Most patient services are online after the Synnovis attack

The NHS said in a statement on Friday that despite most affected IT systems having been brought back online, it expects it will take “some time” to replenish supplies of O-type blood (see: British blood supply plummets after ransomware hack).

“One of the final pieces of the puzzle was reconnecting the IT systems of the blood transfusion laboratories. “The attack meant the affected trusts could not carry out ‘cross-matching’ for blood transfusions and therefore had to use type O blood, that’s for sure,” the NHS said.

“This in turn has contributed to a nationwide shortage of O-type blood supplies. The yellow warning for blood supplies remains in place and new and existing O-negative blood donors and blood donors of black heritage continue to be encouraged to come forward and donate,” NHS said.

The attack and recovery in June forced the postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the worst affected trusts: King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust in London, NHS said (see: Attack by a British provider disrupts care in London’s NHS hospitals).

“The trusts are now able to issue all blood group products for transfusions again. While some important administrative work still remains, the further impact on patient care will be minimal.”

Russian-speaking ransomware group Qilin claimed responsibility for the attack on Synnovis, which describes itself as a pathology partnership between the NHS trusts and SYNLAB, Europe’s largest provider of medical tests and diagnostics. Synnovis provides services to the NHS, clinical users and other service users. (see: The Qilin RaaS Group is suspected to be behind Synnovis and the NHS attack).

Synnovis did not immediately respond to Information Security Media Group’s request for comment on the incident, details of operations still affected and an expected timeline for a full IT recovery.

In the NHS statement, Synnovis CEO Mark Dollar said reconnecting its blood transfusion laboratory’s IT systems was “a significant milestone” in the provider’s turnaround program.

“Restoring this particular system required intensive effort from experts at Synnovis, the NHS and suppliers,” he said.

“Thanks to the efforts of these and many others, this first phase of our recovery plan is now complete and service users have access to almost all services that were available before the cyberattack,” he said.

Dollar said the company still needs to restore some business IT systems, but “we now see light at the end of this tunnel.”

Long recovery periods

“The time it takes to recover from a ransomware attack is steadily increasing in healthcare,” said Jon Moore, chief risk officer at security and privacy consulting firm Clearwater. “Recent research shows that 36% of healthcare organizations need at least a month to fully recover from an attack, with many trending towards two to three months or longer,” he said.

Longer recovery times increase the need for healthcare organizations to conduct business impact analysis to develop a thorough understanding of how operations will be impacted if a feature or process is unavailable, Moore said.

“They need to assess their maximum allowable downtime (MAD) to quantify how quickly a business process needs to recover during an attack,” he said. “Your MAD may be affected by factors such as your ability to provide an appropriate level of service through alternative means, financial impact and other intangible impacts such as loss of patient or customer trust.”

The Synnovis attack was one of several devastating cyber incidents worldwide in recent months involving third-party blood organizations.

In addition to the Synnovis attack, OneBlood, a nonprofit blood donation center that serves about 350 hospitals in the southeastern United States, also fell victim to ransomware in July, which followed an attack in April on Octapharma Plasma, the U.S. operation of a Swiss drugmaker that almost 200 blood plasma donation centers were closed for several days.

The incidents prompted the American Hospital Association and the Health Information Sharing and Analysis Center in July to issue a joint health sector warning about cyber threats to the medical blood supply chain (see: Attacks on blood suppliers trigger a warning in the supply chain).

The ransomware attack on UnitedHealth Group’s IT services unit Change Healthcare was the most devastating of all third-party hacks in the U.S. healthcare sector so far this year.

The attack halted payment processing and other critical functions for thousands of healthcare organizations for many weeks, resulting in a data breach potentially affecting several million patients.