CYBERSECURITY
Cybersecurity and the Healthcare Supply Chain

The Journal of Healthcare Contracting (JHC) asked Mark Campbell, vice president, supply chain for Tampa General Hospital, to weigh in on cyber threats, security and where the healthcare supply chain fits into the overall cybersecurity discussion.

JHC: Why is healthcare a big target for cyberattacks?

Campbell: There are so many suppliers in healthcare, each with their own IT architecture, it leads to many opportunities for an attack. Further, there is a lack of controls among the many suppliers and a lack of urgency to identify and correct weaknesses.

JHC: What are the most prevalent ways that a healthcare system’s data gets compromised?

Campbell: By far, email phishing is the most prevalent way malware enters the system. We receive so many emails every day, the opportunity to click on something that appears legit is constant.

JHC: What are some ways that organizations can better protect their data?

Campbell: Healthcare providers and suppliers must be proactive in assessing and testing their systems. We must continually remind team members of the ways we can be tricked and how to report suspicious email or messages they receive.

JHC: Where does staff education fit in?

Campbell: Team members are the first line of contact for scams and therefore the first line of defense. We send frequent reminders to everyone and will warn of a specific attack when we discover it has special appeal.

JHC: Where does the healthcare supply chain fit into the cybersecurity discussion? How can supply chain executives help?

Campbell: Supply chain works with IT to include the security assessment in the contracting process. We also look for any software-related items in a supply item or equipment in the value analysis teams to educate team members on potential risks and identify what IT should review as part of the evaluation process. We notify suppliers early in the evaluation process that IT security is important, and you must be prepared to pass the security assessment and make changes, or your product will not proceed.

JHC: How have you improved cybersecurity within your own organization?

Campbell: We have dedicated team members in IT that conduct audits and tag information that could be at risk. We have implemented a formal security assessment as part of the contracting process and require suppliers to make changes when necessary before signing a contract for new equipment. We also send our own phishing tests to see how team members react. We then follow up with education, so the same mistake is not repeated. Even senior leaders fall for our phishing tests and they receive the same education. Everyone must be vigilant.
April 2020 | The Journal of Healthcare Contracting