Monthly Archives: March 2023

The state of supply chain risk in healthcare

Ponemon Institute in collaboration with the Healthcare Sector Coordinating Council conducted a study on the cybersecurity challenges facing the healthcare sector. More than 400 IT and IT security practitioners were surveyed who are involved in their organizations’ supply chain risk management program (SCRM) and familiar with their cybersecurity plans or programs.

 A key takeaway is that risks to patients caused by new suppliers are not being evaluated by many healthcare organizations. Only half (50 percent) of respondents say their organizations evaluate the risks impacting patient care outcomes created by new suppliers’ products. Sixty percent of respondents say new suppliers are evaluated to understand if there would be adverse patient outcomes created by these organizations. According to the research, pre-existing and legacy suppliers are more likely to be included in the organizational SCRM.

(The Healthcare and Public Sector Coordinating Council (HSCC) is a coalition of private-sector, critical healthcare infrastructure entities organized under Presidential Policy Directive 21 and the National Infrastructure Protection Plan to partner with government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.)

The following findings reveal why the supply chain is vulnerable to a cyberattack.

Most organizations are in the dark about potential risks created by suppliers. Only 19 percent of respondents say their organizations have a complete inventory of their suppliers of physical goods, business-critical services and/or third-party information technology.

Business-critical suppliers are not regularly evaluated for their security practices. Forty-four percent of respondents say security evaluations are conducted of those suppliers who are business-critical on an ad-hoc basis (24 percent) or only when a security incident occurs (20 percent).

Most organizations are not assessing suppliers’ software and technology. Only 43 percent of respondents say their SCRM program assesses the integrity/provenance of suppliers’ software and technology. Forty-three percent of respondents say their organizations will accept certifications such as PCI-DSS, ISO-27001 in lieu of the usual assessment/attestation process for suppliers.

Pre-existing suppliers and not new suppliers are more likely to be included in the scope of an organization’s SCRM. Fifty-four percent of respondents say pre-existing suppliers that have been on-boarded before the establishment of the program are primarily included in the SCRM process. Only 46 percent of respondents say new suppliers are included.

Rarely are suppliers categorized based on their connectivity or network access to the healthcare organization. Only about half (53 percent of respondents) say their organizations categorize suppliers as part of the SCRM program. Of these, 43 percent of respondents say categorization is based on the nature of the products or services and 40 percent of respondents say it is based on the data shared with these suppliers. Only 10 percent of respondents say it is based on connectivity or network access.

There is a lack of integration between procurement and/or contracting departments and the SCRM process that could affect the ability of contracts to ensure the security of the supply chain. Only 41 percent of respondents say the procurement and/or contracting departments are integrated with their organization’s SCRM process. Only 25 percent of respondents say their organizations always add supplier remediations into their contracts if needed.

The lack of standardized language in security contracts and supply chain issues is a deterrent to an effective SCRM program. In addition to the lack of standardized security contractual language in contracts (59 percent of respondents), healthcare SCRM programs are affected by problems with the supply chain. These problems include challenges identifying critical suppliers as the supplier relationship evolves over time (49 percent of respondents), lack of risk tiering of suppliers (49 percent of respondents) and lack of supplier incident or vulnerability notification (45 percent of respondents)

Healthcare organizations face the challenge of having the in-house expertise and senior leadership support needed to have a successful SCRM program. Respondents were asked to select the reasons for not having an effective SCRM program. Fifty-nine percent of respondents say it is the lack of in-house expertise and 55 percent of respondents say it is a lack of senior leadership support.

A lack of cooperation from suppliers and employees is the primary people-related impediment to a successful SCRM program. Fifty-four percent of respondents say the lack of cooperation from suppliers and 43 percent of respondents say it is the lack of inter-departmental cooperation that stands in the way of having an effective program.

Controlling the sprawl of software usage is the number one technology-related impediment to achieving an effective SCRM program. A barrier to an effective SCRM program is managing the sprawl of software usage (i.e., applications, components and cloud services), according to 55 percent of respondents. This is followed by the prompt delivery of software patches from third parties for required upgrades (45 percent of respondents) and the lack of visibility into the cloud environment used by third parties (44 percent of respondents).

To address the supply chain risks discussed above, healthcare organizations are making the following activities a priority.

Improvement of supply chain management is a priority. Sixty-seven percent of respondents say their organizations’ top priority is implementing tools for supplier inventory management. This is followed by 63 percent of respondents who say their organizations will be implementing tools for assessment automation and 45 percent of respondents say their organizations will hire consultants for program and process definition.

Business goals for SCRM are the cost, product quality and the supply chain. Respondents were asked to identify the business goals driving the SCRM program. Fifty-nine percent of respondents say their organizations are prioritizing the impact to cost, performance, timing and availability of goods followed by 56 percent of respondents who say it is to minimize the impact of product quality. Almost half (48 percent of respondents) say it is to understand and improve cyber-resiliency of their supply chain.

Organizations are focused on tracking direct suppliers and products/services electronically (43 percent of respondents). Other top priorities are to have redundancy across critical suppliers and increase reassessments of suppliers, 36 percent and 32 percent of respondents respectively.

To read the rest of this study, please visit this link at HealthSectorCouncil.org 

Is Alexa getting between you and your partner?

Bob Sullivan

Filling your home with smart gadgets comes with plenty of risks —  your TV might watch you, an angry partner or roommate might spy on you, or they might rob you of mental acuity, for example. These are big, scary threats that you probably think about, then forget about, every time you bring a new WiFi-enabled crock pot into your home.

But tech has smaller, more “everyday” impacts on us, too. If you are constantly asking Alexa for the temperature, does that mean you are losing a chance to chat with a family member? What if one partner loves to geek out, but the other doesn’t want to talk to the lights and the garage door — does that set up a subtle power imbalance that could contribute to domestic strife at some point?  Maybe Amazon Dots make it easy to tell the children it’s dinner time — easier than yelling up the stairs — but is going the Star Trek “comm” route really healthy for families?

Duke University professor Pardis Emami-Naemi has been thinking about these things for a while, and I was glad (and a bit amused) to read this paper she co-authored recently.  It’s cleverly titled You, Me, and IoT.    I interviewed her for an upcoming “Debugger in 10” podcast (more on that soon) but couldn’t help chatting with her about these small, often overlooked, unintended consequences of technology. (Disclosure: I work at Duke, too)

I know I have a bad habit of looking for broken things; don’t worry, Emami-Naemi takes a highly academic approach in the paper and her team found plenty of relational benefits to smart homes.  Here’s a fascinating list of the good gadgets can do, with some comments cribbed from study participants:

Bonding over tech
“Smart devices make it easier to share music with my siblings, like smart speakers for example. Instead of having to pass someone’s phone or rely on one person connected, we can just tell it to play a song and boom.”
Inter-generational kindness
“We’ve got an Apple TV and my father almost cried because he said he was really curious about [the device] and streaming television, but he felt too out of the loop and overwhelmed to try another giant leap in technology. And he was overjoyed…to have my boyfriend help out with setting it up.”
Enabling communication
*My mother was sick…and before she passed away, it was tougher and tougher for her to use the phone…So what I did was I got an Alexa and I installed it in the house, and then I could just call her and rather than her having to figure out how to answer the phone, she could just hear my voice in the ether.”
Encouraging playfulness
“The main joy that I get from Alexa is overhearing my boyfriend ask her ridiculous things just to see like if she’ll respond, how she’ll respond.”
Easing Household task tension

*With the smart thermostat, we don’t argue about the temp of the house because it’s automatically set…With the doorbells, we don’t have to argue or wonder if it was locked. We can just look on the app…
*We don’t have to nag each other to get up and do something. We can ask the device to do it for us.”
*My partner and I use Amazon Echo to set reminders for each other, which helps with making sure we are both on the same page with groceries and chores.
Enabling independence
“My wife can now just ask the Google Home for the weather instead of assuming I know what the weather is.”

That last one there caught my attention. I once had a therapist explain to me that small, seemingly annoying requests like, “Can you bring me the newspaper?” can actually be a love language. Hear that question as, “Do you care about me enough to get me the paper?” or even just, “I want to connect in a small way right now” and you hear something very different. So: Do we really want Google Home to sweep away all these small chances to reach out?

Which brings me to the other side of the smart gadget relationship impact discussion: Tech-amplified tensions, which the authors tend to call “multi-user tensions.”  Afte all, we are used to using gadgets as solitary experiences.  Many smart gadgets are social, so that leads to group dynamics, which can lead to tensions. They fit three categories, the authors say: device selection and installation, regular device usage, and when things go wrong. Some examples:

When tech fails us
*”My husband is not as tech savvy as me and gets irritated with me when I can get a device to do something he can’t.”
*”My parents sometimes want things fixed that are beyond my control. We sometimes disagree about what products to purchase and how they would perform on our network.”

Who’s in charge?
*Our young children “fight” over talking to Alexa. They use Alexa to play songs and will cancel the other one’s music, or ask her to repeat them and use her to insult one another.”

Not everyone is an early adopter
“My husband added smart bulbs and taped over all the light switches and switched us over to using Alexa to turn on and off the lights. I don’t like it because there are times when my young children fall asleep and I want to turn off the lights silently instead of using my voice. My children don’t like it because their pronunciation is not clear and Alexa cannot understand them sometimes when they want the lights on or off. We have argued about it a couple of times but it has been made clear that his excitement for a smart home outweighs the desires of me and our two kids, so now I just deal with it and try to help my kids as much as possible.

Weaponizing gadgets
*Any time that we try to have a conversation about not using our phones or anything like that, the biggest thing is that mostly my fiance, he turns on Alexa and asks her to play a song and at a really high volume so he can’t hear me talk anymore.

Obviously, I think a therapist would have a lot to say about those last two comments. Blaming those issues on tech is probably – misplaced.  And to be fair, I’ve omitted some of the more high-stakes and beautiful ways that smart tech helps families.  Like this:

“My youngest son is actually autistic, but he’s very inquisitive in nature and asks me the most intelligent but random questions that we can never really answer. So it’s always like “Go ask Alexa”…It’s almost like having a teacher or an encyclopedia like right on hand at all times, and for his way of living that’s just really helpful for him.”

Still, while we are rightly focused on the high-stakes ways that tech can endanger us – by enabling stalkers and violence — we should not overlook the small ways gadgets change our lives. I think it’s incredibly important to notice and discuss, and I hope to read more for Pardis & Co. on this.

Do any of you care to share the small ways tech has hurt — or helped — your sense of domestic tranquillity?