Cybersecurity Attack on South Florida Hospital System Leads to Valuable Lessons Learned

On the morning of Sunday, July 28, our hospital transfusion team was informed by the region’s major blood supplier that a critical computer software malfunction had occurred.

It has now been determined that a ransomware attack by a non-state Russian actor was responsible for this event. It resulted in our facility’s inability to provide critical O-positive red blood cells, O-negative red blood cells, platelets, and other blood products to all hospitals in the region.

In fact, this event initiated a statewide crisis of blood product shortage.

A rapid response team was assembled that included all five hospitals in the network. The team implemented its blood shortage policy, but also creatively tackled issues through other various methods. This article describes strategies to resolve, and hopefully, prevent future blood shortages at the local, region, and federal levels.

Timeline of the Crisis

The main constraints of this crisis, which continue today, were experienced mainly in the first 72 hours. During this time, smaller blood product suppliers were contacted. The main supplier reached out to the American Red Cross and Association for the Advancement of Blood & Biotherapies emergency task force and was able to procure some critically needed blood products.

The primary issue, due to computer software malfunction, was the ability to label the blood products for distribution. At our center, the inventories from the main local supplier already had been constrained along with the main hospital supply due to a 100-unit liver transplant case the night before. After 72 hours of implementing blood conservation efforts and securing blood products from other blood suppliers, the only ongoing shortage was the inventory of platelets. It took exactly 1 week for the main Florida supplier to resolve its information technology-related issues. At that point, most of the hospitals were reporting adequate blood product supplies.

Interhospital Communication

During the first 72 hours, communication with leadership, the OR staff, and the trauma and transplant teams resulted in the postponement of several elective cases. Trauma teams were instructed to be more judicious on product use in stable or unsalvageable patients. There were other hospitals that had to postpone a significant number of elective cases due to insufficiency of blood product inventories for which platelets were the main critical deficiency.

The hospital transfusion medicine teams along with hospital administration, consisting of the chief medical officer (CMO) and director of perioperative services, established a crisis group that also included the director of clinical services stakeholders. This team served as the conduit to report inventories of blood product and issues to the rest of the hospital staff. Table 1 was adjusted to carry real-time inventories three times a day.

The original transfusion policy was modified, which resulted in the policy shown in Table 2. The policy was distributed to all staff via their service leaders and enforced by the CMO and transfusion medicine services.

CMO Strategies

Chiefs of service were proactively asked to develop a plan for deferral of elective cases if such a plan was needed. The CMO distributed the transfusion policy to all physicians, and a pop-up was created in the electronic health record if blood or platelets were ordered to serve as a reminder of appropriate criteria prior to ordering the product. If there was a concern that a case would require high blood or platelet usage, surgeons were asked to defer cases when possible. Daily usage and inventory reports were circulated to share periodic automatic replenishment levels and current available units in the blood bank. The CMO requested procurement teams to contact other blood vendors to obtain additional units of blood and platelets until the crisis could be resolved.

Blood Bank Management

Early notification to blood bank management and executive leadership was initiated, and contingency planning, with an emphasis on securing a backup supplier, also was implemented. Debrief sessions were held with physician partners, members of risk management, and executive leadership on day 1 through each day of the crisis. Other blood bank management strategies included:

• Maintaining close communication with the main south Florida supplier
• Fostering strong internal communication among all hospital blood bank management teams in the safety net hospital system and the affiliated university hospital system
• Building strong relationships with neighboring facilities
• Organizing blood drives at the main hospital
• Monitoring inventory counts three times per day and communicating counts to stakeholders
• Implementing a split platelet dose and extended platelet shelf-life plan

It is interesting to note from the blood bank data outlined in Table 3 that before this event there were no reported acute negative patient outcomes from decreased usage, so we may have been using unnecessary amounts of product in the past. These findings should encourage further study on blood bank product management and usage.

Summary of Lessons Learned

• Institute a minimum requirement of two blood product suppliers in hospitals that serve as transplant or trauma centers
• Establish regional and national networks to supply different areas in the future that may experience disruption from cyberattacks, military-related events, and national disasters
• Establish and coordinate hospital administration command center involving stakeholders from the different medical specialties to enhance communication to all staff
• Establish protocols for transfusion guidelines for blood products to be enforced by CMO/transfusion medicine services
• Advocate for increased funding by federal government toward research in a blood product innovation system
• Share resources among different allied hospitals to ensure no product expires during a crisis of critical shortage with priority of platelets
• Ensure blood suppliers provide transparent real-time information as well as 24–48 hour projection of blood product and platelet availability
• Request blood suppliers provide transparent allocation information during crisis time with priority to trauma centers and organ transplant centers
• Form an allocation formula for crisis management
• Facilitate collaboration between the state and US Food and Drug Administration (FDA) to establish new regulations for blood suppliers for a reciprocal labeling process when needed
• Champion national budget allocation to support blood collection from the US Department of Homeland Security facilities to ensure readiness and emergency response
• Employ emergency civilian blood shortage algorithm with the US Department of Defense where the Army, Navy, and Air Force have their own blood supplies from their collection services
• Facilitate coordination between US Department of Health and Human Services and local, regional, and national media to provide information on the crisis early and initiate blood drives to replenish critical blood and platelet inventories
• Recognize the need for coordination by each state’s hospital association to identify critical shortages of each individual hospital for suppliers, state, and federal agencies
• Support the manufacturing and use of cold-stored platelets, which was approved by the FDA in 2023

The authors want this event to serve as a warning to surgeons around the US and world. A cyberattack is an attempt by rogue actors to gain illegal access to a computer system for the purpose of causing damage or harm, and surgeons, along with our patients, are directly affected. Hopefully, surgeons worldwide will become aware of the risk and request the need to see how their individual institutions and regional leaders in blood transfusion services will respond in the future.

Disclaimer

The thoughts and opinions expressed in this viewpoint article are solely those of the authors and do not necessarily reflect those of the ACS.

Dr. Raul Coimbra is the surgeon-in-chief of the Riverside University Health System Medical Center in Moreno Valley, California, professor of surgery at Loma Linda University School of Medicine in California, and emeritus professor at the University of California San Diego.