Speaking of Supply Chain

The Three Be's for Better Supply Chain Cybersecurity Pre- and Post-COVID-19
By Randy V. Bradley, PhD, CPHIMS, FHIMSS, Associate Professor of Information Systems and Supply Chain Management, The University of Tennessee-Knoxville
EVP for Digital Transformation in Life Sciences, Bio Supply Management Alliance


Many have said that a burgeoning epidemic pertains to data breaches and HIPAA violations[1]. So, let’s take a look at that issue from a supply chain perspective. It’s important to understand that cybersecurity is not a single discipline. Several distinct practices fall under the broad moniker “cybersecurity”, including information security (AKA infosec), information technology (IT) security, and operational technology (OT) security.

I’ve long been concerned that healthcare’s approach to cybersecurity is imbalanced on the privacy versus security continuum and includes misconceptions around the two. Many professionals in healthcare tend to use those terms interchangeably, despite the fact that they are quite different. Healthcare organizations are traditionally bent towards privacy. Privacy, in short, is really about preventing unauthorized disclosure, whereas security is about preventing unauthorized access and transmission. When a healthcare organization and its personnel focus more on privacy and less on security, pitfalls can result. We need to think more about balancing the two, so we don’t lose our focus on security.

From a security perspective, the top two attack vectors are extremely pertinent to healthcare and supply chain: exploit kits targeting specific vulnerabilities or operating systems (i.e., an exploit takes advantage of a vulnerability in the device, or in the software that controls how the device performs), and malware (i.e., malicious software) that has been embedded in a device. Sometimes devices even arrive with malicious software already embedded, because the compromise occurred before the device was shipped. When you think about the importance of this from a supply chain perspective, it is a great opportunity for supply chain professionals to be thought leaders for their organizations.

Here are three things supply chain leaders and suppliers can both do to help bolster the cyber hygiene and security posture of their organizations.

  1. Be the glue – It is common for different teams to manage, protect, and defend the devices and assets in an organization. Where the IT team focuses on the organization’s IT assets (e.g., computers, network equipment, etc.), OT assets, which are non-IT assets such as medical devices and security cameras, could be the responsibility of facilities, engineering, or security. These disparate teams have a tendency to produce disparate approaches, yet the manifestation of a breach or HIPAA violation may not be isolated to an asset in one category. Enter the supply chain professional. Supply chain professionals are likely involved in multiple aspects of identifying, vetting, procuring, and receiving both IT and OT. They are likely the ones who have the conversations with vendors and suppliers of both types of assets. As such, supply chain professionals are in an excellent position to be the liaison between the IT and OT teams and to ensure that the questions that could and should be asked of vendors and suppliers are actually being asked.
  2. Be the “gray matter” – Supply chain professionals are in a perfect position to help others process the appropriate information. In particular, supply chain professionals should educate cybersecurity leads on the nuances of supply chain management and on the relationships between the various upstream partners involved in any particular asset. The gray market (unauthorized distribution channels through which authentic and counterfeit products might be procured) is real, and there is a real need to ensure suppliers are transparent about their distribution channels.
  3. Be vigilant – Supply chains are becoming one of the leading attack surfaces for hackers. While this is not solely due to COVID-19, COVID-19 has created an environment in which “when the cat’s away the mice will play”. IT security professionals across the United States, Canada, U.K., Mexico, Australia, Germany, Japan, and Singapore overwhelmingly believe software supply chain attacks have the potential to become one of the biggest cyber threats[2]. Carbon Black estimates that nearly half of today’s cyber-attacks leverage island hopping, in which a hacker targets the weakest link in an organization’s supply chain as a means of infiltration[3]. Be aware that hackers don’t just want to get in via this mechanism to prove they can; they intend to set up residence and see what else they can monetize by way of the breach.

Although the supply chain has been a prime attack surface for years, much like other aspects of organizational vulnerability, COVID-19 has shed new light on it. So, take the lead, be vigilant, and socialize and escalate supply chain cybersecurity risk management throughout your healthcare organization. Supply chain has a critical role to play in maintaining the security of data and information across all forms of technology.

As always, we welcome your comments and suggestions.

[1] https://www.gibson-consultants.com/2020/09/22/the-next-epidemic-data-breaches-and-hipaa-violations

[2] https://chainstoreage.com/operations/cyber-attacks-on-the-rise-in-supply-chains

[3] https://www.carbonblack.com/resources/the-ominous-rise-of-island-hopping-counter-incident-response-continues/

© Strategic Marketplace Initiative  |  PO Box 1318  |  Westborough, MA 01581  |  United States  |  508 - 732 - 0059