Cybersecurity

Addressing cybersecurity risks in digital healthcare supply chains.

Healthcare sectors around the world grapple with growing cybersecurity challenges that put patient data and trust, supply-chain services, and even the organizations themselves at risk. A global study of healthcare IT professionals found that 66% of organizations had been hit by ransomware attacks, an increase of 34% from the previous year[1]. A separate survey of U.S. hospital leaders found that 56% said their organizations had experienced one or more cyberattacks involving IoMT or IoT devices in the past 24 months, with an average of 12.5 attacks per organization[2].

Cybersecurity breaches in healthcare are on the rise, and healthcare logistics and supply chains are a lucrative target. In the U.S. in 2023, nearly 120 million patient records were exposed through IT or hacking incidents, roughly 1 in 3 patients. Ransomware is one of the fastest-growing incident types, with nearly 50 public incidents and nearly $500M in ransoms paid in the first half of last year[3],[4]. The healthcare supply chain is a target because of legacy systems and software, connected devices, and vulnerabilities introduced by third-party vendors and partners[5].

Under Vision 2030’s digital transformation, the Kingdom of Saudi Arabia has become a more prominent target for cyberattacks, and the financial fallout can be significant. The average cost of a healthcare ransomware attack is now over $10 million[6]; in the Kingdom it is $8 million, a 15% increase over the last three years and a marked 155.9% increase over the last decade[7].

Top cybersecurity risks for the healthcare and supply chain industries

Healthcare organizations in Saudi Arabia have not experienced the significant cybersecurity breaches seen in other parts of the world. In the U.S., healthcare is one of the most attacked industries because of highly valuable patient records, technical debt roughly 10 years behind other industries, and limited expertise and budgets to address vulnerabilities. The top attack types in the U.S. are phishing, ransomware, data breaches, and third-party breaches.

In the Middle East, phishing is the most common cause of data breaches, accounting for 16% of breaches in the region. Unknown vulnerabilities accounted for 15% of breaches, and stolen or compromised credentials for 13%[1]. Additionally, in 37% of attacks of any kind in the Middle East, attackers gained access to multiple environments without being detected.

Specifically in the Kingdom, cybersecurity attacks have cost the healthcare industry in terms of lost business, increased costs from detection and escalation, and the resources required to notify relevant stakeholders when breaches do occur[1]. The digitization of healthcare logistics under Vision 2030 has introduced multiple new cybersecurity risks. These fall into three broad categories for healthcare and supply chain organizations: vulnerabilities, connection interruptions and cloud dependency[2].

Vulnerabilities have been introduced with the rise of IoT devices, sensors, and other network-connected equipment, giving attackers more potential entry points for malware and ransomware-style attacks. These attacks can compromise patient data and sensitive supply chain information. IoT-enabled patient devices, such as monitors, insulin pumps and pacemakers, add further entry points because of their connectivity, limited built-in security, software obsolescence, difficulties with software updates, and a lack of training for the healthcare professionals who use them.

Connection interruptions happen when cybersecurity attacks interrupt networked machinery, fleets, or services. The data needed to manage a supply chain becomes difficult or impossible to access leading to delays and disruptions.

As the healthcare logistics industry has undergone its digital transformation, it has embraced cloud technology. Networked logistics for healthcare supply chains typically relies on cloud computing to store and process large amounts of data quickly and efficiently, so a breach or outage of that cloud infrastructure could cripple the supply chain’s functioning.

For healthcare supply chains, the major and most difficult risk to address is third-party vendors and suppliers within the supply chain. These partners can inadvertently introduce vulnerabilities and attackers can exploit these to gain unauthorized access[3].

How Saudi Arabia became a global leader in cybersecurity

As part of Vision 2030, Saudi Arabia’s cybersecurity sector has prioritized both security and industry growth domestically and internationally to support the rapid and tremendous digital transformation of the country. Through these successful efforts Saudi Arabia is now the leader in global cybersecurity, according to the 2024 World Competitiveness Yearbook from the Swiss-based Institute for Management Development[1].

Saudi Arabia’s rapid ascent in cybersecurity is due, in part, to the establishment of a central cybersecurity authority, the National Cybersecurity Authority (NCA), and its work to protect the Kingdom’s national security, critical infrastructure, priority sectors, and government services[2]. The NCA is backed by the technical expertise of the Saudi Information Technology Company (SITE) and covers regulatory and operational functions that support the protection of the Kingdom’s networks, hardware and software, information technology systems, and operating systems. As part of its work, the NCA developed the Essential Cybersecurity Controls (ECC), which comprises 114 main controls divided into five domains: Cybersecurity Governance; Cybersecurity Defense; Cybersecurity Resilience; Third-Party and Cloud Computing Cybersecurity; and Industrial Control Systems Cybersecurity.

In addition to internal leadership on cybersecurity, the NCA is leading globally. It established the Global Cybersecurity Forum (GCF), which facilitates international dialogue on crucial cybersecurity issues with other countries. This includes regular and ongoing participation in cybersecurity exercises with over 40 countries.

Enhancing cybersecurity for healthcare supply chains in The Kingdom

Under Vision 2030, the Kingdom has created multiple cybersecurity frameworks to protect healthcare supply chains. These are built around both national and sector-specific regulations, focusing on protecting sensitive health data and ensuring the security of healthcare operations.

The NCA developed a comprehensive framework for cybersecurity across sectors, including healthcare. This framework consists of guidelines and regulations to secure supply chains, addressing issues like third-party risks, access controls, and monitoring[1]. For third-party risk management, it outlines requirements for suppliers and partners and ensures compliance with cybersecurity policies. The framework provides control measures to restrict access to sensitive health information based on roles and responsibilities within the supply chain. It also created an incident response and reporting process to identify and mitigate breaches in healthcare systems. The Health Information Exchange Policy outlines the exchange of healthcare data between entities, ensuring that healthcare providers and suppliers adhere to stringent security measures when managing patient data[1]. Bringing together the Ministry of Health, other government services and the private sector, the Health Information Exchange focuses on securing electronic medical records, safeguarding communication between health institutions, and regulating third-party data sharing.

The Saudi Food and Drug Authority (SFDA) enforces cybersecurity requirements for medical devices and healthcare supply chains[1]. It mandates that manufacturers and suppliers of medical devices implement robust security measures, including patch management and vulnerability monitoring, to prevent cyber-attacks on devices connected to healthcare networks.

The Personal Data Protection Law, introduced in 2021, ensures the security of personal health data across healthcare supply chains[2]. It requires healthcare providers and their suppliers to implement measures that protect patient information so that data privacy is maintained throughout the supply chain. This includes requirements for encryption of all personal health data exchanged between healthcare providers and suppliers, as well as strict guidelines for obtaining consent before sharing personal health data with third parties. The Kingdom’s proactive leadership on these cybersecurity frameworks and other initiatives, both domestically and internationally, is helping to secure the healthcare industry, including its supply chains. By enforcing strict controls over data management, medical device security, and third-party compliance, the Kingdom is protecting patient data and healthcare organizations while demonstrating to the world a new standard of cybersecurity excellence.

References

1– https://www.keepersecurity.com/blog/2023/04/21/cyberattacks-soar-across-the-european-healthcare-sector/

2– https://www.cynerio.com/insecurity-of-connected-devices-in-healthcare-2022?utm_medium=email&_hsmi=221712720&_hsenc=p2ANqtz-82hIQI1p4HJneNtzijJQg-pkpuSQI7tSEozECq2m4KzIut4cva4IHMAekfPEjXFmz-7i6UDi0ETfpqo3kh-tG3m8Rk_g

3– https://www.beckershospitalreview.com/cybersecurity/health-system-ransomware-attacks-nearly-doubled-in-23.html

4– https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

5– https://blog.hettshow.co.uk/navigating-the-digital-battlefield-top-cybersecurity-risks-in-healthcare

6– https://www.keepersecurity.com/blog/2023/04/21/cyberattacks-soar-across-the-european-healthcare-sector/

7– https://mea.newsroom.ibm.com/IBM-Report-Total-Cost-of-a-Data-Breach-for-Businesses-in-the-Middle-East#:~:text=The%202023%20IBM%20report%20highlights,breach%20reached%20SAR%2032.46%20million.

8– ibid

9– ibid

10– https://safecore.io/en/industries/la-cyber-security-nel-settore-logistica-lo-scenario-i-rischi-e-le-sfide-future/

11– https://blog.hettshow.co.uk/navigating-the-digital-battlefield-top-cybersecurity-risks-in-healthcare

12– https://economysaudiarabia.com/news/saudi-arabia-ranks-1st-globally-in-cybersecurity-on-2024-world-competitiveness-yearbook/

13– https://sdaia.gov.sa/en/Sectors/Ncai/Pages/default.aspx

14– https://nca.gov.sa/ar/

15– https://www.vision2030.gov.sa/media/0wop2tds/hstp_eng.pdf

16– https://www.sfda.gov.sa

17– ibid

Headquarters

P.O. Box 911, Riyadh 11421, Kingdom of Saudi Arabia. Customer Service: 920020053, customerservice@salehiya.com