In June of last year, a Russian cybercrime gang called BlackCat hacked the Barts Health NHS Trust, a part of the UK’s National Health Service that operates several hospitals in London, and published some of it online in an extortion attempt.
Last month, a different group, called INC Ransom, published a huge trove of data — three terabytes’ worth — culled from a hack of the NHS Dumfries and Galloway, an NHS board overseeing a region of Scotland for the health service.
And on Monday, hackers launched a ransomware attack against a key partner to the NHS, a company called Synnovis that helps manage blood transfusions and lab services for hospitals operating under the Guy’s and St Thomas’ NHS Foundation Trust and the King’s College Hospital NHS Foundation Trust. The attack crippled services at those hospitals.
The incidents illustrate the numerous cybersecurity challenges facing the NHS, which delivers care to the UK’s 68 million residents through a network of 229 trusts spread out across the kingdom. The system amounts to a vast network of providers and computer systems that makes the NHS the keeper of one of the richest and most comprehensive national health datasets anywhere.
Additionally, with 1.7 million workers, the health service is one of the world’s largest employers, by some measures behind almost everyone except the U.S. and Chinese militaries, Walmart Inc. and McDonald’s Corp.
All of that makes the NHS an attractive target at a time when financially motivated cybercriminals are increasingly targeting health-care organizations and seeking to damage or disrupt their IT systems in hopes of extorting them for huge ransom payments. In addition to the recent hacks, the health service was one of the most prominent victims of the 2017 WannaCry attack, which involved an early strain of ransomware that spread around the world including disrupting services at a third of the NHS’s trusts, including forcing the temporary closing of several emergency rooms.
Out of all industries, health-care providers were the most targeted by ransomware gangs last year, according to a report by Cisco Systems Inc.’s Talos threat intelligence division. Cisco attributed the targeting to health-care organizations generally having “underfunded budgets for cybersecurity and low downtime tolerance.”
Across the Atlantic, cybercriminals have repeatedly broken into various parts of the health-care sector, from major hospital systems to one of America’s largest health insurance companies. Last year, the FBI received more reports of ransomware attacks in health care and public health than in any other of the 16 industries that the US government designates as critical infrastructure.
“When health-care systems and data are unavailable, lives are potentially at risk. This makes the sector a tempting target for criminals,” Martin Lee, Cisco’s UK-based technical lead of security research, wrote in an email. “Outages ply pressure on management to pay off the attackers to restore availability quickly. However, paying the ransom means that these attacks remain profitable and ultimately only serves to encourage further attacks.”
Cybersecurity experts say the growing number of attacks against health-care providers — including the NHS — also highlights the difficulty of them policing not only their own security, but that of key suppliers as well.
This week’s ransomware attack against Synnovis was the third in the last 12 months to hit Munich, Germany-based Synlab AG, the company that runs Synnovis with the two London-based NHS hospital trusts. In June 2023, Synlab, which is one of Europe’s biggest providers of medical diagnostic services and testing, said its French branch was hit by attacker group Cl0p. In April this year, a cyberattack paralyzed the group’s Italian operation.
The company described the latest attack as “an isolated incident with no connection” to the April incident in Italy. It declined to respond to other questions and said it’s still trying to assess the impact of the breach.
Once an organization has been breached, hackers learn its “cyber terrain,” which increases the chances they’ll be able to get back in later, even after the victim has cleaned up the original breach and applied more security controls, according to Brad Freeman, co-founder and director of technology for the London-based cybersecurity firm SenseOn. If an attacker exploits a flaw in a website that’s then fixed, for instance, it’s likely that they and other attackers will find other, similar ways in, as the original flaw could be a seen as a sign of poor software development practices, he said.
“Suppliers such as Synnovis are life-critical elements of the NHS supply chain,” he wrote in an email. “This data breach demonstrates how difficult securing systems from multiple independent suppliers and the potential impact to operations,” he said.
Like their counterparts in the UK, experts say that American health-care providers remain attractive targets for cybercrime because they often have limited security budgets, complex and vulnerable computer systems, and troves of sensitive information that’s used to make life-or-death decisions.
Hitting hospitals gives attackers leverage because doctors have to resolve the ensuing disruptions fast, according to Mark Montgomery, a senior fellow for the Foundation for Defense of Democracies who led a U.S. government commission studying cybersecurity.
“They immediately provide potentially life-threatening conditions – whether it’s your MRI doesn’t work, or you can’t get data to the surgical suite or you can’t get information on blood type,” Montgomery said.
In 2021, a ransomware attack on Scripps Health’s network of hospitals in San Diego forced staff to cancel medical procedures and divert emergency patients to other hospitals. The hackers took patient records, scheduling and other critical systems offline, the San Diego Union-Tribune reported, forcing medical personnel to resort to pen and paper.
Last year, another ransomware attack hit Ardent Health Services, which operates 30 hospitals in six states, forcing them to postpone certain elective procedures and divert patients from some of its emergency rooms. This year, another major attack struck Ascension, one of the country’s largest nonprofit health systems. The Catholic-affiliated hospital network had to divert ambulances, suspend elective surgeries and reschedule appointments as it worked to get systems up and running again.
“It’s become a rinse-and-repeat target,” said Joshua Corman, who led strategy for the US Cybersecurity and Infrastructure Security Agency’s Covid-19 response task force.
The Biden administration recently announced that it intends to require hospitals to meet minimum cybersecurity standards.
Meanwhile, other parts of the health-care industry have also been hit.
In February, hackers broke into a subsidiary of UnitedHealth Group Inc., which delayed billions of dollars of payments to doctors and hospitals and saw hackers make off with data on as many as one in three Americans. The insurance giant said it paid the hackers a ransom of more than $20 million to stop the release of patient data.
“When attacking life-saving infrastructure like hospitals and care centers, attackers know that they’ll have the upper hand in any ransom negotiation,” said Adam Marrè, chief information security officer at the cybersecurity firm Arctic Wolf.
