In certain information security circles, 2020 may be defined by two words: massive and devastating. Whether it actually was is a topic for another day; what matters here is that the compromise of a software vendor or software-as-a-service (SaaS) provider is nothing new. Healthcare has seen its share of supply chain security disruptions, yet it still lags behind most other industries in protecting itself and its own supply chain. Let us look at examples from recent and not-so-recent history and draw some lessons from them.
Discovered in December 2020 and labeled the most damaging cyber supply chain attack ever, the compromise of SolarWinds Orion software (dubbed Sunburst by FireEye and Microsoft) is the most prominent recent example.
In short, the attackers infiltrated SolarWinds' development environment, studied how the vendor built and released its software, and ultimately inserted a sophisticated trojan into the Orion product itself. Because the backdoored component was built and signed through the vendor's normal pipeline, it shipped in routine, legitimately signed updates that roughly 18,000 customers installed; the code-signing checks customers rely on offered no protection, since the signature was genuine. Within a subset of those customer networks, the attackers then used the backdoor to expand their access and exfiltrate sensitive information.
Blast from the Past
Nuance Communications, the medical transcription services vendor, tangled with the NotPetya malware in a way that hit closer to home for healthcare, causing severe hospital disruption that began in June 2017 and lasted into August. This 2019 Slate article details not only how NotPetya caused an estimated $10 billion in damage to companies worldwide (and cost Nuance $98 million alone) but also how it had direct consequences for the delivery of healthcare in the U.S.
Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008.
How to Improve Supply Chain Security
Both the NotPetya incident and the recent Sunburst compromise demonstrate how much impact a disrupted or compromised vendor can have on our organizations.
COVID-19 response has severely strained budgets in a healthcare sector that already faces many security challenges. What can healthcare organizations do to protect themselves against, and raise awareness of, the ever-increasing threat to supply chain components?
Consider this: organizations must (and should) make every effort to promote and communicate even the most basic security practices to the C-suite, and they should use tools that give leadership the information it needs to make risk-informed decisions.
- Conduct a Cyber Resilience Review to gauge potential weaknesses in your organization's processes and infrastructure.
- Move from a controls-catalog style risk assessment to an information security program assessment based on the NIST Cybersecurity Framework (CSF). CSF v1.1 added a Supply Chain Risk Management category (ID.SC) under the Identify function, so supply chain objectives are assessed alongside everything else.
- More pointedly, develop the governance, policies, procedures and minimum security standards you expect your vendors to meet, and create a process by which vendors are evaluated before they are onboarded and monitored for as long as they operate in your environment. In short, develop your own vendor risk management plan.
Ultimately, the organization’s stakeholders and board of directors are responsible for the acceptance or mitigation of risk and the establishment of security protocols and other protection policies and processes – both internal to the organization and to the vendors who interact with the organization.
It is imperative for even the smallest enterprises to protect their data and systems, their portion of the supply chain, and the vendors with whom they have relationships.
Our security team at Impact Advisors has deep expertise in helping hospitals and health systems identify and mitigate risks along the supply chain. Contact us to begin evaluating your security needs to improve safety now and protections for the future.