AHA and Health-ISAC Issue Joint Threat Bulletin on Ransomware Attacks

Aug. 12, 2024
The organizations stress that HDOs and other health systems should prepare for the possibility of ransomware attacks to prevent worst-case scenarios.

The American Hospital Association and Health-ISAC have issued a joint threat bulletin about recent ransomware attacks that have caused disruptions in patient care.

In the past several months, ransomware attacks on OneBlood, Synnovis, and Octapharma have “significantly impacted healthcare delivery,” and the two organizations are stressing that “organizations should prioritize applying risk management assessment principles to their critical suppliers and partners.”

The ransomware attacks have had many significant effects on healthcare delivery. OneBlood has been forced to “resort to manual labeling of blood samples,” which is causing major shipping delays, and the “resulting blood shortage is so severe that the Florida Hospital Association (FHA) has recommended that affected hospitals begin to activate critical blood shortage protocols.” Additionally, the attack against Synnovis delayed more than 800 planned operations and caused “thousands of O-negative and O-positive blood donations to be destroyed because of a lack of connectivity to electronic health records.”

The three attacks mentioned in the bulletin “appear to be unrelated.” The two organizations stress that healthcare delivery organizations (HDOs), hospitals, and health systems should “review contingency plans for possible disruption to the blood supply chain and other mission and life-critical medical supplies.” Attacks on different suppliers at the same time could hypothetically lead to compounding impacts that are “exponentially greater” than those of attacks on suppliers at separate times.

Health-ISAC and the AHA recommend that “special consideration” be afforded to “critical supply chain entities.” They specifically mention that healthcare organizations should “develop and implement a multi-disciplinary Third-Party Risk Management (TPRM) governance committee,” “develop continuity procedures for each to sustain a loss of…critical services and supplies for 30 days or longer,” “thoroughly document, test, and update continuity plans and downtime procedures for each,” and “risk prioritize and stratify identified entities on an enterprise level.”

About the Author

Matt MacKenzie | Associate Editor

Matt is Associate Editor for Healthcare Purchasing News.