Cyberattacks Disrupting Patient Care

Ransomware

August 8, 2024

Recent ransomware attacks on OneBlood, Synnovis, and Octapharma by Russian cybercrime gangs have caused massive disruption to patient care. On April 15, the BlackSuit ransomware group attacked blood plasma provider Octapharma through a vulnerable VMware system, resulting in the closure of over 190 plasma donation centers in 35 US states. On June 3, the pathology provider Synnovis was attacked by the QiLin ransomware group, leading to the disruption of healthcare services in multiple London hospitals. On August 7, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation. The cyberattacks caused many hospitals to reschedule appointments and postpone operations, and prompted hospitals to initiate critical blood shortage protocols.

These recent cyberattacks highlight the potential for catastrophic failures in healthcare delivery when critical suppliers are affected, underscoring the need to include third-party suppliers in risk management to ensure the healthcare system’s resiliency. The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) issued a Joint Threat Bulletin to notify consumers about the potential widespread repercussions of cyberattacks targeting healthcare suppliers.

Recommendations

  • Establish a diverse Third-Party Risk Management (TPRM) governance committee and program. Each function represented should identify ongoing critical third parties and supply chains for their respective areas.
  • Evaluate strategic and technical risks.
  • Develop plans to sustain business operations for at least 30 days if critical services and supplies are lost. Document, test, and update these plans annually.
  • Establish a comprehensive data backup plan that includes offline backups and incorporates incident response and continuity of operations plans in emergency operation planning.
  • Increase employee awareness education and reporting to reduce the risk of compromise from cyber threats.
  • Consider reducing the attack surface by eliminating external-facing systems and limiting unnecessary systems.