
expert reaction to cyber-attack on major London hospitals

Scientists react to news of a cyber attack on London hospitals. 

 

Professor John Clark, Professor of Computer and Information Security at the University of Sheffield, said: 

“The attack has been reported as a ransomware attack, i.e. someone is demanding money to undo the current blocks to data and services. However, the exact nature by which the Synnovis system was initially penetrated is unclear. It is critical to understand this because otherwise, after the system has been ‘cleaned’, the attackers could simply re-penetrate (though such efforts would be subject to highly intense monitoring).   

“Patient safety is of paramount concern and the accuracy of results is essential, so it is important to stress that unless it is known what has happened to the system, the accuracy of any stored data cannot be ensured. Determining whether stored data has been manipulated may simply not be possible and tests may have to be rerun and results re-recorded.

“As far as we know only Synnovis is a direct target and current reports suggest that NHS systems more generally are affected only in that they cannot access online IT services that Synnovis provides (e.g. access to results). If so, this is encouraging in that containment (i.e. stopping the spread of problems to other systems) is far easier than might have been the case: compare with the 2017 WannaCry ransomware attack, in which malware spread to and disrupted virtually every NHS trust across the UK.

“NHS and Synnovis cyber-experts are on the case and the National Computer Security Centre (NCSC) are assisting. External experts will have to get to grips with the detailed operation of Synnovis’ systems to determine the ‘lie of the land’, understanding technically what has happened as a precursor to deciding what to do about it. The degree of sophistication exhibited by the attackers will determine just how difficult this task is. Sophisticated attackers can hide their tracks to a very considerable extent.

“The attack is a specific instance of a much more general concern in UK government agencies about supply chain vulnerability across many sectors. Many services are outsourced by government agencies, including the NHS. Connectivity with such external systems radically increases the number of entry points for attack on services provision and the systems that combine to provide them. 

“The range of service targets is wide too: denial of access to blood analysis services is obviously critical and disruptive, but disrupting more mundane administrative systems, such as appointments booking, can also inflict significant damage (both in the near and longer-term).

“The attack seems to be straightforward extortion, with a Russian group – Qilin – implicated by the NCSC. However, the possibility that such capability could find itself at the disposal of unfriendly governments with wider disruptive aims will not be lost on cybersecurity experts or the UK government.”

 

Dr Christian Schroeder de Witt, Postdoctoral Research Assistant in Artificial Intelligence, University of Oxford, said:

“I think it would be good if journalists could prepare the public for the possibility of such incidents occurring increasingly frequently ahead of the elections. While we do not yet seem to know who is behind these specific attacks, we do know that ransomware attacks on critical infrastructure such as hospitals are part of the playbook of hybrid warfare. 

“This is not saying this is necessarily such an incident – criminals, or nation states seeking illicit funding streams are also increasingly crossing the bar to ransomware attacks on hospitals or other critical infrastructure and there is sometimes also accidental mistargeting, but remaining conscious of the current geopolitical reality, specifically the UK’s rightful opposition to Russia’s invasion of Ukraine, may be helpful. 

“It remains essential for the public to keep calm and carry on while recovery efforts are underway – the UK is overall well-prepared and has ample resources to deal with such incidents, despite opportunities for further improvement. Having said this, it remains to be hoped that the current interruptions do not result in loss of life and other harm.”

 

Steve Sands, of BCS, The Chartered Institute for IT, and a cyber security expert said:

“This incident reminds us that the ransomware threat is now an ever-present danger to critical institutions from schools to hospitals; it should be among the highest risks on the register.

“Of course, the perpetrators have no conscience, and they will attack any organisation whose cyber defences are not sufficiently robust. We need to ensure that all public sector organisations have contingency plans in place to manage cyber-attacks, that staff are regularly trained on risk and there is sufficient investment in software resilience. Whoever forms the next government needs to make sure the NHS has this resource and that it is spent correctly, to ensure that lives are not put at risk.”

 

Professor Awais Rashid, head of Bristol Cyber Security Group at the University of Bristol, said:

“Digital infrastructures on which critical services, such as those provided by the NHS, rely are often a complex combination of many different systems and third-party service providers. Hence, cyber-attacks can have significant and substantial cascading impacts as we are seeing in this unfolding situation where critical health services are being impacted.

“There are myriad intersections of complex technology stacks and software and service supply chains. Attackers are increasingly targeting these elements leading to wide ranging disruptions to key societal functions.

“We need ways to ensure that critical services such as healthcare continue to operate safely and reliably even when parts of the infrastructure are under attack or compromised.”

 

 

Declared interests

Dr Christian Schroeder de Witt: I am volunteering on the Board of SimPPL (SimPPL.org); apart from that I am an employee of the University of Oxford.

Steve Sands: No conflicts of interest to declare.

Professor Awais Rashid: No conflicts of interest to declare. I am a researcher in cyber security and undertake UKRI-funded research on cyber security of critical infrastructure if you need it for transparency. I do not have any relationship with the NHS or Synnovis.
