When is Enough, Enough?

This week marks yet another dark moment for healthcare, with another Russian cyber-attack against a supplier of critical services for two major London hospital trusts. Over 200 life-saving operations and hundreds of other appointments have had to be cancelled, while ambulances have been placed on divert.

Impacted are King’s College Hospital, Guy’s and St Thomas’ – including the Royal Brompton and the Evelina London Children’s Hospital – along with their associated primary care services. This includes GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs. All have had to revert to paper for blood tests and transfusions thanks to a ransomware attack against Synnovis, a provider of pathology services.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families,” said an NHS spokesperson in a statement.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics. On Monday it was hit with a cyber extortion attack thought to be the work of a Russian criminal group known as Qilin. As a result, an emergency was declared, the National Cyber Security Centre notified, and the Cyber Operations Team called in for assistance. All of Synnovis's IT systems are believed to be affected.

The incident follows a separate case at Synlab Italia, which in April involved a different Russian group known as Black Basta forcing the company's services offline. The group has been linked to the Conti ransomware group, an even more infamous Russian organized crime syndicate. Following this attack, it took the provider nearly a month to restore the majority of its systems. It appears Synlab Italia didn't pay whatever ransom was demanded of it, as Black Basta claims it has Synlab's data available for download on its blog. Black Basta is also thought to have been responsible for the attack last month against US healthcare provider Ascension Health.

The attack this week against Synnovis, however, appears to be the work of yet another Russian crime group known as Qilin. This ‘Ransomware for rent’ group has targeted IT firms, medical organisations, courts, the 'Big Issue', and appears to operate with Vladimir Putin’s blessing. 'Qilin', also known as 'Agenda', has hacked hundreds of victims over the two years it has been operating under its known identities. Qilin’s 112 known victims span 30 different countries, with Russia and the Commonwealth of Independent States (ex-Soviet satellite countries) being the notable exceptions. No need to wonder why!

The Guy’s and St Thomas’ and the King’s College Hospital NHS Foundation Trust attacks are not unique events. In fact, this is the third such attack in the past 12 months against NHS trusts. In June of last year, a Russian cybercrime gang called BlackCat hacked the Barts Health NHS Trust. Then earlier this year yet another Russian gang, INC Ransom, attacked NHS Dumfries and Galloway, stealing 3 TB of protected health data.

The Russians have certainly cornered the cyber-extortion market, a criminal industry worth $14 billion as of 2022 and one growing rapidly at 73% according to SANS. Indeed, the growth of this industry appears to be directly linked to the number of ransoms being paid by victims, which in the first half of 2023 were estimated to have been more than $590 million. Cyber-extortion is, according to the NCA and FBI, a form of cyber-terrorism. So, in effect, those who pay extortion payments could be breaking the law by giving money to wanted terrorists, yet many still do so, and few of those who are directly financing this trade have been arrested or prosecuted thus far.

$590 million is also a valuable source of income and hard currency for Russia given all the trade sanctions the country is under following its partial invasion and ongoing war with Ukraine. What’s also apparent is that no one in a criminal oligarchy like the Russian State is going to make $20 million a pop in ransom payments without sharing at least some of that new-found wealth with others all the way to the Mafia Don at the top, i.e. one Vladimir Vladimirovich Putin, reportedly the richest man in the world today.

But the costs of a ransom attack are far greater than merely the ransom payment (if payment is made), or the costs of forensic investigation, incident response, fines, lawsuits, and punitive damages. The cost when healthcare is attacked is measured in lives: how many patients die as a result of not receiving timely intervention and treatment (mortality), how many will die earlier than expected or are made to suffer for longer periods of time (morbidity), and how many patients are placed at risk because critical IT and IoT systems are down and their safety may be compromised as a result.

Attacks against healthcare are not only an attack by a foreign adversary against a critical national infrastructure industry of a nation state, but also an attack that threatens the lives and wellbeing of its citizens. Attackers therefore run the risk that the full power of the state they attack might be used against them, kinetically, when all legal avenues fail to bring them to justice, or to stop their attacks. Russia does not regard cyber-attacks against other countries as a crime, nor does it honour extradition treaties with the rest of the world. Even then, its criminal justice system is irrevocably compromised and corrupted by money, power, and influence.

It is unknown to what extent the Kremlin is behind cyber-attacks against foreign critical national infrastructure, but Russia certainly turns a blind eye to it at the very least, by offering safe harbour to those engaged in this criminal activity. What is for sure is that the criminal activities of some Russians are helping to weaken and degrade many of Russia’s foreign adversaries. At the very least, the use of criminal proxies rather than official state assets provides the Kremlin with some level of plausible deniability, no matter how implausible that is now becoming, or how insincere Putin’s claims of denial are today.

Until such time as Russia finally fails as a state, and a new Russia adopts a real legal-judicial system, one uncorrupted by others so that criminals can eventually be held to account, the NHS and other providers of healthcare services, including third parties, will need to seriously improve the cybersecurity and operational resiliency of key systems needed by patients. The UK will also need to critically evaluate any single points of failure in application or underlying infrastructure, just as the US needs to following the recent UHG Change Healthcare attack. Relying on a single vendor or single application for critical parts of medical workflow can no longer be supported. The ability to switch out failed components of a modular architecture is already crucially needed, yet few healthcare providers have reached that level of resiliency today.

Out of all industries, health-care providers were the most targeted by ransomware gangs last year, according to a report by Cisco's Talos threat intelligence division. Cisco attributed the targeting to health-care organizations generally having “underfunded budgets for cybersecurity and low downtime tolerance.”

Given the criticality of IT and IoT in today’s digital health system and continuously rising cyber threats by adversaries, we need to focus a lot more time, effort, and money to build our healthcare services to be able to withstand all but the most destructive of attacks.

Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.