Ransomware Attack Disrupts Operations Across London Hospitals

This article originally appeared on Dark Reading.

A ransomware attack this week on UK healthcare provider Synnovis has forced several London hospitals to cancel services and surgeries, or redirect them to other facilities. The incident occurred Monday and has had a significant impact on their ability to deliver patient care, demonstrating once again the ripple effect that modern cyberattacks have on healthcare systems, demanding an immediate security response.

Synnovis — a partnership between two London-based hospital trusts and SYNLAB — said June 4 that it was the victim of a ransomware attack the day before that affected all of its IT systems, "resulting in interruptions to many of our pathology services," according to a post on the company’s website. Even before the company officially acknowledged the attack, however, social media posts already were reporting the effect it was having on the services of major London hospitals.

One of the key services that Synnovis provides are blood transfusions, which meant that some facilities — including King's College Hospital, Guy's Hospital, St Thomas' Hospital — had to cancel operations. Meanwhile, transplant surgeries at Royal Brompton and Harefield Hospital also were "axed," according to a post on X by Shaun Lintern, health editor at the UK's Sunday Times newspaper. Lintern included a screenshot of a letter sent by the CEO of Guy's and St Thomas NHS Foundation Trust to inform facilities of the situation, mentioning the "major effect" it was having on some facilities.

Related:UnitedHealth Data Leak May Affect ‘Substantial’ Swath of U.S.

The UK National Health Service (NHS) also weighed in with a statement on Tuesday, noting that the incident forced hospitals to "prioritize" urgent work. Emergency services across the UK continued to be available as usual, and the NHS directed patients to attend scheduled appointments unless informed otherwise.

Cyberattacks Have Human Consequences

The attack demonstrates once again how repercussions of ransomware attacks can extend "beyond operational and financial disruptions" and into the sphere of public health and well-being, notes one security expert.

The attack directly impacted and endangered patient health, which "not only highlights the immediate impact of ransomware attacks on healthcare facilities but also erodes public trust in the very institutions responsible for safeguarding our health and well-being," says Kevin Kirkwood, deputy CISO at LogRhythm.

Indeed, high-impact attacks on healthcare providers have been ramping up recently, with several high-profile attacks occurring in the US earlier this year. In February, United Healthcare's Change Healthcare was hit by not one but two attacks, a nightmare for the healthcare provider that didn't end even after it paid the ransom demanded by a Black Cat/ALPHV ransomware affiliate.

Related:Kaiser Health System Sent Private Patient Data to Tech Giants

Then in April, Ascension, which operates 140 hospitals across 19 states, was hit with a cyberattack that took down multiple essential systems including electronic health records (EHRs), the MyChart platform for patient communication, and certain medication and test-ordering systems.

Increasing Chances of a Payout

Indeed, attackers target healthcare providers because the disruption can mean life or death for patients, increasing the likelihood that the affected facility will pay, Dan Lattimer, vice president of security firm Semperis, tells Dark Reading. This means that facilities need "to conduct day-to-day operations assuming breaches will occur," he says.

"Preparing now for inevitable disruptions will dramatically improve hospitals' operational resiliency and better prepare them to turn away adversaries, leading the threat actors to softer targets downstream," Lattimer says.

Still, even being prepared may not ensure a provider can quickly rebound from an attack.. In its statement, Synnovis said that it has "invested heavily in ensuring our IT arrangements are as safe as they possibly can be," but is now left apologizing for the disruption and "the inconvenience and upset this is causing to patients, service users and anyone else affected."

Synnovis has employed a taskforce of both in-house and NHS IT to assess the attack's impact and respond appropriately, according to its statement. It's also reported the attack to law enforcement and also is working with the UK National Cyber Security Center and the Cyber Operations Team, as well as with NHS Trust partners to minimize further fallout.

Respond, Don't React

Still, it's become clear that merely reacting after an attack occurs is no longer an option for victims of ransomware, particularly healthcare providers and facilities. In fact, the risk these organizations face has already inspired the US government's Advanced Research Projects Agency for Health (ARPA-H) to pledge $50 million for an initiative to create software that helps hospitals become cyber-resilient.

One of the biggest issues that healthcare organizations face that was highlighted in the Synnovis attack is that they work with numerous third-parties whose systems also have to be taken into consideration when evaluating how to secure infrastructure, Kirkwood says, driving new requirements.

"This includes continuous monitoring, regular security assessments, and comprehensive incident-response plans," he says. "By adopting these strategies, healthcare organizations can better protect their critical infrastructure and, most importantly, ensure the safety and trust of their patients."

Healthcare organizations also should identify critical services that are "single points of failure," and have a plan in place for what to do in the event that an attack occurs, Lattimer says.

"Keep in mind that in nearly 90% of ransomware attacks, the hackers will likely compromise the organization's identity system, which stores the crown jewels of the business," he warns. In the case of hospitals, that is where patient data and other forms of proprietary information is stored, so it's the "most vulnerable" entry point for organizations.

Having such an obvious weak spot demands a response from hospitals, making it "imperative" for them to have "real-time visibility to changes to elevated network accounts and groups," Lattimer advises.