Cybersecurity Toolkit to Help Health Sector Manage Third-Party Services 

SMART Toolkit is designed to provide actionable guidance and methods for managing systemic risks and dependencies within the health system
Oct. 7, 2025

The Cybersecurity Working Group (CWG) of the Health Sector Coordinating Council (HSCC) is providing healthcare organizations with templates and a methodology to visualize, identify and measure systemic risk posed by third-party technology and services.

The HSCC is a government-recognized critical-infrastructure industry advisory council of more than 480 healthcare organizations.

The Health Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART) is the culmination of 16 months of cross-sector collaboration among 80 organizations in patient care; health insurance; labs, pharmaceutical and blood services; medical technology; public health; and health IT.

 “A cybersecurity event affecting a single supplier or third-party support for critical functions across healthcare workflows poses one-to-many impact,” said Samantha Jacques, vice chair of the HSCC CWG and co-lead of the SMART Task Group, in a statement. “A disruption to one payment clearinghouse, for example, can shut down a significant portion of the nation’s healthcare delivery,” she added. Jacques is vice president of clinical engineering for McLaren Health in Michigan.
 
The SMART Toolkit is intended for cybersecurity, supply chain, risk, operational and administrative executives across health industry organizations, including providers, insurance plans and manufacturers. Its recommended practices directly address imperatives for third-party risk management in the Health Industry Cybersecurity Strategic Plan 2024-2029 released by the CWG last year.
 
“The impact of a cyber disruption on critical functions can include loss of patient data and payment information, theft of intellectual property, or exploitation of medical device vulnerabilities that lead to disruption of functionality or patient harm,” added Premera BlueCross Chief Information Security Officer Adrian Mayers, Dr.B.A., a co-lead of the SMART Task Group, in a statement. “The growth of ransomware,” he warned, “threatens the availability of critical functions and systems, leaving organizations unable to provide services or products relied upon by patients and health professionals.”
 
HSCC noted that while larger organizations have dedicated resources to improve the resiliency of their critical functions, many small to medium-sized organizations lack that scale and need support with tools appropriate to their size, capability and resource constraints. The SMART Toolkit is designed to provide them with actionable guidance and methods for managing systemic risks related to their critical functions and dependencies within the health system. It empowers these organizations to demand secure products and high availability of services from their suppliers, thereby driving improved standards for critical functions across the entire healthcare ecosystem. In situations where customer leverage is insufficient to influence third-party security, the SMART tool can help organizations anticipate potential incidents and develop backup and resiliency plans.

 

About the Author

David Raths

David Raths is a Contributing Senior Editor for Healthcare Innovation, focusing on clinical informatics, learning health systems and value-based care transformation. He has been interviewing health system CIOs and CMIOs since 2006.

 Follow him on Twitter @DavidRaths
