The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) are delivering this Joint Threat Bulletin to inform readers of the potential for cascading impacts from cyberattacks on healthcare suppliers. The recent ransomware attacks on OneBlood, Synnovis, and Octapharma by Russian cybercrime ransomware gangs resulted in a massive disruption to patient care. The outcomes of these attacks highlight the need to incorporate mission-critical and life-critical third-party suppliers into enterprise risk management and emergency management plans to maintain resiliency and redundancy in the modern digitally connected healthcare ecosystem. That three critical third-party supply chain attacks have significantly impacted healthcare delivery in the past three months should serve as a wake-up call across the industry to address supply chain security and resilience.
Organizations should prioritize applying risk management assessment principles to their critical suppliers and partners. Consider supply chain outages and availability, determine the impact on business operations and care delivery, and identify alternative suppliers or use multiple suppliers to create redundancy. The idea is to eliminate single points of failure in healthcare supply chains and minimize disruptions to healthcare delivery in the event of ransomware attacks on critical suppliers. The joint bulletin contains background analysis, recommendations, and mitigation strategies, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.