Healthcare Providers Must Plan for Ransomware Attacks on Third-Party Suppliers
The American Hospital Association and Health-ISAC issued a joint threat bulletin warning healthcare IT providers that their ransomware plans need to consider third-party risk.
August 10, 2024
The American Hospital Association and Health-ISAC issued a joint threat bulletin after a series of ransomware attacks by Russian cybercrime gangs created blood shortages and disrupted patient care in the US and UK.
The organizations urge healthcare delivery organizations, hospitals, and health systems to prepare for physical supply chain disruptions caused by cyberattacks on third-party vendors that could create significant problems for patient care delivery.
The bulletin highlights three recent ransomware attacks against blood suppliers. In July, Florida-based blood supplier OneBlood was the target of a ransomware attack that created major shipping delays of blood products in the region because the company was forced to manually label blood samples. The result was a blood shortage that impacted area hospitals and patient care. In June, pathology provider Synnovis was attacked by a ransomware gang, creating delays in care and planned surgeries across multiple London hospitals. In addition, thousands of units of blood couldn't be used because, without access to the health record system, patient blood types couldn't be looked up. And in April, blood plasma provider Octapharma was attacked through a vulnerable VMware system, closing blood plasma donations in 35 states. Those cybercriminals were able to steal donor information and donors' protected health information, in addition to disrupting patient care in the US and European Union.
Healthcare IT teams need to consider how supply chain outages will impact business operations and patient care and identify single points of failure. The attacks highlight the need to incorporate mission-critical suppliers into enterprise risk management and emergency management plans. Organizations also need to develop multidisciplinary third-party risk management governance committees and programs to identify mission-, business-, and life-critical parties in their supply chains, as well as develop procedures on how they would handle the loss of any of these services.
The Health-ISAC and AHA bulletin also recommends considering whether third-party vendors are essential to the healthcare mission, whether a vendor failure could result in catastrophic consequences for the organization, and whether suitable alternatives are available.