City of London skyline showing cyber attack on London hospitals

Cyber Attack on Synnovis Pathology Lab Traced to Longstanding Known Weaknesses at London Hospitals

A cyber attack on London hospitals that has unfolded over the course of June has had a devastating impact on the city’s blood supply, and has caused hundreds of operations to be postponed. New reporting from Bloomberg indicates that the city’s hospitals have long known that Synnovis, the pathology lab at the center of the attack, was a cybersecurity risk.

Synnovis and other contractors were named in internal conversations among the Guy’s and St Thomas NHS Foundation Trust board of directors earlier this year, according to leaked documents seen by Bloomberg reporters. These conversations noted that the contractors were repeatedly failing to meet data security standards and could pose a serious cybersecurity risk to London hospitals. Synnovis was hit by a cyber attack in early June that has been attributed to a Russian ransomware gang.

London hospitals left struggling in wake of seemingly preventable ransomware incident

The incident began on June 3, when Synnovis was hit with a cyber attack that involved the deployment of ransomware. The organization is a pathology partnership that processes samples and donated blood for Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust, and European medical testing giant SYNLAB.

The impact to London hospitals was quite broad. Hospitals under the two Trust partners were impacted along with the South London and Maudsley NHS Foundation Trust, and general practitioners (GPs) in a number of the city’s boroughs. Synnovis said that its capacity to process samples was “significantly reduced” and that it was farming out non-urgent work to other pathology labs. NHS England London declared the issue a regional incident and put out an emergency call for O positive and negative blood donation, and at least 1,100 operations were reportedly rescheduled or “rearranged” due to delays caused by the cyber attack during the first week. About 2,000 outpatient appointments were similarly impacted.

Synnovis has not yet confirmed the identity of the attacker, but some third-party cybersecurity researchers say the attack is the work of the Russia-based Qilin group. The group is an emerging ransomware-as-a-service (RaaS) provider that has been active for at least two years and has recently begun building a reputation for targeting critical infrastructure. The group has posted 112 victims on its leaks site, but had previously appeared to prefer small-to-medium targets and asked relatively small ransoms of under $1 million (and in some cases under $100,000). The group has stepped up to another level with the Synnovis attack, reportedly attempting to extort its victims for $50 million.

London hospitals had been worried about a cyber attack for years

The exact security lapse that led to the cyber attack has yet to be revealed. But officials with the London hospitals and impacted trusts had expressed concerns about the cybersecurity posture of assorted third-party vendors for years, Synnovis among them, pursuing IT infrastructure modernization programs meant to head off exactly this problem.

Other than knowing that ransomware caused a severe disruption, the technical particulars of the cyber attack have yet to come to light. But the human impact was immediate. Of the roughly 1,100 operations that had to be rescheduled in the early part of June, about 200 were considered to be emergency procedures that were risky to delay. One of those, an 81-year-old man in need of two heart valve replacements and a coronary artery bypass to restore proper circulation, shared his story with The Independent. NHS England has said that full recovery from the cyber attack will likely take months. The incident illustrates and personalizes the increasing threat that cyber attacks pose to the health of everyday people, and it is now far from the first time that a ransomware attack on a hospital has created imminent risk of injury (and in some cases has even contributed to a death).

Andrew Whaley, Senior Technical Director of Promon, sees this as the final wake-up call for the healthcare industry: “Being in a situation where patients can’t receive life-saving blood transfusions because the hospital isn’t equipped to defend against cyber attacks is simply unacceptable; the NHS is in critical condition without the threat of cyber warfare. Never should a healthcare organisation which cares for millions of people find itself struck down and unable to serve its primary function (saving lives) due to an IT issue. This is no surprise, however. And while no sector is invulnerable to these attacks, with lives on the line, healthcare providers have proven time and time again that they’re the most willing to pay a ransom following these incidents. Bad actors know this and smell blood in water. Sadly, in the current geopolitical climate, this is possibly just a warning sign of much larger attacks to come on the UK’s healthcare systems. Combine the rise of state-sponsored cyberattacks with the further digitisation of the NHS, and this paints a pretty grim picture for the defensive capabilities of the British healthcare sector.”

The damage is also not limited to delayed surgeries and a lack of emergency blood supply. A ransom payment was apparently not made, and some 400 GB of data stolen from the London hospitals was recently dumped to the dark web. These files include patient names, dates of birth, NHS numbers and descriptions of blood tests, as well as internal Synnovis business information that outlines their financial arrangements with partner hospitals and GPs. NHS issued a statement indicating the National Crime Agency and National Cyber Security Centre are poring through the “complex” files and that it will take weeks to verify the full extent of information included.

The attack on the London hospitals also furthers the established trend of ransomware operators specifically targeting patient care, though in this case it did not appear to be profitable for the hackers. Dmitry Sotnikov, Chief Product Officer at Cayosoft, notes that these incidents nearly doubled in 2023 and may well dobule by the end of 2024: “Qilin’s ransomware attack on Synnovis and their demand of $50 million contributes to an ethical downward spiral among cybercrime groups that condone trading lives for profit. Ransomware attacks targeting healthcare providers worldwide nearly doubled last year – 389 in 2023, up from 214 worldwide in 2022.”

“Synnovis claims that Qilin gained access to its systems via a zero-day vulnerability. Unfortunately, the use of outdated systems, which was likely the case for the affected hospitals run by Guy’s and St Thomas’ NHS Foundation Trust hospitals, likewise increased the chances of the attackers getting into their networks. Outdated cyber defense capabilities are very common in healthcare, where IT budgets are tight. After initial network entry, Qilin typically uses a company’s Active Directory (the main enterprise identity and access store) to elevate its privileges to spread laterally and find the target’s critical systems. Once identified, data can be stolen, and those systems are encrypted to take them offline. From the outside, this is the most likely scenario suffered by the affected London hospitals,” noted Sotnikov.

Kevin Kirkwood, Deputy CISO at LogRhythm, is another voice calling for the health care industry to step up its cybersecurity game: “Traditional reactive approaches are no longer sufficient to mitigate these threats. Healthcare providers need to implement robust security measures that encompass not just their own systems but also those of their third-party partners. This includes continuous monitoring, regular security assessments, and comprehensive incident response plans. By adopting these strategies, healthcare organizations can better protect their critical infrastructure and, most importantly, ensure the safety and trust of their patients.”

Dan Lattimer, Vice President of Semperis, provides some more specific advice: “Today, there’s no silver bullet that will solve the cybersecurity challenges facing hospitals. First, identify the critical services that are “single points of failure” for the business. If critical services go down, then the hospital won’t be able to operate and leaders will be forced to make tough decisions and likely divert the most critical patients to other facilities in the area. Have a plan for “what to do if.” And keep in mind that in nearly 90 percent of ransomware attacks, the hackers will likely compromise the organization’s identity system, which stores the crown jewels of the business. In the case of hospitals, it is patient data and other forms of proprietary information. Active Directory environments are the most vulnerable entry points, making it imperative that hospitals have real-time visibility to changes to elevated network accounts and groups.”