- The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on supply chain cybersecurity risk management.
- It provides tools and recommends policies for small and medium healthcare organizations to enhance the security of the products and services they obtain.
The guidance is written primarily for non-IT professionals and enterprise leaders who are responsible for supply chain relationships in healthcare organizations.
What is the matter?
To help healthcare providers deal with security issues, the Healthcare and Public Health Sector Coordinating Council (HSCC) has shared guidance.
- The guidance aims at managing cybersecurity risks in the supply chain. The health industry’s supply chain is a complex network involving patient care, payment management systems, pharmaceutical research, information management systems, and others.
- HSCC’s document includes actionable guidance for small to mid-size healthcare organizations that do not have dedicated resources to deal with cybersecurity risks and issues.
- It covers the components of risk management, the process of implementation, and guidance and tools for contract management processes.
- It aligns with the supply chain requirements in the 2018 update to the NIST Cybersecurity Framework.
“Supply chain risk management is an ongoing process. This document provides guidance for health providers and companies on establishing a supplier risk management program involving new and existing suppliers, and how to sustain those activities operationally,” reads the guide.
What does it say?
The guidance recommends that organizations start by identifying potential risks.
- These risks must be prioritized based on factors such as the mission of the organization and supplier relationships.
- An executive sponsor must be assigned to manage the entire cyber risk management program.
- It recommends policies and procedures that align with the organization, taking different components into account.
- The guide also provides information on requirements that can be included in the agreements with suppliers and third-party partners.
- An exhaustive glossary of terms used in the document is also listed.