FDA Calls on Blood Suppliers to Strengthen Cybersecurity Measures

The U.S. Food and Drug Administration (FDA) has issued a critical advisory urging blood suppliers to enhance their cybersecurity protocols. This initiative comes in the aftermath of several serious cyber incidents that have jeopardized the safety and availability of crucial blood and blood components necessary for transfusions and patient care.

This announcement follows high-profile attacks on blood suppliers, including a ransomware incident targeting Synnovis, a pathology service based in the U.K. This breach led to significant service disruptions across various National Health System hospitals in London and resulted in thousands of postponed medical procedures due to an acute shortage of type-O blood.

In the United States, ransomware attacks on OneBlood, a Florida-based blood center, and Octapharma Plasma, the U.S. arm of a Swiss pharmaceutical company, further complicated blood collection efforts in recent months. Cybersecurity experts suspect Russian-speaking ransomware gangs carried out these attacks, raising alarms within the healthcare community.

In August, the Health Information Sharing and Analysis Center and the American Hospital Association issued warnings regarding vulnerabilities in blood supply chains, emphasizing the need for improved resilience. Errol Weiss, Chief Security Officer at Health-ISAC, pointed out that a series of ransomware incidents across entities like OneBlood and Octapharma have had lingering effects on blood and plasma supplies, ultimately impacting patient care across regions in both the U.S. and U.K.

The FDA’s recent bulletin highlights significant cybersecurity weaknesses within the systems employed by blood establishments. These gaps pose risks not just to data security, but also to operational continuity in the face of system failures caused by cyberattacks. The FDA cautioned that recovery from such incidents could take weeks to months, during which blood distribution capabilities might be severely hindered.

The FDA emphasizes the importance of robust disaster recovery plans and encourages blood establishments to assess and rectify any deficiencies in their cybersecurity frameworks. This includes implementing measures to mitigate known vulnerabilities, enhance email security, and maintain stringent data protection protocols through multifactor authentication and encryption.

Furthermore, regular training for staff on cybersecurity best practices and maintaining compliance with FDA regulations for donor eligibility and safety during downtime are highly recommended. Blood establishments must also report any disruptions in their manufacturing operations due to cybersecurity incidents, as these can have considerable implications for supply continuity.

Weiss underlined the necessity of maintaining high cybersecurity hygiene within healthcare organizations. Recommendations for continued vigilance include timely software updates, systematic data backups, and participation in collaborative cybersecurity networks, which can provide vital support in anticipating and combating current threats.

John Riggi from the American Hospital Association echoed these sentiments, noting that attacks against blood suppliers pose direct threats to patient lives. He urged urgent preparedness across the healthcare sector to inoculate against these cyber risks, while advocating for governmental action to disrupt malicious cybercriminal activities.