The new resource, developed by the sector for the sector, guides healthcare organizations to track and manage critical third-party services that support essential workflows.


The Cybersecurity Working Group (CWG) of the Health Sector Coordinating Council (HSCC) is providing healthcare organizations with templates and a methodology to visualize, identify, and measure systemic risk posed by third-party technology, software, and communications services essential to clinical, administrative, and manufacturing workflows.

The Health Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART) culminates 16 months of cross-sector collaboration among 80 organizations in patient care; health insurance; labs, pharmaceutical and blood services; medical technology; public health; and health IT.

“Critical functions in the health sector form a complex ecosystem of interdependent organizations of all sizes, including patient care, payment and data management systems, pharmaceutical, manufacturing, technology research, and public health administration,” says Samantha Jacques, vice chair of the HSCC CWG and co-lead of the SMART Task Group and vice president of clinical engineering for McLaren Health, in a release. “A cybersecurity event affecting a single supplier or third-party support for critical functions across healthcare workflows poses one-to-many impact. A disruption to one payment clearinghouse, for example, can shut down a significant portion of the nation’s healthcare delivery.”

The SMART Toolkit is intended for cybersecurity, supply chain, risk, operational, and administrative executives across health industry organizations of all sizes and subsectors, including healthcare providers, insurance, plans, and manufacturers. Its recommended practices address imperatives for third-party risk management in the Health Industry Cybersecurity Strategic Plan 2024-2029 released by the CWG last year.

“The impact of a cyber disruption on critical functions can include loss of patient data and payment information, theft of intellectual property, or exploitation of medical device vulnerabilities that lead to disruption of functionality or patient harm,” says Premera BlueCross chief information security officer Dr Adrian Mayers, a co-lead of the SMART Task Group. “The growth of ransomware threatens the availability of critical functions and systems, leaving organizations unable to provide services or products relied upon by patients and health professionals.”

Larger organizations have dedicated resources to improve the resiliency of their critical functions, but many small- to medium-sized organizations lack similar scale and need support with tools appropriate to their size, capability, and resource constraints. The SMART Toolkit provides them guidance and methods for managing systemic risks related to their critical functions and dependencies within the health system.

It aims to empower these organizations to demand secure products and high availability of services from their suppliers, thereby driving improved standards for critical functions across the entire healthcare ecosystem. In situations where customer leverage is insufficient to influence third-party security, the SMART tool can help organizations anticipate potential incidents and develop backup and resiliency plans.
