Whether or not they realize it, all organizations today are threatened by every type of systemic risk. Exiger recently hosted a panel — featuring guest speaker Alla Valente, Senior Research Analyst at Forrester — that explored some of these risks and how to mitigate them, particularly in the healthcare sector.
Although many organizations anticipate cyberthreats to their network, for example, they fail to understand how far-reaching risk can be or to realize how truly interconnected it is. Extreme flooding on the opposite side of the world, a breach of an unrelated company or rising geopolitical tensions in a far-away country can all have a significant impact on an organization without it even realizing it. That’s because many organizations today rely in some way on supply chains — and, therefore, third parties — for business operations, and any risk to a third party also becomes a risk to your organization.
Three Factors Make Healthcare Supply Chains More Susceptible
Perhaps no industry is more susceptible to these risks than healthcare. Three factors help explain why.
Dependencies on Other Industries
As one of the most interconnected industries, healthcare depends on a virtually endless list of other sectors such as pharmaceuticals, manufacturing, transportation, real estate, chemicals and technology, just to name a few. This means that healthcare institutions assume the risks associated with all of these different industries — not just their own.
And it’s not merely the variety of industries healthcare institutions depend on — it’s also the sheer volume. In fact, healthcare institutions typically source from more than 1,000 suppliers, adding significant risk to their organizations.
“We’re not doing ourselves any favor when we think of healthcare as a single sector,” said Munish Walther-Puri, VP of Cyber Risk at Exiger. “It’s tied to many sectors and is dependent on many sectors.”
Specific Security and Privacy Risks
Healthcare institutions are also uniquely at heightened risk for security and privacy threats. PHI (protected health information) is accessed and stored in numerous endpoints throughout a healthcare institution. A hospital might have thousands of medical devices that are connected to patient data and are a potential risk.
Further, PHI is one of the very few data types whose exposure is an immediate privacy and security issue, and since healthcare institutions store and handle this data on a daily basis, they are at increased risk for the potential financial and patient health consequences that might come with it.
“We’re starting to see early challenges and threat vectors around integrity of that data,” said Walther-Puri.
In fact, data integrity is the systemic risk that enterprise risk decision-makers worry about most for 2023, according to a recent Forrester survey tracking the top 10 systemic risks for enterprise businesses.
“Whether we’re talking about the patient-facing side or about the supporting services that run on technology, cyber risk is a business risk,” said Valente.
The Very Real Possibility of Death
Another major consideration for healthcare institutions, one that organizations in other industries may not even need to think about, is that unmanaged risk could quite literally result in death. For healthcare institutions, patient safety is of the utmost importance, but unfortunately, it is becoming increasingly difficult to safeguard patients against all potential risks.
Bad actors can alter patient data and prevent appropriate care from taking place if cybersecurity risks aren’t properly mitigated. Necessary medications may not be available if supply chain and concentration risks aren’t considered. Threats like these are very real possibilities that can ultimately lead to patient deaths.
How Healthcare Institutions Can Mitigate Risks
These are just some of the risks that healthcare institutions face daily, and with so many vendors and suppliers, the list is continually growing. Fortunately, there are some steps organizations can take to fortify themselves against these risks.
The RFP process can be used as a risk information-gathering exercise if organizations conduct their risk assessments in conjunction with contracting. Contracting is also an ideal spot to add necessary transparency and any requirements your organization needs to safeguard against third-party risks.
“Contracts are your risk management secret weapon,” said Valente. “The only time you actually have control over your third parties is during that contracting process — because if it’s in the contract, they are legally required to deliver.”