Important Information for Blood Establishments Regarding Cybersecurity Resiliency
December 5, 2024
The Food and Drug Administration (FDA) is providing this information to blood establishments, including transfusion services, as a resource for strengthening their cybersecurity practices in order to prevent and mitigate cybersecurity incidents that could affect the availability and safety of blood and blood components for transfusion or further manufacture.
Background
Recent cybersecurity incidents have disrupted healthcare systems and halted blood establishment operations (Ref 1-3). Blood collection establishments use computer systems and networks for all steps involved in the manufacture, processing, labeling and distribution of blood and blood components for transfusion or source plasma for further manufacture. Transfusion Services use computer systems and networks for modifying (e.g., irradiation) and labeling blood components, performing compatibility testing between donor and recipient, performing positive identification of patients and blood components at the point of transfusion to prevent transfusion reactions, and other functions.
The cybersecurity incidents have revealed gaps in cybersecurity measures and exposed vulnerabilities in the highly interconnected computer systems and networks used to ensure the safety and availability of the blood supply. Recovery from cybersecurity incidents may take several days to months, during which time the manufacturing functions of blood establishments and the ability to distribute blood and blood components or Source Plasma could be disrupted.
In light of these current and potential cybersecurity threats, we encourage blood establishments and transfusion services to identify possible shortcomings of their current disaster plans and implement and strengthen measures for cybersecurity resiliency to protect their data, ensure continuity of operations and maintain a safe and adequate blood supply for patients.
Considerations
1. In accordance with 21 CFR 606.100, blood establishments must establish, maintain, and follow standard operating procedures (SOPs) for all steps in the collection, processing, compatibility testing, storage, and distribution of blood and blood components for allogeneic transfusion, autologous transfusion, and further manufacturing purposes. Blood establishments may wish to consider including measures to prevent and mitigate cybersecurity incidents in their SOPs.
a. Blood establishments may refer to the Department of Health and Human Services (HHS) Cybersecurity Performance Goals (CPGs) to implement high-impact cybersecurity practices (https://hhscyber.hhs.gov). The essential goals include, but are not limited to, the following safeguards:
• Mitigate known vulnerabilities of organizational networks
• Ensure email security
• Use multifactor authentication
• Provide basic cybersecurity training
• Use strong encryption
• Revoke credentials for departing staff
• Perform basic incident planning and preparedness
• Utilize unique credentials
• Separate user and privileged accounts
• Maintain vendor/supplier cybersecurity requirements.
b. Blood establishments must maintain and follow SOPs for performing manufacturing steps when their computer systems are not available (21 CFR 606.100). Blood establishment downtime procedures must comply with all FDA regulations including but not limited to donor eligibility and donation suitability (21 CFR Part 630).
c. Blood establishments should consider that recovery of normal operations after a cybersecurity incident may last several weeks or months. Therefore, blood establishments may consider developing procedures that ensure the continued operations of the blood establishment over an extended period of time.
d. Blood establishments may wish to consider using blood establishment computer software (BECS) devices and versions that are currently supported by the manufacturer of the device. This helps ensure that the BECS receives routine updates and patches to prevent cybersecurity incidents.
e. Blood establishments should consider conducting routine training exercises to ensure that staff are trained on general cybersecurity practices and are familiar with processes that may be necessary in a cybersecurity incident.
f. Blood establishments should be aware of relevant laws regarding cybersecurity incidents and may wish to include in their procedures a description of the agencies or organizations (e.g., state or local law enforcement, Federal Bureau of Investigation, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)) they will inform when a cybersecurity incident occurs.
Additional resources are available from the Health Sector Cybersecurity Coordination Center (HC3), which was created by the Department of Health and Human Services to aid in the protection of vital, controlled, healthcare-related information and to ensure that cybersecurity information sharing is coordinated across the health and public health sector (https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html).
2. Blood establishments must report to FDA when there is an interruption in manufacturing likely to result in a significant disruption in supply in accordance with 21 CFR 600.82 (Ref. 4). In addition, FDA issued draft guidance to manufacturers on providing timely notification, which might help the Agency prevent and mitigate shortages (Ref. 5).
a. Given the significant consequence of cybersecurity incidents in blood manufacturing settings, licensed blood establishments should notify FDA if their blood manufacturing operation is interrupted by a cybersecurity incident.
b. FDA also encourages registered-only blood establishments to notify FDA because of the interconnectedness of healthcare and blood establishment computer networks.
c. Blood establishments may contact the Office of Blood Research and Review (OBRR, CBER, FDA) if there is uncertainty about notification under 21 CFR 600.82.
3. In the event of a cybersecurity incident, blood establishments must continue to maintain records for the performance of each significant step in the collection, processing, compatibility testing, storage and distribution of each unit of blood and blood components so that all steps can be clearly traced (21 CFR 606.160 (a)).
4. Blood establishments that cannot follow their standard operating procedures during a cybersecurity incident should request a meeting with OBRR through the Regulatory Project Manager.
5. Blood establishments with general questions can contact OBRR at CBEROBRRBPBInquiries@fda.hhs.gov.
References
1. NHS cyber security: Ex security chief warns of future attacks
2. Cyberattack hits blood-donation nonprofit OneBlood | CNN Politics
3. ‘Most Wanted’ Man Pleads Guilty in Cyberattack That Upended Vermont Hospital - The New York Times
4. How to Report a Product Shortage or Supply Issue to FDA | FDA.
5. Notifying FDA of a Discontinuance or Interruption in Manufacturing of Finished Products or Active Pharmaceutical Ingredients Under Section 506C of the FD&C Act | FDA