Synnovis breach: How do mission-critical operations become life critical?

David Critchley, regional director for UK&I at Armis, discusses how the recent NHS cyberattacks demonstrate that essential operations can become life threatening.

On 4 June this year, Synnovis, a prominent pathology lab servicing some of London’s largest hospitals and general practitioner surgeries, fell victim to a crippling ransomware attack. The incident significantly disrupted diagnostic services, delaying medical care for countless patients, and casting a spotlight on the targeted security risk impacting patient care in healthcare systems.

The cyberattack has disrupted the ability to match patients’ blood types and provide appropriate transfusions, forcing multiple London hospitals to declare a critical health incident. More than 200 emergency and life-saving operations had to be cancelled. The effects of this cyber event have impacted the ability to perform routine blood screenings. Processing is severely impacted, with healthcare providers having to resort to manual paper-based analysis.

The disruption is expected to last several weeks and impact at least two million people. A Russian cybercrime group, Qilin, is suspected to be behind the ransomware attack, as reported by the former chief executive of the National Cyber Security Centre.

A Worrying Trend

The Synnovis attack is not an isolated case.

In the past 12 months alone, the lab’s parent company, SynLab, has endured multiple cyberattacks. The company’s Italian subsidiary was hit in April, and its French laboratory faced a similar fate in 2023. The frequency of these attacks underscores a growing and persistent issue – third-party risk in the healthcare sector.

This attack also follows two other significant healthcare breaches in recent months, showing that it is not simply a Synnovis issue, but an issue that is plaguing healthcare in general. Ascension – one of the largest healthcare entities in the United States with over 140 hospitals and over 40 care facilities – was a major victim, with its operations massively disrupted due to a ransomware attack on its comprehensive network of facilities.

The attack severely impacted its ability to provide care, as various crucial clinical systems such as the electronic health records (EHR) were compromised. Change Healthcare was also impacted, with stolen credentials used to gain access through an external-facing platform that lacked multi-factor authentication.

The aftermath of a cyberattack can be lengthy. While the most critical impacts may be resolved quickly, the full recovery process can take much longer. The impact on NHS services could last for months, although the most urgent and priority services could be restored in weeks.

Recovering from a cyber incident in such an interconnected environment requires pulling at multiple threads to resolve every element of the risk. Such prolonged disruption can severely impact patient care, as seen by the volume of cancelled procedures, delayed treatments, and lack of routine health services as a result of the Synnovis attack.

Understanding Third-Party Risk in Cybersecurity

The ongoing targeting of hospitals and healthcare organisations raises critical questions about the cybersecurity measures that are in place for healthcare providers, pharma and medical device manufacturers.

One of the fundamental issues is that visibility into an organisation’s own environment is often insufficient, particularly in healthcare, which is perhaps one of the most connected environments. Devices range from registration technology used in patient intake or check-in, building management systems and medical devices to technology used in the clinical environment, such as tablets or electronic medical records (EMR) systems. Comprehensive security must encompass the wide variety of devices as well as the even broader spectrum of third-party providers that create a healthcare technology ecosystem.

The attacks on SynLab serve as a poignant, but certainly not the only, reminder that cybersecurity is only as strong as its weakest link. In an interconnected healthcare environment, each third-party vendor becomes a potential entry point for malicious actors. This places increased scrutiny on third-party risk management and underscores the importance of stringent cybersecurity measures for all partners involved in healthcare services.

Organisations should dedicate effort to cataloguing vendor-managed assets, footprints, and connections into their environment. Areas to be specifically reviewed include vendor credentials, site-to-site tunnels and the presence of both sanctioned and non-sanctioned remote access software.
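One way to put such a catalogue to work, shown as an added example that is not part of the original article: a short review pass over the three areas named above. The field names, the allow-list of sanctioned tools, the 180-day review window and every vendor, account and host in the sample data are assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical allow-list of remote access tools the organisation has sanctioned.
SANCTIONED_TOOLS = {"corp-remote-support"}

# Constructed sample catalogue; vendors, accounts and hosts are invented.
CATALOGUE = [
    {"vendor": "PathLab Ltd", "kind": "credential", "name": "svc-pathlab",
     "mfa": False, "last_reviewed": date(2024, 5, 1)},
    {"vendor": "PathLab Ltd", "kind": "tunnel", "name": "s2s-pathlab",
     "destinations": ["10.20.0.0/24"], "last_reviewed": date(2023, 2, 1)},
    {"vendor": "ScanCo", "kind": "tunnel", "name": "s2s-scanco",
     "destinations": ["any"], "last_reviewed": date(2024, 4, 15)},
    {"vendor": "ScanCo", "kind": "remote_software", "name": "imaging-ws-07",
     "tool": "free-remote-desktop", "last_reviewed": date(2024, 5, 20)},
    {"vendor": "BMS Services", "kind": "remote_software", "name": "bms-ctrl-01",
     "tool": "corp-remote-support", "last_reviewed": date(2024, 5, 20)},
    {"vendor": "BMS Services", "kind": "credential", "name": "svc-bms",
     "mfa": True, "last_reviewed": date(2024, 5, 20)},
]


def review(catalogue, today, max_age_days=180):
    """Return (vendor, name, finding) tuples for entries needing attention."""
    findings = []
    for e in catalogue:
        def flag(msg):
            findings.append((e["vendor"], e["name"], msg))
        # Any entry nobody has looked at within the window is stale (assumed policy).
        if (today - e["last_reviewed"]).days > max_age_days:
            flag("review overdue")
        if e["kind"] == "credential" and not e["mfa"]:
            flag("vendor credential without MFA")
        elif e["kind"] == "tunnel" and "any" in e["destinations"]:
            flag("site-to-site tunnel not scoped to specific destinations")
        elif e["kind"] == "remote_software" and e["tool"] not in SANCTIONED_TOOLS:
            flag("non-sanctioned remote access software: " + e["tool"])
    return findings


if __name__ == "__main__":
    for vendor, name, finding in review(CATALOGUE, today=date(2024, 6, 4)):
        print(f"{vendor:14} {name:14} {finding}")
```

On the sample data this reports four findings across two vendors; the value of the exercise lies in populating the catalogue from real identity, firewall and endpoint inventories.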

The NHS Cybersecurity Strategy: Proactive Measures

In response to the growing threat landscape, the NHS has outlined five key pillars in its cybersecurity strategy. These include Governance and Leadership; Risk Management; Technology and Process; People and Culture; and Partnerships and Collaboration.

While these pillars are essential, healthcare delivery organisations must go one step further. True, up-to-date knowledge of the devices and exposures within your environment is fundamental to effective protection. Shifting from a reactive to a proactive cybersecurity posture is critical.

This means anticipating potential threats, continuously monitoring for vulnerabilities and other security issues, and implementing pre-emptive measures to thwart cyberattacks before they occur.

Preventive Care in Cybersecurity

The recent cyberattacks on Synnovis and other healthcare entities highlight the urgent need for comprehensive, proactive cybersecurity strategies. As healthcare organisations continue to digitise their operations, the importance of securing every aspect of their ecosystem, including third-party vendors, cannot be overstated.

Ultimately, the goal is to ensure that healthcare services remain resilient in the face of cyber threats, minimising disruptions and safeguarding patient care. By adopting this approach and abiding by the key pillars of the NHS cybersecurity strategy, healthcare organisations can better protect themselves against the evolving threat landscape and maintain the trust of the communities they serve.