A Cyber Clinician’s Perspective on the OneBlood Ransomware Attack, Outage
OneBlood, a nonprofit blood donation provider to the Southeast US, is experiencing a significant software disruption impacting its ability to ship blood products to hospitals in the wake of a ransomware attack.
As noted on their website, “Although OneBlood remains operational and continues to collect, test and distribute blood, they are operating at a significantly reduced capacity.”
“Our team reacted quickly to assess our systems and began an investigation to confirm the full nature and scope of the event,” said Susan Forbes, OneBlood senior vice president of corporate communications and public relations.
“Our comprehensive response efforts are ongoing and we are working diligently to restore full functionality to our systems as expeditiously as possible,” she added. “We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability.”
To dampen the impact and manage the current blood supply, OneBlood has asked more than 250 hospitals it serves to activate critical blood shortage protocols and to “remain in that status for the time being.”
Hospitals remain committed to patient safety, pushing back non-emergency surgeries and transfusions to reduce the potential for error. The transparency provided by OneBlood is enabling the impacted hospitals to utilize their previously practiced emergency contingency plans to keep operations rolling with patient safety in focus.
However, this incident should serve as a continued reminder that attackers are pinpointing our vulnerabilities, and no one is immune.
A Concerning Trend
There’s a frequently cited axiom, “What’s old is new again,” that applies to healthcare cybersecurity today. Carl von Clausewitz, a Prussian general and oft-cited and widely studied military strategist and theorist, wrote “On War” after the Napoleonic Wars, in 1816-1830. In this seminal work, he states that if your opponent must rely on focused supply areas to support operations, “it may be advisable not to march our main forces against those of the [opponent], but to attack his base of supply.”
With the attack on Change Healthcare, and now OneBlood, we’re seeing these tactics from 200 years ago significantly impact healthcare delivery and the broader critical infrastructure sector.
In 2013, Presidential Policy Directive 21 (PPD-21) identified Healthcare and Public Health as one of the 16 critical infrastructure sectors, which all contribute to sector-specific plans and comprise the National Infrastructure Protection Plan. This document provides a coordinated approach to protect the United States’ critical infrastructure and key resources, while outlining how the U.S. protects its people and national security.
The focus to date has been on the Healthcare Delivery Organizations (HDOs). The 405(c) Task Force in 2017 began to open up the focus area to include entities that have Business Associate Agreements (BAAs) with the HDO, or covered entity. Since the Task Force, we have seen the “shields go up” and the protections at major HDOs increase. Smaller organizations continue to struggle, but that is for another article.
As the front lines formed at the HDOs and our focus isolated, the enemy was studying Clausewitz.
This year, we’ve seen a drastic increase in attacks in areas that are several parties away from the HDOs, but still have a serious ripple effect throughout the sector. The most recent attack, on OneBlood, focused not on an HDO but rather on a supplier of blood to hospitals and hospital systems.
It’s this tactic, reminiscent of Clausewitz, that should have our C-Suites, IT/IS teams, clinical staff, and logistics teams working together to inventory and identify areas of potential risk beyond the local IT network and BAAs. Identifying those areas which, if compromised, would jeopardize the ability to deliver care is critical to quantifying the true risk to the organization.
First Health Advisory engages our clinicians, biomedical technicians, IT/IS specialists, and our executive leadership to help guide our clients through resilience plans. These plans are part of overall business continuity and disaster recovery policies. Collaboratively, our efforts focus on helping clients identify potential vulnerabilities and the critical questions for those entities in your supply chain that rely on your security and risk resilience.
To continue our military references, there’s a long-standing saying, “No plan survives first contact.” This means that once the first engagement happens, the plan changes. That’s why we consider and research a multitude of possibilities during – not after – the planning process. If our published plan is challenged, we have the research to help inform how we change it with evidence and not a knee-jerk reaction. At First Health it is our mission to “See First, Understand First, Act Decisively.”