The American Hospital Association and Health-ISAC have released a joint Threat Bulletin following a series of ransomware attacks by a Russian cybercrime group that have caused blood shortages in the US and UK and disrupted patient care.
These organizations are urging healthcare delivery organizations, hospitals and health systems to prepare for disruptions to the physical supply chain caused by cyberattacks on third-party vendors that could cause significant problems in the delivery of patient care.
This bulletin covers three recent ransomware attacks on blood suppliers. In July, Florida-based blood supplier OneBlood was targeted in a ransomware attack that forced the company to label blood samples manually, causing major delays in the delivery of blood products in the region. This resulted in blood shortages that affected hospitals and patient care in the region. In June, pathology provider Synnovis was attacked by a ransomware gang, causing delays in treatment and scheduled surgeries at several London hospitals. In addition, thousands of units of blood were rendered unusable because medical record systems could not be accessed, which meant patients' blood types could not be determined. In April, plasma provider Octapharma was attacked through a vulnerable VMware system, resulting in the suspension of plasma donations in 35 states. In addition to disrupting patient care in the United States and the European Union, these cybercriminals were able to steal donor information and donor protected health information.
Health IT teams must consider how a supply chain outage could impact business operations and patient care and identify single points of failure. These attacks highlight the need to incorporate mission-critical suppliers into enterprise risk management and emergency management plans. Organizations should also develop multidisciplinary third-party risk management governance committees and programs to identify mission-, business-, and life-critical parties in their supply chains and develop procedures for how to respond if any of these services are lost.
The Health-ISAC and AHA bulletin also recommends considering whether a third-party vendor is essential to the healthcare mission, whether the vendor's failure could have devastating consequences for the organization, and whether suitable alternatives exist.