Healthcare Supply Chain Security: Updated Guidance

Vishwas Gadgil of Merck and Ed Gaudet of Censinet Discuss Key Issues, Risk Mitigation
With the escalation of cyberattacks in the healthcare sector during the COVID-19 pandemic, supply chain partners need to strengthen their security controls and defenses, say Vishwas Gadgil of the pharmaceutical firm Merck and Ed Gaudet of the consultancy Censinet.
Three disturbing interrelated trends are emerging, notes Gadgil, Merck's director of IT risk management and security, in an interview with Information Security Media Group.
"Threat actors are laser-focused on stealing the intellectual property of COVID-19 research," he says. "The suppliers of the big companies that are into COVID-19 research are not always capable of handling cybersecurity threats the way the large organizations can."
Meanwhile, threat actors are also intent on causing havoc at healthcare facilities dealing with COVID-19 cases, and typically these facilities are not well equipped to handle these targeted attacks, he adds.
"The combination of these three trends is very concerning because it has a direct public health impact," Gadgil says.
To assist healthcare industry supply chain partners in bolstering their security practices, the Healthcare and Public Health Sector Coordinating Council recently released updated supply chain cybersecurity guidance, says Gaudet, co-chair of the HSCC task force that prepared the new document.
The updated Health Industry Cybersecurity Supply Chain Risk Management Guide is based on the National Institute of Standards and Technology's Cybersecurity Framework, Gaudet notes.
Included in the updated guidance are critical supply chain cybersecurity requirements and policy templates "using contractual language to manage and remediate risks," he says.
The guidance points out that, once an organization puts into place security requirements for supply chain partners to follow, it's important to test that the suppliers are actually implementing the controls, Gaudet says.
Also included in the guidance is incident response advice. Incident response, Gaudet says, is "a very complex and complicated problem when you start thinking about entities and suppliers of suppliers."
In the interview, Gadgil and Gaudet also discuss:
- The significance of recent government warnings about ransomware and other cyberattacks disrupting the U.S. healthcare sector;
- Areas of supply chain security weakness in the healthcare sector that need more attention;
- Emerging supply chain security risk issues facing the healthcare sector in the year ahead.
Gadgil is director at Merck's IT risk management and security organization. He's worked at Merck for 16 years and is responsible for protecting the IT systems that support its global research and development function. He's also responsible for Merck's strategy for supplier cybersecurity risk management and representing IT security on Merck's global M&A activities. Prior to joining Merck, Gadgil worked at consulting companies.
Gaudet is CEO and founder of the consulting firm Censinet. With more than 30 years of software experience, he has spent the last 10 years helping healthcare providers modernize and automate their cyber risk and security infrastructure. He is a member of the Department of Health and Human Services' healthcare sector cybersecurity working group and various Health Sector Coordinating Council task groups, including for cybersecurity, supply chain risk management and emerging technology.