OneBlood, a prominent nonprofit blood collection and distribution business that serves South and Central Florida, is the latest large business to fall victim to cyber insecurity as it came under an attack from an unidentified ransomware actor that stole its information.
The company, which serves more than 350 hospitals in 31 Florida counties including the tri-county region, as well as in Alabama, Georgia and North and South Carolina, announced Wednesday that its data system had been invaded, effectively slowing the nonprofit’s blood collection and distribution system in the Southeast.
Susan Forbes, who heads corporate communications, told the South Florida Sun Sentinel the intrusion was discovered on Monday and OneBlood immediately contacted the FBI and the Food and Drug Administration, which is its primary regulatory agency. Those agencies are among a large group of state and local organizations that are helping to troubleshoot the intrusion and help the organization recover.
“OneBlood takes the security of our network extremely seriously,” Forbes said in a statement. “Our team reacted quickly to assess our systems and began an investigation to confirm the full nature and scope of the event. Our comprehensive response efforts are ongoing and we are working diligently to restore full functionality to our systems as expeditiously as possible,”
“It’s important to know we are open for business,” Forbes said in a telephone interview. “People depend on us to live and we are moving forward with our operations.”
OneBlood is one of the largest blood centers in the country, distributing more than a million blood products annually. Forbes acknowledged that the episode has slowed the blood collection and distribution process “because it does take longer to do it.”
“All of our donor centers are operating as normal,” she said. “We have been working with our hospital partners.”
Federal law enforcement and private security researchers assert ransomware attacks are becoming more frequent, with hospitals and pharmacies the prime targets.
Who should you trust?
The OneBlood incident, coupled with this month’s software corruption issue that crashed the IT systems of countless private and public sector clients of the third party vendor CrowdStrike, raises questions about the degree to which companies are training their employees to be mindful about security hazards raised by outside actors, as well as the reliability of third-party vendors entrusted with the maintenance and security of IT systems.
On Wednesday, Delta Air Lines CEO Ed Bastian, whose Atlanta-based carrier canceled more than 5,000 flights over a six-day period that started last Thursday as a result of the CrowdStrike incident, vowed to sue the technology company to recover an estimated $500 million in losses.
“We have to protect our shareholders,” Bastian told CNBC in an interview. “We have to protect our customers, our employees, for the damage, not just to the cost of it, but to the brand, the reputational damage.”
The airline has retained the firm of Boies Schiller Flexner, which maintains offices in South Florida and is headed by nationally known litigator David Boies, to press Delta’s case for compensation.
Car retailing giant AutoNation of Fort Lauderdale said its second-quarter earnings were eroded by the June cyberattack against CDK Global, a dealership software company that serves vehicle sellers nationwide. The episode forced dealers across the country to revert to the manual processing of transactions.
While the ransomware attack on OneBlood and the global cyber-outage linked to CrowdStrike represent different categories of business disruptions, the tasks of troubleshooting and restoring order to an affected data system are expensive and time-consuming. Even when a problem is resolved, the resulting damage to a business’s brand and reputation can be long-lasting.
“The big things stemming from anything [concerning] ransomware, especially an organization handling personal health information, is they are going to have to have someone come in to determine the scope of what was touched and what was stolen,” said Kyler Hevia, a cyber solutions manager for United Data Technologies in Miramar.
Whoever is at the forefront of the OneBlood intrusion, he said, the goal is to make a fast buck.
“What they’re really looking for isn’t necessarily the sale (of information) on the dark web,” Hevia said. “What they are looking for is an immediate payday.”
Hypothetically, intruders “more often than not exfiltrate data, cut your access, encrypt the data and offer to return it if payment is made.”
“That’s why backups are so important regardless of the size of your company,” Hevia said. “That is your life’s blood.”
Forbes said it was too early to identify the type and extent of any data stolen from OneBlood. And she had no immediate information on what types of monetary demands the organization might be facing.
Safeguards
John Wensveen, executive director of the Alan B. Levan | NSU Broward Center of Innovation in Davie, said private and public sector organizations need to be willing to invest more to keep their security systems updated to counteract sophisticated schemes that are often outpacing the ability of businesses and individuals to deflect them
The center operates a military grade “cybersecurity range” that offers executive briefings, certifications and analysis.
“It’s going to save you money in the long term,” he said of the investments. “You have to make sure you’re updating that cyber infrastructure.”
Failing to do so is akin to allowing a security software subscription for your laptop expire without renewing it.
Some advice for managements from Wensveen:
- Regularly conduct employee training; take them through a process so they have an ability to respond to threats.
- Maintain backup files and recovery plans.
- Adopt a “zero trust” architecture so you are limiting access and limiting the potential for attacks. “Some companies are better at that than others.”
- Conduct vulnerability tests. “There isn’t an organization that is 100% foolproof. Technology emerges so fast humans don’t have the ability to keep up with the pace.”
- Replace and/or update legacy systems. “A lot of businesses in the private sector are using outdated software and hardware. There are a lot of legacy systems out there that are incredibly vulnerable,” largely because of budget constraints.
As the CrowdStrike incident proved, third-party vendors are far from infallible.
“We end up trusting the vendors more than we end up trusting ourselves,” said Hevia of United Data Technologies. “When you have an Apple device, how many times do you click, ‘yes, I accept these terms and conditions’ without taking a close look at them?”
For many businesses, the notion of self-help — bringing cyber operations and their oversight in-house — is a “pipedream,” he said. That’s largely because of the expense and the limited numbers of specialists available to do the job. Salaries are competitive, and skilled technologists are hard to retain.
“The percentage of companies that would do this is in the single digits,” he said.
Still, whether companies and agencies farm out their security or do it themselves, someone needs to be on watch to keep information safe and secure.
“Without somebody watching, things are going to slip through the cracks no matter what.”
