June 25, 2024

Securing the lifeline: understanding healthcare supply chain cyber risk


The healthcare industry stands as a vital pillar responsible for the well-being of millions. However, it faces a unique set of challenges in today’s increasingly digital and interconnected world, particularly in terms of cyber security. Just over two weeks ago the NHS (National Health Service) in the UK suffered a major cyber-attack leading to the cancellation of emergency and life-saving operations, delays to test results and cancelled hospital appointments – all of which has once again underscored the critical nature of supply chain cyber risk, shedding light on hidden vulnerabilities that can have far-reaching implications.

In this blog, we delve into why third-party cyber risk has become a pressing concern for the healthcare sector and share actionable steps healthcare organisations can take to help minimise the risk of healthcare supply chain exploitation in the future.

The rapidly expanding cyber threat landscape

Healthcare has undergone significant digital transformation over the past decade. Electronic health records, the proliferation of the Internet of Medical Things (IoMT), adoption of cloud and mobile technology, and advanced medical devices have truly revolutionised patient care. However, this seemingly beneficial digital evolution has also expanded the attack surface for cybercriminals.

From product shortages to logistical challenges, healthcare organisations must navigate a complex and multifaceted web of suppliers and service providers, including pharmaceutical companies, medical device manufacturers, logistics providers, and IT service providers among many others, to ensure the seamless delivery of healthcare services. As supply chains have become digitised, they have also become more vulnerable to a range of cyber threats. The growing interconnectedness of the global economy and the increasing number and sophistication of cyber risks make it essential for organisations to assess and manage the risks posed by their supply chain partners. If not protected adequately, a single weak link can compromise the entire supply chain serving as an entry point, leading to widespread disruptions. It's therefore no wonder that third-party vendors partnering with healthcare organisations have quickly become a prime target for cyber adversaries seeking financial gain, disruption, or espionage.

The NHS cyber-attack: a wakeup call for the industry

On Monday 3 June, 2024, the NHS faced a significant cyber-attack that disrupted healthcare services across South East London. The attack, suspected to have been carried out by a ransomware group called Qilin, targeted pathology service provider Synnovis, a partnership between the private firm Synlab and the Guy’s and St Thomas’ and King’s College trusts. The attackers reached NHS services through Synnovis’ IT systems, where they deployed ransomware: software that locks up systems until a payment is made in exchange for restoring access and removing the ransomware. It has been reported that the cyber crime group demanded a £40m ransom in exchange for not releasing stolen data, which appears not to have been paid.

The attack crippled several NHS trusts, leading to the cancellation of over 200 emergency and life-saving operations and more than 3,000 non-surgical appointments, and affecting hundreds of patients who had been referred for urgent cancer diagnosis. One of the main concerns was blood transfusion: following the cyber-attack, the hospital was limited in its ability to cross-check patients' blood types. As a result, the NHS issued a plea for patients with O-positive and O-negative blood types, the types used for surgeries and emergencies requiring blood, to donate blood amid fears over the current national shortage in supplies of this type.

With estimations that the impact on NHS services could last for months, and the most urgent and priority services potentially expected to be restored within weeks, the consequences of cyberattacks against healthcare have long surpassed merely compromising sensitive data. As evidenced by this dire incident, these attacks can now also jeopardise patient safety by disrupting critical medical services and delaying treatments, while potentially undermining public trust in the healthcare system's ability to protect patient information and ensure continuous, reliable care.

Implementing proactive cyber risk management into healthcare supply chain

As the NHS continues to grapple with the consequences of the devastating cyber-attack, it is abundantly clear that no silver bullet will completely prevent these attacks from happening. Instead, a multi-pronged strategy is essential to withstand diverse digital threats. Fortunately, healthcare organisations, along with their respective vendors, can implement a combination of proactive measures to help safeguard the industry against similar cyber incidents and ensure the resilience of critical operations.

1. Conducting due diligence and risk assessments

One of the primary lessons learned from the NHS attack is the need for comprehensive risk assessments encompassing the entire supply chain. Healthcare organisations must evaluate the cyber risk posture of their suppliers, vendors, and partners. This involves understanding the security measures in place, assessing potential vulnerabilities, and implementing robust risk mitigation strategies. Regular audits and cyber risk assessments can help identify weak links and ensure continuous improvement in cyber defences before the worst happens. During the contractor selection phase, instant and easy-to-use third-party risk evaluation reports for target companies, such as KYND START, can streamline the evaluation and support decision-making.

2. Enhancing third-party cyber risk management

Third-party risk management is crucial in mitigating supply chain cyber risks. Healthcare organisations should establish stringent criteria for selecting and onboarding suppliers. Contracts should include specific cybersecurity requirements, such as adherence to industry standards (e.g. NIST CSF and ISO 27001), regular security audits, tested backup and recovery processes, and incident response protocols. Continuous monitoring of third-party activities and real-time exposure intelligence, such as KYND’s, can further enhance the security posture of the entire supply chain by identifying vulnerabilities and weaknesses in systems proactively.

3. Limiting suppliers’ access to critical assets

Healthcare organisations can enhance supply chain cyber risk management by implementing the principle of least privilege and adopting a zero-trust approach. By limiting suppliers’ access rights to the minimum necessary, they can reduce the attack surface and mitigate potential damage from compromised accounts. Implementing zero trust involves continuously verifying the identity and integrity of users and devices, regardless of their location within the network. This ensures that only authenticated and authorised users can access critical systems and data.
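The following is an added example, not code from the original post or from KYND, showing how the least-privilege and zero-trust ideas above can be expressed as an access-policy check for supplier accounts. Supplier names, system names and the access log are constructed sample data; `authorize` re-evaluates every request on identity verification, device posture, and a scoped, time-bound grant, and deliberately gives no weight to whether the request comes from inside the network. `unused_privileges` goes slightly beyond the paragraph by flagging granted actions a supplier has never exercised, which is how a least-privilege review finds access rights to remove.

```python
"""Least-privilege, zero-trust style access checks for supplier accounts (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """A scoped, time-bound access right for one supplier on one resource."""
    supplier: str
    resource: str
    actions: frozenset        # the minimum set of actions the supplier needs
    expires_at: datetime      # access must be re-granted, never left open-ended


@dataclass(frozen=True)
class AccessRequest:
    supplier: str
    resource: str
    action: str
    identity_verified: bool   # strong authentication (e.g. MFA) succeeded for this session
    device_compliant: bool    # the endpoint passed a posture/integrity check
    source_network: str       # recorded for audit only; location confers no trust


def authorize(grants, request, now):
    """Return (allowed, reason). Every request is evaluated afresh, regardless of network location."""
    if not request.identity_verified:
        return False, "identity not verified"
    if not request.device_compliant:
        return False, "device failed posture check"
    matching = [g for g in grants
                if g.supplier == request.supplier and g.resource == request.resource]
    if not matching:
        return False, "no grant for this resource"
    live = [g for g in matching if now < g.expires_at]
    if not live:
        return False, "grant expired"
    if any(request.action in g.actions for g in live):
        return True, "allowed by a live grant"
    return False, f"action '{request.action}' not granted"


def unused_privileges(grants, access_log):
    """List (supplier, resource, action) rights never exercised in the log: candidates for removal."""
    used = set(access_log)
    flagged = []
    for g in grants:
        for action in sorted(g.actions):
            if (g.supplier, g.resource, action) not in used:
                flagged.append((g.supplier, g.resource, action))
    return flagged


# Constructed sample data (hypothetical suppliers and systems, not real organisations).
NOW = datetime(2024, 6, 25, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("pathology-vendor-example", "lab-results-api", frozenset({"read"}), NOW + timedelta(days=30)),
    Grant("device-vendor-example", "pump-management", frozenset({"read", "update_firmware"}), NOW - timedelta(days=1)),
    Grant("it-support-example", "ehr-database", frozenset({"read", "write", "admin"}), NOW + timedelta(days=90)),
]
# Constructed access log of (supplier, resource, action) tuples seen over the review period.
ACCESS_LOG = [
    ("pathology-vendor-example", "lab-results-api", "read"),
    ("it-support-example", "ehr-database", "read"),
]

if __name__ == "__main__":
    req = AccessRequest("pathology-vendor-example", "lab-results-api", "read", True, True, "external")
    print(authorize(GRANTS, req, NOW))
    for right in unused_privileges(GRANTS, ACCESS_LOG):
        print("never used, consider revoking:", right)
```

The review function is the practical half of least privilege: access is granted narrowly at onboarding, and rights that the log shows are never used are periodically revoked rather than accumulating.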

4. Investing in cyber resilience

Cyber resilience goes beyond prevention; it encompasses the ability to respond to and recover from cyber incidents. The NHS attack demonstrated the need for healthcare organisations to invest in robust incident response and disaster recovery plans. These plans should be regularly tested and updated to ensure their effectiveness. Additionally, organisations should implement redundancy measures, such as backup systems and alternative core network services, to minimise disruptions during cyber incidents.

5. Fostering a cybersecurity culture in the organisation

Creating a cybersecurity-aware culture within healthcare organisations is essential. This involves training staff on recognising phishing attempts, reporting suspicious activities, and following best practices for data protection. A well-informed workforce can act as the first line of defence against cyber threats. Leadership should also prioritise cybersecurity, allocating necessary resources and fostering a culture of continuous improvement and vigilance.

6. Collaborating for collective defence

In an era of digital interconnectivity, cyber threats are a shared challenge, requiring collective defence efforts. Healthcare organisations should actively participate in information-sharing initiatives and collaborate with industry peers, government agencies, and cyber risk management experts. Collaborative efforts can lead to the early identification of emerging threats, the development of industry-wide best practices, and coordinated responses to cyber incidents.

Building a resilient future, together

The recent NHS attack serves as a stark reminder of the critical importance of effective supply chain cyber risk management in the healthcare industry to avoid catastrophic repercussions. In a world where digital perils are ever-evolving, proactive risk management, collaboration, and a commitment to continuous improvement will be the pillars that uphold the integrity and security of the healthcare sector. The journey towards a secure and resilient healthcare ecosystem begins with recognising the significance of supply chain cyber risk and taking decisive action to mitigate its impact.

At KYND, we understand like no other the importance of seeing, understanding and managing cyber risks. This is why KYND developed a powerful third-party risk management solution that empowers healthcare organisations to efficiently identify and address the cyber risks facing their vast third-party ecosystems. By leveraging its industry-leading advanced cyber risk analytics, KYND equips healthcare organisations with instant, actionable insights into their organisation's third-party exposure. Armed with this visibility, they can effectively assess the potential risks posed by their vendors and take better-informed risk management decisions for their organisation in a timely manner. By being proactive in their risk management, they can ensure comprehensive security and minimise the likelihood of cyber incidents occurring.

If you'd like to find out more about how KYND's technology can help you or your portfolio organisations stay ahead of cyber risk in the supply chain, please reach out to our team experts who will provide you with comprehensive information about our industry-leading cyber risk management services. Click here to get in touch with us today.

Managing supply chain cyber risk doesn’t have to be overwhelming. Download our helpful checklist by completing the form below to help your organisation, or your portfolio organisations, optimise third-party risk management programmes and prevent third-party breaches.
