
UK Vendor's Attack Disrupts Care at London NHS Hospitals

London Incident Is Latest Major Ongoing Outage From Recent Ransomware Attacks
King's College Hospital in London is one of several NHS healthcare facilities affected by a Monday cyberattack on pathology services vendor Synnovis. (Image: NHS)

A ransomware attack on Synnovis, a U.K.-based provider of medical laboratory services, is significantly disrupting patient care and testing services at several NHS hospitals and other healthcare facilities in London.


The U.K. incident is one of at least two major disruptions hitting the healthcare sector. In the U.S., hospital chain Ascension said it is making regional progress in restoring electronic health records and other critical IT systems taken offline by a May 8 attack. Still, EHRs won't be back online at Ascension hospitals across all regions until mid-June.

The cyberattack hit U.K.-based Synnovis on Monday, and the incident is taking a toll on patient services at several London hospitals and other care sites, a spokesperson for the NHS England London region told Information Security Media Group in a statement on Tuesday.

"This is having a significant impact on the delivery of services at Guy's and St Thomas', King's College Hospital NHS Foundation Trusts and primary care services in southeast London," the spokesperson said. "We apologize for the inconvenience this is causing to patients and their families."

"We are working urgently to fully understand the impact of the incident with the support of the government's National Cyber Security Center and our cyber operations team."

NHS providers have tried-and-tested business continuity plans for instances such as this, which include offering mutual aid, the NHS said.

Some patient care activities have already been canceled or redirected to other providers as urgent work is prioritized, the spokesperson said.

"Emergency care continues to be available, and patients should attend appointments unless otherwise informed," the spokesperson said. "We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need."

Synnovis in a statement provided to ISMG described itself as a pathology partnership between Guy's and St Thomas' NHS Foundation Trust and King's College Hospitals NHS Trust, and SYNLAB, Europe's largest provider of medical testing and diagnostics. Synnovis provides services to the NHS, clinical users and other service users.

The incident has affected all Synnovis IT systems, resulting in interruptions to many of its pathology services, Synnovis said. "The immediate impact is on patients using NHS services within the two partner hospitals, as well as GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs," the vendor said.

"It is still early days, and we are trying to understand exactly what has happened. A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimize the impact on patients and other service users."

Ascension Update

In the U.S., Ascension, which was hit on May 8 with a cyberattack that disrupted clinical IT systems at many of its 140 hospitals and other care facilities in 19 states, said in an updated statement Tuesday that it is making progress in restoring many IT services in several regions, and full EHR restoration is expected in about 10 days.

EHR access has been restored in its facilities in Florida, Alabama, and Austin, Texas, Ascension said.

"Based on what we have learned about this process to date, we are working toward completing EHR restoration across our entire ministry by the end of the week ending June 14," Ascension said.

"As EHR is restored across the entirety of our networks, clinicians will be able to access patient records as they did prior to this incident," Ascension said.

"While these are promising developments in our recovery efforts, our investigation into this incident remains ongoing, along with the remediation of additional systems. This is a complex process, and it will still take time to complete."

Ascension Rx retail, home delivery and specialty pharmacy sites are now open and able to fill prescriptions, the organization said. "This means that healthcare providers are able to transmit prescriptions electronically and can send prescriptions to Ascension Rx pharmacies for their patients."

Last week, Office and Professional Employees International Union Local 40 in Macomb Township, Michigan, which represents nurses, radiological technologists and other medical professionals who work at Ascension Providence Rochester Hospital, sent a petition to the hospital leadership demanding that several patient safety measures be put in place while EHRs and other clinical systems are offline (see: Union Demands Patient Safety Fixes in Ascension Cyber Outage).

As of Tuesday, some 232 union members had signed the petition. Dina Carlisle, a registered nurse who works at a non-Ascension hospital and is president of the Local 40 OPEIU RN staff council, told ISMG that Ascension Providence Rochester Hospital has communicated with the union, but it has still not implemented the specific patient safety measures requested in the petition.

Disturbing Trends

The attacks affecting NHS hospitals in the U.K. and Ascension facilities in the U.S. are among the latest hacking incidents that have caused major IT disruptions in the healthcare sector.

"These attacks are most often carried out by ransomware gangs residing in Eastern Europe, and it's always possible the groups are being provided safe haven by the Russian government," said Sean Deuby, principal technologist at security firm Semperis.

"In the last year, the LockBit and ALPHV ransomware gangs have conducted nearly 20% of all ransomware attacks and collected more than $1 billion in ransom payments from victims," he said.

"I highly recommend that hospitals operate based on an 'assumed breach' approach. This not only means responding to the attack but being prepared to quickly recover should systems be compromised," Deuby said.

"A threat actor with enough motivation and resources will find a way to infiltrate most hospitals, and that's why they should implement solutions and practices for detecting, responding and containing breaches as soon as possible."

As these assaults continue to surge, it is critical for healthcare sector entities and their major vendors to take action to strengthen their security posture, said Patrick Garrity, security researcher at security firm VulnCheck.

That includes quickly updating and patching systems that have vulnerabilities with known exploitation, he said. "It also means eliminating end-of-line applications and technologies, which can be difficult in a patient care environment due to the complexity involving things like medical devices. This shouldn't be used as an excuse, though," he said.

"I can confirm from working with healthcare providers in the U.K. and the U.S. that end-of-life technology is often rampant as healthcare organizations still rely on legacy systems and applications," Garrity said. Maintaining and testing a backup and disaster recovery plan that includes ransomware scenarios internally and with third-party providers is also critical, he added.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



