CISA releases new tool to shore up third-party cybersecurity risks

A new interactive guide aims to help healthcare organizations vet software suppliers as ransomware attacks surge across the medical sector.
By admin
Aug 28, 2025, 1:37 PM

The federal government’s cybersecurity agency on Monday released a new digital tool designed to help hospitals and other healthcare organizations protect themselves from the kind of devastating cyberattacks that have crippled medical facilities across the country. 

The Cybersecurity and Infrastructure Security Agency unveiled its Software Acquisition Guide: Supplier Response Web Tool, a free online resource that walks organizations through a series of questions to assess the cybersecurity risks of software they are considering purchasing. 

Healthcare organizations have become prime targets for cybercriminals, in part because of their reliance on interconnected software systems and their willingness to pay ransoms to restore critical patient care services. Last year alone, 276.7 million healthcare records were breached, affecting more than 80 percent of Americans. 

The Change Healthcare attack, which cost parent company UnitedHealth Group $2.457 billion, exemplified how the compromise of one widely used intermediary can cascade through the healthcare system. The breach paralyzed insurance claims processing and forced many medical practices to delay patient care or exhaust their own funds to stay operational. 

“This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said Marci McCarthy, the agency’s director of public affairs, in a statement. The tool transforms an earlier government guide into an interactive format that can generate customized reports for hospital executives and technology officers. 

The software supply chain challenge

Healthcare organizations increasingly depend on software from multiple vendors, often without full visibility into the components and potential vulnerabilities within those systems. The new CISA tool addresses this blind spot by helping organizations ask the right questions about their software suppliers’ security practices. 

The tool builds on existing federal cybersecurity frameworks and aligns with growing regulatory requirements. Medical device manufacturers, for instance, must now include in their premarket submissions to the Food and Drug Administration a detailed inventory of the software components in each device, a document known as a Software Bill of Materials, or SBOM. 
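The "blind spot" described above is concrete once a supplier hands over an SBOM: the buyer still has to check that the inventory is complete enough to act on. The following is an added example, not code from the article or from CISA's tool, showing the kind of review a procurement team can automate. It parses a minimal CycloneDX-format SBOM (CycloneDX is a real SBOM standard; the document, component names, vendor name and watch-list entries here are all constructed for illustration) and reports components that lack a version, a package URL or a named supplier, components listed twice, and components that appear on a watch list the organization maintains itself.

```python
import json
from typing import Dict, List, Set

# Constructed minimal CycloneDX-style SBOM for illustration only.
# Component and vendor names are hypothetical, not a real product's inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-web", "version": "2.4.1",
         "purl": "pkg:pypi/example-web@2.4.1",
         "supplier": {"name": "Example Vendor"}},
        # Version omitted: cannot be matched against any advisory feed.
        {"type": "library", "name": "example-crypto", "version": "",
         "purl": "pkg:pypi/example-crypto"},
        # No version, no purl, no supplier: effectively unidentifiable.
        {"type": "library", "name": "example-logging"},
        # Exact duplicate of the first entry.
        {"type": "library", "name": "example-web", "version": "2.4.1",
         "purl": "pkg:pypi/example-web@2.4.1",
         "supplier": {"name": "Example Vendor"}},
    ],
})

# Constructed watch list: purls the buyer has decided to flag on sight
# (for instance, packages already under internal review). Hypothetical.
SAMPLE_WATCHLIST: Set[str] = {"pkg:pypi/example-crypto"}

FINDING_TYPES = (
    "missing_version",   # cannot be matched to advisories without a version
    "missing_purl",      # no package URL, so no machine-matchable identity
    "missing_supplier",  # no one named to ask about patches or support
    "duplicate",         # same purl listed more than once
    "flagged",           # purl appears on the buyer's own watch list
)


def review_sbom(sbom_json: str, flagged_purls: Set[str]) -> Dict[str, List[str]]:
    """Check a CycloneDX SBOM for the gaps a procurement reviewer cares about.

    Returns a mapping from finding type to the components it applies to,
    each labelled as name@version (or just name when no version is given).
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    findings: Dict[str, List[str]] = {kind: [] for kind in FINDING_TYPES}
    seen_purls: Set[str] = set()

    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version") or ""
        purl = comp.get("purl") or ""
        label = f"{name}@{version}" if version else name

        if not version:
            findings["missing_version"].append(label)
        if not purl:
            findings["missing_purl"].append(label)
        if not comp.get("supplier", {}).get("name"):
            findings["missing_supplier"].append(label)

        if purl:
            if purl in seen_purls:
                findings["duplicate"].append(label)
            seen_purls.add(purl)
            if purl in flagged_purls:
                findings["flagged"].append(label)

    return findings


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed SBOM and watch list above."""
    return review_sbom(SAMPLE_SBOM, SAMPLE_WATCHLIST)


if __name__ == "__main__":
    print(json.dumps(review_sample(), indent=2))
```

Only the first component in the sample passes cleanly; the others each trip at least one check, which is the point: an SBOM that names components without versions or package URLs does not give the buyer the visibility the regulation is meant to provide. The watch list is deliberately left to the organization rather than tied to a particular vulnerability database, since which feeds to consult is a procurement decision.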

Practical implementation

Unlike dense government guidance documents, the new tool presents users with tailored questions based on their specific needs and generates exportable summaries that can be shared with senior leadership. Since its release, the underlying Software Acquisition Guide has reached over 10,000 users across federal, state and local governments, as well as private organizations. 

The tool is particularly relevant as healthcare organizations increasingly adopt artificial intelligence systems for diagnostics, patient monitoring and administrative tasks. These AI applications often rely on complex software components and third-party libraries, creating new potential entry points for cybercriminals. 
