When all is said and done, the 2024 ransomware attack against Change Healthcare may be the most impactful cybersecurity event ever in the healthcare industry. Not only did the attack demonstrate how fragile certain chokepoints of information and services are within the industry, but it also has spawned a newfound awareness of the potential impact of incidents on patient care and availability.
To address this, several initiatives have sprung up, the most recent being the publication of the Health Sector Coordinating Council Cybersecurity Working Group's Sector Mapping and Risk Toolkit (SMART). The toolkit contains a set of 17 templates that enable healthcare organizations to map and visualize workflows, identify areas of risk, and pinpoint where mitigations are most urgently needed.
"We started with eight or 10, but then it started to expand and we landed on 17 workflows: blood supply and distribution, claims and payments, dialysis, pharmaceutical and medical supplies, manufacturing, and so on, all of these core functions and workflows that happen day to day in the healthcare system," HSCC Executive Director Greg Garcia said on the most recent Nexus Podcast.
"Let's look at each one of those discretely, and bring into the process those companies, those health providers, those individuals that are involved in the claims and payments workflow, or the laboratories or radiology. Who works in those workflows? And let's map it out. So that was the process," Garcia said.
Published Oct. 7, the SMART toolkit is adaptable per organization. For now, the HSCC is hoping to reach critical mass in adoption and to collect feedback as users implement the templates and visualize their workflows and potential trouble spots.
“The task is to use it,” Garcia said. “And we don't have all the answers, of course. We are asking the users to put it to work and give us the feedback. Critique it. Did this map on dialysis hit the mark? What critical function did we miss? How did you implement it? What were the steps that you used? What were the lessons learned?”
The toolkit focuses on a number of critical areas, including the identification of systemic risk and the risks introduced by third-party service dependencies in healthcare workflows.
"Health providers are often beholden to their third parties," Garcia said, whether through actual cybersecurity incidents or through outages in which services and patient care are impacted. And third parties across critical infrastructure sectors beyond healthcare are often not regulated.
“I tread carefully when I suggest regulation, but part of the issue is if there isn't an incentive for third parties to build strong security products, strong security into products or into services, and there's no [market] leverage upon them to do so, then likely they're not going to,” Garcia said. “Until such time that third party providers are held to a higher standard of cybersecurity because they are supporting the nation's critical infrastructure. … If you are supporting critical infrastructure, you ought to be held to a higher standard.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.