Criminals are increasingly targeting healthcare organizations by exploiting weaknesses in third parties.

Several large hospitals in Britain’s capital, London, face days and possibly weeks of disruption after a partner organization was compromised by a potent ransomware attack.

The attack on June 3 targeted medical diagnostics company Synnovis, causing huge disruption to pathology and testing, an essential service that hospitals depend on for routine diagnostics. Specifically, the cyberattack severed the connection between the hospitals and the company’s servers, taking down access to essential data.

The incident has badly affected two National Health Service (NHS) hospital trusts responsible for several of the capital’s busiest centers, including St Thomas’ Hospital, King’s College Hospital, Guy’s Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.

By June 4, the hospitals started cancelling transplant operations and described blood transfusions as “particularly affected” in an internal memo written by Guy’s and St Thomas’ head, Professor Ian Abbs.

On the same day, Synnovis, a joint venture between the two health trusts involved and German medical testing and diagnostics company Synlab, acknowledged the attack.

“It is still early days, and we are trying to understand exactly what has happened,” it said in a statement. “We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.”

Only a few weeks earlier, the Italian subsidiary of Synlab was badly affected by a ransomware attack later claimed by an affiliate operating on the Black Basta ransomware-as-a-service (RaaS) platform.
Supply chain pain

Ransomware attacks are now so frequent across the world that they almost feel routine, but incidents affecting hospitals still have the ability to generate extra public anxiety. Given the time-sensitive nature of medical workflow, hospitals and health systems make the perfect target for extortion.

Widely cited incidents include the 2021 attack on Ireland’s Health Service Executive (HSE), the bill for which reached €102 million ($111 million) plus hundreds of millions in additional security upgrade costs.

In February, a ransomware gang stole an estimated 3 TB of sensitive patient data from NHS Dumfries and Galloway, much of which was later leaked. Further afield in the same month, ransomware brought large parts of the Romanian health system to a standstill in an attack affecting dozens of hospitals.

However, alongside the notorious WannaCry incident in 2017, this week’s incident still counts as among the most disruptive ever to affect the NHS.

An increasingly common thread in many of these attacks is the targeting of third-party service providers rather than the hospitals themselves. This is a logical evolution: As hospitals become better defended, the next points of weakness are the organizations that support them.

Qilin ransomware

In a BBC radio interview this week, former chief executive of the National Cyber Security Centre (NCSC) Ciaran Martin blamed the Russian “Qilin” (aka “Agenda”) RaaS platform for the attack, although this has not been confirmed.

According to security company Group-IB, Qilin has been active since 2022, mainly targeting organizations in critical sectors such as healthcare. The platform — or the affiliates that use it in return for a cut — is not especially prolific by ransomware standards. The latest attack would by some distance be its most consequential compromise to date.
Neither is Qilin especially innovative, adopting a standard double extortion modus operandi that tries to phish credentials or compromise poorly secured Remote Desktop Protocol (RDP) connections.

Once Synnovis has restored services to hospitals, the next worry for the company will be the extent of any data that might have been lost. As with so many ransomware incidents before it, many details are still up in the air and might not be confirmed for weeks or months, or perhaps ever.