Protecting Your Practice from Supply Chain Attacks

6 min read

Protecting Your Practice from Supply Chain Attacks

We all know cyber threats are constantly evolving with attackers seeking new ways to access systems and networks. However, we're also aware that our security is only as strong as our weakest link. In fact, healthcare supply chain attacks rely on that and, further, rely on vendor software being a blind spot.

As healthcare increasingly relies on technology, and with patient care and practice administration being paramount, many practices rely on the resources provided by software vendors to support everything from RCM and communications to healthcare workflows. With those reliances likely to increase, practices need to understand supply chain attacks and how to reduce their risk.

Quick Links:

• What is a Healthcare Supply Chain Attack?
• How Do Healthcare Supply Chain Attacks Happen?
• The Impact of Healthcare Supply Chain Attacks
• Top Strategies to Decrease Your Healthcare Supply Chain Attack Risk

What is a Healthcare Supply Chain Attack?

A supply chain attack is a cyberattack that targets an organization's external vendors or service providers, exploiting security vulnerabilitieswithin the supply chain to gain unauthorized access to the main network.

Rather than attacking a healthcare practice directly, cybercriminals focus on third-party vendors such as software providers, medical device manufacturers, or cloud service platforms, which may have weaker security controls. Once compromised, these trusted partners can serve as a gateway for attackers to infiltrate sensitive systems. Essentially, it can become like a chain of dominoes, toppling one system after another.

As an example, the Change Healthcare attackhighlighted the widespread and devastating impact of an attack on a supply chain. In that case, the consequences have been long-lasting and may continue for years to come. The direct and immediate impact meant that not only could healthcare providers not access records or process payments, but patients were also unable to get necessary prescriptions.

For healthcare practices, supply chain attacks pose a significant threat, not only to workflows but also to patient data and HIPAA compliance. And, as we saw with the Change Healthcare attack, assaults on the supply chain can even prevent practices from conducting business, processing payments, and ensuring the financial security of their practice or organization. In short, these attacks may not only lock down systems, but they can also expose EHRs, billing systems, and other critical data to malicious actors and, in some cases, the dark web or other hackers.

Given the complexity of healthcare supply chains and the volume of external services used, the risk of attack is heightened, making it crucial to ensure that all partners maintain rigorous security and compliance standards and that practices utilize Business Associate Agreements(BAA).

How Do Healthcare Supply Chain Attacks Happen?

Understanding that a risk exists isn't the same as understanding how an attack occurs. To better protect your organization, it's important to understand how supply chain attacks happen before we look at a few examples.

One of the most common ways supply chain attacks happen is through software updates. Vendors often push automatic updates to their products, and cybercriminals can compromise these updates to inject malicious code into healthcare systems. If a healthcare provider relies on an affected software platform, the malware gets installed without detection, opening up pathways for data theft, ransomware, or system disruption. This is what occurred in the 3CX attack, where a compromised software update allowed attackers to access healthcare communications networks.

Similarly, vulnerabilities in cloud services and medical devices also create entry points for attackers. Many healthcare organizations rely on third-party cloud platforms for storing and managing patient data, and if these platforms have weak security protocols, they become prime targets for cybercriminals.

In the same way, connected medical devices that run on third-party software are vulnerable if they lack adequate encryption, authentication, or regular patching. The Philips Healthcare Devicesbreach in 2023 highlighted this risk, as attackers exploited vulnerabilities in medical device software to access healthcare networks.

Other vulnerabilities include weak vendor cybersecurity policies, lack of regular security assessments, and insufficient monitoring of third-party access. If a vendor does not adhere to strict security practices, it can expose the healthcare provider to risks like phishing, ransomware, or data breaches.

The Impact of Healthcare Supply Chain Attacks

Supply chain attacks have emerged as a significant cybersecurity risk, particularly in healthcare, where the protection of sensitive patient information and maintaining compliance with regulations including HIPAA are paramount. With the increasing reliance on interconnected software platforms, medical devices, and cloud-based services, healthcare practices face greater vulnerability to such attacks.

One of the primary concerns in healthcare is the potential exposure of ePHI due to supply chain vulnerabilities. A compromised vendor can give cybercriminals access to the entire healthcare network, jeopardizing data such as patient records, billing information, and even clinical workflow systems. This not only puts the practice at risk of violating HIPAA regulations, which mandate strict data protection standards, but can also lead to hefty fines, legal liabilities, and a loss of patient trust.

As supply chain attacks grow more sophisticated, it's essential for healthcare organizations to be proactive in managing their third-party relationships, ensuring every vendor adheres to stringent cybersecurity protocols, this is why BAAs are essential, though also not a security guarantee. With healthcare already a high-value target for attackers, protecting the extended supply chain is crucial for maintaining both security and compliance.

While supply chain attacks are on the riseand an increasing cybersecurity threat, they're not a new phenomenon. And, sadly, Change Healthcare isn't the only example.

1. MOVEit (2023)

MOVEit is a managed file encryption and transfer software used by many organizations, including those in healthcare. Cybercriminals exploited a vulnerability in the software to access and steal sensitive data from affected systems. Healthcare organizations relying on MOVEit for secure file transfers were compromised, leading to the exposure of protected health information (PHI) and other confidential data.

2. United Healthcare (2023)

The United Healthcare supply chain attack refers to a 2023 incident where hackers targeted a third-party vendor, IBM's Aspera, which was used by United Healthcare for secure file transfers. Exploiting a vulnerability in Aspera's software, cybercriminals gained access to sensitive data, including personal health information (PHI) of United Healthcare members.

3. NextGen (2023)

The NextGen Healthcare supply chain attack involved a ransomware attack on a third-party vendor that provided services to NextGen, a healthcare technology provider. This breach led to the exposure of sensitive patient data, including protected health information (PHI), potentially impacting HIPAA compliance.

4. Philips Healthcare Devices (2023)

The Philips Healthcare Devices supply chain attack involved the exploitation of vulnerabilities in software integrated with Philips medical devices. These vulnerabilities allowed attackers to potentially access sensitive healthcare data and disrupt device functionality. As Philips devices are widely used in healthcare settings, the attack raised concerns about the security of IoT medical technologies and emphasized the risks posed by third-party software.

5. Brightline (2023)

The Brightline supply chain attack occurred when a vulnerability in a third-party vendor's platform was exploited, leading to the exposure of sensitive patient data. Brightline, a telehealth provider specializing in behavioral healthcare, relied on this vendor for critical services, and the breach compromised the protected health information (PHI) of numerous patients.

6. 3CX (2023)

The 3CX supply chain attack targeted a popular communications software company, through a compromised software update. Hackers were able to infiltrate the company's update mechanism, injecting malicious code into the system. Healthcare organizations using 3CX for communication services were affected, as the malware provided attackers with access to sensitive information, including potentially patient data.

As these examples make clear, it's not just one piece of software, one type of application, or one vendor that's at risk. What we can glean from this is that vetting providers, updating and patching applications, and conducting risk assessments are an important part of any healthcare organization's security posture.

Top Strategies to Decrease Your Healthcare Supply Chain Attack Risk

Protecting your practice from healthcare supply chain attack risks requires a multi-layered approach, addressing both technical safeguards and vendor management practices. There are, thankfully, some critical strategies to minimize the risk of supply chain attacks.

1. Conduct Thorough Vendor Assessments

• Ensure vendors have up-to-date security certifications (e.g., SOC 2, HITRUST)
• Review third-party vendors' security policies to ensure HIPAA compliance
• Evaluate the vendor's incident response procedures and their ability to handle breaches
• Require vendors to share their history of security breaches and corrective actions taken
• Develop comprehensive Business Associate Agreements to help protect ePHI and data

2. Establish Strong Contracts with Security Clauses

• Include clauses in vendor contracts that require adherence to your security policies
• Mandate timely notification in the event of any data breaches or security incidents
• Specify penalties for non-compliance with HIPAA and other data protection regulations

3. Implement Zero-Trust Architecture

• Limit vendor access to your systems based on the principle of least privilege
• Use network segmentation to minimize the spread of any potential breaches from vendor systems
• Regularly audit user access and permissions granted to third-party vendors.

4. Enforce Regular Software Updates and Patching

• Require vendors to provide regular updates and security patches
• Establish a policy for timely internal patch management and system updates
• Verify that medical devices and other vendor-supplied technology are regularly patched against the latest vulnerabilities.

5. Enhance Encryption and Data Protection Standards

• Use end-to-end encryption for all data transfers between your practice and vendors
• Require third-party systems to meet advanced encryption standards for sensitive data, especially patient health information

6. Implement Multi Factor Authentication (MFA)

• Enforce MFA for any system access involving external vendors, especially those accessing sensitive patient data
• Regularly review MFA logs and activity for any unusual or suspicious login attempts

7. Conduct Ongoing Vendor Monitoring

• Continuously monitor vendor behavior for signs of malicious activity or unusual patterns
• Conduct periodic security audits and assessments of your vendors' networks
• Leverage threat intelligence feeds to stay informed about vendor-specific risks

8. Develop a Vendor-Specific Incident Response Plan

• Create incident response workflows that include steps for addressing vendor-related security incidents
• Ensure vendors are aware of their role in your practice's incident response plan
• Regularly test your plan to ensure it's effective and all parties know their responsibilities

These strategies can help healthcare practices significantly reduce the risk of supply chain attacks while maintaining compliance with HIPAA and safeguarding patient data.

Additionally, working with software and platform providers who have healthcare expertise can be beneficial. For example, two of the examples noted above refer to file transfer or exchange applications. With iCoreExchange, you can email other providers and send encrypted files, of any size, and know your files (and inbox) are safe.

Similarly, a HIPAA risk assessment from iCoreHIPAAcan help you identify potential vulnerabilities and develop a solid security plan and framework to ensure you're decreasing any potential attack surface at your practice.

Whether you need secure HIPAA compliant software solutionsor more support and expertise tailored to your practice and your needs, theiCoreConnectteam is here and ready to show youhow we can help!