As healthcare increasingly relies on technology, and with patient care and practice administration being paramount, many practices rely on the resources provided by software vendors to support everything from RCM and communications to healthcare workflows. With those reliances likely to increase, practices need to understand supply chain attacks and how to reduce their risk.
A supply chain attack is a cyberattack that targets an organization's external vendors or service providers, exploiting security vulnerabilities within the supply chain to gain unauthorized access to the main network.
Rather than attacking a healthcare practice directly, cybercriminals focus on third-party vendors such as software providers, medical device manufacturers, or cloud service platforms, which may have weaker security controls. Once compromised, these trusted partners can serve as a gateway for attackers to infiltrate sensitive systems. Essentially, it can become like a chain of dominoes, toppling one system after another.
As an example, the Change Healthcare attack highlighted the widespread and devastating impact of an attack on a supply chain. In that case, the consequences have been long-lasting and may continue for years to come. The direct and immediate impact meant that not only could healthcare providers not access records or process payments, but patients were also unable to get necessary prescriptions.
For healthcare practices, supply chain attacks pose a significant threat, not only to workflows but also to patient data and HIPAA compliance. And, as we saw with the Change Healthcare attack, assaults on the supply chain can even prevent practices from conducting business, processing payments, and ensuring the financial security of their practice or organization. In short, these attacks may not only lock down systems, but they can also expose EHRs, billing systems, and other critical data to malicious actors and, in some cases, the dark web or other hackers.
Given the complexity of healthcare supply chains and the volume of external services used, the risk of attack is heightened, making it crucial to ensure that all partners maintain rigorous security and compliance standards and that practices put Business Associate Agreements (BAAs) in place with them.
Understanding that a risk exists isn’t the same as understanding how an attack occurs. To better protect your organization, it’s important to understand how supply chain attacks happen before we look at a few examples.
One of the most common ways supply chain attacks happen is through software updates. Vendors often push automatic updates to their products, and cybercriminals can compromise these updates to inject malicious code into healthcare systems. If a healthcare provider relies on an affected software platform, the malware gets installed without detection, opening up pathways for data theft, ransomware, or system disruption. This is what occurred in the 3CX attack, where a compromised software update allowed attackers to access healthcare communications networks.
Similarly, vulnerabilities in cloud services and medical devices also create entry points for attackers. Many healthcare organizations rely on third-party cloud platforms for storing and managing patient data, and if these platforms have weak security protocols, they become prime targets for cybercriminals.
In the same way, connected medical devices that run on third-party software are vulnerable if they lack adequate encryption, authentication, or regular patching. The Philips Healthcare Devices breach in 2023 highlighted this risk, as attackers exploited vulnerabilities in medical device software to access healthcare networks.
Other vulnerabilities include weak vendor cybersecurity policies, lack of regular security assessments, and insufficient monitoring of third-party access. If a vendor does not adhere to strict security practices, it can expose the healthcare provider to risks like phishing, ransomware, or data breaches.
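The last of those gaps, insufficient monitoring of third-party access, is one a practice can close on its own side. The following is an added example, not from the article or from iCoreConnect, of the kind of check a practice can run over its own authentication logs: each vendor service account is held to the source range, maintenance window and target systems agreed with that vendor, and anything else is flagged. The log format, account names, address ranges and policy values are all constructed for the example.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy for two hypothetical vendor service accounts: each vendor may
# connect only from its published address range, inside the agreed maintenance
# window, and only to the systems named in its access agreement.
VENDOR_POLICY = {
    "svc-rcm-vendor":    {"cidr": "203.0.113.0/24",  "window": (time(1, 0),  time(5, 0)), "hosts": {"billing-db"}},
    "svc-device-vendor": {"cidr": "198.51.100.0/24", "window": (time(22, 0), time(6, 0)), "hosts": {"imaging-gw"}},
}

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <account> <source ip> <target host> <result>"
    ts, account, src, host, result = line.split()
    return datetime.fromisoformat(ts), account, ipaddress.ip_address(src), host, result

def in_window(t, start, end):
    # Maintenance windows may cross midnight (e.g. 22:00-06:00), so handle both cases.
    return start <= t < end if start <= end else (t >= start or t < end)

def check_vendor_access(lines):
    """Return one (timestamp, account, reasons) finding per log line that breaks vendor policy."""
    findings = []
    for line in lines:
        ts, account, src, host, result = parse_line(line)
        policy = VENDOR_POLICY.get(account)
        if policy is None:
            continue  # not a vendor account; staff access is covered by other rules
        reasons = []
        if src not in ipaddress.ip_network(policy["cidr"]):
            reasons.append("source outside vendor range")
        if not in_window(ts.time(), *policy["window"]):
            reasons.append("outside maintenance window")
        if host not in policy["hosts"]:
            reasons.append("target not in access agreement")
        if reasons:
            findings.append((ts.isoformat(), account, "; ".join(reasons)))
    return findings

# Constructed sample log: two expected vendor logins, two that break policy, one staff login.
SAMPLE_LOG = [
    "2024-03-02T02:15:00 svc-rcm-vendor 203.0.113.45 billing-db SUCCESS",
    "2024-03-02T14:40:00 svc-rcm-vendor 203.0.113.45 billing-db SUCCESS",
    "2024-03-02T23:05:00 svc-device-vendor 198.51.100.7 imaging-gw SUCCESS",
    "2024-03-03T03:30:00 svc-device-vendor 192.0.2.9 ehr-app SUCCESS",
    "2024-03-03T09:00:00 jsmith 10.0.0.5 ehr-app SUCCESS",
]

if __name__ == "__main__":
    for finding in check_vendor_access(SAMPLE_LOG):
        print(*finding)
```

Run against the sample log, the check passes the two in-policy vendor logins and the staff login, and reports the daytime login by the RCM vendor and the device vendor's login from an unknown address to a system outside its agreement.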
Supply chain attacks have emerged as a significant cybersecurity risk, particularly in healthcare, where the protection of sensitive patient information and maintaining compliance with regulations including HIPAA are paramount. With the increasing reliance on interconnected software platforms, medical devices, and cloud-based services, healthcare practices face greater vulnerability to such attacks.
One of the primary concerns in healthcare is the potential exposure of ePHI due to supply chain vulnerabilities. A compromised vendor can give cybercriminals access to the entire healthcare network, jeopardizing data such as patient records, billing information, and even clinical workflow systems. This not only puts the practice at risk of violating HIPAA regulations, which mandate strict data protection standards, but can also lead to hefty fines, legal liabilities, and a loss of patient trust.
As supply chain attacks grow more sophisticated, it’s essential for healthcare organizations to be proactive in managing their third-party relationships and to ensure every vendor adheres to stringent cybersecurity protocols. This is why BAAs are essential, though they are not a security guarantee on their own. With healthcare already a high-value target for attackers, protecting the extended supply chain is crucial for maintaining both security and compliance.
While supply chain attacks are on the rise and an increasing cybersecurity threat, they’re not a new phenomenon. And, sadly, Change Healthcare isn’t the only example.
1. MOVEit (2023)
MOVEit is managed file encryption and transfer software used by many organizations, including those in healthcare. Cybercriminals exploited a vulnerability in the software to access and steal sensitive data from affected systems. Healthcare organizations relying on MOVEit for secure file transfers were compromised, leading to the exposure of protected health information (PHI) and other confidential data.
2. United Healthcare (2023)
The United Healthcare supply chain attack refers to a 2023 incident where hackers targeted a third-party vendor, IBM’s Aspera, which was used by United Healthcare for secure file transfers. Exploiting a vulnerability in Aspera's software, cybercriminals gained access to sensitive data, including personal health information (PHI) of United Healthcare members.
3. NextGen (2023)
The NextGen Healthcare supply chain attack involved a ransomware attack on a third-party vendor that provided services to NextGen, a healthcare technology provider. This breach led to the exposure of sensitive patient data, including protected health information (PHI), potentially impacting HIPAA compliance.
4. Philips Healthcare Devices (2023)
The Philips Healthcare Devices supply chain attack involved the exploitation of vulnerabilities in software integrated with Philips medical devices. These vulnerabilities allowed attackers to potentially access sensitive healthcare data and disrupt device functionality. As Philips devices are widely used in healthcare settings, the attack raised concerns about the security of IoT medical technologies and emphasized the risks posed by third-party software.
5. Brightline (2023)
The Brightline supply chain attack occurred when a vulnerability in a third-party vendor’s platform was exploited, leading to the exposure of sensitive patient data. Brightline, a telehealth provider specializing in behavioral healthcare, relied on this vendor for critical services, and the breach compromised the protected health information (PHI) of numerous patients.
6. 3CX (2023)
The 3CX supply chain attack targeted a popular communications software company through a compromised software update. Hackers were able to infiltrate the company's update mechanism, injecting malicious code into the system. Healthcare organizations using 3CX for communication services were affected, as the malware provided attackers with access to sensitive information, potentially including patient data.
As these examples make clear, it’s not just one piece of software, one type of application, or one vendor that’s at risk. What we can glean from this is that vetting providers, updating and patching applications, and conducting risk assessments are an important part of any healthcare organization's security posture.
Protecting your practice from healthcare supply chain attack risks requires a multi-layered approach, addressing both technical safeguards and vendor management practices. There are, thankfully, some critical strategies to minimize the risk of supply chain attacks.
These strategies can help healthcare practices significantly reduce the risk of supply chain attacks while maintaining compliance with HIPAA and safeguarding patient data.
Additionally, working with software and platform providers who have healthcare expertise can be beneficial. For example, two of the examples noted above refer to file transfer or exchange applications. With iCoreExchange, you can email other providers and send encrypted files, of any size, and know your files (and inbox) are safe.
Similarly, a HIPAA risk assessment from iCoreHIPAA can help you identify potential vulnerabilities and develop a solid security plan and framework to ensure you’re decreasing any potential attack surface at your practice.
Whether you need secure HIPAA compliant software solutions or more support and expertise tailored to your practice and your needs, the iCoreConnect team is here and ready to show you how we can help!