Alert Issued for Healthcare Supply Chain Cybersecurity

Healthcare supply chain organizations and their partners have been issued a cybersecurity alert after a string of Russian ransomware attacks caused major patient care disruptions. Health-ISAC (Information Sharing and Analysis Center) and the American Hospital Association (AHA) released a joint bulletin warning about the need to increase supply chain security and the potential impact of attacks. The bulletin emphasized the need to apply risk management principles to suppliers.

The Supply Chain Ransomware Attacks

OneBlood

In July 2024, OneBlood, a blood provider in the southeastern US, was a ransomware victim. The attack knocked OneBlood systems offline and disrupted the distribution of blood to more than 250 hospitals. The resulting blood shortage was significant enough that the Florida Hospital Association recommended affected hospitals begin activating their critical blood shortage protocols. A hospital in Tallahassee postponed two surgeries to preserve its blood supply.

Synnovis

In July 2024, Synnovis, a pathology provider in the UK that supplies blood tests and other services to hospitals, was taken down by a cyber-attack. The United Kingdom’s National Health Service (NHS) reported that 1,608 elective procedures and 8,349 acute outpatient appointments had to be postponed at London hospitals because of the ransomware’s impact on Synnovis’s IT systems.

Octapharma Plasma

In April 2024, a cyber-attack forced Swiss pharmaceutical company Octapharma Plasma to temporarily close 190 plasma donation centers in 35 US states. Octapharma ships the plasma it collects in the US to Europe for medical therapies. The BlackSuit ransomware group was responsible for the attack and stole sensitive donor information, including protected health information.

These attacks on healthcare suppliers demonstrate how devastating the ripple effect can be throughout the industry. The downstream consequences interrupted hospital services, compromising patient care and potentially putting lives at risk.

The attacks also highlight the growing threat of geopolitical ransomware and the efforts of foreign groups to disrupt the infrastructure of healthcare, governments, and other sectors.

Managing the Risk

Healthcare organizations must account for supply-chain disruptions in their risk management programs to minimize the potential impact on patient care. Develop a plan to eliminate single points of failure by having secondary suppliers lined up if an incident renders a primary supplier inoperable.

Other actions healthcare organizations can take to mitigate the impact of a supplier or vendor being the victim of a cyber-attack include:

  • Develop and implement a Third-Party Risk Management governance committee and program that identifies the third parties and supply chains that are life-critical, mission-critical, and business-critical for each function. Assess strategic and technical risks for each.
  • Develop a continuity plan for each supplier to account for a loss of those critical services and supplies for 30 days or longer while sustaining business operations and continuing safe and quality care.
  • Thoroughly document, test, and update all continuity and downtime plans at least annually.
  • Identify and categorize the level of risk each supplier or vendor creates based on criteria such as:
    • Storage of, or access to, sensitive data
    • Network access, including privileged access
    • Foreign operations and subcontractor risk
    • Current technical cybersecurity posture and ongoing monitoring
    • Aggregate risk from third parties that provide multiple services
    • Breach notification and responsibility requirements

All risk-based requirements should be contractual and included in business associate agreements and third-party contracts.

Learn more about managing third-party risk by reading the Is My Vendor Really HIPAA-compliant? blog post. Also, listen to our Effective Vendor Security Evaluations podcast episode.

CompliancePoint specializes in helping healthcare organizations improve their cybersecurity posture. We have helped organizations of all sizes achieve HIPAA compliance and secure HITRUST certification. Reach out to us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.