11. Create a post mortem report of an incident (AC 3.4)

I will base my post mortem report on the attack on an NHS partner (fun fact: I'm currently writing this from an NHS hospital).

Executive summary

On 3 June, Synnovis, a pathology laboratory, was the victim of a ransomware attack. The attack has damaged some of the systems essential to running blood tests in south-east London. It is confirmed that data has been stolen from our systems. Full technical restoration will take time, and patients will need to re-book tests and appointments in the coming months.

Section one - Causality - Understanding the attack

Almost all Synnovis IT systems were affected by this attack. Many of our processes have had to revert to paper and manual handling rather than electronic, which has significantly affected capacity and delivery timeframes. The investigation into the attack and any possible impact to data continues. The nature of ransomware is that our data has now been published. Some of the information may contain personal data such as names, NHS numbers and test codes. Synnovis personnel files and payroll information were not published, but analysis is ongoing to review the published data relating to our employees. The format and nature of what has been published makes it complex to interpret. It will take some time to conduct a comprehensive analysis in order to identify the full nature of the impacted data, organisations and individuals.

Section two - Impact

The affected sites and services include:
- Guy's and St Thomas' NHS Foundation Trust (GSTT)
- King's College Hospital NHS Foundation Trust (KCH)
- South London and Maudsley NHS Foundation Trust (SLAM)
- Lewisham and Greenwich NHS Foundation Trust
- Oxleas NHS Foundation Trust (district nursing)
- Bromley Healthcare
- Primary care services in Southwark, Lambeth, Bexley, Greenwich, Lewisham and Bromley

Synnovis also provides specialist tests for other hospitals in the country; however, the service impact remains in south-east London. The financial impact of this ransomware attack led to an estimated loss of £32.7m.

Section three - Crisis response and recovery

We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect. The incident was reported to law enforcement and the Information Commissioner, and we are working with the NCSC and the Cyber Operations Team. We have sent a leaflet to 150,000 patients advising them to assume their data has been published and explaining how to protect themselves. We have taken steps to further secure our infrastructure and implement operational mitigations for partners. These have included, but are not limited to:
- Working with a taskforce of IT experts from Synnovis and the NHS, together with third-party advisers
- Standing up new data centre infrastructure
- Resetting all service platform passwords and expiring MFA tokens

Section four - Technology infrastructure

Even though our systems were of a high standard, the attackers still managed to get through our defences. Our systems grew organically instead of following a grand design. This means that systems and databases were added on top of existing systems. This, together with insufficient MFA coverage and weak passwords, allowed the attackers to get much further into our systems.

Section five - Future risk assessment

Synnovis will be at increased risk of cyber-attack going forward, because a successful attack can encourage opportunistic attackers to take advantage of either the disruption or the rebuild phase. Our well-funded technology department did everything right before the incident, and now, after the attack, we pledge to allocate even more funding to this crucial department. Despite this, the healthcare sector is under constant cyber attack, especially from ransomware groups.

Section six - Learning lessons from the attack

Sector-wide lessons: the attack we faced can and very likely will happen to many of our dear friends in the health sector. It's essential that we all strive towards cyber resilience. What we're going to do going forward, and what we recommend any organisation do as well:
- Enhance network monitoring capabilities
- Retain on-call external security expertise
- Fully implement MFA
- Enhance intrusion response processes
- Implement network segmentation
- Practice comprehensive business continuity plans
- Proactively manage staff and user wellbeing
