HSCC publishes guidance on supply chain cybersecurity risk management

Sept. 23, 2020

The Healthcare and Public Health Sector Coordinating Council (HSCC) announced the publication of the second release of its toolkit for small- to mid-sized healthcare institutions to implement and sustain a supply chain cybersecurity risk management program.  

Since its original release in October 2019, the “Health Industry Cybersecurity Supplier Risk Management (HIC-SCRiM)” guide has become one of the HSCC’s flagship products, accessed by more than 10,000 individuals. It provides actionable guidance and practical tools to help organizations of limited scale or resources manage the cybersecurity risks they face through their dependencies within the health system supply chain.

“By enabling these organizations to ensure secure products and services from their suppliers, we will leverage market forces to raise the bar across the healthcare supply chain to the benefit of all,” said Greg Garcia, HSCC Executive Director of its Cyber Security Working Group. 

The toolkit structure follows the Supply Chain requirements within the NIST Cyber Security Framework (CSF). The first release of HIC-SCRiM provided concrete guidance on three of the five NIST CSF Supply Chain requirements covering process as well as practical tools such as contractual language and risk assessment templates. This second release completes the five NIST CSF requirements by covering adherence to contractual terms and testing response and recovery in case of supplier cybersecurity incidents.  

“Whether in the administrative offices or in the operating room, the technology and services we introduce into the circulatory system of clinical care must be deployed with patient safety at top of mind,” said Ed Gaudet, CEO of Censinet, who led the work on the new release. “To achieve that patient safety assurance, an enterprise supply chain risk management system must be structured, repeatable, and measurable. This publication provides the tools for that structure.” 

While primarily written for small- and medium-sized organizations, the guide also makes a call to action for large healthcare organizations, associations and consultancies to raise awareness and encourage adoption across the sector.

Co-chaired by Chris van Schijndel of Johnson & Johnson and Vish Gadgil of Merck, the Supply Chain Security task group that developed the toolkit is made up of more than twenty supply chain and cybersecurity professionals from a broad spectrum of health sector organizations.  

Access and download a copy of the HIC-SCRiM at https://HealthSectorCouncil.org/HIC-SCRiM-v2

HSCC has the release