Uniting Supply Chain Resilience and Cyber Preparedness

AHA and Exiger

Podcast
April 22, 2026
John Riggi, National Advisor for Cybersecurity and Risk
Brendan J. Galla, Chief Product Officer

As cyberattacks increase against supply chain and third-party providers, the downstream effect on healthcare providers, hospitals, and health systems continues with significant impact. In fact, recently, Exiger CEO Brandon Daniels testified before the US Senate Special Committee on Aging about risk to the medical and medicine supply chain. We’ll explore this critical topic today on how a unified view of supply chain and cyber risk can empower healthcare leaders to make smarter, faster decisions, ultimately protecting patient safety and ensuring timely access to treatments.


From Tariffs to Ventilators: The Hidden Fragility of Healthcare Supply Chains

John Riggi

As cyberattacks increase against supply chain and third-party providers, the downstream effect on healthcare providers, hospitals, and health systems continues with significant impact. In fact, recently, Exiger CEO Brandon Daniels testified before the US Senate Special Committee on Aging about risk to the medical and medicine supply chain. We’ll explore this critical topic today on how a unified view of supply chain and cyber risk can empower healthcare leaders to make faster, smarter decisions, ultimately protecting patient safety and ensuring timely access to treatments. Today I’m joined by Brendan Galla, Chief Product Officer at Exiger. Exiger is recognized as an American Hospital Association preferred cybersecurity and risk provider.

Let’s start with the big picture: with global trade policies in flux, supply chains under pressure, and tariffs — how can hospitals and healthcare providers proactively insulate themselves from these uncertainties, especially when both physical and digital supply chains are at risk?

Brendan Galla

I think the short answer is by knowing the direct and indirect supply chain risks they’re exposed to, and most importantly, how to think about their exposure to those risks. That may sound obvious but putting it into practice is extremely challenging. Let me clarify what we mean when we talk about risks and exposure. Hospitals and healthcare providers, they’re exposed to all sorts of supply chain risks, from financial and operational issues of a supplier of medical devices to the cybersecurity or the firmware that’s installed on those devices.

Typically as you move up a supply chain, the direct suppliers may be well known established brands where a financial risk could almost seem absurd. But I remember during the COVID-19 response where we were working with the government, we found that nearly all production of a small part of ventilators was traced back to a tiny little company in Italy that got completely shut down for an extended period, at a point when ventilators were highly sought after.

All of a sudden, product capacity halted. While it may seem unlikely that GE HealthCare could experience an operational issue, the key is recognizing that GE HealthCare doesn’t manufacture 100% of the parts that go into the ventilator.

To draw a comparison to another industry, the B-2 bomber’s wings were made by Boeing, its cockpit was made by Northrop, its bomb bays were made by LTV. That’s not to mention the 4,000 other manufacturers that created other parts and components. So, all that to say, it’s often these downstream dependencies of these sub-tier players that can be the source of those critical disruption risks. But now how do you know who those players are? Or even if you don’t have a direct relationship with them, how do you understand that they’re going to impact you?


The second is to realize that the same risk issue on the same supplier could have completely different impacts on one hospital versus another depending on their relationship. If you look at a supplier of syringes to a hospital that might be local to them in the US that experiences a production disruption — if for one hospital that’s their only supplier and inventory levels are sort of low, it’s a major issue. They’ve got a huge shortage they need to react to quickly. While for another, it could be one of three suppliers, plenty of alternative options. It’s really important to understand your relationship to those things.

So, what are hospitals to do? Fortunately, the technology advancements of today have made both problems — the visibility problem and the risk understanding problem — things that are actually feasible to navigate for hospitals and healthcare providers. When I think about arming them with critical intelligence, they’re much better situated to understand the impact of an event and the options they have to remediate that issue — which might be:

  • Can we find an alternative supplier?
  • Can we go to the supplier and confirm this is a real issue?
  • Can we remediate that issue directly with them?

Being in that proactive posture puts organizations in control of their own destiny versus playing from their heels. Once you get good at this, then you can start to gameplay out different scenarios. What happens if this supplier goes away? What could I do? That’s how we think about helping these organizations to really insulate themselves.

To summarize, I think once you’ve got transparency and visibility into the relationships that you can’t see, and real time monitoring of the issues that potentially impact those relationships, you can combine that with your data: What’s my relationship? My inventory levels? The criticality of that supplier?

John Riggi

In terms of the interdependencies, we often talk about in healthcare how it’s third-party risk that provides one of the most significant sources of risk facing hospitals, both cyber and supply chain, of course; cyberattacks affecting supply chain, but it’s fourth- and fifth-party risk. Most organizations do not have the capability to map that out and understand.

A big and most obvious example for us — the Change Healthcare attack last year. The largest healthcare cyberattack in history, Change ran in the background, touched almost every hospital in the country. They had an unpatched vulnerability in third-party software they were using, and the result? Every hospital in the country lost access to revenue cycle. Again, directly or indirectly. Prescriptions were delayed; surgeries were cancelled. All because of an unpatched vulnerability in third-party technology at a third-party provider.

Brendan, historically traditional supply chains and software or cyber supply chains have been managed by separate departments. Why do you think that’s been the case and what risk does this siloed approach pose to healthcare organizations today?


Brendan Galla

The primary reason is probably expertise. Most non-technical people equate cyber to a hooded sweatshirt-wearing misfit in a dark room that speaks a totally different language. It’s intimidating; it’s confusing; it’s unrelatable. If you were to ask ten procurement or supply chain professionals how they assess cyber hygiene of a supplier that they may be working with, I bet nine out of ten would sort of shrug their shoulders. The good news is times are changing and now they have tools in their repertoire that give them a fighting chance to make that initial assessment.

That’s more akin to what we see in risk assessments in other industries. Think about walking into Nordstrom’s and buying a suit; they’ll ask if you want to use their credit card to get a 10% discount. The person at the register is not a financial expert, but they can quickly run your credit check and understand if there’s any delinquency risk. It’s turning into a more standardized approach, giving them an understanding like what you see in the credit rating market that will allow people to have a tool in this fight.

The other reason is just tenure in the markets. If you ask most people: do they think of supply chain when they think about cyber or software risk, most of them don’t. But the reality is 90% of all the world’s software is leveraging open-source software (OSS). That’s a huge exposure. When you consider that software is really a collection of these parts coming together to form one bigger product, it’s just a digital representation of the same issue we face on the physical side of the house.

Under the hood, it looks the same, and I don’t think the markets have really caught up in terms of the cyber side of the house. The risks are really that software and firmware are in almost everything we use today. I use Ray-Ban sunglasses and there’s firmware running on those. The worlds of physical goods and digital goods are intertwined more than we’ve ever seen before, and it’s only getting more intertwined.

Separating these worlds means that you can get conflicting information. The group handling the cyber side may say, “Hey, we’re good.” The group handling the other side may say “No”, or vice versa, or worse. You get a synergy between the two that you lose out on when you keep them separate. Our belief is that a centralized view to both worlds puts an organization on the most solid footing to protect themselves.


What are practical things you could do? Some of the things we’ve seen in our own work:

  • Build software vulnerability management requirements into your contracts.
  • Require an SBOM. Make sure you’re monitoring across both of those worlds and bringing the experts in where some of those signals arise.
  • Make your primary suppliers and distributors part of the solution, not part of the problem. Let them know you need their support on transparency into these relationships, on access to certain data that allows you to do a proper understanding of risk, and on remediating an issue if you find it.

Too often, we hear the refrain of, well, we don’t want to bother them, but if the industry starts holding each other accountable, I really think we can lift all boats.

John Riggi

Frankly, I was amazed to hear you say 90% of software is open source. Even Microsoft obviously uses open source and they build upon that. I don’t know if you remember, a couple of years back, to highlight the vulnerability in widely used open-source software — Log4j. This was a vulnerability in almost every device, every software that has logging capabilities: a major vulnerability that arose right around Christmas a couple of years ago. All CISOs around the country and in every industry were scrambling to root out, “where’s Log4j?” in their networks and patch it quickly.

Great point too about working with your suppliers. Nobody knows their products better than them. They have insights you will not gain from a questionnaire sent to them as part of your third-party risk management program.

And then ultimately, great point about ensuring your organizational structure — third-party supply chain folks, third-party risk supply chain and cyber — is designed in a way that mirrors the actual environment, the world. We shouldn’t be operating in silos. Third parties use open-source software. There’s that collaboration and communication. Internally we need the same structure in our organizations. Can you share some real-world examples of vulnerabilities in software components, whether in IT systems or embedded technologies, and the kind of disruptions or patient safety concerns they can lead to?

Brendan Galla

First, just so people are clear, most organizations today use software that contains open source. So, what does that actually mean? At Exiger, we write an application — that’s our code. But the way code is compiled today, it’s got a bunch of different open-source components that get built in. Other people write that open-source component, and it gets shared as a community. Usually, you won’t write that code from scratch because it’s already been tried, true, tested; you just grab it and pull it in, and it becomes a piece of your software.

Thus, the stuff we’re using in our everyday lives often has some connection to code that is owned and maintained — perhaps by a single person, or importantly, a group that has no idea how it’s being used downstream. Just think about the applications of a great PDF that could be used in critical infrastructure systems to an app on your phone. There’s not a good understanding of how all these things trace back together and it can take just one poor contribution, whether innocent or intentional, that gets merged into a production environment and can cause a whole host of these downstream problems.

In this day and age, that’s further complicated by compatibility between new and old dependencies. And when we think about cloud, it gets quite complex to trace. Piggybacking on your Log4j comment, it was an open-source library that opened access wherever it was installed to nefarious actors who could gain access to these servers remotely and take control of a system. They could steal your data or introduce malware. Most organizations had no idea whether they were running Log4j as part of it. And I remember, it was this massive scramble. We helped organizations understand where this sits in software that you might be using.


Then there are also cases where, on firmware, it effectively allows hackers to control that device remotely. If you think about something like a pacemaker or an insulin pump, there have been cases where you can gain access to their settings. You could change the dosage amounts, you could change the pacing. These can present real dangers to patients. And more recently this year, we had the warning from CISA and FDA around Contec patient monitors that could be controlled remotely to provide misinformation to practitioners.

I would say while some of these threats seem like they’re unlikely or even embellished, we find ourselves in interesting times. You mentioned it in your opening remarks, but this week our CEO testified in front of the Senate about how the US can be controlled by China due to our incredible dependencies on them for prescription drugs. Given the rhetoric between nations, I don’t think many people would think it’s a far-off risk that they could cut off those supply lines. Well, it’s the same thing with cyber. This is just another threat vector that could be exposed. While it may have at one point seemed like nobody’s ever going to do that, these things are possible now and we must make sure we’re taking it seriously.

John Riggi

Our dependency on China for a variety of economic products and services has created risk. The reality is China’s an adversary nation and they want to be the dominant superpower — it’s in their hundred-year plan by 2049. Not necessarily militarily, but certainly economically. And to your comments about medical devices, yes, it’s definitely a risk. We haven’t seen a case where bad actors got in and manipulated the function of a medical device to cause harm. However, what we have seen is that bad guys get in and deny the availability of a medical device, which causes delay and disruption of healthcare delivery, ultimately posing the same risk to patient safety but on a broad scale.

Your example about the Contec CMS 8000 patient monitor — it came with a special feature that nobody was aware of — backdoor transmitting data to Shanghai, China. And it was a particular university as I recall, again, leading that pathway. Why are we so concerned about it? You touched on it, Brendan. China has been publicly called out by the US government for planting not only malware for espionage purpose, but for destructive purposes on our critical infrastructure, telecommunications, energy, water, and wastewater. If in fact, when or if they invade Taiwan to blunt a US response — that’s from the US government, not from John Riggi. It is a reality.

Looking ahead, what are the strategic advantages of bringing supply chain transparency, both physical and digital under one roof, and how can AI and advanced analytics help streamline how all supply chains are measured, monitored, and managed?

Brendan Galla

I can’t understate enough the importance and benefits of a single pane of glass:

  • It provides a consolidated view across functions and risk owners that are most likely undistributed teams. Today, that information is often housed in a number of different systems, so you find people swivel-chairing into different systems.
  • There might be data inconsistencies between those systems.
  • It creates a lot of inefficiencies.
  • It opens the door to human error and really poor decision making.
  • If we’re viewing these different concepts through different user experiences, it can lead to different opinions.

If you’ve got one common set of diagnostic tools for assessing risk, you actually increase the number of eyes and therefore the chance that you’re going to catch something that might be an issue, even if it’s somebody who doesn’t understand that issue, right? If it’s a red, yellow, green scale and I’m looking at that, doesn’t matter if I’m not a trained CISO; I can see that red’s something I should do something about. Leveraging that consistent user experience and centralizing that view, makes it much more robust in terms of an operational process.


I also believe that we can take advantage of the network effects. By that I mean, industries too often get hung up on competing on what I think are the wrong things. If instead they work together on some of the staples, it would allow them to focus on features that differentiate them and make them more valuable and intriguing to a customer.

The network benefit here is if we pull in an organization, a hospital, and they’re putting in information on digital and physical supply chains, we’re illuminating that for them or even risk assessing that for them. When the next hospital comes in and they do the same, and the next one comes in and they do the same, all of a sudden you start to build this huge pool of data… and then you bring in the suppliers and distributors to that world as well. Now you’re getting this massively rich data set that is highly accurate and highly usable for these organizations. That virtuous relationship we could create out of that ultimately benefits the American people.

From an AI perspective, the biggest advantages are quality of data and scale. The things we’re able to do now with little input or in some cases expertise is fascinating. Prior to recent advancements in AI, I would need an in-house expert to explain to me the end-to-end process and all the component parts that go into the production of a medical device or a vaccine. If I was fortunate enough to have them on staff, it would still take me months and months to produce this and then keep it maintained from a documentation process.

Now, we can start with as little as a product name or a part number and models can go out and create a pretty representative supply chain in minutes. I’m not saying it’s perfect yet, but the pace of innovation and the art of possible that we’re seeing is so encouraging. And this is just one use case. You apply those AI technologies to comprehensive and broad risk detection, to data creation, to automation of workflows. I really feel like we’re going to look back in five years and feel like we’ve seen 50 years of innovation. It’s very exciting times with what we can do.

John Riggi

Brendan, before we wrap up, what’s one key takeaway you’d offer healthcare executives looking to strengthen their organization’s resilience across both supply chain and the cyber domains?

Brendan Galla

Be proactive. I learned a long time ago, it’s better to floss every day than to try to brush like crazy the night before a dentist visit. Take advantage of the tooling that’s available on the market. It doesn’t just help in a time of crisis. It helps optimize and sustain a healthy business during good times as well. Don’t wait for that crisis.

For healthcare providers and hospitals, the cost of complacency, in my view, is too high and it’s not worth the risk. So be proactive, prioritize the investment, and I think you’ll sleep better at night knowing you’ve put the people that depend on you inside and outside of your organization in a safer place.
