Even providers with robust cybersecurity programs are struggling to secure their supply chain systems

Supply chain management is lagging well behind other areas of cybersecurity across the healthcare sector.

According to a recent industry report, less than a quarter of hospitals, accountable care organizations (ACOs) and other healthcare providers demonstrated acceptable conformance with established framework standards.

These grades were consistently low even among organizations that otherwise were well aligned with other components of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), healthcare cybersecurity firm CynergisTek wrote in its 2021 annual assessment of the healthcare industry’s security and privacy preparedness.

Provider organizations’ primary shortcoming in this area was their ability to validate whether their third-party suppliers and other partners are in line with their contractual security obligations, the firm wrote.

“Given the events of 2019 and 2020 with the attacks on critical third parties and suppliers, from SolarWinds to the Colonial Pipeline, it is clear that response and recovery planning and testing scored low and is a critical area to focus on going forward,” the firm wrote in the report.

CynergisTek’s review assessed nearly 100 provider organizations spanning the continuum of care on their NIST CSF conformity. The group categorized those surpassing 80% conformance as high performers and took note of which organizations had increased or decreased their preparedness over the course of the pandemic year.

Overall, 64% of those included in a 70-organization sample fell below the 80% passing grade, according to the report.

About a quarter saw their conformance scores decline over the previous year, and much of the remaining 75% that improved only did so to a minor extent, the firm wrote.

The trend is particularly concerning during a year when cyberattacks, particularly those involving ransomware or targeting critical healthcare infrastructure, were on the rise, it wrote. In fact, according to a recent survey, 34% of healthcare organizations were hit with ransomware last year, and of those hit, cybercriminals succeeded in encrypting data in 65% of attacks.

“It is the responsibility now—of stakeholders, C-suite, IT managers and anyone involved in protecting our healthcare system—to ensure that patient care remains resilient even in an environment with growing cyberattacks,” Caleb Barlow, CEO and president of CynergisTek, said in a statement. “The report demonstrates there is work to be done, but there are also immediate opportunities to shore up risk management practices.”

Alongside supply chain risk management, the firm highlighted data security, information protection processes and procedures, and detection system analysis as other sore spots for both high- and low-performing providers.

Governance, on the other hand, was relatively well established across the sample, although CynergisTek noted that the organizations could still stand to better understand legal and regulatory requirements and implement risk management processes.

“It's clear that this is not the right time to cut back on cybersecurity, and that smart spending will be necessary to secure organizations against a rising tide of ransomware threats against critical infrastructure generally, and healthcare specifically,” David Finn, executive vice president at the cybersecurity firm, said in a statement.

Other recent reports have highlighted the increased incidence—and costs—of cyber-crime within the healthcare industry.

The last few months have also come with a few high-profile examples of the damage cyberattacks can bring. Scripps Health’s May 1 attack, for instance, took down its computer network and medical records system for weeks and opened the door to class-action lawsuits from the nearly 150,000 patients whose health and personal financial information were compromised.