The Synnovis cyber attack, glaring neglect, and business discontinuity

Comment. The Synnovis pathology lab malware attack on June 3 has resulted in delayed hospital treatments and operations in London, UK, with the Qilin ransomware gang now publishing stolen information. The affected Synlab business has been attacked twice before by malware gangs, and cyber security specialists are asking questions about why it hasn’t protected its systems more effectively against such attacks.

So far the attack has caused more than 2,194 outpatient appointments and 1,134 elective procedures (operations) to be postponed at the UK King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – 1,184 of which were for cancer treatment – because of the inability to get blood analysis results from the affected Synlab facility.

The Synlab pathology operations are mission-critical to the hospital trusts, yet the effects of the attack – an NHS statement notes “disruption from the cyber incident will be felt over coming months” – show that there was no effective business continuity or disaster recovery procedure in place for the affected IT systems.

What’s been done?

A Synnovis spokesperson told us: “Synlab constantly improves security measures and emergency processes as they are vital components in responding to and mitigating cyber attacks on essential healthcare providers.

“Furthermore, Synlab follows a ‘zero trust’ approach to cyber security and continuously invests in the security of its IT systems and processes as well as the awareness of employees to protect its infrastructure and data.

“We have taken several steps to further secure our infrastructure and implement operational mitigations for partners. These have included but are not limited to:

  • Standing up new datacenter infrastructure
  • Resetting all service platform passwords and expiring MFA tokens.”

This is after-the-event activity. Why was it not done before? Why was it not done after Synlab France was attacked in June last year, and Synlab Italy in April this year?

A rude awakening

Dmitry Sotnikov.

Columbus, Ohio-based Cayosoft is a software developer focused on security, efficiency, and compliance for Active Directory (AD), Azure Active Directory (Azure AD), and Microsoft 365 customers. Chief product officer Dmitry Sotnikov told us: “Unfortunately, the situation with Synnovis and the affected hospitals is not unique, and healthcare organizations are experiencing a rude awakening. In the past, many assumed that hackers – those who were state-affiliated – mostly targeted commercial enterprises and generally avoided sensitive industries such as healthcare. However, the war in Ukraine radically changed cyber security and left no industry immune. The recent attacks on Change Healthcare and Ascension in the US are stark reminders that massive ransomware attacks can now put numerous lives in danger. 

“The healthcare industry needs to review its priorities and urgently invest in IT security. It is responsible for the privacy and lives of its patients.

“Luckily, the attacks that we are seeing are not tailored to healthcare targets at all. The criminals are using the same general-purpose attack methods in healthcare as they do with other industries: attacking via phishing or credentials, and then using Active Directory to spread laterally and elevate privileges. Cyber defense solutions exist to mitigate the threat of ransomware – MFA, threat detection, monitoring, recovery, etc. – but the sector needs to start applying them consistently.”

Contingency plans

An NHS document dating from the 2017 WannaCry attack states: “Organizations should have plans in place to detect and eliminate malware within their systems. These plans should include measures to minimize the impact of a security breach and to expedite the organization’s response. Organizations should adopt a ‘defence-in-depth’ approach, using multiple layers of defence with various mitigation techniques at each layer to detect malware and prevent it from causing significant harm.”

Further: “All NHS organizations must have business continuity plans in place so that they can maintain their services to the public and patients in the event of both large and small incidents.”

Because the Synlab June 3 attack has had such devastating consequences, and recovery will take several months, one might conclude that the Synnovis partnership had not followed this advice.

A combined Guy’s Hospital Foundation Trust and St Thomas’ Hospital Foundation Trust document sets out their claimed responsible attitude to cyber security, at least as regards the Synnovis pathology laboratory information management system, which is powered by EPIC software:

As the June 3 attack and its ongoing effects seem to demonstrate, though, Synnovis did not have “strong procedures in place to detect and eliminate malware” within its systems. You’d be forgiven for thinking lip service was paid to cyber security instead of erecting and maintaining effective malware attack defenses. The current business discontinuity was the result of this inadequate provision.

Leaving the door open

Richard May.

Richard May, CEO of virtualDCS, a UK-based specialist cloud service provider, told us: “As a specialist in data recovery, I am frequently disheartened by the delayed and often lackluster approach many organizations take toward disaster recovery (DR) and backup solutions. Decisions that should be made with urgency often languish for over six months, leaving critical data vulnerable. If an individual left their front door wide open, they would undoubtedly rush to secure it. It is expected that organizations handle others’ information with the same level of care and expedience as they would their personal belongings.

“The situation with Synlab is a glaring example of neglect in both risk prevention and mitigation. Recent reports suggest that restoring their services could take several months, highlighting a severe failure in its data protection strategy. This delay demonstrates negligent complacency and a blatant disregard for safeguarding mission-critical systems. Clearly, data assets were neither properly identified nor protected, and there appears to be no effective DR ‘playbook’ in place to facilitate a swift recovery.

“This incident should serve as a wake-up call for all organizations to prioritize the implementation of robust DR and backup solutions immediately. The protection of data should be approached with the utmost urgency and diligence, ensuring that comprehensive plans and technologies are in place to mitigate risks and ensure rapid recovery from any disruptions.”

Check out this specific UK NHS website to read updates about the attack and the progress of the recovery from it.