The vulnerabilities in London hospitals were known for years before the cyber attack
Five London hospitals had to cancel operations and divert incoming ambulances following a cyber attack against Guy’s and St Thomas’ NHS Foundation Trust in June 2024
Since then, hundreds of operations have been postponed or rescheduled, and the NHS has called on O-negative blood donors to donate nationwide.
It has now emerged that the affected hospitals had been aware of the vulnerabilities exploited by the hackers for years, according to documents reviewed by Bloomberg News have found.
Vulnerabilities that have been known for years
According to the documents, which contain publicly available information about board meetings, Guy’s and St Thomas NHS Foundation Trust frequently failed to meet data security standards, with the board questioning the risks for the IT systems of hospitals and their external parties. supply chain only in January 2024.
In the attack, which took place in early June, the attackers hit Synnovis, the trust’s pathology services provider, forcing hospitals to rely on handwritten data and postpone a range of medical procedures.
In meeting minutes, the board has continued a number of IT modernization programs to boost the trusts’ cyber security capabilities, with a meeting in January this year praising that the IT infrastructure within the trust was “configured to a good standard “, but concerns continued to be made about third-party interfaces, including Synnovis.
The attack is attributed to a Russian ransomware group identified as Qilin, which has emerged as a cross-industry ransomware threat since 2022. Hospitals are increasingly becoming a favorite target for rogue gangs thanks to their sensitive medical data and extensive third-party equipment. providers, which offer a large attack surface.
Mark Dollar, CEO of Synnovis, said of the attack: “We take cyber security very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as secure as possible. This is a stark reminder that these types of attacks can happen to anyone at any time and that, dishearteningly, the individuals behind them have no compunction about the consequences of their actions.”