Healthcare Cybersecurity: Supply Chain & Patient-Facing Tech

Updated November 15, 2024

Securing ePHI In The Age Of Digital Health Tools is a three-part blog series on healthcare cybersecurity that explores how healthcare providers can protect PHI and mitigate healthcare data security risks associated with patient engagement technologies by implementing the right security protocols. Read parts two and three now.

In healthcare cybersecurity, supply chain attacks stand out as a formidable and growing threat. As in other sectors, a healthcare supply chain involves a complex network of interconnected organizations and providers that deliver healthcare products and services to patients. A typical component of this supply chain would be the manufacturers of medicines or medical equipment. However, patient engagement vendors are also vital to the healthcare supply chain, and their public-facing role involves unique risks. In this article, we’ll explore how to safeguard your organization against supply chain attacks by securing and streamlining your patient-facing tools.

What Are Healthcare Supply Chain Attacks?

In a supply chain attack, attackers reach an organization’s data not by breaching it directly but by exploiting a security flaw in one of the third-party apps or other patient-facing technologies that connect to the healthcare organization’s source systems further down the supply chain.

By finding a weak link in the supply chain, commonly a third-party vendor, hackers can access source systems, such as electronic health record (EHR) systems, and potentially gain access to huge swathes of data, including, but not limited to:

This valuable information can be stolen and sold on the black market or encrypted and held for ransom in a ransomware attack.

Healthcare Cybersecurity Costs And Liabilities

A data breach caused by a supply chain attack can incur serious costs. A 2023 report by IBM shed some light on the financial impact of data breaches across various industries, including healthcare (1):

  • The average cost of a healthcare data breach is $10.93 million (highest among all industries).
  • In contrast, the average cost of a data breach across all industries is $4.45 million.
  • Healthcare breach costs have increased by 53.3% over the past three years.
  • Phishing is the leading initial attack vector, responsible for 16% of breaches.
  • Malicious attacks are the most common root cause of healthcare data breaches (56%), followed by IT failure (24%) and human error (20%).
  • Breaches involving data stored across multiple environments were the costliest and took the longest (average 291 days) to resolve.

A healthcare data breach can also have serious regulatory repercussions. Healthcare data is governed by HIPAA, which mandates administrative, technical, and physical safeguards for electronic health data and timely breach notifications tailored to stakeholder types.

Penalties for HIPAA violations include:

  • Up to $50,000 per violation (the statutory maximum, which HHS adjusts annually for inflation).
  • Annual caps of $1,919,173 per penalty tier (inflation-adjusted figure).
  • Civil monetary penalties are paid to HHS; HIPAA itself gives affected individuals no private right of action, but state privacy and breach laws can add further liability.

The financial costs are just one side of the story. Even more concerning is the disruption of essential healthcare services and supplies associated with supply chain attacks, e.g., postponed surgeries and/or missed medical examinations, which leads to a deterioration in patient outcomes.

Don’t leave yourself vulnerable.

Use BridgeInteract to secure patient data and avoid costly breaches or fines.

Request a demo

According to a 2024 report by Cyber Magazine,

  • 92% of US healthcare organizations experienced cyberattacks in the past year, with supply chain breaches being the most damaging.
  • 82% of victims reported severe disruptions to patient services, up from 77% the previous year.
  • 28% of healthcare entities observed increased patient mortality due to cyberattacks, up five percentage points from the prior year (2).

As the digital healthcare supply chain grows in response to the increasing patient demand for digitization, healthcare cyber threats will also increase. Preventing such attacks is one of the major healthcare cybersecurity challenges today, and the challenge begins before a healthcare provider has even selected a third-party vendor.

How Are Healthcare Organizations Exposed to Supply Chain Attacks?

Nowadays, more third-party apps are integrating with source systems, such as EHRs and revenue cycle management (RCM) systems. With the growing patient demand for self-service digital tools to manage their health autonomously, providers have been rushing to accumulate third-party technologies to meet these needs. In this landscape, it’s not uncommon to find many third-party apps for services such as bill pay, appointment scheduling, intake, and prescriptions, all plugging into healthcare organizations’ source systems.

These third-party patient-facing technologies are all part of the supply chain, and cobbling together multiple third-party apps can make an organization highly vulnerable to supply chain attacks.

In one high-profile demonstration of the risks associated with patient-facing technologies, hacker and cybersecurity analyst Alissa Knight found no exploitable weaknesses when testing the application programming interfaces (APIs) built by healthcare organizations themselves. It was a different story for the APIs built by data aggregators and other third-party apps that integrated with the healthcare providers’ source systems: using entry-level techniques, Knight was able to access more than four million patient records within minutes (3).

Knight’s findings have been backed up by real-world trends, with cyber attackers increasingly targeting the third-party business associates of HIPAA-covered entities. In 2023, over 93 million healthcare records were exposed or stolen in data breaches at business associates. In contrast, only 34.9 million records were compromised via direct attacks on or negligence by healthcare providers (4).

Combining Multiple Third-Party Apps Is A Crucial Healthcare Cybersecurity Challenge

The proliferation of third-party, patient-facing technologies multiplies the number of potential vulnerabilities in any given system. When a single organization has multiple apps or technologies integrated into its systems, any of these technologies could be the weak link and act as a point of entry.

Rather than forcing cybercriminals to crack each safe individually, a healthcare supply chain attack hands them a skeleton key: a single breach of one shared vendor can open access to millions of patient files (5).

To make matters worse, supply chain attacks can be hard to detect since software supply chains tend to be vast and involve increasingly complex relationships and integrations. In healthcare, in particular, the sheer breadth of third-party apps that often connect with sources of patient data can make it incredibly hard to trace the source of the attacks or repair the damage.

For healthcare organizations, the challenge is clear: How do you maintain complete oversight over multiple vendors when IT departments are increasingly stretched and capable cybersecurity experts are hard to find?

From the perspective of cybercriminals, healthcare is a desirable target—not least because of the extent of ePHI shared throughout the ecosystem and the potential for weaknesses in that same system.

How To Future-Proof Healthcare Cybersecurity With The Right Patient Engagement Vendor

It’s important to understand where the dangers lie when discussing risk mitigation in healthcare supply chains. In today’s digital-first age, working with third-party software vendors is practically inevitable—healthcare organizations can hardly be expected to develop competitive bespoke digital solutions in-house on top of their primary duties and services. Partnering with software vendors is often the most cost-effective and time-efficient way to integrate essential digital services that drive business efficiency and patient engagement. However, vetting these vendors is fundamental to mitigating cybersecurity risks.

To better protect their organizations from cyber threats, healthcare organizations should ask themselves whether potential third-party vendors are reputable and if they implement the right cybersecurity tools and practices.

Check Cybersecurity Processes/Policies And Certifications

To ensure proper risk management, partner with a company or vendor with a vetted cybersecurity process or policy you can rely on. Organizations should conduct a strict due diligence process to assess what information and access these third-party vendors will be given and whether that level of access is justified.

BridgeInteract CEO John Deutsch believes this due diligence process is often neglected as providers rush to implement more third-party applications and patient-facing tools. “What we see in the sales process is a lot of outdated vendor due diligence and onboarding processes. This is a major concern, especially as healthcare organizations are looking at vendors who have only been around a few years or are using antiquated technology,” he explains.

The objective is not simply for the vendor to tick a standard vendor onboarding box but to have a dynamic vendor due diligence process that reflects the risk of that particular technology.

This includes ensuring that a prospective vendor has:

As intermediaries between patients and healthcare organizations, vendors should be able to demonstrate high-quality development practices, HIPAA compliance, good authentication practices, and a deep understanding of cybersecurity. For a more in-depth exploration of this topic, please see our article on the best practices for securing patient engagement technology.

Of course, the above should be accompanied by regular pen tests and strategic cyber threat intelligence. Vulnerabilities appear daily, and keeping up to date with trusted sources is essential for every security team. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) regularly publish advisories and alerts on the latest attacks or vulnerabilities that may affect US companies.

Pen-testing by an independent third party also plays a significant role in detecting whether a healthcare vendor’s systems are exposed to attack before an adversary finds out, and it should not be left solely to the vendor: the healthcare organization should commission its own assessments of the integration as deployed in its environment. Assessments should cover technical controls as well as your team’s preparedness against social engineering attacks and phishing campaigns.
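The due diligence step described above, deciding what access a vendor will be given and whether that access is justified, can be made mechanical. The script below is an added example, not code from the original post or from BridgeInteract. It assumes the source system exposes a SMART on FHIR API and that each vendor app is registered with OAuth scopes of the form context/Resource.permissions (context is patient, user or system; permissions are the v1 keywords read, write or *, or a v2 string built from c, r, u, d, s). The policy table, app names and scope grants are all constructed for illustration. It flags the “skeleton key” grants (wildcard and backend system scopes) and any operation a vendor’s stated purpose does not need.

```python
"""
Audit third-party patient-facing apps' OAuth scope grants against a
least-privilege policy derived from each app's stated purpose.

Assumptions (constructed for this example): the EHR exposes a SMART on FHIR API
and vendor apps are registered with SMART scopes, <context>/<resource>.<perms>.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

SCOPE_RE = re.compile(
    r"^(?P<ctx>patient|user|system)/(?P<res>[A-Z][A-Za-z]*|\*)"
    r"\.(?P<perm>read|write|\*|[cruds]{1,5})$"
)

# Map SMART v1 keyword permissions onto v2 operation letters so both syntaxes audit alike.
V1_TO_V2 = {"read": set("rs"), "write": set("cud"), "*": set("cruds")}


def parse_scope(scope: str):
    """Return (context, resource, set_of_ops), or None when the scope is malformed."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    perm = m.group("perm")
    ops = V1_TO_V2.get(perm) or set(perm)
    return m.group("ctx"), m.group("res"), ops


@dataclass
class VendorApp:
    name: str
    purpose: str        # key into PURPOSE_POLICY
    scopes: list[str]


# Constructed policy: the resources and operations each integration purpose needs.
# Anything outside this table is access the stated purpose does not justify.
PURPOSE_POLICY = {
    "appointment-scheduling": {"Patient": "rs", "Appointment": "crus", "Schedule": "rs", "Slot": "rs"},
    "bill-pay": {"Patient": "rs", "Account": "rs", "Invoice": "rs", "PaymentNotice": "c"},
}


def audit_app(app: VendorApp) -> list[str]:
    """Return human-readable findings; an empty list means the grant is least-privilege."""
    findings: list[str] = []
    allowed = PURPOSE_POLICY.get(app.purpose)
    if allowed is None:
        return [f"{app.name}: no policy defined for purpose '{app.purpose}'"]
    for scope in app.scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            findings.append(f"{app.name}: malformed scope '{scope}'")
            continue
        ctx, res, ops = parsed
        if res == "*":
            # Wildcard resource scopes are the skeleton-key pattern: flag regardless of context.
            sev = "CRITICAL" if ctx == "system" else "HIGH"
            findings.append(f"{app.name}: {sev} wildcard resource scope '{scope}'")
            continue
        if ctx == "system":
            # Backend scopes are not bound to any patient or user session; require explicit sign-off.
            findings.append(f"{app.name}: backend (system) scope '{scope}' is not tied to a patient or user session")
        needed = allowed.get(res)
        if needed is None:
            findings.append(f"{app.name}: resource '{res}' is not required for purpose '{app.purpose}' ('{scope}')")
            continue
        excess = ops - set(needed)
        if excess:
            findings.append(
                f"{app.name}: '{scope}' grants {''.join(sorted(excess))} on {res} "
                f"but the purpose only needs '{needed}'"
            )
    return findings


def audit_inventory(apps: list[VendorApp]) -> dict[str, list[str]]:
    """Audit every registered vendor app; only apps with findings appear in the result."""
    return {a.name: f for a in apps if (f := audit_app(a))}


# Constructed inventory: one tightly scoped scheduler, one over-privileged bill-pay app.
INVENTORY = [
    VendorApp("SchedulerCo", "appointment-scheduling",
              ["patient/Patient.rs", "patient/Appointment.cru", "patient/Slot.rs"]),
    VendorApp("PayPortal", "bill-pay",
              ["system/*.*", "user/Observation.read", "patient/Invoice.rs", "patient/Account.cud"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, the scheduler produces no findings while the bill-pay app is flagged three times: a system-level wildcard scope, a clinical resource (Observation) unrelated to billing, and write access to Account where the purpose only needs read. The policy table is the part to maintain per organization; the point is that the justification for every grant is written down and re-checked whenever a vendor asks for more.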

Simplify Healthcare Supply Chains To Mitigate Risk

Another powerful way to mitigate the risk of supply chain attacks is for a healthcare organization to simplify its supply chain—the more third-party organizations involved, the higher the risk.

Ideally, the most secure solution would be to partner with a single third-party vendor that offers a comprehensive solution, like BridgeInteract—a complete patient engagement platform offering a wide range of patient-facing features and tools under a single unified system.

BridgeInteract is modular, with tools covering everything from a patient portal to bill pay, telehealth, HIPAA-compliant messaging, and more. Partners can customize BridgeInteract to meet their specific needs while having peace of mind that their patient-facing tools are protected by the latest cybersecurity protocols.

BridgeInteract holds a SOC 2 attestation (an independent auditor’s report on its security controls), underscoring its commitment to robust data security practices. The platform employs measures such as strong encryption, network firewalls, and HIPAA-compliant cloud hosting to protect client data and the security of patient information.

Furthermore, BridgeInteract meets the ONC Certification Criteria for Health IT and has received certification from an ONC-Authorized Certification Body (ONC-ACB) in alignment with the standards set by the Secretary of Health and Human Services. To learn more, visit https://www.bridgeinteract.io/certifications/.

Systems like BridgeInteract can help lower the number of entry points for hackers, mitigate risk for healthcare organizations, and significantly reduce costs by negating the need for multiple patient-facing apps that each provide a single service.

Want to know more about how BridgeInteract provides a secure, comprehensive patient engagement solution?

Contact us!

In the following article in this series, we go beyond the issues associated with using multiple third-party vendors to look at how healthcare organizations can manage risk internally when integrating and using these technologies. We explore healthcare organizations’ common security mistakes and the most effective ways to avoid them.

Read more on healthcare cybersecurity:

Sources:

  1. Security Intelligence. (2023). ‘Cost of a Data Breach 2023: Healthcare Industry Impacts’. Available at: Link. Accessed 15 November 2024.
  2. Cyber Magazine. (2024). ‘Cyber attacks threaten healthcare supply chains’. Available at: Link. Accessed 15 November 2024.
  3. Jercich, K. (2021). ‘Playing with FHIR? Don’t get burned, white-hat hacker cautions’. Healthcare IT News. Available at: Link. Accessed 16 November 2024.
  4. Alder, S. (2024). ‘Healthcare Data Breach Statistics’. HIPAA Journal. Available at: Link. Accessed 16 November 2024.
  5. Alder, S. (2024). ‘Change Healthcare Cyberattack Affected 100 Million Individuals’. HIPAA Journal. Available at: Link. Accessed 16 November 2024.
Pablo Bullian

Pablo Bullian (CISO) Pablo manages Bridge’s IT security policies and HIPAA-compliant hosting infrastructure. He holds an M.S. in Cybersecurity, is an associate professor of cybersecurity engineering, and holds various certifications in cybersecurity and networking.