A supply chain attack, also known as a value-chain or third-party attack, involves the infiltration of computer systems through outside parties, service providers, or applications with access to the systems and data. Over the years, the amount of sensitive data that third-party suppliers and service providers interact with has dramatically increased. The frequency of interaction with sensitive data has also dramatically shifted, and in most cases, these suppliers and service providers play an integral part in protecting this data.
Key Supply Chain Risks
Unfortunately, with suppliers and service providers playing a vital role in most organizations’ IT infrastructure and dealing with sensitive data on a daily basis, cybercriminals have come up with new ways to compromise the systems they handle, including:-
- Compromising individual third-party service providers and vendors: Anyone with physical or virtual access to sensitive data has become a target of cybercriminals. They are able to target them mostly using social engineering and phishing techniques. We’ve seen multiple IT service providers that have been the point of attack to gain access to hundreds of hospitals.
- Compromised Software: Another way supply chain attacks are launched by using compromised software. One of the most popular supply chain attacks of the past few years, the SolarWinds supply chain attack, turned compromised software (Orion) into a weapon that gave cybercriminals access to several government systems and thousands of private systems around the world. This means we need to be careful with the software that we install and connect into our Practice Management Systems. They have a direct link to our data that could become targeted.
- Counterfeit hardware or hardware embedded with malware: There is also a high likelihood that some of the hardware installed by third-parties are not genuine. This leaves the door open for your veterinary practice to get compromised. In some cases, the hardware may be genuine, but it is embedded with malware code that starts to spread on your network immediately after the hardware is integrated.
- Third-party data storage compromise: There is a high likelihood that, as a practice owner, some of your veterinary practice’s data is stored by third parties. Unfortunately, when these suppliers’ and service providers’ systems are compromised, you also fall victim to the cyberattack.
Supply Chain Best Practices
As we have established above, any company that produces software or hardware for other organizations is a potential target for cybercriminals. Therefore, practice owners must do due diligence when selecting their IT infrastructure service providers. Below are some tips on how to secure software or hardware that is not likely to get compromised.
- Ensure security requirements are precise and included in a request for proposal (RFP) and contract: This will help avoid removing vendors and suppliers that do not emphasize on the security of their systems.
- Enquire about the level of malware protection from the vendors: Your vendors and suppliers need to provide assurances that they are not susceptible to malware attacks. They also need to provide evidence that they can provide malware protection and detection for their IT services.
- Cooperation with the vendors: Once a vendor is accepted in the formal supply chain, they need to show a willingness to work with your veterinary practice to address your cybersecurity concerns. In case vulnerabilities and security gaps are found in some of their products, they should be able to work with your team to address these risks.
- Tightly controlled component purchases: As a practice owner, you will need to ensure that your vendors are purchasing quality components for your practice. They will need to prove that purchases are made from approved providers and that proper cybersecurity measures are in place to ensure that the products provided are not vulnerable to cyberattacks.
- Implement zero-trust architecture: reliance on your vendors will not always work. Therefore, it is also important to have a cybersecurity policy that emphasizes on verifying and authenticating every user attempting to gain access to your systems. With this method, you will be able to prevent cybercriminals from gaining unauthorized access to your system even when they have compromised your vendors and suppliers.
- Tight access control: Ensure that you have tight access control for your system. Very sensitive data should only be accessed by a small group of people in your veterinary practice to prevent the entire system from getting compromised in case of a supply-chain attack.
- Detect your vendors’ data leaks: In most cases, your vendors are unaware that some of their systems leak sensitive information. Therefore, it is important to have also test products provided by these third-party vendors. Unfortunately, most veterinary practices do not have the resources to audit the systems they purchase, which puts them at great risk.
Need help navigating the software solutions you use in your veterinary hospital?
Schedule a FREE consultation call today to see how Lucca can help you keep your hospital safe. SCHEDULE HERE.