FDA Urges Blood Establishments to Improve Their Security Posture Following Spate of Ransomware Attacks
The Food and Drug Administration (FDA) has issued an alert advising blood suppliers and transfusion services about a spate of ransomware attacks that disrupted healthcare systems and blood establishment operations. All blood establishments have been urged to take steps to strengthen their cybersecurity practices and test and improve their incident response and contingency plans.
Computer systems are used at all stages of the manufacturing, processing, labeling, and distribution of blood and blood products. Cyberattacks such as ransomware incidents that disrupt those highly interconnected computer systems can affect the safety and availability of the blood supply. The disruption caused by these attacks can last several days to several months, severely affecting the manufacturing and distribution of blood, blood products, and source plasma.
In June 2024, a ransomware attack on Synnovis, a pathology service provider to the UK’s National Health Service, disrupted testing services and blood matching, initially causing a shortage of type-O blood supplies in London and then nationwide. The ransomware attack resulted in the cancelation of thousands of appointments and procedures, and it took Synnovis months to recover. An attack on the Swiss pharmaceutical firm Octapharma Plasma in April forced the company to temporarily close 190 US plasma collection centers and disrupted the collection and processing of plasma for weeks. The Florida blood center, OneBlood, suffered a ransomware attack in August that disrupted blood supplies to Florida hospitals, forcing them to take steps to conserve blood supplies.
The attacks, conducted by Russian-speaking ransomware groups, prompted a warning from Health-ISAC and the American Hospital Association (AHA) that these attacks should serve as a wake-up call for the healthcare industry. H-ISAC and the AHA urged all healthcare delivery organizations to take immediate action to improve supply chain security and resilience and to review their contingency plans for potential disruption to the blood supply chain and other mission-critical and life-critical medical supplies.
The FDA said the ransomware attacks have revealed cybersecurity gaps and vulnerabilities in computer systems used to ensure the safety and availability of the blood supply. Given these and potential future threats, blood establishments and transfusion services should assess their incident response and disaster plans to identify shortcomings and strengthen cybersecurity measures to improve resiliency, protect sensitive data, and ensure business continuity.
The FDA recommends that blood establishments and transfusion services implement the HHS’ Cybersecurity Performance Goals (CPGs), which consist of cybersecurity measures that are likely to have the greatest impact on improving resiliency to cyberattacks, and develop procedures to ensure continued operations in the event of an attack that causes long-term disruption to computer systems.


