As I sit here, reflecting on the recent news of the ransomware attack on pathology lab Synnovis, I can’t help but feel a sense of unease wash over me. It’s not just another headline or statistic; this time, it’s a bit more personal.
My neighbour, Oliver Dowson, is one of the many individuals directly affected by this breach, his heart valve replacement surgery postponed indefinitely due to the fallout. The gravity of the situation weighs heavily on my mind, as I consider the far-reaching consequences of this single cybersecurity incident.
Oliver’s story is a reminder that behind every data breach, there are real people whose lives are thrown into turmoil. The stress and uncertainty that come with a postponed medical procedure cannot be overstated. It’s not just the inconvenience of rearranging one’s schedule or the disappointment of a delayed surgery; it’s the constant worry about potential health complications that may arise from the delay. For someone like Oliver, who has likely spent months mentally preparing for this life-altering operation, the emotional toll is immeasurable.
As a cybersecurity professional, I’ve built a career on analysing breaches, dissecting the technical details, and offering insights on how to prevent future incidents. However, Oliver’s situation has forced me to confront the human impact of these attacks in a way I’ve never experienced before. It’s one thing to discuss the importance of data protection and the need for robust cybersecurity measures in abstract terms; it’s another to witness firsthand the pain and frustration of someone whose life has been upended by a breach.
Covering cybersecurity breaches and incidents is my daily bread and butter, but rarely do I come face-to-face with the human impact of these attacks. Oliver’s story brings into sharp focus the real-world consequences of cybercrime – the stress, the uncertainty, and the potential health complications that can arise from delayed medical procedures. It’s a stark reminder that the work we do in the cybersecurity industry is not just about protecting data; it’s about safeguarding the well-being of individuals and communities.
The more I delve into the details of the Synnovis breach, the more I realise that this incident is not an isolated case, but rather a symptom of a larger problem plaguing the healthcare industry. The attack on Synnovis is just one example of how cybercriminals are increasingly targeting healthcare organisations, drawn by the wealth of sensitive data and the potential for significant disruption. In recent years, we’ve seen a surge in ransomware attacks on hospitals, clinics, and other medical facilities, with devastating consequences for patients and healthcare providers alike.
The healthcare sector is particularly vulnerable to cyberattacks due to a combination of factors, including outdated IT infrastructure, a lack of cybersecurity expertise, and the pressing need to prioritise patient care over security concerns. Many healthcare organisations operate on tight budgets, with limited resources to invest in cybersecurity measures. Additionally, the rapid adoption of digital technologies, such as electronic health records and connected medical devices, has expanded the attack surface, providing more opportunities for cybercriminals to exploit vulnerabilities.
According to Check Point Research, in the first three quarters of 2023, there was a 3% uptick in average weekly global cyberattacks compared to the corresponding period in the previous year – not enough to set off alarms. But the attacks in the global healthcare sector outpaced the global average by nearly four times, with an average of 1,613 attacks per week – an 11% year-over-year surge that is still rising.
IBM’s 2023 Cost of a Data Breach Report showed the global average cost of a data breach reached $4.45 million in 2023 – an all-time high for the report and a 15% increase over the last three years. For the healthcare sector, both the rate of increase in cost per attack over the last three years and the average cost of a breach were more than three times higher than the global average for the same period, with the cost per breach in healthcare averaging nearly $11 million, the costliest of all sectors.
As I dig deeper into Synnovis’ history, a troubling pattern emerges. Formerly known as Viapath, the company has a track record of mismanagement and questionable practices. In 2014, leaked internal documents revealed that Viapath had overcharged the NHS by £283,561 over a mere three-month period due to “unreliable” and “materially inaccurate” invoicing and billing systems. Complaints from clinicians also surfaced, highlighting concerns over the company’s policy of employing less experienced and less expensive staff.
This revelation is particularly disturbing, as it suggests a culture of prioritising financial gain over the quality of service and the well-being of patients. The decision to employ less experienced and less expensive staff may have contributed to the company’s vulnerability to cyberattacks, as a lack of skilled personnel can lead to inadequate security measures and a failure to identify and address potential threats.
Fast forward to 2022, and Viapath, now rebranded as Synnovis, experienced an IT outage that impacted genetic testing capabilities. And now, in the wake of this ransomware attack, it appears that the company had no backups or alternative methods to continue operations, leaving patients like Oliver in limbo. This is a damning indictment of Synnovis’ cybersecurity practices and overall management.
The absence of a robust backup and recovery plan is a cardinal sin in the world of cybersecurity. It’s a fundamental principle that organisations should always have multiple copies of their data, stored in separate locations, to ensure business continuity in the event of a breach or system failure. The fact that Synnovis had no such plan in place is a clear indication of a cavalier approach to cybersecurity and a disregard for the potential consequences of a successful attack.
Moreover, the inability to continue operations in the aftermath of the breach suggests a lack of preparedness and resilience… or put in other words, a poor cybersecurity culture. In today’s digital landscape, it’s not enough to simply have cybersecurity measures in place; organisations must also have well-rehearsed incident response plans and the ability to maintain essential functions even in the face of a cyberattack. Synnovis’ failure in this regard has left patients like Oliver bearing the brunt of the company’s shortcomings.
When it comes to cybersecurity, we’re not just protecting data or bits and bytes; we’re protecting people. The consequences of a breach can be far-reaching and devastating, as evidenced by past incidents such as the Ashley Madison data breach or the exposure of users on alternative dating apps in countries with restrictive laws. In these cases, lives were irrevocably altered, and in some instances, even lost.
The Ashley Madison data breach, which occurred in 2015, saw the personal information of millions of users of the infidelity-focused dating site leaked online. The fallout was immense, with reports of suicides, extortion attempts, and the breakdown of marriages and relationships. The breach highlighted the deeply personal nature of the data we entrust to online platforms and the devastating impact that can result when that trust is betrayed.
Similarly, the exposure of users on gay dating apps in countries with restrictive laws against homosexuality has had life-altering consequences for those affected. In some cases, individuals have been arrested, imprisoned, or even subjected to violence and harassment as a result of their sexual orientation being revealed through these breaches. It’s a sobering reminder of the power that data holds and the responsibility that organisations have to protect the privacy and safety of their users.
As I reflect on Oliver’s situation and the broader implications of cybercrime, I can’t help but feel a sense of frustration and helplessness. How many more people will have to suffer before organisations truly grasp the gravity of their responsibilities? How many more lives will be put at risk before we, as a society, demand better from those entrusted with our most sensitive information?
The answer, I believe, lies in fostering a strong cybersecurity culture within organisations. It’s not enough to simply implement technical solutions and hope for the best; we must fundamentally change the way we think about and approach cybersecurity. This means embedding security into every aspect of an organisation’s operations, from the boardroom to the front lines.
Building a strong cybersecurity culture starts with leadership. Executives and decision-makers must prioritise cybersecurity as a strategic imperative, allocating the necessary resources and empowering their teams to make security a top priority. This includes investing in ongoing training and education for employees, as well as establishing clear policies and procedures for handling sensitive data and responding to potential threats.
It also means fostering a culture of transparency and accountability. Organisations must be willing to openly communicate about their cybersecurity practices, both internally and with their customers and stakeholders. They must also be prepared to take responsibility when breaches occur, working swiftly to mitigate the damage and provide support to those affected.
Crucially, building a strong cybersecurity culture requires a shift in mindset from one of compliance to one of continuous improvement. It’s not enough to simply meet the minimum regulatory requirements; organisations must strive to stay ahead of the ever-evolving threat landscape, constantly reassessing and strengthening their defences. This means embracing a proactive, rather than reactive, approach to cybersecurity, and being willing to learn from past incidents and adapt accordingly.
In the healthcare sector, this cultural shift is particularly urgent. The sensitive nature of the data handled by healthcare organisations, coupled with the potential for direct harm to patients in the event of a breach, demands a higher standard of cybersecurity. Healthcare providers must prioritise the protection of patient data and the resilience of their systems, working closely with cybersecurity experts to implement best practices and stay ahead of emerging threats.
This includes investing in modern, secure IT infrastructure, regularly updating and patching systems, and providing comprehensive cybersecurity training for all staff members. It also means establishing robust incident response plans and partnerships with trusted cybersecurity firms to ensure rapid detection and containment of potential breaches.
Beyond the healthcare sector, the need for a strong cybersecurity culture extends to all industries and sectors of society. As our lives become increasingly intertwined with digital technologies, the potential for harm resulting from cybercrime grows exponentially. From financial institutions to government agencies, from schools to small businesses, no organisation is immune to the threat of cyberattacks.
As individuals, we also have a role to play in building a stronger cybersecurity culture. We must educate ourselves about the risks and take steps to protect our own data and devices. This includes using strong, unique passwords, regularly updating our software, and being cautious about the information we share online. We must also hold organisations accountable for their cybersecurity practices, demanding transparency and taking our business elsewhere when companies fail to prioritise the protection of our data.
Ultimately, building a strong cybersecurity culture is a collective responsibility. It requires the commitment and collaboration of individuals, organisations, and governments alike. It demands a willingness to have difficult conversations, to challenge the status quo, and to prioritise the safety and well-being of people over short-term profits or convenience.
As I reflect on Oliver’s situation and the countless others like him who have been impacted by cybercrime, I am reminded of the urgent need for action. We cannot afford to wait for the next headline-grabbing breach or the next heartbreaking story of a life forever changed by a cyberattack. We must act now, with purpose and determination, to build a stronger, more resilient cybersecurity culture.
It means fostering greater collaboration and information sharing between organisations and across borders, to enable a more coordinated and effective response to global cyberthreats. And it means prioritising the development of innovative technologies and approaches to cybersecurity, from artificial intelligence and machine learning to quantum computing and beyond.
Most importantly, it means never losing sight of the human impact of cybercrime. Behind every statistic, every headline, every breach, there are real people whose lives are forever changed. People like Oliver, who are left to grapple with the stress and uncertainty of a postponed medical procedure.
As a society, we owe it to these individuals, and to the countless others whose stories we may never hear, to do better. We owe it to them to build a world in which the protection of people and their data is not an afterthought, but a fundamental priority. A world in which organisations are held accountable for their cybersecurity practices, and in which individuals can trust that their sensitive information will be safeguarded with the utmost care and respect.
It won’t be easy, and it won’t happen overnight. But with commitment, collaboration, and a shared sense of purpose, I believe we can rise to the challenge. We can build a stronger, more resilient cybersecurity culture that prioritises the safety and well-being of people above all else. And in doing so, we can create a digital world that is worthy of the trust and confidence of every individual who interacts with it.
*** This is a Security Bloggers Network syndicated blog from Javvad Malik authored by j4vv4d. Read the original post at: https://javvadmalik.com/2024/07/05/protecting-people-not-just-data/