PILOT 2 SUPPLY CHAIN OF PUBLIC HEALTHCARE SYSTEM
NODALPOINT SYSTEMS, CYPRUS
BRIEF PROFILE
Nodalpoint Systems (NPS) is the principal organization tasked with designing, executing and maintaining essential technical operations for the General Healthcare System of Cyprus (GHS). The latter manages a comprehensive range of public healthcare services, encompassing the coordination of inpatient and outpatient appointments, physician referrals, pharmaceutical and commercial product prescriptions, laboratory and diagnostic test requests, management of personal health records, and the processing of financial claims linked to healthcare services for the entire population of the Republic of Cyprus.
The Digital Security Authority (DSA) is the competent authority for the transposition and implementation of the NIS Directive (2016/1148) and the Single Point of Contact in relation to it. The National CSIRT-CY, the technical department of the DSA, is part of its organizational structure. The DSA collaborates with other relevant bodies at European level, such as the CSIRT Network and ENISA, for information sharing and coordination in the field of cybersecurity. Its responsibilities include incident handling for Critical Information Infrastructures as well as the assessment of the technical and organizational measures set by relevant secondary legislation issued by the Authority, with which the Operators of Essential Services (OES) must comply.
SCOPE
Supply chain attacks on third-party suppliers and vendors have far-reaching implications for healthcare organizations as a result of the interconnected digital world. Malicious actors can insert malicious code into a vendor's code, the libraries it uses and its software updates, which can in turn enter the healthcare ICT system and give the attackers access to it. Given the criticality of the sector, the consequences of supply chain attacks in healthcare can be enormous: from exposing personal information of citizens and healthcare experts, and hence posing significant risks to their privacy and safety, to delaying the provision of healthcare services, with limited or life-threatening implications.
Going a step further, supply chain attacks in the strongly and complexly interlinked healthcare ecosystem can damage the operations and reputation of healthcare institutions as well as the business viability of the companies that are part of the supply chain. Thus, important aspects that require particular attention are third-party risk management, effective mechanisms for prompt incident response and impact mitigation, and well-informed reporting processes.
This pilot focuses on supply chain attacks targeting the delivery pipeline of NPS, as a critical technology and service provider in the supply chain of the Public Healthcare System in Cyprus. Such attacks, for example unauthorized modification of the GHS source code or hijacking of the deployment process, can impact the availability of the healthcare system and disrupt the provision of healthcare services across the entire country.