Health Sector Publishes Guidance on Supply Chain Cybersecurity Risk Management
Post Summary
The HIC-SCRiM toolkit is a resource developed by the HSCC to help small to mid-sized healthcare organizations manage supply chain cybersecurity risks effectively, using a framework aligned with the NIST Cybersecurity Framework (CSF).
The second release completes the five NIST CSF supply chain requirements by addressing adherence to contractual terms and response and recovery testing for supplier cybersecurity incidents.
It is primarily targeted at small to mid-sized healthcare organizations but also encourages larger organizations, associations, and consultancies to promote its adoption across the healthcare sector.
Supply chain cybersecurity ensures that products and services introduced into healthcare systems are secure, protecting patient safety and critical operations.
The toolkit is available for download at HealthSectorCouncil.org/HIC-SCRiM-v2.
The Healthcare and Public Health Sector Coordinating Council (HSCC) today published the second release of its toolkit for small to mid-sized healthcare institutions to implement and sustain a supply chain cybersecurity risk management program...
Washington, DC – September 22, 2020 – The Healthcare and Public Health Sector Coordinating Council (HSCC) today published the second release of its toolkit for small to mid-sized healthcare institutions to implement and sustain a supply chain cybersecurity risk management program. Since its original release in October 2019, the “Health Industry Cybersecurity Supplier Risk Management (HIC-SCRiM)” guide has become one of the HSCC’s flag-ship products, accessed by more than 10,000 individuals. It provides actionable guidance and practical tools to help organizations of limited scale or resources to manage the cybersecurity risks they face through their dependencies within the health system supply chain.
“By enabling these organizations to ensure secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all,” said Greg Garcia, HSCC Executive Director of its Cyber Security Working Group.
The toolkit structure follows the Supply Chain requirements within the NIST Cyber Security Framework (CSF). The first release of HIC-SCRiM provided concrete guidance on three of the five NIST CSF Supply Chain requirements covering process as well as practical tools such as contractual language and risk assessment templates. This second release completes the five NIST CSF requirements by covering adherence to contractual terms and testing response and recovery in case of supplier cybersecurity incidents.
“Whether in the administrative offices or in the operating room, the technology and services we introduce into the circulatory system of clinical care must be deployed with patient safety at top of mind,” said Ed Gaudet, CEO of Censinet, who led the work on the new release. “To achieve that patient safety assurance, an enterprise supply chain risk management system must be structured, repeatable, and measurable. This publication provides the tools for that structure.”
While primarily written for small and medium sized organizations, the guide also makes a call to action for large healthcare organizations, associations and consultancies to raise awareness and encourage adoption across the sector.
Co-chaired by Chris van Schijndel of Johnson & Johnson and Vish Gadgil of Merck, the Supply Chain Security task group that developed the toolkit is made up of more than twenty supply chain and cybersecurity professionals from a broad spectrum of health sector organizations.
To access and download a copy of the HIC-SCRiM, go to https://HealthSectorCouncil.org/HIC-SCRiM-v2.
This is the 11th best practices guidance published by the HSCC since 2019. Other HSCC Joint
Cybersecurity Working Group resources published in 2019 and 2020 include:
- Health Industry Cybersecurity Return to Work Guidance – https://healthsectorcouncil.org/r2w/
- Health Industry Cybersecurity Tactical Crisis Response – https://healthsectorcouncil.org/hic-tcr/
- Health Industry Cybersecurity Protection of Innovation Capital – https://healthsectorcouncil.org/hic-pic/
- Information Sharing Best Practices: Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP)
- Management Checklist for Teleworking Surge During COVID-19 Response: https://healthsectorcouncil.org/covid-checklist/
- Health Industry Cybersecurity Supply Chain Risk Management Guide v.1 (HICSCRiM): https://healthsectorcouncil.org/hic-scrim/
- Health Industry Cybersecurity Matrix of Information Sharing Organizations (HICMISO): https://healthsectorcouncil.org/hic-miso/
- Health Industry Cybersecurity Workforce Development Guide: https://healthsectorcouncil.org/workforce-guide/
- Health Industry Cybersecurity Practices (HICP): https://healthsectorcouncil.org/09-20-2020-health-sector-publishes-guidance-on-supply-chain-cybersecurity-risk-management/
- Medical Device Joint Security Plan: https://healthsectorcouncil.org/the-joint-security-plan/
About the Healthcare and Public Health Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group (JCWG). The HSCC is an industry-driven public private partnership of health companies and providers developing collaborative solutions to mitigate threats to critical healthcare infrastructure. It is one of 16 critical infrastructure sectors organized to partner with the government under Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience. The HSCC Joint Cybersecurity Working Group (JCWG) includes 300 medical device and health IT companies, direct patient care entities, plans and payers, labs, blood and pharmaceutical companies, and several government partners. The JCWG industry chair is Terence (Terry) Rice, Vice President, IT Risk Management and Chief Information Security Officer for Merck & Co.
For more information:
Greg Garcia, HSCC Cybersecurity Working Group Executive Director:
Greg.Garcia@HealthSectorCouncil.org
or visit us online at https://healthsectorcouncil.org
Original post: https://healthsectorcouncil.org/09-20-2020-health-sector-publishes-guidance-on-supply-chain-cybersecurity-risk-management/
##
Key Points:
What is the HIC-SCRiM toolkit, and why is it important?
- The HIC-SCRiM toolkit is a resource developed by the Healthcare and Public Health Sector Coordinating Council (HSCC) to help healthcare organizations manage supply chain cybersecurity risks.
- It provides actionable guidance and practical tools for small to mid-sized healthcare institutions to implement and sustain a cybersecurity risk management program.
- The toolkit aligns with the NIST Cybersecurity Framework (CSF), ensuring organizations follow industry best practices.
What is new in the second release of the HIC-SCRiM toolkit?
- The second release completes the five NIST CSF supply chain requirements by addressing:
- Adherence to contractual terms with suppliers.
- Testing response and recovery processes for supplier cybersecurity incidents.
- It builds on the first release, which provided guidance on processes, contractual language, and risk assessment templates.
Who is the HIC-SCRiM toolkit designed for?
- Primarily targeted at small to mid-sized healthcare organizations with limited resources.
- Also encourages large healthcare organizations, associations, and consultancies to raise awareness and promote adoption across the sector.
Why is supply chain cybersecurity critical in healthcare?
- Healthcare organizations rely on third-party suppliers for technology and services, which introduces cybersecurity risks into the system.
- Ensuring secure products and services from suppliers protects patient safety and critical healthcare operations.
- A structured, repeatable, and measurable supply chain risk management system is essential to mitigate these risks.
How does the HIC-SCRiM toolkit align with the NIST Cybersecurity Framework?
- The toolkit follows the Supply Chain requirements within the NIST CSF.
- It provides practical tools and guidance to help organizations meet these requirements, including:
- Risk assessment templates.
- Contractual language for supplier agreements.
- Response and recovery testing for cybersecurity incidents.
Who contributed to the development of the HIC-SCRiM toolkit?
- The toolkit was developed by the Supply Chain Security task group, co-chaired by Chris van Schijndel of Johnson & Johnson and Vish Gadgil of Merck.
- The task group includes over 20 supply chain and cybersecurity professionals from a broad spectrum of health sector organizations.
How can healthcare organizations access the HIC-SCRiM toolkit?
- The toolkit is available for download at HealthSectorCouncil.org/HIC-SCRiM-v2. LINK
What is the ultimate goal of the HIC-SCRiM toolkit?
- To raise the bar for supply chain cybersecurity across the healthcare sector.
- Equip healthcare organizations with the tools and guidance needed to manage supplier risks effectively.
- Ensure that technology and services introduced into healthcare systems are secure, protecting patient safety and operational integrity.
