Health Sector Publishes Guidance on Supply Chain Cybersecurity Risk Management

The Healthcare and Public Health Sector Coordinating Council (HSCC) today published the second release of its toolkit for small to mid-sized healthcare institutions to implement and sustain a supply chain cybersecurity risk management program...

Washington, DC – September 22, 2020 – The Healthcare and Public Health Sector Coordinating Council (HSCC) today published the second release of its toolkit for small to mid-sized healthcare institutions to implement and sustain a supply chain cybersecurity risk management program. Since its original release in October 2019, the “Health Industry Cybersecurity Supplier Risk Management (HIC-SCRiM)” guide has become one of the HSCC’s flag-ship products, accessed by more than 10,000 individuals. It provides actionable guidance and practical tools to help organizations of limited scale or resources to manage the cybersecurity risks they face through their dependencies within the health system supply chain.

“By enabling these organizations to ensure secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all,” said Greg Garcia, HSCC Executive Director of its Cyber Security Working Group.

The toolkit structure follows the Supply Chain requirements within the NIST Cyber Security Framework (CSF). The first release of HIC-SCRiM provided concrete guidance on three of the five NIST CSF Supply Chain requirements covering process as well as practical tools such as contractual language and risk assessment templates. This second release completes the five NIST CSF requirements by covering adherence to contractual terms and testing response and recovery in case of supplier cybersecurity incidents.

“Whether in the administrative offices or in the operating room, the technology and services we introduce into the circulatory system of clinical care must be deployed with patient safety at top of mind,” said Ed Gaudet, CEO of Censinet, who led the work on the new release. “To achieve that patient safety assurance, an enterprise supply chain risk management system must be structured, repeatable, and measurable. This publication provides the tools for that structure.”

While primarily written for small and medium sized organizations, the guide also makes a call to action for large healthcare organizations, associations and consultancies to raise awareness and encourage adoption across the sector.

Co-chaired by Chris van Schijndel of Johnson & Johnson and Vish Gadgil of Merck, the Supply Chain Security task group that developed the toolkit is made up of more than twenty supply chain and cybersecurity professionals from a broad spectrum of health sector organizations.

To access and download a copy of the HIC-SCRiM, go to https://HealthSectorCouncil.org/HIC-SCRiM-v2.
This is the 11th best practices guidance published by the HSCC since 2019. Other HSCC Joint
Cybersecurity Working Group resources published in 2019 and 2020 include:

1. Health Industry Cybersecurity Return to Work Guidance – https://healthsectorcouncil.org/r2w/
2. Health Industry Cybersecurity Tactical Crisis Response – https://healthsectorcouncil.org/hic-tcr/
3. Health Industry Cybersecurity Protection of Innovation Capital – https://healthsectorcouncil.org/hic-pic/
4. Information Sharing Best Practices: Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP)
5. Management Checklist for Teleworking Surge During COVID-19 Response: https://healthsectorcouncil.org/covid-checklist/
6. Health Industry Cybersecurity Supply Chain Risk Management Guide v.1 (HICSCRiM): https://healthsectorcouncil.org/hic-scrim/
7. Health Industry Cybersecurity Matrix of Information Sharing Organizations (HICMISO): https://healthsectorcouncil.org/hic-miso/
8. Health Industry Cybersecurity Workforce Development Guide: https://healthsectorcouncil.org/workforce-guide/
9. Health Industry Cybersecurity Practices (HICP): https://healthsectorcouncil.org/09-20-2020-health-sector-publishes-guidance-on-supply-chain-cybersecurity-risk-management/
10. Medical Device Joint Security Plan: https://healthsectorcouncil.org/the-joint-security-plan/

About the Healthcare and Public Health Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group (JCWG). The HSCC is an industry-driven public private partnership of health companies and providers developing collaborative solutions to mitigate threats to critical healthcare infrastructure. It is one of 16 critical infrastructure sectors organized to partner with the government under Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience. The HSCC Joint Cybersecurity Working Group (JCWG) includes 300 medical device and health IT companies, direct patient care entities, plans and payers, labs, blood and pharmaceutical companies, and several government partners. The JCWG industry chair is Terence (Terry) Rice, Vice President, IT Risk Management and Chief Information Security Officer for Merck & Co.

For more information:

Greg Garcia, HSCC Cybersecurity Working Group Executive Director:
Greg.Garcia@HealthSectorCouncil.org

or visit us online at https://healthsectorcouncil.org
Original post: https://healthsectorcouncil.org/09-20-2020-health-sector-publishes-guidance-on-supply-chain-cybersecurity-risk-management/

##