Budget and capability constraints are contributing to persistent supply chain risk management challenges across the health care sector, according to a new survey conducted by Ponemon Institute on behalf of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group.
More than 400 IT and IT security practitioners took part in the survey, all of whom are actively involved in their organization’s supply chain risk management program. The results revealed ongoing critical challenges across the sector as organizations struggle to maintain basic supply chain risk management practices.
Only 19% of survey respondents reported having a complete inventory of their organization’s suppliers. Smaller organizations were three times more likely to have no inventory whatsoever.
In addition, 20% of respondents said that they only conduct security evaluations of business-critical suppliers when a security incident occurs, while 24% said that they conduct these assessments on an ad-hoc basis.
The survey also highlighted a lack of standardized language in security contracts, a lack of integration between procurement and contracting departments and the supply chain risk management program, and a lack of cooperation from suppliers.
When asked to identify their organization’s barriers to having a successful supply chain risk management program, 59% of respondents cited a lack of in-house expertise. Respondents also pointed to a lack of support from senior leadership and the need for a formal budget dedicated to supply chain risk management.
“This survey shows that health care organizations of all sizes still face an uphill battle to effectively manage cyber risk across the supply chain function, with smaller organizations still facing critical gaps in the resources and budget available to them,” Greg Garcia, HSCC executive director, explained in an accompanying press release.
In fact, 57% of smaller organizations reported having annual supply chain risk management budgets of $500,00 or less, while 51% of larger organizations reported having budgets between $1 million and $5 million.
Budget is not the only challenge that is exacerbated among smaller health care organizations. More than a third of surveyed organizations said that they did not evaluate risks through the lens of how new suppliers will impact patient care outcomes, and smaller organizations were more than twice as likely to report this gap compared to larger organizations.
The survey highlighted several areas of improvement for supply chain risk management teams to focus on in the immediate future. Integrating procurement and contracting teams, maintaining a reliable inventory, and considering potential patient care outcomes when evaluating vendors can help organizations better manage supply chain risk and further prioritize patient safety.