NHS Synnovis June 2024 Ransomware Attack and Data Breach

National Health Service (NHS) Under Siege by Russian Threat Actors

What Occurred?

The NHS (National Health Service) in the UK is investigating a ransomware attack and the subsequent leak of patient data. The attack was executed three weeks ago against Synnovis, a pathology provider that processes blood tests for NHS trusts and GP services in south-east London. After encrypting Synnovis systems, the presumed Russia-linked ransomware group Qilin published 104 stolen files, almost 400GB compressed, on its darknet leak site and Telegram channel; the files contain patient names, dates of birth, NHS numbers and descriptions of blood tests. The disruption to patient care has been severe. Synnovis is a partnership between SYNLAB and two London trusts, and SYNLAB group companies have been hit by ransomware twice before. So far this attack has forced King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust to postpone more than 2,194 outpatient appointments and 1,134 elective procedures (operations), 1,184 of which involved cancer treatment, because blood analysis results could not be obtained from the affected Synnovis facilities.

The Failure of Relying on Zero Trust Alone

Zero Trust is effective at limiting which users can reach which systems and applications, and so at limiting unauthorized access, but it offers little protection once valid credentials have been stolen, and none at all for data it does not know about: unknown data stores, orphaned data, or data left exposed in, for example, a misconfigured S3 bucket. Identity has recently become the central focus of security programmes, but securing the data itself and ensuring privacy is the actual end game.

"These conversations noted that the contractors were repeatedly failing to meet data security standards and could pose a serious cybersecurity risk to London hospitals." – Ikeda, Scott. “Cyber Attack on Synnovis Pathology Lab Traced to Longstanding Known Weaknesses at London Hospitals”, CPO Magazine June 25, 2024


The situation at Synnovis is a textbook example of not having visibility into where sensitive data is kept, how it is accessed, and whether it is protected through encryption or other means. Despite a Zero Trust implementation, Qilin was able to exploit Active Directory to compromise the organization before locating sensitive data to encrypt. Knowing where all the data exists also enables the backup and restoration planning needed to keep business operations running; without that understanding, recent reports suggest that restoring Synnovis services could take several months. Data assets were neither properly identified nor protected, and there appears to have been no effective DR playbook in place to facilitate a swift recovery.

What is Needed to Protect Patient Data and Ensure Continued Operations?

Regulated and mission-critical organizations holding sensitive data and PII need a data security solution that eliminates as much risk as possible and gives them simple, efficient ways to find and fix data security issues before they lead to business disruption or data theft.

To reduce both the likelihood and the impact of a ransomware attack, organizations need to:

  • Maintain a real-time inventory of their data store assets and keep it updated.
  • See where ALL confidential data is stored and protect it, which also enables proper planning of backups and recovery to reduce the impact of an incident such as a ransomware attack.
  • Classify data and data stores according to their classification policy and establish the ownership (or lack of it) of each data store.
  • Fully understand data risk and continuously assess data for exposure in real time.
  • Take remediation actions that are quick, efficient and do not require large third-party investments. This includes encrypting sensitive data, with keys managed separately from the data they protect, so that a threat actor who reaches the store cannot read or monetize its contents.
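As an added illustration of the inventory and classification steps above (example code written for this page, not Borneo's product or anything from Synnovis's environment), the Python below scans constructed content samples from three hypothetical data stores for NHS numbers, validates each candidate with the NHS Modulus 11 check digit so that arbitrary ten-digit strings are not flagged, classifies each store, and reports the two risks the list calls out: patient-identifiable data that is not encrypted at rest, and patient data sitting in a store with no owner. Store names, owners and record contents are all constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate NHS numbers: 10 digits, optionally written as 3-3-4 groups.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_check_digit_valid(number: str) -> bool:
    """NHS Modulus 11 check: weight the first nine digits 10..2, sum them,
    take 11 minus (sum mod 11); a result of 11 means 0, and a result of 10
    means the number cannot be valid. The result must equal the tenth digit."""
    if len(number) != 10 or not number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(number[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(number[9])


def find_nhs_numbers(text: str) -> List[str]:
    """Return the check-digit-valid NHS numbers found in a text sample."""
    found = []
    for match in NHS_NUMBER_RE.finditer(text):
        candidate = "".join(match.groups())
        if nhs_check_digit_valid(candidate):
            found.append(candidate)
    return found


@dataclass
class DataStore:
    name: str                 # hypothetical store name
    owner: Optional[str]      # None models an orphaned store
    encrypted_at_rest: bool
    sample: str               # constructed content sample


@dataclass
class Finding:
    store: str
    classification: str
    nhs_numbers: int
    risks: List[str]


def classify_store(store: DataStore) -> Finding:
    """Classify one store and list the data-security risks it carries."""
    numbers = find_nhs_numbers(store.sample)
    classification = "PATIENT_IDENTIFIABLE" if numbers else "NON_SENSITIVE"
    risks = []
    if numbers:
        if not store.encrypted_at_rest:
            risks.append("patient data not encrypted at rest")
        if store.owner is None:
            risks.append("orphaned store: nobody to approve access or plan backups")
    return Finding(store.name, classification, len(numbers), risks)


def inventory(stores: List[DataStore]) -> List[Finding]:
    return [classify_store(s) for s in stores]


# Constructed samples. 943 476 5919 and 401 023 2137 pass the Modulus 11
# check; 1234567890 and 0770090012 look like NHS numbers but fail it.
SAMPLE_STORES = [
    DataStore("lims-results-db", "pathology-it", True,
              "Patient J Smith, NHS 943 476 5919, FBC ordered 2024-06-01\n"
              "Patient A Khan, NHS 401 023 2137, U&E ordered 2024-06-02"),
    DataStore("legacy-export-share", None, False,
              "9434765919,1980-01-01,HbA1c,42\n1234567890,1975-05-05,LFT,pending"),
    DataStore("building-sensor-logs", "facilities", False,
              "2024-06-03T09:00Z temp=21.5 sensor=0770090012"),
]

if __name__ == "__main__":
    for f in inventory(SAMPLE_STORES):
        print(f"{f.store}: {f.classification}, {f.nhs_numbers} NHS number(s)")
        for r in f.risks:
            print(f"  risk: {r}")
```

The check-digit step matters in practice: a regex alone would flag the sensor identifier and the malformed export row as patient data, inflating the inventory with false positives that nobody then acts on. In a real deployment the `sample` field would be replaced by sampled reads from each store, and the findings fed into the remediation actions described above.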

With these measures in place, Synnovis would have been in a far better position not only to stop the attack from succeeding but also to prevent the exposure and publication of patient data, and it could have recovered from the disruption within days rather than months. To learn more about how Borneo goes beyond current solutions to help you fix, and thereby eliminate, your data security risks, contact us at info@borneo.io or visit our website at https://www.borneo.io.