There have been widespread attacks on health care institutions and their supply chains over the last 12 months.
As we approach the 2024 national election, the NHS has faced a significant impact from a cyber-attack on one of it’s supply chain partners, Synnovis. It's highlighted the vulnerabilities in their information security systems and demonstrates the level and potential for state actors in cyber crime in the UK.
Evaluating your supply chain security is such a critical part of your due diligence, and must not be overlooked. The NCSC has called out the predictable rise in ransomware attacks so it’s something we need to guard against with proactive prevention and protection.
"Ransomware continues to be the most acute cyber threat facing UK organisations and businesses, with cyber criminals adapting their business models to gain efficiencies and maximise profits." NCSC, 2024
So, what's happened so far?
In short, the supplier Synnovis has been subject to:
- A ransomware attack: The attackers encrypted vital information, rendering IT systems useless and demanding a ransom for their release.
- Data theft: Sensitive patient data was stolen and downloaded to further extort the organisation and prove their claims.
- Service disruption: The attack caused significant disruptions to the service Synnovis provides, which in turn impacted normal hospital operations, leading to the postponement of critical procedures, tests, diagnoses etc. Major London hospitals, including King’s College Hospital, Guy’s and St Thomas’, the Royal Brompton, and Evelina London Children’s Hospital, have been critically impacted since early June, causing widespread disruption.
| 3 June 2024: Synnovis, an NHS supply chain provider of laboratory services, was the victim of a ransomware cyber attack. 4 June 2024: Major hospitals in London declared a critical incident due to a cyber-attack, leading to the cancellation of operations and the diversion of emergency patients. The hospitals affected, which partner with Synnovis, experienced a significant disruption in services, particularly in blood transfusions and test results. Synnovis documents their statement here. 9 June 2024: The attack, attributed to the Russian-speaking group Qilin, reportedly disrupted services at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust. Staff resorted to using paper-based methods, significantly slowing down operations and test processing. 10 June 2024: An appeal was launched for O blood-type donors due to the compromised ability of affected hospitals to match patients' blood as efficiently as usual. 13 June 2024: Delays in blood tests and prioritisation of "clinically critical" samples were reported, affecting patient care across several London boroughs. 14 June 2024: NHS London revealed over 800 planned operations and 700 outpatient appointments were rearranged in the first week following the attack. The impact extended to suspensions of some blood-borne virus tests. 19 June 2024: The cyber-criminals Qilin, expressed regret for the harm caused but claimed it was a reaction to the UK government's actions in an unspecified war. This political motive was met with scepticism by experts. 21 June 2024: Qilin published nearly 400GB of stolen patient data online, escalating the severity of the incident, demonstrating their capability and causing widespread concern. 27 June 2024: NHS England confirmed the theft of patient data. More than 1,000 operations and over 3,000 outpatient appointments were postponed due to ongoing disruptions. Data lost includes names and personal details of patients. |
Impacts & Challenges
The impact of an attack on just one single supply chain partner has been devastating for the NHS and the patients it serves. It has had profound effects on patient care, regional health, and has disrupted critical services delaying essential medical procedures.
Hospitals have faced significant operational challenges, with staff having to revert to manual processes, impacting the efficiency and safety of medical services. The incident has underscored the NHS's struggle to maintain robust cyber defences amidst it’s continuous financial constraints.
Enhancing NHS Cyber Security
Apart from the obvious due diligence around supply chain security, all organisations need to determine their level of risk, and protect themselves accordingly against such attacks. Taking a holistic approach, the NHS (and their suppliers) needs investment in several key areas:
- Advanced Cyber Security Tools: Implementing robust security measures such as multi-factor authentication, advanced firewalls, and intrusion detection systems.
- Regular Training: Ensuring all staff are trained on the latest cyber security practices and aware of potential threats.
- Incident Response Plans: Developing and maintaining comprehensive incident response plans to quickly address and mitigate the impact of cyber attacks.
- Investment in IT Infrastructure: Allocating sufficient budget to update and maintain secure and resilient IT infrastructure.
- Collaboration with Experts: Working closely with organisations like the National Cyber Security Centre to stay ahead of evolving threats.
This cyberattack has been a stark reminder of the critical importance of cyber security in protecting public health services. It exposes the dire consequences of neglecting cyber security, as the NHS grapples with cancelled operations, delayed treatments, and compromised patient data.
The future
To safeguard against future attacks and ensure the continuity of patient care, the NHS must prioritise strengthening its cyber defences through sustained investment, comprehensive staff training, and the implementation of cutting-edge security technologies.
Proactive collaboration with cyber security experts and continuous updating of cyber security protocols are essential steps to protect the NHS and its patients from the ever-evolving threat landscape. But this also needs investment, skills and expertise, and support from specialist service providers, and not forgetting compliance frameworks like Cyber Essentials + and others.