Ransomware: A Life and Death Form of Cybercrime


Vulnerable to disruption: St Thomas' Hospital in London was one of those affected by the recent ransomware attack. Image: Justin Kase z12z / Alamy


An ongoing ransomware attack against an NHS supplier highlights the vulnerability of health services in the age of organised cybercrime.

On 3 June, Synnovis, a provider of pathology services to the NHS in London, detected a ransomware attack. Since then, the attack has caused significant disruption to patient services at six NHS trusts and a number of primary care practices in southeast London. Among the services most disrupted are those involving blood tests and transfusions, which are essential components of emergency and elective procedures. Without access to digital pathology systems, hospitals have been forced to reduce the number of tests taking place and revert to a simpler but lengthier testing process.

The harm caused by the attack has rippled out throughout London’s healthcare services. Cancer care and emergency care have both been negatively impacted, with thousands of operations and appointments cancelled and slower processes exacerbating ambulance waits outside emergency departments. These delays have in turn created more pressure on community services, such as GPs and mental health services.

At the national level, the NHS has issued a call for O-type blood donations to meet shortfalls caused by the attack. Giving someone the wrong blood type can be fatal. As affected NHS trusts are unable to match blood at the same frequency as usual, hospitals are being forced to use even more precious ‘O negative’ blood, which can be given without additional testing in emergencies due to its wide compatibility with other blood types. Although only 8% of people have O-negative blood, it makes up 13% of requests from hospitals. The blood drive in response to the attack has rapidly become a necessity, as blood holdings are tightly aligned with demand given that blood expires quickly, and a 5 June warning from NHS Blood and Transplant highlighted that stocks were already lower than normal before the incident due to school and bank holidays. Not for the first time, a serious ransomware attack has become a potential matter of life and death.

Known Impacts: Cascading Harms to Patients, Hospitals and the Nation

The far-ranging impact of the Synnovis incident helps illustrate how ransomware causes cascading harms that may begin with a technical system or service, but ultimately affect individual patients, staff and even national healthcare provision. The reality of the current ransomware epidemic means that this attack is merely the latest example of its pernicious impact on healthcare services.

Disruptions and delays to elective and emergency services have become increasingly normalised. During the ransomware attack against the Irish Health Service Executive (HSE) in 2021, radiation therapy stopped at five centres, while 513 patients had their cancer treatment disrupted. As a joint RUSI–University of Kent 2023 study of ransomware harms showed, this was merely one of the many harms that HSE patients experienced following the attack (see image below).

Figure 1: Harm model for ransomware attack against HSE, 2021

In other cases, ransomware attacks have caused emergency services to be diverted to neighbouring hospitals; in critical care services, where minutes or hours can determine whether a patient lives or dies, these kinds of diversions have the potential to reduce survivability and recovery. Research published in a medical journal also found that ransomware attacks increase pressure on the emergency departments of neighbouring hospitals.

As demonstrated by the current loss of access to digital pathology records in NHS trusts, disruptions to electronic health records can have a negative impact on patient care even if mission critical systems are still operational. Shifting to pen and paper reduces the productivity of doctors and nurses and increases the risk of error. Recent CNN reporting on an ongoing ransomware incident affecting a major US hospital network, for instance, highlighted one nurse’s fears about ‘how many safety guardrails [have been] out of service without any computers’. In the longer term, patients whose health records inform choices about their treatment may receive less effective care if those records are inaccessible, corrupted or incomplete.

Unknown Impacts: Is Ransomware Killing People?

While there is widespread agreement that ransomware is harming patients, proving causality between attacks and deaths at affected hospitals is much more contentious. In September 2020, there was intense speculation that a ransomware attack against a hospital in Düsseldorf had directly caused the death of a patient from an aortic aneurism, by causing her to be diverted to another emergency department more than an hour away. However, local prosecutors ultimately concluded they could not prove causality.

Several studies and surveys have also argued that there is a link between ransomware incidents and excess deaths. A 2023 paper by researchers at the University of Minnesota’s School of Public Health found that between 2016 and 2021, between 42 and 67 US Medicare patients died as a result of ransomware incidents. However, at the time of writing it is yet to be published by a peer-reviewed journal, and other researchers have questioned whether the findings are statistically significant.


This does not rule out the possibility that ransomware is contributing to deaths at affected hospitals – logically, it seems likely that it is given the delays and disruptions it creates – but rather emphasises the need to improve the collection and analysis of data that can help inform such assessments. Convincingly evidencing a link between ransomware and deaths may also be important for motivating political action.

Why is Healthcare Vulnerable?

While some ransomware operators purport to follow ‘ethical codes’ and rule out attacks on critical national infrastructure (CNI) and healthcare facilities, this is not the norm. Additionally, given the interconnected nature of supply chains, it is possible that ransomware operators may inadvertently trigger a crisis in the healthcare sector by attacking lynchpin systems or services. Other ransomware operators will be driven by a pure cost-benefit analysis, aiming for the most lucrative potential pay-out for the least required effort. In fact, some ransomware operators – such as BlackCat – have seemingly pivoted to focusing a greater concentration of their attacks on healthcare services. A recent Sophos State of Ransomware report highlighted that the ransomware incidence rate in the healthcare sector had increased and that among those paying a ransom, healthcare was one of the sectors where victim organisations were most likely to pay more than the original ransom demand.

Unfortunately, there are a range of factors that may make healthcare services a particularly attractive target. Operating in contexts that may be life-and-death, healthcare services are especially vulnerable to business interruption, even if it is not prolonged. Additionally, healthcare services are likely to hold highly sensitive personal data relating to patients. This is compounded by a cocktail of structural challenges, including a historical cyber security debt, a reliance on IT infrastructure built by a number of (often lowest bid) contractors in piecemeal fashion, and a reliance on the cumulative hardware and software of third party suppliers. In this context, ransomware is one digital risk among many others, both mundane and adversarial. Moderate and severe system issues in a typical hospital may occur as often as every three days.

Taking Stock and Looking Ahead

Our immediate thoughts and concerns turn to the patients and staff who are seriously impacted by the Synnovis attack. Nonetheless, the humbling seriousness of this breach reinforces the reality that ransomware can cause whole-of-society harms.

Given the dynamic nature of cyber security risks, the endeavour to raise cyber resiliency in the healthcare sector should be viewed as an evolutionary process. The UK government’s 2022–2030 Government Cyber Security Strategy recognised the challenge and outlined the ambition to improve preventative and reactive measures. However, with the societally disruptive Synnovis attack occurring in the midst of a general election campaign, there may be an opportunity for politicians to consolidate the framing of ransomware as a core national security threat.


Given the scope for lives to be put at risk, is it possible – and palatable – to juxtapose ransomware against other national security threats, such as terrorism? Two and a half weeks before polling day in 2017, the Manchester Arena terrorist incident resulted in the deaths of 22 people and an immediate shift in the election debate. The attack also prompted longer-term reflection through a formal inquiry.

While the terrorism comparison is imperfect, it is of note that ransomware groups – and ‘lone actors’ – typically act clandestinely with the tacit cover of adversarial foreign countries. Ransomware operators profit financially from the destruction that they wreak on lives and livelihoods. At the same time, the West’s primary adversaries – chiefly Russia, Iran and North Korea – reap strategic benefits. Suffering a ‘death by a thousand cuts’, Western states experience a range of ailments including reduced economic productivity and diminished trust in societal services. Again, seen in this light, healthcare services may be a particularly attractive target offering potentially immediate public-facing disruption – a contemporary ‘testicle of the West’.

Healthcare is vulnerable to simultaneous ‘vectors of attack’ in the context of state, terrorist or criminal group attacks on critical national infrastructure (CNI). Ransomware can paralyse key processes, making the service less efficient and more costly to run. At the same time, being a universal human concern, health is extremely sensitive to misinformation (as seen in the antivax arguments around COVID-19). In the case of Synnovis, uncertainty in pathology services could reduce confidence in the blood system (and so potentially reduce donations), especially at a time when blood-related scandals are in the news. At the other end of the spectrum, lack of confidence in services and misinformation can increase demand on the same compromised laboratory services by increasing health anxiety, thus feeding health-seeking behaviours. This combination of reduced supply, increased demand and degraded system performance could be catastrophic if brought about in a coordinated manner, especially if combined with economic and supply chain complications. Health needs to be recognised as a specific high-risk CNI, and its cyber security needs to extend beyond ‘simple’ episodic criminal threats to include countering systematic attacks.

Improving cyber security across CNI and societal services is paramount, but target-hardening will not solve this issue without altering the risk calculus for the perpetrators. Notwithstanding the success of recent takedown operations and sanctions, criminal ransomware groups continue to act with relative impunity, and the ‘thousand cuts’ continue to fester.

Now more than ever, it is time to ‘talk about ransomware’ and to acknowledge the risk that insufficient action not only fosters ‘normalisation of the unacceptable’, but also encourages growth and innovation in the ransomware community. There is a risk of collective exposure to an intentionally or inadvertently catastrophic ransomware breach. While an incoming government following the election will undoubtedly have a burgeoning in-tray, serious thought should be given to leveraging action against ransomware. This could include measures that increase the national intelligence picture and concurrently sow disruption and mistrust among ransomware actors.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.



WRITTEN BY

Si Horne

British Army Visiting Fellow

Military Sciences


Dr Gareth Mott

Research Fellow

Cyber


Jamie MacColl

Research Fellow

Cyber


