Pathology Ransomware Attack

With Guy’s (and their Synnovis software partnership with Synlab) affected by the Pathology ransomware this week, just a reminder of the standard first actions for malware:

  • PACS Managers look to intensively monitor their systems for abnormal signs. When a linked infection in the NHS connected estate is found, this would usually be on a rolling or 24/7 basis as per local policies.
  • Superintendents / area leads who notice suspicious or unusual activity on workstations, CT scanners etc., should be briefed to disconnect the affected device from the network (pull the network cable out) and contact the PACS Manager.
  • All departmental staff should urgently review their malware response SOP for the department concerned.
  • Temporary local area network kits should be checked that all parts are working and ready in case deployment is needed to replace a compromised or disabled hospital network.

Fingers crossed this has now been contained to the affected services and hats off to those working to reverse the damages!

Al.


Unfortunately, the patient data involved has now been published as a result of this attack:

This is being quite heavily covered by the media, but buried in all the ‘interviews’ via Telegram, the group responsible has advised they are actively targeting further healthcare sites in the UK, and it is likely to continue work on other Pathology sites with similar vulnerabilities.

As a summary of the (many) advice notes given over the past week by the various bodies and the usual warnings issued by the National Cyber Security Centre, Radiology staff should be particularly aware to:

  1. check for any otherwise unaudited ‘personal’ archives by imaging staff (e.g. NAS boxes running open source PACS for teaching or research purposes, connected to CT / MR scanners, research depts., or in offices on the network more generally);
  2. ensure RIS systems and their backups are monitored for wholesale data exfiltration (i.e. being copied)

Cloud based systems at the moment are quite vulnerable as they generally fall between the gap of supplier and site based monitoring responsibility.

Al.
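As an added illustration of point 2 above (not part of Al.'s post, and not any NHS or supplier tooling), the script below shows one way a PACS Manager might baseline outbound traffic from RIS and archive hosts and flag a day that looks like wholesale copying. The host names, destination addresses and flow records are all constructed for the example; a real deployment would feed it from firewall, NetFlow or proxy logs. It uses a per-host median baseline rather than a single fixed threshold so that a backup server that legitimately ships tens of gigabytes every night does not drown out a database server that suddenly sends twenty times its normal volume to an address nobody has approved.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real data): (day, source host, destination, bytes sent).
# ris-db-01 normally sends ~2 GB/day to its reporting replica; on 2024-06-05 it also
# sends 40 GB to an address outside the approved list (203.0.113.45 is a documentation range).
# pacs-archive-01 legitimately sends ~50 GB/day to the off-site backup target.
SAMPLE_FLOWS = [
    ("2024-06-01", "ris-db-01", "10.0.5.20", 2_000_000_000),
    ("2024-06-02", "ris-db-01", "10.0.5.20", 2_100_000_000),
    ("2024-06-03", "ris-db-01", "10.0.5.20", 1_900_000_000),
    ("2024-06-04", "ris-db-01", "10.0.5.20", 2_200_000_000),
    ("2024-06-05", "ris-db-01", "10.0.5.20", 2_000_000_000),
    ("2024-06-05", "ris-db-01", "203.0.113.45", 40_000_000_000),
    ("2024-06-01", "pacs-archive-01", "10.0.5.30", 50_000_000_000),
    ("2024-06-02", "pacs-archive-01", "10.0.5.30", 51_000_000_000),
    ("2024-06-03", "pacs-archive-01", "10.0.5.30", 49_000_000_000),
    ("2024-06-04", "pacs-archive-01", "10.0.5.30", 50_000_000_000),
    ("2024-06-05", "pacs-archive-01", "10.0.5.30", 52_000_000_000),
]

# Hypothetical allow-list of destinations that RIS/PACS hosts are expected to send bulk data to
# (reporting replica and off-site backup target). Anything else is worth a look.
ALLOWED_DESTINATIONS = {"10.0.5.20", "10.0.5.30"}


def daily_outbound(flows):
    """Sum bytes sent per (host, day) across all destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_exfiltration(flows, factor=5.0, min_bytes=10_000_000_000):
    """Return (host, day, bytes, baseline) for days where a host sent more than
    `factor` times the median of its other days AND more than `min_bytes`.

    The absolute floor stops tiny hosts alerting on noise; the relative factor stops
    a busy backup server from alerting on a normal night.
    """
    alerts = []
    for host, per_day in daily_outbound(flows).items():
        for day, nbytes in per_day.items():
            others = [b for d, b in per_day.items() if d != day]
            if not others:  # no history to compare against yet
                continue
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts


def unexpected_destinations(flows, allowed):
    """Return flows whose destination is not on the approved bulk-transfer list."""
    return [(day, host, dst, nbytes) for day, host, dst, nbytes in flows if dst not in allowed]


if __name__ == "__main__":
    for host, day, nbytes, baseline in find_exfiltration(SAMPLE_FLOWS):
        print(f"VOLUME ALERT {host} {day}: {nbytes/1e9:.1f} GB sent, baseline {baseline/1e9:.2f} GB")
    for day, host, dst, nbytes in unexpected_destinations(SAMPLE_FLOWS, ALLOWED_DESTINATIONS):
        print(f"DESTINATION ALERT {host} {day}: {nbytes/1e9:.1f} GB to unapproved {dst}")
```

Run daily against the previous week's flow summaries; the two checks are deliberately independent, since a large copy to an approved address (a compromised backup target, say) would only trip the volume check, while a small but steady trickle to an unapproved address would only trip the destination check.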