Hospitals & Facilities

Ransomware’s newest target? Blood banks

As cyberattacks on blood banks rise, experts worry the US healthcare system isn’t ready for a future breach.
article cover

Picture Alliance/Getty Images

5 min read

When hackers set their sights on a blood bank, the stakes aren’t just high, they’re life or death.

The nation saw that firsthand after a ransomware attack on July 29 against Florida-based blood bank OneBlood disrupted patient care, delayed elective procedures, and prompted the bank to tell more than 250 southeast hospitals to temporarily activate critical blood shortage protocols.

The hack knocked some of OneBlood’s systems offline, forcing staff to manually perform normally automated steps like blood labeling, according to a press release, which significantly slowed down deliveries to hospitals. In response, blood banks nationwide scrambled to send supplemental blood and platelets, an effort that the Association for the Advancement of Blood and Biotherapies (AABB) coordinated.As of August 8, business was back to normal and those supplemental shipments were no longer needed, the press release said. But the industry isn’t out of the woods yet.

Rewinding. The hack is one of three recent major worldwide attacks on life-sustaining supply chains, like blood banks, a joint threat bulletin by the American Hospital Association and the nonprofit Health Information Sharing and Analysis Center stated.

In April, the BlackSuit ransomware gang claimed it had hacked blood plasma provider Octapharma, which took its systems offline and closed 176 US plasma donation centers from April 17 to April 25, the company shared on its website.

As of August 1, June cyberattack on UK pathology provider Synnovis had postponed at least 9,423 acute outpatient appointments and 1,660 elective procedures—and counting, according to a release from the National Health Service. The system was still not fully back online. NHS is partnering with Synnovis to ensure people get the urgent care they need.

All these hacks were committed by seemingly unconnected Russian ransomware groups, according to the bulletin, though OneBlood spokesperson Susan Forbes declined to comment on whether a Russian group was involved in OneBlood’s hack.

“There appears to be a shift in pattern here, or a trend emerging, where Russian ransomware groups may be targeting life-critical and mission-critical supply chain[s], including blood supply,” John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, told Healthcare Brew.

Third-party supply chains tempt hackers because, instead of impacting one system like might happen in a targeted cyberattack, they can “cause maximum disruption to the healthcare sector,” Riggi said. What’s more, though experts typically “strongly discourage” paying ransoms, companies may pay if patients’ lives are in danger.

“It’s the equivalent of a life-threatening extortion,” he said.

Looking forward. And industry experts are worried the US isn’t doing enough to combat hackers.

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

“Clearly, the US government, collectively, as a policy, needs to do more to increase risk and consequence,” Riggi said. “Bottom line: These attacks are not only still occurring—they’re occurring at an increased pace.”

Riggi recommends health systems create backup plans that allow them to operate with a lack of access to critical supplies—like blood—from third-party vendors for 30 days or longer.

But Florida Hospital Association President and CEO Mary Mayhew said it’s difficult to have a backup plan in place due to how blood suppliers operate, especially in Florida, which gets over 80% of its blood from OneBlood. During the outage, Florida hospitals postponed transplant surgeries, and some pediatric patients lost access to life support extracorporeal membrane oxygenation (ECMO) machines because platelets weren’t available, Mayhew said.

Though hospitals got supplemental shipments, “they weren’t getting anywhere near enough,” she said—perhaps 20%–30% of their platelet supply, “if any.”

The issue was compounded because Florida hospitals weren’t allowed to have contracts with backup blood vendors; “OneBlood demanded that the contracts be exclusive,” Mayhew added.

“It wasn’t that hospitals wanted the exclusivity; OneBlood required the exclusivity in their contracts with hospitals,” Mayhew said.

This meant the hospitals had to spend extra time during the time-sensitive crisis identifying other blood centers, establishing relationships, and securing the blood.

Forbes told Healthcare Brew that “OneBlood does not have exclusive contracts with hospitals. The contracts state that OneBlood will be the hospital’s blood provider.” Hospitals “may obtain blood products from other suppliers to the extent the products are not available from OneBlood in a timely manner,” she said. “During the ransomware event, at no time did OneBlood request or prohibit any hospital it serves from obtaining blood products from other suppliers.”

Hospitals were also hampered by limited data about the national blood supply, Mayhew said. Leaders were left in the dark about how much blood they were going to get day to day and how much time shipments would have before their expiration dates, which made it difficult to make clinical decisions about what procedures and transfusions could be safely done.

“There is very little data transparency around that blood supply that would have better informed the predictability for hospitals of what they could anticipate receiving,” she said. “For nearly a week, they did not know what they were going to receive from OneBlood, and what they were receiving—if they received any—was substantially less than what they needed.”

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

H
B