Reshaping health care supply chains: Strategic paths to resilience

As supply chains grow more complex for health care organizations, with deep relationship tiers involving contract manufacturers, distributors and specialized logistical vendors, the probability of disruption rises, too. Historically, this complexity leads to more frequent and longer‑tail interruptions, not fewer, especially as policy and geopolitical dynamics shift.

Supply chain strategy reimagined

To stay ahead of supply chain demands and complexity, health care providers should reimagine business continuity and recovery strategies—such as responses to weather-related disruptions—and move beyond static playbooks to analytics‑led resilience. The priority: Leverage supply chain intelligence to map dependencies, stress-test critical supplies and surface early warning signals for potential stockouts. By integrating demand sensing, vendor risk data and inventory segmentation, health care organizations can rebalance inventory before pinch points become crises. This helps ensure contingency sourcing is operationalized rather than theoretical.

The risk of shortages associated with critical medical supplies, devices and drugs will continue for many organizations. Tabletop business continuity exercises—discussion-based, scenario-driven sessions designed to test and evaluate an organization’s emergency response and business continuity plan—may provide some relief and could be facilitated through health care preparedness coalitions funded by the Administration for Strategic Preparedness and Response. This planning, which aims to bridge the gap between first responders and health care organizations, can enhance emergency preparedness and response capabilities.

While organizations look to address and implement resilience strategies, the potential for more risk lingers, as tariffs could drive up costs.

Tariffs fuel the case for proactive resilient measures

Rising tariffs on imported goods continue to drive up operating costs for many hospitals. The effective tariff rate with China on medical and surgical goods—the second highest input cost for a health care organization—stands at 30%, based on data from Bloomberg. Furthermore, about 75% of medical devices used in the U.S. are imported, with 13.6% sourced from China, according to GlobalData’s MedSource database.

With that exposure, tariffs will likely compress margins due to tariff rates on operating materials such as personal protective equipment, syringes, devices that track vitals and more. This, in turn, may trigger pricing renegotiations across group purchasing and supplier contracts for some organizations. Industry groups, including the American Hospital Association, have sought device‑specific tariff exemptions.

No measures have been granted at this time, however. Domestic alternatives remain limited in the near term given U.S. Food and Drug Administration certification timelines and capital intensity. For now, providers should plan for higher costs on some supplies and focus on controlling pass‑throughs.

What leading health care systems should consider

To address margin pressures from tariffs and other factors, some organizations should consider implementing the following:

• Map supplies to tariff classifications and current duty rates. This is especially challenging when procuring via distributors or when the importer of record is upstream.
• Negotiate and diversify, providing transparency on landed costs—which represent the total price of a product or piece of equipment after it arrives at the health care organization’s loading dock—to push back on supplier pass‑throughs, prioritizing lower‑tariff substitutes and dual sourcing where clinically acceptable.
• Embed strategy into business continuity and disaster recovery plans, treating tariff shifts as a recurring stressor alongside climate and logistics events—and building tariff scenarios into demand planning, cash‑flow forecasts and contracting calendars.
• Systematize the vendor base by standing up vendor management benchmarking and automated tracking to flag sudden price variances, minimum‑order changes or lead‑time creep.

Given the volatility in supply costs resulting from tariffs, organizations should work with suppliers to understand the risks of direct and indirect tariff costs being passed on; evaluate the source of their supplies; and leverage technology, such as tools for vendor management benchmarking and tracking, to proactively monitor their susceptibility to increased costs.

Cyber poses another risk for supply chains

While controlling costs and maximizing efficiencies is paramount for optimal supply chain management, cyber poses another risk for organizations. Health care’s digital backbone—including electronic health record systems, cloud providers, device makers and supply chain third parties—are all part of an organization’s vast supply chain network. This growing interdependence on vendor relationships has raised the threat of cyberattacks for many health care providers. Since 2015, cyber breaches in health care have more than doubled, per the Office for Civil Rights. 

As Lenny Levy, health care cybersecurity leader at RSM US LLP, notes, “Third-party relationships have been increasingly involved in health care cyber breaches, affecting more than half of all impacted individuals since 2015, based on OCR data. Given the increase in complexity in organizations and the sophistication in tools used by bad actors, we expect this trend to increase in the future."

And when third parties—like claims processors, manufacturers or other organizations throughout the supply chain—touch clinical systems, patient records or operational workflows, their security posture becomes a direct factor in patient safety. A single breach in 2024 from a third-party vendor affiliated with health care providers affected roughly one out of every two individuals in the U.S. and resulted in the vendor issuing $9 billion in emergency loans to keep providers afloat. This event triggered a crisis that compromised sensitive data, deferred care and eroded public trust.

Operational playbook

As cyber incidents continue to rise, health care leaders must navigate growing risk within supply chains and beyond. The following steps can help reduce exposure to cyber-related threats:

• Stratify third parties. Classify vendors by data sensitivity, service criticality and business impact; apply stricter controls to high‑risk tiers.
• Implement risk assessments with teeth. Validate HIPAA and relevant frameworks, review breach history, and scrutinize data handling and encryption practices.
• Harden business associate agreements. Specify cybersecurity obligations, notification windows, audit rights and scope of access with clear accountability.
• Limit access. Use access controls to enforce least-privilege principles and segment vendor integrations to contain potential breaches.
• Implement continuous monitoring. Deploy automated tools to track security posture and patching speeds; integrate these real-time signals into an enterprise-wide cyber dashboard.
• Include vendors in resilience activities. Evaluate vendor criticality holistically, define roles and escalation paths, and conduct joint tabletop exercises.
• Audit regularly. Mix questionnaires and third‑party attestations with site visits to verify controls in practice, not just on paper.

“Third‑party cyber risk is more than a technical issue; it’s a patient safety imperative,” says Amy Feldman, health care industry director at RSM. “Embedding security into business relationships that extend the walls of each health care organization will be foundational moving forward to help leaders reduce potential disrupters to providing care.”

The takeaway

Disruptions in health care supply chains are becoming a recurring reality. At the same time, margins remain under pressure as costs continue to rise, making it critical for organizations to optimize supplier networks and adopt digital inventory decisioning to stay competitive. In parallel, boards are demanding greater visibility, with governance tightening around supply risk, cyber risk exposure and the financial implications of single-source dependencies.

Resilience is no longer a contingency plan—it’s a core operating capability. Providers that combine transparent cost mapping, diversified sourcing and continuous third‑party cyber oversight will be best positioned to protect patients, stabilize operations and absorb the next shock.