‘A case of when rather than if’: Why are hospitals becoming more of a target for ransomware attacks?

A doctor with a face mask to protect from COVID-19 works in his office on a computer in Essen, Germany, 2020. ©Martin Meissner/AP Photo, File

A ransomware attack against a lab provider disrupted several hospitals and primary care doctors in London this week, delaying operations and blood tests.

The attack had a “significant impact,” with the lab provider Synnovis stating it was a “harsh reminder that this sort of attack can happen to anyone at any time,” but the NHS does not know the full impact on data at this point.

“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal,” an NHS spokesperson said on Thursday.

“Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning patients have had phlebotomy appointments cancelled”.

A ransomware attack is one in which malware encrypts or otherwise locks a victim's files so they can no longer be accessed, and the attackers demand payment in return for restoring access.

It reflects what experts have called a growing trend of cyber incidents in the health sector.

European healthcare sector ‘increasingly targeted’

“The healthcare sector has been increasingly targeted as digitalisation has expanded the attack surface, giving rise to increased phishing and ransomware attacks,” Laura Heuvinck, a spokesperson at the EU Agency for Cybersecurity (ENISA), told Euronews Health.

An ENISA report published last year found that ransomware attacks represented 54 per cent of cyber incidents in the sector from January 2021 to March 2023, with this type of attack being named a “prime threat in the health sector”.

Yet just 23 per cent of health sector organisations had a dedicated ransomware programme in 2023, the agency said.

The report, which covered part of the COVID-19 pandemic era where the health sector was a primary target, found that most of those behind the ransomware attacks were driven by financial gain.

“Attacks mostly target patients' data, such as electronic health records, which are then used, for example, for fraud, identity theft, or to use sensitive data for extortion,” the agency spokesperson added.

EU healthcare providers and hospitals were particularly affected by the incidents compared to health authorities and the pharmaceutical industry.

A French Digital Health Agency report last month noted a “persistence of incidents of malicious origin” in 2023, with 581 reports of cyberattacks in healthcare, at least half of which were malicious.

But they also noted that the year was marked by a “significant reduction in major incidents and stability in the number of incidents that had an impact on patient care”.

Some 53 per cent of healthcare organisations said that a cyber incident had no impact on their functioning, and analysts said proactive monitoring of information systems had helped make cyberattacks less effective.

There was, meanwhile, an increase in ransomware attacks targeting US hospitals in 2023, according to a report this year from the software company Emsisoft.

Ransomware attacks affected 46 US hospital systems spanning more than 140 hospitals last year, and at least 32 hospital systems had protected health data stolen, Emsisoft said.

A staff member of the emergency department works at a computer terminal at a hospital in Oregon, 2021. ©Mike Zacchino/KDRV via AP, Pool

Why would criminals target the healthcare sector?

Alan Woodward, a computer security expert at the University of Surrey in the UK, said hospitals may be at risk as they “aim to communicate between a lot of different providers,” making their systems more “open”.

“It's one of those things where the more connectivity there is, the attack surface grows, so that there's going to be more opportunity for criminals to get in,” said Woodward.

“Just imagine the number of emails going backwards and forwards to a hospital and all the people in the hospital every day… You only need one to get through with a bit of malware in it; it spreads”.

An example of this was the 2017 global WannaCry ransomware attack which impacted 80 hospital trusts in England.

One analysis from Imperial College London put the cost of the massive cyberattack at nearly £6 million (€7 million) for the NHS due to appointment cancellations and delays to life-saving care for patients.

“The bottom line is criminals don't care. They really don't care who they hit, and I think some of the thinking probably in their mind is if we attack things that are critical, people might be more likely to pay up because they’ve just got to have it,” he added.

Hospitals are also already stretched resource-wise.

“IT isn't their core business, but they are very dependent on it,” he added, so “finding time and resources to make sure you've got the latest software, the latest versions of things that are not vulnerable, it's difficult”.

What can hospitals do to prevent attacks?

“Most hospitals now are prepared for the fact that it’s a case of when rather than if they’re going to be attacked,” said Woodward.

People need to know who to call and what actions to take in the event of a cyberattack as part of their incident response plan.

But overall, ransomware typically gets into a system “by fooling somebody,” said Woodward.

“One should never ever victim blame when it comes to cybersecurity. But what organisations should do is repeatedly run awareness education of how this could happen, you know what to look out for,” he said.

All logins should also have multi-factor authentication, he added, and education should include password hygiene.

Experts say that the key is also to not pay the ransom, with some pushing for an international ban on these payments.

A 2022 Sophos survey across 31 countries found that the healthcare industry was the most likely to pay ransom but also paid the least amount.

“The only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work,” said Emsisoft threat analyst Brett Callow in a blog post earlier this year.

“The advice always is please don't pay up because A. you just embolden the criminals and B. you guarantee nothing. You don't guarantee getting your data back,” Woodward added.

© Euronews