The healthcare sector in the Asia Pacific is experiencing growing cyber threats as the move towards patient-centred care and the increased use of clinical data broaden the potential for attacks.
However, the most significant challenge may be the ever-growing size and complexity of the industry’s supply chain ecosystems: the vendors, partners, suppliers, and other third parties that organisations rely on for business continuity.
Staggering frequency of healthcare attacks despite increase in cybersecurity spend
Healthcare and pharmaceutical companies work with myriad third-party organisations, with business functions spread across different geographies, territories, and jurisdictions. With more stakeholders, third-party providers, suppliers and affiliates comes an increasing reliance upon digital technologies, processes, and behaviours.
These factors are not only intensifying existing cyber threats facing healthcare organisations, but also introducing new attack vectors. The sector faces added vulnerability to threat actors who are seeking to exploit valuable, classified patient information and clinical data.
In Singapore, healthcare organisations will be required to address cyber and data security standards of third parties as set forth in the Health Information Bill, detailed within the Cyber and Data Security Guidelines.
The guidelines emphasise the need for clarity of the roles and responsibilities between healthcare providers and third-party vendors, and the measures established for third-party products or services to protect the provider’s systems from potential threats.
According to BlueVoyant research, 96% of respondents from APAC healthcare and pharmaceutical companies say they have been negatively impacted by a cyber security event originating from third parties. This is despite more money seemingly being allocated towards preventing such attacks. Nearly all (99%) respondents have reported increased budgets for third-party cyber risk management over the last 12 months.
Decision-makers therefore need to be looking at how they can strengthen cybersecurity, especially in their supply chains – and question why budget increases have not led to a reduction in cybersecurity incidents.
Supply chain visibility lacking
Strengthening third-party cybersecurity posture first depends on identifying the source of cybersecurity weaknesses within their supply chain ecosystems. With 71% of APAC healthcare and pharmaceutical respondents stating they maintain supply chains with anything from 501 to 50,000 suppliers, visibility is key.
More than a third (31%) of APAC healthcare and pharmaceutical companies state they have no way of knowing when a cyber issue arises within one of their third parties, one of the highest proportions among the sectors surveyed in the research. This may be due to 29% of decision makers within the sector claiming that third-party cybersecurity risk is not a business priority for their organisation.
Despite the magnitude of the problem, a worrying 47% of the sector state they either currently rely on their third parties to ensure adequate internal security, or currently apprise their suppliers of any problems and hope they fix them. Decision makers should treat supply chain cyber defence management as an urgent strategic priority and take proactive steps to mitigate risks throughout the entire supply chain.
Many organisations are not fully aware of the breadth, depth, and sophistication of these threats, and are therefore not sufficiently prepared to detect and respond to them. The prioritisation of strong cybersecurity within third-party supply chains will only increase with heightened awareness of the impact of successful cybersecurity incidents.
Senior management has a significant role to play in making proactive supply chain cybersecurity a top priority. Currently, a dismal 6% of those surveyed brief their senior management teams on the cybersecurity statuses of their suppliers weekly or more.
Driving a secure future in healthcare
APAC respondents struggle with a multitude of issues when it comes to addressing supply chain cybersecurity. They need to better understand how to penalise suppliers when they don’t respond to, or fail to remediate, vulnerabilities and issues.
Another challenge is identifying blind spots where they do not currently have the resources and visibility to spot emerging risks. The research also reveals that APAC healthcare organisations lack an internal understanding across the business that third-party suppliers are part of the organisation’s overall security posture.
Healthcare organisations urgently need to refine their strategic focus and cohesion when it comes to supply chain cybersecurity. This means increasing the strength, breadth, depth, frequency, and thoroughness of risk assessments, monitoring, and reporting throughout their supply chains. Going forward, this will be critical for organisations that wish to proactively and sufficiently protect data and operational integrity.
This involves a comprehensive evaluation of current resilience capabilities to pinpoint areas needing urgent enhancement. Doing so enables organisations to identify specific vulnerabilities and determine the most effective ways to strengthen them.
Guidelines such as those published by the Singapore government, paired with international standards like ISO 27001 and NIST 2.0, will also help in enhancing the security postures of both the companies’ own business and those within their supply chain ecosystem, providing guidance for structured cyber security assessment, management, and compliance.
Prioritising supply chain cyber defence is critical for healthcare in APAC, not just for the sector’s core security, but also for its long-term reputation and sustainability.