Semperis comment on hospital cyberattack
June 2024 by Simon Hodgkinson, Strategic Advisor, Semperis
Simon Hodgkinson, Semperis Strategic Advisor comment the new hospital cyberattack
“Sadly, the latest cyberattack on Synnovis is having a significant impact on the delivery of clinical care in several Hospitals in London. Synnovis provide pathology services to several Hospitals and primary care providers in London.
This is an example of a cybercriminal attacking an organisation which is a critical supplier of healthcare services, creating major disruption and putting patients’ lives at risk. Whilst there is no evidence this was targeted at the NHS, it amplifies the importance of understanding the end-to-end supply chain, assuring suppliers have the appropriate security controls in place, and documented and tested recovery plans. All too often, this is assurance is delivered through questionnaires which is insufficient for critical suppliers.
However, it is not just suppliers, one must understand from the point of care, the processes and systems that enable the clinical outcome and ensure appropriate security measures are in place. At the very heart of the digital eco-system is the identity platform, and in 90%+ of organisations this is Active Directory (AD). Gaining control of AD (and hybrid identity platforms such as EntraID/Okta) is the target of most cybercriminals and yet in many organisations there are misconfigurations which are exploited by the criminals. I would encourage every organisation, however big or small to run Purple Knight. Purple Knight is a free tool, which assesses the security of your hybrid identity platform, and provides a prioritized list of issues with clear actions to improve the security posture. Ask your critical suppliers to run Purple Knight and share the results and action plan, rather than rely on a questionnaire!.
Finally, organisations must have robust and realistic business continuity plans (BCP) to minimize disruption to critical services whilst the technology is recovered. In my experience, those organisations without documented and tested plans under-estimate the time to recover services and as a result the continuity plans are unrealistic.
As always, the NHS, NCSC and suppliers will deal with this situation and ensure they do their utmost to minimize the disruption to patient care. We are so fortunate to have such wonderful mission-oriented people – thank you!”