, too, have their own risks. Requesting a software bill of materials is recommended when appropriate. Depending on the level of risk, including the potential impact, organizations might also consider requiring that the manufacturer produce reports of independent testing of the technology or, even better, be allowed to test it independently. Suppose the vendor will be receiving or storing ePHI on behalf of the provider. In that case, a prospective purchaser must understand the security program and controls in place to protect the information and decide if they are sufficient, given the potential impact of a breach.

When dealing with information technology, organizations should consider what happens if the information processed by the technology is accessed or exposed through human error, negligence, or unauthorized access. What if the technology becomes unavailable or the data is corrupted?

Organizations should ask:

  • How do we know data is exposed, and can we determine how?
  • What if the integrity is compromised? How do we know what was changed?
  • How will we understand the implications, and how do we fix them?
  • What if the technology goes down? Can we function without it?
  • What is the impact, how do we manage until we get it back online, how do we get it back online, and how fast do we need to do it?
  • Are people at physical risk from the use of this technology?
  • Do the benefits outweigh the cost?
  • What is our obligation to inform of the risk?

When an organization decides to accept the risk and implement technology, it must continue to manage that risk on an ongoing basis. Ongoing risk management includes monitoring the technology for new threats and vulnerabilities and testing the safeguards in place to ensure they are functioning as intended. Finally, they must regularly analyze the risk to see if it is still in an acceptable range and take appropriate action if it is not.

We often get caught up in the hype associated with new technology. It’s exciting to think of the possibilities, but every technology comes with risks we must understand and manage before they become a reality.

Establishing a strong cybersecurity supply chain risk management program helps organizations develop controls within the acquisition process to measure and manage risk. Implementing a robust vendor risk management program enables organizations to adopt emerging technology in the future while protecting systems and data in the process.

Photo: roshi11, Getty Images

Jon Moore is an experienced professional with a background in privacy and security law, technology and healthcare. As Chief Risk Officer and Senior Vice President of Professional Services at Clearwater, Jon works with healthcare leaders to safeguard their patients' health, health information, corporate capital and earnings through the creation and development of strong, proactive privacy and information security programs. Together with his colleagues at Clearwater, Jon provides the strategic advice, services, training and tools needed for a complete Cyber Risk Management and HIPAA Compliance solution.

During an eight-year tenure with PricewaterhouseCoopers (PwC), Jon served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team. Among the major federal clients supported by Moore and his team were the National Institute of Standards and Technology (NIST), National Institutes of Health (NIH), Indian Health Service (IHS), Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF).

Jon holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.