NHS: Most Patient Services Online Following Synnovis Attack
UK Blood Supply Shortage Still Lingers 4 Months After Attack on Pathology Lab
The United Kingdom's National Health Service said nearly all blood testing and related services disrupted by a June ransomware attack on pathology laboratory services provider Synnovis are finally back online. The incident forced NHS hospitals in London to cancel thousands of patient appointments and procedures, and triggered a national O-type blood shortage, which still lingers.
NHS in a statement Friday said that despite most affected IT systems coming back online, it expects that it will take "some time" to replenish supplies of O-type blood (see: UK Blood Stocks Drop After Ransomware Hack).
"One of the final pieces in the jigsaw was the reconnection of blood transfusion laboratory IT systems. The attack meant the affected trusts were unable to carry out 'cross-matching' for blood transfusions so had to use O-type blood which is safe for all," the NHS said.
"This in turn, contributed to a national shortage of O-type blood supplies. The amber alert for blood supplies remains in place and new and existing O negative and Black heritage blood donors are still being urged to come forward and donate," NHS said.
The June attack and recovery forced the postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the most affected trusts: King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust in London, NHS said (see: UK Vendor's Attack Disrupts Care at London NHS Hospitals).
"The trusts have now moved back to being able to issue all blood group products for transfusions. While some important administrative work remains, any further impact on patient care will be minimal."
Russian-speaking ransomware group Qilin claimed responsibility for the attack on Synnovis, which describes itself as a pathology partnership between the NHS trusts and SYNLAB, Europe's largest provider of medical testing and diagnostics. Synnovis provides services to the NHS, clinical users and other service users (see: Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack).
Full IT Restoration Work Continues
Synnovis in a statement provided to Information Security Media Group on Wednesday said that since the attack, it has completed the first phase of its restoration plan, which included rebuilding and restoring critical IT platforms and interfaces that support blood sciences and primary care, including the reconnection of blood transfusion laboratory IT systems.*
"Over recent weeks the majority of services provided to Synnovis’ NHS partners – King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trusts – as well as local general practitioner practices, have operated at pre-cyberattack capacity levels. The majority of services for other customers have also continued to be provided, although we are asking that a small number of tests be prioritized by clinical need," Synnovis said.
"We can now begin to address all other systems, including the back office IT systems and platforms that, while not clinically critical, are key to the smooth operation of our business."
Meanwhile, an investigation into data potentially compromised in the incident is "advanced and ongoing," Synnovis said.
"Conducted with the support of national bodies and technical specialists, it involves interrogation of the published data to identify whether and to what extent any patient or employee data is affected," Synnovis said.
"The investigation timeframe, in keeping with the scale and scope of such an incident, is commensurate with the time required to thoroughly conclude which individuals or organizations have been impacted. As soon as it is appropriate and responsible to do so, Synnovis will communicate with the relevant, impacted stakeholders."
In the NHS statement, Synnovis CEO Mark Dollar said the reconnection of its blood transfusion laboratory IT systems "is a significant milestone" in the vendor's recovery program.
"Restoration of this particular system required intensive effort by experts within Synnovis, the NHS and suppliers," he said.
"Due to the efforts of these individuals and many more like them, this first phase of our restoration plan is now complete, and service users have access to almost all of the services that were available prior to the cyberattack," he said.
Dollar said the company still needs to restore some business administrative IT systems, but "we now see light at the end of this tunnel."
Long Recoveries
The time taken to recover from a ransomware attack is steadily increasing in healthcare, said Jon Moore, chief risk officer at security and privacy consultancy Clearwater. "The latest research indicates that 36% of healthcare organizations take at least a month to fully recover from an attack, with many trending toward two to three months or longer," he said.
Longer recovery times reinforce the need for healthcare organizations to perform a business impact analysis to develop a strong understanding of how operations will be affected if a function or process is unavailable, Moore said.
"They need to evaluate their maximum allowable downtime, or MAD, which helps quantify how quickly you must recover a business process during an attack," he said. "Your MAD may be influenced by factors such as your ability to provide a reasonable level of service through alternative means, financial impacts and other intangible impacts such as a loss of patient or customer confidence."
The Synnovis attack was one of several disruptive cyber incidents worldwide in recent months involving third-party blood supply organizations.
Besides the Synnovis attack, OneBlood, a nonprofit blood donation center that serves about 350 hospitals in the southeastern U.S., suffered a ransomware attack in July. That followed an April attack on Octapharma Plasma, the U.S. operations of a Swiss pharmaceutical maker, which shut down nearly 200 blood plasma donation centers for several days.
The incidents prompted the American Hospital Association and Health Information Sharing and Analysis Center in July to issue a joint healthcare sector warning about cyberthreats facing the medical blood supply chain (see: Attacks on Blood Suppliers Trigger Supply Chain Warning).
So far this year, the February ransomware attack on UnitedHealth Group's Change Healthcare IT services unit was the most disruptive of all third-party hacks in the U.S. healthcare sector.
The attack stopped payment processing and other critical functions for thousands of healthcare entities for many weeks, resulting in a data breach potentially affecting tens of millions of patients.
*Update Oct. 9, 2024 14:53 UTC: Updated to include Synnovis' statement to ISMG.