Source: www.govinfosecurity.com – Author:
3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management
Bulletin Comes in Wake of Recent Attacks Disrupting Blood Collection, Supplies Marianne Kolbasuk McGee (HealthInfoSec) • December 9, 2024
The Food and Drug Administration is urging blood suppliers to bolster their cybersecurity practices to prevent and mitigate cyber incidents that could affect the supply and safety of critical blood and blood components used for transfusions and other patient care.
See Also: The Role of the Data Storage Platform in Providing Data Resiliency
The FDA bulletin issued Thursday comes in the wake of several recent high-profile cyber incidents affecting blood suppliers and related establishments in the U.S. and elsewhere.
That includes a June ransomware attack on Synnovis, a British pathology laboratory services provider that disrupted patient care and testing services at a number of London-based National Health System hospitals and other care facilities for several weeks. The incident ultimately caused the postponement and cancellation of thousands of procedures and appointments, and triggered a nationwide shortage of type-O blood supplies in the United Kingdom.
In the U.S., an August ransomware attack on a Florida-based blood center OneBlood and an April attack on Octapharma Plasma, the U.S. operations of a Swiss pharmaceutical maker, also each disrupted blood collection and processing operations for several weeks.
Russian-speaking ransomware gangs were suspected to be behind each of those attacks.
During the summer, the Health Information Sharing and Analysis Center and the American Hospital Association issued joint threat alerts to the healthcare sector about attackers targeting blood supply entities (see: Attacks on Blood Suppliers Trigger Supply Chain Warning).
“The trio of ransomware attacks starting in April 2024 on OneBlood, Synnovis, and Octapharma Plasma by Russian cybercrime ransomware gangs caused disruption to blood and plasma supplies in regions across the U.S. and U.K., ultimately causing major impacts to patient care,” said Errol Weiss, chief security officer at Health-ISAC.
As Health-ISAC and AHA warned in August, the attacks on those three critical third-party suppliers significantly affected healthcare delivery, Weiss said. “It should serve as a wake-up call across the industry to address supply chain resilience. It’s not just about ensuring IT systems are secure, but also making sure critical hospital operations can continue to function in the face of widespread IT system outages,” Weiss said.
The AHA also urges action by blood suppliers and the organizations that depend on those products and services. “We continue to strongly encourage hospitals and blood suppliers to ensure they have robust cyber defenses, but also robust response, resiliency and recovery plans in place for clinical continuity, should mission critical and life critical supply chain be disrupted by a ransomware attack or any other reason,” said John Riggi, national cyber adviser at the American Hospital Association.
FDA’s Guidance
The recent cybersecurity incidents involving blood establishments have revealed gaps in cybersecurity measures and exposed vulnerabilities in the highly interconnected computer systems and networks used to ensure the safety and availability of the blood supply, the FDA bulletin said.
“Recovery from cybersecurity incidents may take several days to months, during which time the manufacturing functions of blood establishments and the ability to distribute blood and blood components or source plasma could be disrupted,” the FDA said.
“In light of these current and potential cybersecurity threats, we encourage blood establishments and transfusion services to identify possible shortcomings of their current disaster plans and implement and strengthen measures for cybersecurity resiliency to protect their data, ensure continuity of operations and maintain a safe and adequate blood supply for patients.”
These measures include:
- Mitigating known vulnerabilities of organizational networks;
- Ensuring email security;
- Using multifactor authentication, utilizing unique credentials, separating user and privileged accounts, and revoking credentials for departing staff;
- Implementing strong encryption;
- Performing incident planning and preparedness;
- Maintaining vendor and supplier cybersecurity requirements.
“Blood establishments must maintain and follow standard operating procedures for performing manufacturing steps when their computer systems are not available,” the FDA said. Blood organizations’ downtime procedures must comply with all FDA regulations including donor eligibility and donation suitability.
Because recovery from a cyber incident could take several weeks or months, blood establishments may consider developing procedures that ensure the continued operations over an extended period of time, the FDA said.
“Blood establishments may wish to consider using blood establishment computer software devices and versions that are currently supported by the manufacturer of the device. This helps ensure that the BECS receives routine updates and patches to prevent cybersecurity incidents.”
Additionally, blood establishments should conduct routine staff training exercises to ensure that the workforce are aware of general cybersecurity practices and are familiar with processes that may be necessary in a cybersecurity incident, the FDA said.
Furthermore, blood establishments must report to FDA when there is an interruption in manufacturing likely to result in a significant disruption in supply, the bulletin adds.
“Given the significant consequence of cybersecurity incidents in blood manufacturing settings, licensed blood establishments should notify FDA if their blood manufacturing operation is interrupted by a cybersecurity incident,” the agency said.
“FDA also encourages registered-only blood establishments to notify FDA because of the interconnectedness of healthcare and blood establishment computer networks.
“In the event of a cybersecurity incident, blood establishments must continue to maintain records for the performance of each significant step in the collection, processing, compatibility testing, storage and distribution of each unit of blood and blood components so that all steps can be clearly traced,” the FDA said.
Health-ISAC’s Weiss said that for healthcare organizations, including blood suppliers, it comes down to cybersecurity hygiene. “My top recommendations include staying up-to-date on software patches, backing up systems and data, and using multifactor authentication for all remote access and privileged user accounts,” he said. “Also, participating in an information-sharing community helps organizations stay on top of today’s current threats while also offering a trusted network of peers who can help each other before a crisis occurs.”
Riggi of the AHA said he has no doubt that when any groups attack the blood supply, they understand they are threatening the lives of patients that depend on the blood supply for life-saving treatment.
“In no way can these type of attacks be considered anything other than threat-to-life crimes,” he said. “We as a sector and nation must, with a sense of urgency, prepare to defend against them, and we hope the government will continue with the same sense of urgency to disrupt the attackers.”
Original Post URL: https://www.govinfosecurity.com/fda-urges-blood-suppliers-to-beef-up-cyber-a-27004
Category & Tags: –
Views: 0