Procurement can solve cybersecurity woes

Updated: Feb 9

Health system procurement teams, rather than solely IT, hold the keys to solving healthcare cybersecurity.

I recently met a tenacious leader. She walked into a room and said hello to her team and guests; she radiated no-nonsense, hard-line efficacy. It was clear this woman would take no prisoners, but also probably wouldn't step on other people's turf. She went on a mini-rant about medical device availability and costs, signaling that she'd talk to anyone to get what her clinicians needed to continue delivering patient care. (And getting "talked to" by this woman would be enough to move mountains.) She is the chief of procurement at a relatively large health system. I instantly realized she could solve healthcare cybersecurity, personally, if she so desired.

Let me explain this audacious claim. First, I'll repeat a favorite quote, often heard in healthcare cybersecurity: "Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has." (Margaret Mead, and I Am the Cavalry)

Procurement can be that small group. They have a powerful function but do not have skin in the cybersecurity game, which frees them from the over-thinking that kills action. Here are critical traits of Procurement:

  • Procurement performs diligence on suppliers.

  • Procurement is responsible for contract review.

  • Procurement is responsible for monitoring third-party supplier risks.

  • Procurement does not perform clinical operations.

  • Procurement does not manage the IT once it is in-house.

  • Procurement does not (typically) have cybersecurity expertise.

Before Software Bills of Materials (SBOMs) existed, there was no cost-reasonable way for procurement to check the security posture of a product. Now, at least for medical devices regulated by the FDA, SBOMs must exist. With the SBOM mandate, procurement teams can request an SBOM and wield it to their advantage. If you read medtech cybersecurity news or LinkedIn posts, you'll find skepticism about SBOM efficacy. I'll set that aside for a moment because it's not Procurement's problem. And that's the key. Procurement doesn't need to care whether an SBOM is accurate; it just needs to doggedly hold suppliers accountable for the SBOMs the suppliers provide.

Here's a simple three-step formula for Procurement to solve cybersecurity problems:

  1. Identify contract elements that can be easily verified and audited by procurement (i.e., do not require an IT or cyber professional).

  2. Systematically audit the key contract elements, including the SBOM and associated vulnerabilities.

  3. Hold suppliers accountable to their contract terms. (This is a great opportunity for effective automation.)

This formula was useless before SBOMs, routine patching, and supplier diligence automation. But now it's doable. Taking HSCC's Model Contract Language for medical devices and hospital systems, I can identify at least five contract elements (starting on page 17) that can effectively be monitored by procurement, which consequently can be used to exert pressure on suppliers to increase their security quality.

If you doubt this post's thesis, let's chat. I'd love to prove this theoretical solution with real data.

~Shannon, the Optimistic Optimizer

* Checking for risks in SBOMs is non-trivial. The current industry standard is to check for known vulnerabilities, which are one manifestation of software risk. Many software platforms check SBOMs for vulnerabilities. Which one is used is not necessarily critical for this post.
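Steps 2 and 3 of the formula above, together with this footnote's point about checking SBOMs for known vulnerabilities, can be shown in code. The following is an added example, not part of the original post or of any platform it mentions: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list (the identifiers are placeholders, not real CVEs), flags components whose version is missing (and therefore cannot be verified at all), and marks advisories older than an assumed per-severity remediation window, which stands in for a contract term. The component names, versions, dates and SLA values are all assumptions chosen for illustration.

```python
"""Audit a supplier-provided SBOM against a known-vulnerability list.

Constructed example: the SBOM below follows the CycloneDX JSON layout
(bomFormat / components / name / version) but its components, versions,
dates and advisory identifiers are all made up. In practice the advisory
feed would come from a vulnerability database or scanning platform; here
it is a small inline dictionary so the script runs offline.
"""
import json
from datetime import date

# Constructed SBOM in CycloneDX-style JSON. Names and versions are fictional.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-tls-lib", "version": "2.1.0"},
    {"type": "library", "name": "example-json-parser", "version": "0.9.3"},
    {"type": "library", "name": "example-logging", "version": "4.0.1"},
    {"type": "library", "name": "example-unversioned-dep"}
  ]
}
"""

# Constructed advisory feed: (component, version) -> advisories.
# Identifiers are placeholders, not real CVE numbers.
KNOWN_VULNS = {
    ("example-tls-lib", "2.1.0"): [
        {"id": "VULN-EXAMPLE-0001", "severity": "critical", "published": "2023-11-01"},
    ],
    ("example-json-parser", "0.9.3"): [
        {"id": "VULN-EXAMPLE-0002", "severity": "medium", "published": "2024-01-20"},
    ],
}

# Assumed contract term: days the supplier has to remediate, by severity.
REMEDIATION_SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


def load_components(sbom_json):
    """Return (components, completeness_findings) from a CycloneDX-style SBOM."""
    sbom = json.loads(sbom_json)
    components = sbom.get("components", [])
    findings = []
    for comp in components:
        # A component without a version cannot be matched to advisories, so
        # procurement cannot verify it; record it as a completeness gap.
        if "version" not in comp:
            findings.append({"component": comp.get("name", "<unnamed>"),
                             "issue": "missing version"})
    return components, findings


def audit_sbom(sbom_json, known_vulns, as_of, sla_days=REMEDIATION_SLA_DAYS):
    """Match SBOM components to advisories and flag remediation-window breaches.

    Returns a dict with vulnerability findings (each marked overdue or not
    against the assumed SLA) and completeness findings.
    """
    components, completeness = load_components(sbom_json)
    vuln_findings = []
    for comp in components:
        key = (comp.get("name"), comp.get("version"))
        for adv in known_vulns.get(key, []):
            age_days = (as_of - date.fromisoformat(adv["published"])).days
            allowed = sla_days.get(adv["severity"], sla_days["low"])
            vuln_findings.append({
                "component": key[0],
                "version": key[1],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "age_days": age_days,
                "overdue": age_days > allowed,
            })
    return {"vulnerabilities": vuln_findings, "completeness": completeness}


def overdue_advisories(report):
    """Advisory ids a procurement team would raise with the supplier."""
    return sorted(f["advisory"] for f in report["vulnerabilities"] if f["overdue"])


def example_report():
    """Run the audit on the constructed SBOM as of an assumed review date."""
    return audit_sbom(SBOM_JSON, KNOWN_VULNS, as_of=date(2024, 2, 9))


if __name__ == "__main__":
    report = example_report()
    for f in report["vulnerabilities"]:
        status = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"({f['severity']}) {f['age_days']}d {status}")
    for f in report["completeness"]:
        print(f"{f['component']}: {f['issue']}")
```

Nothing in the audit requires cybersecurity judgment: the inputs are the supplier's own SBOM, a vulnerability feed, and the contract's remediation windows, and the output is a list of items that are either overdue or unverifiable. That is exactly the kind of check a procurement team can run on a schedule and take back to the supplier.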
