Five Steps to Protect Health Care Records Against Supply Chain Attacks

July 17, 2023

With the increasing reliance on health care technology, cybersecurity is a growing concern. Health care providers deal with a range of cybersecurity challenges, including the protection of electronic information and assets from unauthorized access, use and disclosure.


These challenges have become significantly harder in recent years, thanks to the rapid adoption of Application Programming Interfaces (APIs), which are significantly increasing interoperability efforts for electronic health data exchange and patient data access. APIs are essential to a host of applications helping providers deliver better patient care. However, cybercriminals are increasingly targeting APIs as a route to access sensitive data.


Here are five steps health care providers should take to protect health care records against supply chain threats, malicious bots and attacks on applications, APIs and data.



1. Understand the Risks: Malware, Phishing and Bad Bots

The first step in any successful cybersecurity defense strategy is understanding the threats. Health care providers are targeted daily by everything from malware and phishing attacks to bad bots going after applications, APIs, and data. For instance, according to the 2023 Imperva Bad Bot report, bad bots make up 32% of all web traffic in the health care sector and 20% of all login attempts. Having a comprehensive understanding of these risks is the first step in developing a robust cybersecurity strategy.



2. Assess Supply Chain Vulnerabilities

One of the top vulnerabilities in health care is within the supply chain, which includes multiple layers of how workloads, transactions and services are processed — all while sharing data. Health care providers must assess their supply chain and identify potential weak points that could be exploited by attackers. This includes evaluating and strengthening the security measures implemented by manufacturers, third-party vendors, medical devices, electronic medical record systems and data sharing through APIs. It's crucial to identify potential gaps in security and address them to prevent cyber threats before they occur.



3. Address Talent Shortage and Invest in Training

The World Health Organization predicts the global health care workforce will be short approximately 10 million people by 2030. The growing talent shortage impacts health care information systems, operations centers and cybersecurity experts — making it difficult to keep up with other industries offering higher salaries. To overcome this challenge, health care providers should invest in training programs to develop the skills of their existing workforce. In addition, it is essential for organizations to lean on automated solutions that can be easily understood and managed by standard engineers, allowing them to focus on addressing security threats more effectively.



4. Monitor and Secure APIs and Data Sharing

APIs and Fast Healthcare Interoperability Resources (FHIR) are critical components in modern health care systems. To protect against supply chain attacks, health care providers should ensure that the APIs and FHIR integrations used within their systems are secure. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting data, requiring health care providers and their business associates to adhere to specific guidelines.


Accordingly, providers should implement strong authentication and access controls, regularly audit API activity and address any discovered vulnerabilities. In addition, it is crucial to identify and secure "shadow APIs" — those that may be present within the technology chain or part of a component but aren't officially documented or maintained. Additionally, they should monitor data sharing between different system components, applications, services and suppliers.
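One way to surface shadow APIs during an API activity audit is to compare the endpoints actually served in access logs against the documented route inventory. The following is an added example, not code from the article or from any vendor product; the route inventory, the log format and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Documented inventory (constructed; e.g. exported from an OpenAPI document).
DOCUMENTED = [
    ("GET", "/fhir/metadata"),
    ("GET", "/fhir/Patient/{id}"),
    ("GET", "/fhir/Observation"),
]

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - portal [17/Jul/2023:10:00:01 +0000] "GET /fhir/Patient/12345 HTTP/1.1" 200 812
10.0.0.5 - portal [17/Jul/2023:10:00:02 +0000] "GET /fhir/Observation?patient=12345 HTTP/1.1" 200 4096
10.0.0.9 - vendor [17/Jul/2023:10:00:03 +0000] "GET /fhir/Patient/$export HTTP/1.1" 202 0
10.0.0.9 - vendor [17/Jul/2023:10:00:04 +0000] "GET /internal/v1/patients/987/dump HTTP/1.1" 200 150233
10.0.0.9 - vendor [17/Jul/2023:10:00:05 +0000] "GET /internal/v1/patients/988/dump HTTP/1.1" 200 149870
10.0.0.7 - - [17/Jul/2023:10:00:06 +0000] "GET /admin/debug HTTP/1.1" 404 0
10.0.0.5 - portal [17/Jul/2023:10:00:07 +0000] "DELETE /fhir/Patient/12345 HTTP/1.1" 204 0
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
FHIR_ID = r"[A-Za-z0-9\-.]{1,64}"  # FHIR "id" datatype; excludes operations like $export
ID_SEGMENT = re.compile(r"\d+|[0-9a-fA-F-]{36}")  # numeric or UUID-shaped segment

def compile_inventory(routes):
    """Turn (method, template) pairs into (method, compiled regex) matchers."""
    compiled = []
    for method, template in routes:
        parts = [FHIR_ID if s.startswith("{") else re.escape(s) for s in template.split("/")]
        compiled.append((method, re.compile("/".join(parts))))
    return compiled

def normalize(path):
    """Collapse ID-like segments so requests for different records group together."""
    return "/".join("{id}" if ID_SEGMENT.fullmatch(s) else s for s in path.split("/"))

def find_shadow_endpoints(log_text, routes):
    """Count served requests (status other than 404) that match no documented route."""
    inventory = compile_inventory(routes)
    shadow = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m or m["status"] == "404":
            continue
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if not any(meth == m["method"] and rx.fullmatch(path) for meth, rx in inventory):
            shadow[(m["method"], normalize(path))] += 1
    return shadow
```

Each entry the counter returns is either a gap in the inventory to document or an endpoint to investigate and retire; an undocumented method on a documented path, such as the DELETE in the sample, is reported the same way.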



5. Safeguard Against Insider Threats

With 96% of organizations operating in a hybrid cloud environment, this complex mix of data centers and private and public clouds can create an environment for increased insider threat activity. One example: security risks originating from within the organization, where insiders maliciously and intentionally abuse legitimate credentials, typically to steal information for financial or personal incentives.


Other scenarios are the result of employees and contractors with access to sensitive data accidentally or intentionally causing data breaches. Security and IT teams need to have full visibility into how the data is being accessed, used and moved around the organization. This can be done by monitoring data access and activities of privileged users to identify excessive, inappropriate and unused privileges.



Implement Automated Security Solutions

To protect patient data and health care records, providers must invest in automated security solutions that can identify, monitor and block attacks. These solutions should be able to detect and prevent potential data breaches, as well as support incident response and remediation efforts.


Automated security solutions can help reduce the labor-intensive tasks and vigilance required to identify vulnerabilities, including unidentified applications, unregistered devices, network misconfigurations, unpatched systems and unprotected data repositories. By leveraging automation, health care providers can ensure that their engineers understand and manage complex security tasks, reducing the need for highly specialized personnel.


In conclusion, protecting health care records from supply chain attacks requires a multi-layered approach. By understanding where there are business risks along the path to data, organizations can significantly reduce the likelihood of cyberattacks, safeguard their patients' sensitive data and maintain regulatory compliance.


To stay competitive, many of their executive leaders are getting off the sidelines and taking a more proactive approach to developing their workforces, leaning in on automation and partnering with solution providers to design and manage their security pathways.

Senior Vice President Of Data Security | IMPERVA
Terry Ray is senior vice president of data security and Imperva Fellow. He was Imperva’s first U.S.-based employee and previously served as Imperva’s chief technical officer, chief product strategist and vice president of security engineering. Ray has worked closely with customers on hundreds of application and data security projects to meet the security requirements and demands of regulators in every industry.
