Protecting the Healthcare Supply Chain Against Russian Ransomware Attacks

The healthcare sector is under siege. In recent months, an alarming wave of cyber-attacks has laid bare critical weaknesses within the healthcare supply chain.

Russian ransomware gangs, known for their sophisticated and relentless tactics, have targeted key healthcare suppliers such as Synnovis, Octapharma and OneBlood, disrupting essential services and jeopardizing patient care on a global scale.

As these threats escalate, healthcare organizations must reassess their cybersecurity strategies and take steps to include mission-critical suppliers in their risk management plans. Failure to do so could leave them vulnerable to severe disruptions, compromising the integrity of their operations – and leaving them unable to deliver life-saving patient care. 

Evolving Tactics of Cybercriminals

2024 has seen three major ransomware attacks disrupting critical healthcare services. On July 30, a ransomware-induced software outage at OneBlood, a Florida blood supplier, led to severe delays and shortages across the state and surrounding areas.

On June 3, the Qilin gang targeted Synnovis, a pathology provider, disrupting over 3000 hospital and GP appointments in the greater London area; thousands of blood donations also had to be destroyed. Earlier, on April 15, the BlackSuit gang attacked Octapharma, shutting down 190 US plasma centers and stealing sensitive donor information, affecting plasma supplies across the US and EU.

While these attacks appear unrelated and were carried out by different Russian-speaking ransomware groups, their close timing and similar targets are deeply concerning. The global healthcare system has become increasingly interconnected with third-party suppliers.

This growing dependence on external partners heightens the risk of cascading disruptions, as a single attack on a critical supplier can have widespread repercussions for multiple healthcare providers.

Thinking ahead, it’s not hard to imagine a scenario in which a coordinated attack on multiple critical suppliers could lead to significant disruptions in patient care, massive delays in essential services and a potential collapse in the supply chain.

To mitigate these risks, healthcare organizations must prioritize strengthening their cybersecurity protocols and ensure that their third-party suppliers are equally fortified against cyber threats.

Intelligence Sharing and Collaboration

As part of this effort, there is a real need to increase intelligence sharing and collaboration among healthcare information security, physical security and risk management teams. Efforts in this direction have been ongoing for years, but they must be intensified as cyber threats continue to grow in complexity and frequency.

Traditional, siloed approaches to cybersecurity are no longer sufficient. Instead, healthcare organizations must embrace a more unified strategy. This includes establishing robust communication channels between organizations, sharing real-time information on attacks and vulnerabilities and collaborating on best practices and mitigation strategies.

Joint efforts like these, as shown in Health-ISAC’s collaboration with the American Hospital Association (AHA), are vital in the fight against cyber threats. By working together, healthcare organizations can share critical intelligence, allowing them to anticipate and respond more effectively to potential attacks.

This collaboration enhances their ability to identify emerging threats early, develop coordinated defenses and implement strategies that mitigate risks. Ultimately, intelligence sharing strengthens individual organizations and fortifies the entire healthcare system, ensuring it remains resilient against cyber-attacks.

Strengthening Supply Chain Cybersecurity

In the meantime, healthcare organizations should incorporate supply chain availability and outages into their overall risk management assessment. Health providers should consider alternative or multiple suppliers for critical resources to build redundancy in case a key supplier is compromised by a cyber-attack.

At the same time, healthcare organizations should take steps to identify critical supply chain entities that could jeopardize their operations and patient care if those suppliers are attacked. This assessment should be based on three criteria: the entity's essential role in healthcare, the severe consequences of its failure and the absence of suitable alternatives.

Blood suppliers, key software providers and vital business relationships can often, unfortunately, meet these criteria. For instance, the Change Healthcare cyber incident and subsequent outage in February 2024 demonstrated how a reliance on a single electronic claims processing system, with no redundancy in place, became a point of failure that severely disrupted operations and finances for pharmacies and hospitals across the US.

To address these risks, healthcare organizations should establish a third-party risk management (TPRM) committee, composed of multidisciplinary members, to continuously identify and assess life-critical, mission-critical, and business-critical third parties and supply chains.

Additionally, organizations need to develop continuity procedures to prepare for the potential loss of critical services and supplies, ensuring they can maintain business operations and quality care for at least 30 days.

Organizations should also routinely document and test their continuity and downtime procedures to ensure preparedness. It's essential to conduct risk prioritizations by evaluating third parties based on factors such as sensitive data access, network privileges, and cybersecurity posture.

In addition, organizations should develop tailored cybersecurity and insurance requirements for each critical supplier. Lastly, all risk-based requirements should be incorporated into business associate agreements and third-party contracts to ensure comprehensive protection.

Final Thoughts

While not foolproof, the above measures can provide a strong foundation for reducing risks and minimizing disruptions. By identifying vulnerabilities and building redundancies, healthcare organizations can better protect their operations and patient care from cyber-attacks.

These steps, along with enhanced intelligence sharing and collaboration among healthcare security teams, will help minimize the impact of cyber incidents on critical services and supplies, ensuring that essential healthcare delivery remains resilient.
