Cybersecurity in the healthcare supply chain

Cybersecurity in the healthcare supply chain must be the foundation of the industry’s digital transformation. Without it, cyberattacks will continue to put patients and organizational data at risk.

Introduction

With digital transformation well underway across the healthcare supply chain, cybersecurity has taken a central role alongside it. This is because cyberattacks are only becoming more common as healthcare organizations go digital.   

In the third article of our series on Getting Comfortable with the Uncomfortable, we highlight the need for a strong foundation in cybersecurity to bolster the industry’s digital transformation. Read on to learn the why and how of healthcare supply chain cybersecurity.  

Why focus on cybersecurity in the healthcare supply chain

Healthcare is more digital than ever before. As a result, cyberattacks are now more frequent and often more severe. To illustrate, over 106 million people were affected by healthcare cyberattacks in 2023. This is nearly 2.5x the number of people affected just one year prior in 2022.  

Cyberattacks threaten not only patients’ data, but often the patients themselves. Cyberattacks can disrupt care and even be a threat to life when they force hospitals to shut down.

For example, a 2021 ransomware attack on Scripps Health impacted care not just within the health system but for adjacent hospitals as well. While the health system underwent a monthslong internal disruption, patient numbers, ambulance arrivals, waiting room times, and length of stay increased at nearby hospitals. In fact, the level of disruption in the area was so significant that researchers considered it a regional disaster. 

Cybersecurity breaches can also be very costly, particularly in healthcare. The average cost of a healthcare data breach is the highest of any industry at $10.93 million. 

The surge in supply chain cyberattacks

The increased interconnectivity of healthcare technology systems creates vulnerabilities that impact every corner of the industry. The supply chain is no exception to the recent surge in cyberattacks. 

In fact, supply chain activities are particularly valuable targets for cybercriminals. This is because they are at the top of the funnel of the rest of the healthcare industry. Breaches in healthcare supply chain technologies therefore impact all the downstream customers within the supply chain.

According to a cybersecurity survey of industry professionals, two-thirds reported that their organization suffered a supply chain attack in the past two years. 77 percent of this group said that the attack disrupted patient care. The same survey also found the average cost of these attacks was nearly $5 million. $1.3 million of this cost was directly associated with disruptions to supply chain operations.  

One of the most severe and costly cybersecurity attacks on the healthcare supply chain involved UnitedHealth Group just months ago. United Healthcare faced a ransomware breach and likely paid $22 million in Bitcoin to a hacker group to recover their data.

The effects of this attack, which shut down the largest healthcare payment system in the U.S., rippled throughout the industry. With insurance approvals and reimbursements on indefinite hold, providers and suppliers were paralyzed without the cash to pay or be paid for everything from distributing critical supplies to performing life-saving surgeries.  

In the wake of the United cyberattack, healthcare stakeholders are beginning to recognize the urgency of cybersecurity threats. A 2023 survey found that nearly two-thirds of executives, including those in healthcare, cited cybersecurity as a top concern. The survey respondents are also giving particular attention to cybersecurity education and literacy.

How to prioritize cybersecurity in the healthcare supply chain

Digital transformation is a critical next step for growth in the healthcare supply chain. To be successful, however, the healthcare supply chain must pair it with cybersecurity measures to protect patient and organizational data. 

While we often envision cyberattackers’ methods to be highly technical, the reality is much less complex yet equally sinister. The most common and most successful method that cyberattackers employ is email phishing. Phishing is the fraudulent practice of sending emails under false pretenses in an attempt to trick people into revealing sensitive information.

Keeping employees aware and informed of cybersecurity threats like these can help organizations stay vigilant against cyberattack attempts. Defenses can include a range of strategies—including technical, physical, and administrative safeguards—that all synergize to protect against cybersecurity threats.  

Phishing defenses are important not just to protect against a breach, but to maintain HIPAA compliance as well. The HIPAA Journal offers detailed best practices to prevent healthcare phishing attacks.   

Another of the most common scenarios in which cyberattacks occur is when healthcare organizations store data across multiple environments. According to IBM’s 2023 Cost of Data Breach Report, the highest percentage of breaches occurred under circumstances where data was stored in disparate environments. These breaches were also the costliest and required an average of 291 days to detect and contain.

As such, consolidating your organizational data into a single storage method can significantly reduce the risk of a data breach. This strategy can also help IT teams find and react against data breaches more quickly to lessen the severity of disruption and contain costs. 

Our commitment to cybersecurity

When it comes to consolidating data storage and protecting against cybersecurity threats, choosing technology vendors that can integrate with your existing systems is key. VPL Rx, for example, offers custom shipping integrations with Epic Willow, PioneerRx, Asembia-1, and ScriptPro to transfer patient information safely and seamlessly. 

At the organizational level, we’re committed to cybersecurity through our system and organization controls (SOC) Type 2 certification. This is an independent audit of our internal cybersecurity and data stewardship policies. 

Our internal cybersecurity measures follow ISO 27001 information security standards and include policies on acceptable use, HIPAA compliance, access control, asset management, encryption, backup and restore, operational management, proper data disposal, incident management, supplier security, and secure SDLC. All VPL employees complete annual security trainings on these policies and cybersecurity best practices. 

Conclusion

Given the inevitability of the industry’s digital transformation, cybersecurity in the healthcare supply chain is inevitable as well. The urgency for cybersecurity measures is more apparent than ever as cyberattacks against healthcare organizations become more frequent and costlier.  

Fortunately, there are several strategies healthcare organizations can employ to shield against cyberattacks. Employee education, data consolidation, and partnering with trusted technology vendors are all worthwhile endeavors to safeguard patient data. 

This blog is the third in our series on “Getting Comfortable with the Uncomfortable: The top trends powering the future of the healthcare supply chain.” Learn more from our partners at LLR in their blog.

About VPL

We modernize clinical supply chains to support healthier patients. Our technology-driven solutions and consultative customer experience empower health systems and outpatient pharmacies to build smarter, more resilient supply chains. With over 700 hospitals and a 97% customer retention rate, we’re trusted to deliver transparency, cost savings, and peace of mind.