In this week’s bulletin, Charlie discusses the recent NHS cyber attack and what lessons we can learn from what happened.
Last week I was keen to write a bulletin on the above subject, but I ran out of time. This week I was determined to get it written and out to bulletin readers. The incident is one of the most high-profile hacks of the moment as it impacts the public and the NHS. Any cyber incident which affects these two is always going to be high-profile and well-reported.
Synnovis is a joint venture between two London hospitals (St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust), and German-headquartered multinational laboratory diagnostic services provider SYNLAB. Synnovis, which manages labs for NHS trusts and GPs in south-east London, had a cyber attack on the 3rd of June 2024, which had a major impact on their ability to process and report on NHS samples, including blood samples. At the same time as encrypting the organisation’s files, the hackers, who are reported to be the Russian ransomware gang Qilin, stole 400 GB of the company’s data. It was reported by Bloomberg that Qilin had demanded a $50m ransom. Presuming no ransom was paid, the gang released the company’s data on its darknet site and Telegram channel on the 17th of June. The data included patient names, dates of birth, NHS numbers, and descriptions of blood tests, as well as spreadsheets containing financial arrangements between hospitals and GP services.
The cyber incident has had a major impact on the NHS in south-east London, affecting both hospital and GP services. According to CPO Magazine, “NHS England London declared the issue a regional incident and put out an emergency call for O positive and negative blood donations, and at least 1,100 operations were reportedly rescheduled or ‘rearranged’ due to delays caused by the cyber attack during the first week. About 2,000 outpatient appointments were similarly impacted”.

- On the 24th May I wrote a bulletin on the “Cyber incidents affecting MSPs: Six lessons from the CTS Cyber Incident”. This is another of the same sort of incident, where an MSP provides a ‘mission critical’ service to an organisation and the loss of that service has a major impact on the delivery of their services. This is slightly different as it is a joint venture rather than a separate third party, but the impact is still the same.
- It is interesting that in this case, there have been a number of articles critical of the level of preparation of Synnovis for this incident. This is quite unusual, as many of the comments on cyber incidents have been more sympathetic. SYNLAB, Synnovis’ parent company, has had two recent cyber attacks on their subsidiaries, one in France and one in Italy, and so there is commentary on why they hadn’t learned from these incidents and improved their cyber security preparation. A number of articles have commented on healthcare being a prime target for hackers, who have had a reasonable amount of success in attacking it. Healthcare holds a large amount of personal and sensitive data which most organisations would not want to have in the public domain. Hospital operations are very reliant on IT for patient data, information and visibility of treatment, and hospitals struggle to look after patients without IT. Many healthcare providers are underfunded, especially within the UK, and so their security systems may be outdated, poorly managed or not at the level required for the sensitivity of the data they are designed to protect. I personally think there will be further pressure on healthcare to improve the level of IT security.
- I noticed that Synnovis had a SOC which managed their IT services security, so having one is not a guarantee that you will not have a security incident.
- On Synnovis’ communications, I noted that there was leadership from the front, with Mark Dollar, Synnovis CEO, signing off the initial media statement on the 4th of June 2024. He apologised and was empathetic to those affected: “We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected”. He also mentioned that they were doing their best “to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments”.
- Later statements kept mentioning the time it will take to sort out the incident and return to normal, as well as the fact that they are still working to understand the scope of the incident and what data, and whose data, had been exfiltrated. I think it is good that they have managed expectations about the time it takes to respond to cyber incidents. “Investigations of this type are complex and can take time. Given the complexity of the investigation it may be some weeks before it is clear which individuals have been impacted.”
- It is difficult for two organisations to manage the communications of an incident, and as far as I can see the communications from Synnovis and NHS England don’t contradict each other. Both have put out questions and answers; they are not exactly a cut and paste, but they are the same words with a slightly different order and headings.
- It is unclear to me how quickly this incident will be resolved. It is also not clear whether Synnovis had business continuity plans which they enacted to manage this incident. I couldn’t find anything in official statements that mentions business continuity, so I suspect they didn’t have any or they were not usable under these circumstances. Business continuity plans need to take into account cyber incidents.
So, what can we learn from the incident?
Healthcare is a popular target for hackers. Attacks on healthcare providers in the USA, the attack on Advanced in 2022, and the attack on Irish healthcare have had a major impact on the delivery of services, and many organisations have had to pay ransoms. Will this attack be another lesson identified or will security be improved and turn this into a lesson learned?