The American Hospital Association and the Health-ISAC issued a joint threat bulletin after a series of ransomware attacks by Russian cybercrime ransomware gangs created blood shortages and disrupted patient care in the U.S. and U.K.
The organizations urged healthcare delivery organizations (HDOs), hospitals and health systems to prepare for physical supply chain disruptions caused by cyberattacks on third-party vendors that could create significant problems to patient care delivery. The bulletin highlighted three recent ransomware attacks against blood suppliers.
In July, Florida-based blood supplier OneBlood was the target of a ransomware attack that created major shipping delays of blood products in the region as the company was forced to manually label blood samples. The result was a blood shortage that impacted area hospitals and patient care. In June, pathology provider Synnovis was attacked by a ransomware gang, creating delays in care and planned surgeries across multiple London hospitals, and which left thousands of units of blood unable to be used because patient blood types couldn’t be looked up without access to the health record system. And in April, blood plasma provider Octapharma was attacked through a vulnerable VMWare system, closing blood plasma donations in 35 states. Those cybercriminals were able to steal donor information and donor-protected health information, in addition to disrupting patient care in the U.S. and E.U.
Healthcare IT teams to consider how supply-chain outages will impact business operations and patient care, and identify single points of failure. The attacks highlight the need to incorporate mission-critical suppliers into enterprise risk management and emergency management plans. Organizations also need to develop multi-disciplinary Third-Party Risk Management (TRPM) governance committees and programs to identify mission-, business-, and life-critical parties in their supply chain, and develop procedures on how they would handle the loss of any of these services.
The Health-ISAC and AHA bulletin also recommends considering whether third party vendors are: essential to the healthcare mission, could result in catastrophic consequences for the organization if the vendor fails, and whether there are suitable alternatives.
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc56d3c2aac619e2c/663e454c18e60a2a0e68c51d/healthcar_cyber_JJ_Gouin_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop