Ransomware Attack on Pathology Services Vendor Disrupts NHS Care in London

A ransomware attack on a pathology services vendor earlier this week continues to disrupt patient care, including transplants, blood testing, and other services, at multiple NHS hospitals and primary care facilities in London. The vendor, Synnovis, is struggling to recover from the attack, which has affected all its IT systems, leading to significant interruptions in pathology services. The Russian-speaking cybercriminal gang Qilin is believed to be behind the attack. Ciaran Martin, former chief executive of the U.K. National Cyber Security Centre, described the incident as "one of the more serious" cyberattacks ever seen in England.

Speaking to the BBC, Martin indicated that the criminal group was "looking for money" by targeting Synnovis, although the British government maintains a policy against paying ransoms. Synnovis is a partnership between two London-based hospital trusts and SYNLAB. The attack has caused widespread disruption. According to Brett Callow, a threat analyst at security firm Emsisoft, the health sector remains a profitable target for cybercriminals. He noted that attacks on providers and their supply chains will persist unless security is bolstered and financial incentives for such attacks are removed. 

In an update posted Thursday, the NHS reported that organizations across London are working together to manage patient care following the ransomware attack on Synnovis. Affected NHS entities include Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust, both of which remain in critical incident mode. Other impacted entities are Oxleas NHS Foundation Trust, South London and Maudsley NHS Foundation Trust, Lewisham and Greenwich NHS Trust, Bromley Healthcare, and primary care services in South East London. 

The NHS stated that pathology services at the impacted sites are available but operating at reduced capacity, prioritizing urgent cases. Urgent and emergency services remain available, and patients are advised to access these services normally by dialing 999 in emergencies or using NHS 111. The Qilin ransomware group, operating on a ransomware-as-a-service model, primarily targets critical infrastructure sectors. According to researchers at cyber threat intelligence firm Group-IB, affiliate attackers retain between 80% and 85% of extortion payments. Synnovis posted a notice on its website Thursday warning clinicians that all southeast London phlebotomy appointments are on hold to ensure laboratory capacity is reserved for urgent requests. 

Several phlebotomy sites specifically managed by Synnovis in Southwark and Lambeth will be closed from June 10 "until further notice." "We are incredibly sorry for the inconvenience and upset caused to anyone affected." Synnovis declined to provide additional details about the incident, including speculation about Qilin's involvement. The NHS did not immediately respond to requests for comment, including clarification about the types of transplants on hold at the affected facilities. The Synnovis attack is not the first vendor-related incident to disrupt NHS patient services. Last July, a cyberattack against Ortivus, a Swedish software and services vendor, disrupted access to digital health records for at least two NHS ambulance services in the U.K., forcing paramedics to use pen and paper. 

Additionally, a summer 2022 attack on software vendor Advanced, which provides digital services for NHS 111, resulted in an outage lasting several days. As the healthcare sector continues to face such cybersecurity threats, enhancing security measures and removing financial incentives for attackers are crucial steps toward safeguarding patient care and data integrity.

Strengthening Healthcare Cybersecurity: A Collaborative Imperative

In recent years, cyberattacks have surged, putting every segment of the nation's healthcare system—from hospitals and physician practices to payment processing companies and biomedical facilities—under stress. These attacks disrupt patient care and cost the industry billions. Erik Decker, Vice President and Chief Information Security Officer (CISO) at Intermountain Health, emphasized the need for an "adversarial mindset" to counter these sophisticated threats during a recent U.S. News and World Report virtual event. 

Decker, who also chairs the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, highlighted that cybercriminals aim to maximize profits swiftly, targeting vulnerable points within the healthcare sector. Marc Maiffret, Chief Technology Officer of BeyondTrust, explained that attackers typically infiltrate through three primary avenues: social engineering, misconfigured devices, and risky third-party connections. Social engineering often involves phishing emails or impersonation calls to service desks, where attackers request the enrollment of new devices using compromised credentials. 

Misconfigured devices exposed to the internet also provide easy entry points for attackers. The third method involves exploiting unattended remote access systems. Once inside, cybercriminals often target Active Directory and administrator workstations to gain critical credentials. To bolster defenses, Decker highlighted that the Department of Health and Human Services offers resources and voluntary cybersecurity performance goals developed with the HSCC’s Joint Cybersecurity Working Group.

Zeynalov described Cleveland Clinic's approach of understanding the business thoroughly and aligning cybersecurity measures with healthcare needs. His team visited various locations to map the patient journey from admission to discharge, ensuring that protections are seamless and do not hinder patient care. Incident response planning is crucial. Maiffret advised against overly imaginative scenarios, favoring practical preparedness. Decker recommended establishing clear command structures and regularly simulating attack responses to build effective "muscle memory." “Your event that happens will never happen according to the way you planned it. 

For smaller, financially constrained hospitals, Zeynalov advocated for shared defense strategies. The Biden Administration’s 2025 fiscal year budget proposal allocates $1.3 billion through HHS to support cybersecurity adoption in under-resourced hospitals, reminiscent of the electronic medical records stimulus from the American Recovery and Reinvestment Act. 

Ultimately, the panelists emphasized a collaborative defense approach to withstand sophisticated cyber threats. By pooling resources and strategies, the healthcare sector can enhance its resilience against the ever-evolving landscape of cybercrime. This shared defense strategy is crucial, as Decker concluded, “We cannot do this stuff individually, trying to stop the types of organizations that are coming after us.” By uniting efforts, the healthcare industry can better protect itself and ensure the safety and trust of its patients.

Ascension Cyber Attack Heightens Focus on Healthcare Cybersecurity Measures

The healthcare sector is increasingly targeted by cybercriminals, as evidenced by recent high-profile attacks that disrupt services and highlight vulnerabilities in this critical industry. The recent cyber attack on Ascension, in particular, has raised concerns due to its significant impact on healthcare operations, resulting in patient diversions and disrupted clinical services across its 139 hospitals.

This attack follows closely behind other major incidents involving UnitedHealth and Change Healthcare, where patient data was compromised and significant financial demands were made. These attacks not only underscore the importance of robust cybersecurity measures within healthcare but also raise concerns about patient privacy and data security.

While details about the Ascension cyber attack are still emerging, there are suspicions that it could be a ransomware attack, given the patterns observed in similar incidents targeting healthcare organizations. Regardless of the exact nature of the attack, any threat to healthcare services has serious consequences.

There is growing evidence suggesting a connection between ransomware attacks and geopolitical aims, with some attacks possibly serving the interests of adversarial nations. This blurring of lines between criminal and state-sponsored activities underscores the need for a more aggressive approach in combating cyber threats to healthcare and critical infrastructure.

Phishing attacks remain a common entry point for cybercriminals, highlighting the need for organizations to adopt more comprehensive strategies to combat them. Traditional defenses like email filters and user awareness training have proven insufficient, emphasizing the importance of innovative approaches to email security.

The Ascension cyber attack serves as a wake-up call for the healthcare industry to strengthen its cyber defenses against evolving threats. As cybercriminals continue to target sensitive patient data and critical healthcare services, proactive measures are essential to safeguarding the integrity of healthcare systems and ensuring uninterrupted patient care.

Rising Healthcare Cyberattacks: White House Contemplates Response

Amidst a continuous stream of cyberattacks targeting the healthcare sector, leading to disruptions in hospitals and patient care, the Biden administration is taking a measured approach in formulating regulations to bolster the industry's cybersecurity defenses.

Andrea Palm, Deputy Secretary of Health and Human Services, stated that they are thoroughly exploring various options to ensure a comprehensive advancement of this agenda. The department oversees several critical aspects of healthcare cybersecurity, including incident preparedness, certification of health IT vendors, and compliance with data security and privacy regulations.

Health and Human Services has multiple potential avenues to regulate cybersecurity within its purview, making it distinct among federal agencies. It remains uncertain if internal disagreements on the right approach or the need for additional resources are delaying the development of healthcare cyber regulations.

During a recent cybersecurity roundtable with industry leaders, representatives from hospital associations and cybersecurity groups discussed concerns and ways for the government to address security gaps that have fueled ransomware attacks. One prevalent concern was the vulnerability of rural hospitals, underscoring how their cybersecurity shortcomings pose a risk to the entire industry.

Many rural hospitals lack specialized IT or cybersecurity staff, and even when present, executives may not be equipped to ask the right questions. To assist these facilities, suggestions included launching regional training programs or "boot camps" for rural hospital leaders.

Mark Jarrett of Northwell Health emphasized the importance of integrating cybersecurity discussions into patient care dialogues, suggesting that it should become a routine part of safety rounds in hospitals. Additionally, Mari Savickis urged the federal Centers for Medicare & Medicaid Services to incorporate cybersecurity into billing discussions with doctors.

Health and Human Services has collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) to address cybersecurity concerns in the healthcare sector. CISA has identified hospitals as one of three priority communities with highly vulnerable targets. Nitin Natarajan, CISA's Deputy Director, emphasized the significance of cybersecurity in safeguarding patient safety.

However, a major challenge remains: how to make cybersecurity upgrades viable for the numerous small, under-funded medical providers across the U.S. One proposed solution is for larger hospital systems to directly offer cybersecurity services to smaller institutions in their regions, possibly with the aid of federal grants. This approach is being discussed, but no specific endorsement has been made yet.

Natarajan stressed that the industry should not solely rely on federal funding for this substantial undertaking, emphasizing the need for a collaborative effort to mitigate cybersecurity risks effectively.