The HIC-SCRiM toolkit, developed by the Healthcare and Public Health Sector Coordinating Council (HSCC), provides small to mid-sized healthcare organizations with actionable guidance to manage supply chain cybersecurity risks. Aligned with the NIST Cybersecurity Framework (CSF), the toolkit offers practical tools to ensure secure supplier practices, protect patient safety, and strengthen the healthcare sector’s cybersecurity posture.
Strengthen your healthcare organization’s supply chain cybersecurity today. Download the HIC-SCRiM toolkit and explore how it can help you manage supplier risks, protect patient safety, and align with the NIST Cybersecurity Framework. Visit HealthSectorCouncil.org to get started!
The HIC-SCRiM toolkit is a resource designed to help healthcare organizations implement and sustain a supply chain cybersecurity risk management program; align with the NIST Cybersecurity Framework (CSF) to follow industry best practices; and manage cybersecurity risks introduced by third-party suppliers and vendors.
The second release of the toolkit builds on the first version by completing the five NIST CSF supply chain requirements; adding guidance on adherence to contractual terms with suppliers; and introducing tools for response and recovery testing in case of supplier cybersecurity incidents.
The toolkit is primarily targeted at small to mid-sized healthcare organizations with limited resources. It also encourages large healthcare organizations, associations, and consultancies to promote adoption across the sector.
Healthcare organizations rely on third-party suppliers for technology and services, introducing cybersecurity risks into the system. Ensuring secure supplier practices protects patient safety and critical healthcare operations. A structured, repeatable, and measurable supply chain risk management system is essential to mitigate these risks.
The toolkit follows the Supply Chain requirements within the NIST CSF and provides risk assessment templates to evaluate supplier risks; contractual language for supplier agreements to ensure compliance; and tools for response and recovery testing to prepare for cybersecurity incidents.
The toolkit was developed by the Supply Chain Security task group, co-chaired by Chris van Schijndel of Johnson & Johnson and Vish Gadgil of Merck. The task group includes over 20 supply chain and cybersecurity professionals from a broad spectrum of health sector organizations.