The Journal of Healthcare Contracting (JHC) asked Mark Campbell, vice president, supply chain for Tampa General Hospital, to weigh in on cyber threats, security and where the healthcare supply chain fits into the overall cybersecurity discussion.
JHC: Why is healthcare a big target for cyberattacks?
Campbell: There are so many suppliers in healthcare, each with their own IT architecture, that it leads to many opportunities for an attack. Further, there is a lack of controls among the many suppliers and a lack of urgency to identify and correct weaknesses.
JHC: What are the most prevalent ways that a healthcare system’s data gets compromised?
Campbell: By far, email phishing is the most prevalent way malware enters the system. We receive so many emails every day that the opportunity to click on something that appears legit is constant.
JHC: What are some ways that organizations can better protect their data?
Campbell: Healthcare providers and suppliers must be proactive in assessing and testing their systems. We must continually remind team members of the ways we can be tricked and how to report suspicious email or messages they receive.
JHC: Where does staff education fit in?
Campbell: Team members are the first line of contact for scams and therefore the first line of defense. We send frequent reminders to everyone and will warn of a specific attack when we discover it has special appeal.
JHC: How have you improved cybersecurity within your own organization?
Campbell: We have dedicated team members in IT that conduct audits and tag information that could be at risk. We have implemented a formal security assessment as part of the contracting process and require suppliers to make changes when necessary before signing a contract for new equipment. We also send our own phishing tests to see how team members react. We then follow up with education, so the same mistake is not repeated. Even senior leaders fall for our phishing tests and they receive the same education. Everyone must be vigilant.
JHC: Where does the healthcare supply chain fit into the cybersecurity discussion? How can supply chain executives help?
Campbell: Supply chain works with IT to include the security assessment in the contracting process. We also look for any software-related items in a supply item or equipment in the value analysis teams to educate team members on potential risks and identify what IT should review as part of the evaluation process. We notify suppliers early in the evaluation process that IT security is important, and you must be prepared to pass the security assessment and make changes, or your product will not proceed.