The American Hospital Association and the Health-ISAC recently came together to address a growing concern in the healthcare industry – the threat of ransomware attacks by Russian cybercrime gangs. These attacks have not only disrupted patient care in the U.S. and U.K., but they have also led to blood shortages, further complicating the situation for healthcare organizations.
In response to these alarming developments, the organizations issued a joint threat bulletin, urging healthcare delivery organizations, hospitals, and health systems to be vigilant and prepared for potential physical supply chain disruptions caused by cyberattacks on third-party vendors. These disruptions have the potential to cause significant problems in the delivery of patient care, which is why it is crucial for healthcare organizations to be proactive in their approach to cybersecurity.
The bulletin highlighted three recent ransomware attacks against blood suppliers, shedding light on the impact such attacks can have on the healthcare industry. In July, OneBlood, a Florida-based blood supplier, fell victim to a ransomware attack that resulted in major shipping delays of blood products in the region. This forced the company to manually label blood samples, leading to a blood shortage that affected area hospitals and patient care.
Similarly, in June, Synnovis, a pathology provider in London, was attacked by a ransomware gang, causing delays in care and planned surgeries across multiple hospitals. Thousands of units of blood were rendered unusable because patient blood types could not be accessed without the health record system. In April, Octapharma, a blood plasma provider, experienced a cyberattack that not only disrupted blood plasma donations in 35 states but also resulted in the theft of donor information and protected health information.
These incidents underscore the need for healthcare IT teams to closely consider how supply-chain outages could impact their operations and patient care. It is essential for organizations to identify single points of failure and incorporate mission-critical suppliers into their risk management and emergency plans. Developing multi-disciplinary Third-Party Risk Management (TPRM) governance committees and programs is vital to ensuring that mission-, business-, and life-critical parties in the supply chain are identified and that procedures are in place to address the loss of any of these services.
The joint bulletin also emphasizes the importance of assessing whether each third-party vendor is essential to the healthcare mission, whether its failure could lead to catastrophic consequences, and whether suitable alternatives are available. By considering these factors and taking proactive steps to strengthen cybersecurity, healthcare organizations can better protect themselves from future cyber threats and ensure the continuity of patient care.
