The Healthcare and Public Health Sector Coordinating Council (HSCC) released a toolkit on Oct. 15 aimed at helping small to mid-sized healthcare institutions use an enterprise supply chain cybersecurity risk management program to shore up the security of the products and services they procure.
In a press release, HSCC said that the toolkit is “intended to provide actionable guidance and practical tools to help organizations of limited scale or resources to manage the cybersecurity risks they face through their dependencies within the health system supply chain.”
HSCC also noted that its guidance is aligned to the new supply chain requirements within the 2018 update to the NIST Cybersecurity Framework, as well as to the HSCC Joint Cybersecurity Working Group’s Health Industry Cybersecurity Practices (HICP) resource. The toolkit also “provides concrete guidance on process and governance, as well as practical tools such as contractual language for different supplier relationship types, risk assessment and supplier inventory templates and policy examples.”
The guidance is broken into three primary areas:
- “The ‘what’ or components of supplier risk management program; e.g., policies and procedures, roles and responsibilities, and establishing overall governance.
- The ‘how’ or process of establishing and sustaining the supplier risk management program, including inventory of suppliers, risk assessment and risk treatment guidance.
- Specific guidance and tools supporting the contract management process.”
More than 20 supply chain and cybersecurity professionals, from a wide range of healthcare sector organizations, collaborated on the new guidance. HSCC said that while the toolkit is intended and designed for small to mid-sized healthcare institutions, it also “makes a call to action for large healthcare organizations, associations, and consultancies to raise awareness and encourage adoption across the sector.”