Recent NHS Cyberattacks Demonstrate Mission-Critical Operations Becoming Life-Critical

On June 4th  2024, Synnovis, a prominent pathology lab servicing some of London’s largest hospitals and general practitioner surgeries, fell victim to a crippling ransomware attack. The incident significantly disrupted diagnostic services, delaying medical care for countless patients, and casting a spotlight on the targeted security risk impacting patient care in healthcare systems.

The cyberattack has disrupted the ability to match patients’ blood types and provide appropriate transfusions, forcing multiple London hospitals to declare a critical health incident. More than 200 emergency and life-saving operations had to be cancelled. The effects of this cyber event has impacted the ability to perform routine blood screenings. Processing is severely impacted with healthcare providers having to resort to manual paper-based analysis.

The disruption is expected to last several weeks and impact at least two million people. A Russian cyber crime group, Gilin, is suspected to be behind the ransomware attack, as reported by the former chief executive of the National Cyber Security Centre.

A Worrying Trend

The Synnovis attack is not an isolated case. In the past 12 months alone, the lab’s parent company, SynLab, has endured multiple cyberattacks. The company’s Italian subsidiary was hit in April, and its French laboratory faced a similar fate in 2023. The frequency of these attacks underscores a growing and persistent issue – third-party risk in the healthcare sector.

This attack also follows two other significant healthcare breaches in recent months, showing that it is not simply a Synnovis issue, but an issue that is plaguing healthcare in general. Ascension – one of the largest healthcare entities in the United States with over 140 hospitals and over 40 care facilities – was a major victim, with its operations massively disrupted due to a ransomware attack on its comprehensive network of facilities. The attack severely impacted its ability to provide care, as various crucial clinical systems such as the electronic health records (EHR) were compromised. Change Healthcare was also impacted by stolen credentials to gain access through an external-facing platform that lacked multi-factor authentication.

Understanding Third-Party Risk in Cybersecurity

The ongoing targeting of hospitals and healthcare organizations raises critical questions about the cybersecurity measures that are in place for both healthcare providers, pharma and medical device manufacturers. One of the fundamental issues is that visibility into an organization’s own environment is often insufficient, particularly in healthcare, which is perhaps one of the most connected environments. Devices range from registration technology used in patient intake or check-in, building management systems, medical devices, to technology used in the clinical environment such as tablets or electronic medical records (EMR) systems. Comprehensive security must encapsulate the wide variety of devices as well as the even broader spectrum of third-party providers that create a healthcare technology ecosystem.

The attacks on SynLab serve as a poignant but certainly not the only reminder that cybersecurity is only as strong as its weakest link. In an interconnected healthcare environment, each third-party vendor becomes a potential entry point for malicious actors. This places increased scrutiny on third-party risk management and underscores the importance of stringent cybersecurity measures for all partners involved in healthcare services.

“Organizations should ensure a dedicated effort to catalog vendor-managed assets, footprints, and connections into your environment,” says Moh Waqas, CTO of Healthcare at Armis. “Areas to be specifically reviewed include vendor credentials,  site-to-site tunnels, and the presence of remote access software (both sanctioned and unsanctioned). Vendors may have security hardening documents and procedures available to assist this effort.

For more on security best practices and guidance for healthcare organizations, read our recommendations here: https://www.armis.com/blog/navigating-the-ascension-and-change-healthcare-breaches-guidance-for-healthcare-cybersecurity-teams/.

A Lengthy Recovery

The aftermath of a cyberattack can be lengthy. While the most critical impacts may be resolved quickly, the full recovery process can take much longer. The Independent reports that the impact on NHS services could last for months, although the most urgent and priority services could be restored in weeks.

Recovering from a cyber incident in such an interconnected environment requires pulling at multiple threads in order to resolve every element of the risk. Such prolonged disruption can severely impact patient care, as seen by the volume of cancelled procedures, delayed treatments, and lack of routine health services as a result of the Synnovis attack.

The NHS Cybersecurity Strategy: Proactive Measures

In response to the growing threat landscape, the NHS has outlined five key pillars in its cybersecurity strategy:

1. Governance and Leadership: Establishing clear governance structures and roles to drive cybersecurity initiatives.
2. Risk Management: Implementing robust risk management frameworks to identify, assess, and mitigate cybersecurity risks.
3. Technology and Process: Investing in advanced cybersecurity technologies and processes to protect against evolving threats.
4. People and Culture: Fostering a cybersecurity-conscious culture through training and awareness programs.
5. Partnerships and Collaboration: Collaborating with industry partners, government agencies, and third-party vendors to strengthen collective cybersecurity defenses.

While these pillars are essential, healthcare delivery organizations must go one step further. True, up-to-date knowledge of the devices and exposures within your environment is fundamental to effective protection. Shifting from a reactive to a proactive cybersecurity posture is critical. This means anticipating potential threats, continuously monitoring for vulnerabilities and other security issues, and implementing preemptive measures to thwart cyberattacks before they occur.

Preventive Care in Cybersecurity

The recent cyberattacks on Synnovis and other healthcare entities highlight the urgent need for comprehensive, proactive cybersecurity strategies. As healthcare organizations continue to digitize their operations, the importance of securing every aspect of their ecosystem, including third-party vendors, cannot be overstated.

Ultimately, the goal is to ensure that healthcare services remain resilient in the face of cyber threats, minimizing disruptions and safeguarding patient care. By adopting a proactive approach and leveraging the key pillars of the NHS cybersecurity strategy, healthcare organizations can better protect themselves against the evolving threat landscape and maintain the trust of the communities they serve.

Is your organization prepared to meet the challenges of modern cybersecurity? Stay ahead of potential threats and ensure the safety of your data and operations. Explore our latest resources to learn how you can effectively prepare for the reality of today’s attack landscape with actionable threat intelligence and early warnings for future cyberwarfare events.

For more information, visit: https://www.armis.com/nhs