The American Hospital Association and Health-ISAC have a joint threat bulletin after a series of ransomware attacks by Russian cybercriminal ransomware gangs caused blood shortages and disrupted patient care in the US and UK

The organizations urged healthcare delivery organizations (HDOs), hospitals and health systems to prepare for physical supply chain disruptions from cyberattacks on third-party suppliers that could cause significant disruptions to patient care delivery. The bulletin highlighted three recent ransomware attacks on blood suppliers.

In July, Florida-based blood supplier OneBlood was targeted in a ransomware attack that led to major delays in the shipment of blood products in the region because the company was forced to manually label blood samples. The result was a blood shortage that impacted area hospitals and patient care. In June, pathology supplier Synnovis was attacked by a ransomware gang, causing delays in care and elective surgeries at multiple hospitals in London, and leaving thousands of units of blood unused because patients’ blood types could not be looked up without access to the medical records system. And in April, blood plasma supplier Octapharma was attacked via a vulnerable VMWare system, halting blood plasma donations in 35 states. These cybercriminals were able to steal donor information and donor-protected health information, in addition to disrupting patient care in the U.S. and EU.

Healthcare IT teams must consider how supply chain outages will impact operations and patient care and identify individual points of failure. The attacks highlight the need to include mission-critical suppliers in enterprise risk management and emergency management plans. Organizations must also develop multidisciplinary Third-Party Risk Management (TRPM) governance committees and programs to identify mission-, business-, and life-critical parties in their supply chain and develop procedures for how they would handle the loss of any of these services.

The Health-ISAC and AHA bulletin also recommends considering whether third-party vendors are: essential to the health care mission, could have catastrophic consequences for the organization if the vendor goes out of business, and whether there are suitable alternatives.