The Cybersecurity and Resilience Bill: what you need to know

The ransomware attack on Synnovis in June 2024 exposed critical vulnerabilities in NHS cyber resilience, disrupting patient care and highlighting the growing threat to UK public services. As cyberattacks escalate, the government is responding with the Cyber Security and Resilience Bill.

On 3rd June 2024, several NHS organisations, primarily based in South East London, were affected by a ransomware attack. Synnovis, a pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, was hit by the ransomware attack, which stole data and halted blood tests in South East London. The Russian group Qilin later published almost 400GB of data stolen from Synnovis.

More than 11,000 hospital appointments, GP appointments and elective treatments were disrupted by the attack. The stolen data included patient names, dates of birth, NHS numbers and descriptions of blood tests. One patient died unexpectedly during the attack, a death later linked to the long wait for a blood test result. The Health Service Journal additionally reported almost 600 “incidents” linked to the attack, with patient care suffering in 170 of these.

This cyberattack on the NHS has not been the first and will not be the last. In 2017, the NHS was one of several victims of a global ransomware attack known as ‘WannaCry’, which targeted computers running Windows by spreading a self-replicating worm that encrypted data and demanded ransom payments in the Bitcoin cryptocurrency. The attack disrupted over a third of England’s NHS trusts, cancelling over 6,900 NHS appointments, and costing the NHS around £92 million.

Critically, WannaCry’s effect on the NHS also had political implications. Many NHS trusts were using computers running Windows XP, an operating system first released in 2001 that Microsoft stopped supporting in 2014; the government had also stopped paying for an extended cybersecurity support package for it in 2015. This led to a Guardian article in 2017 entitled: ‘The ransomware attack is all about the insufficient funding of the NHS’. Then-health secretary Jeremy Hunt was accused of refusing to act on a critical note from Microsoft, the National Cyber Security Centre and the National Crime Agency that might have been able to prevent the attack.

Following the attack, NHS Digital refused to foot the £1 billion bill to meet the Cyber Essentials Plus standard, a certification showing that an organisation has baseline cyber security protections in place. The WannaCry ransomware attack revealed critical holes in the NHS’s cybersecurity and underlined the need for adequate government investment in cyber protection.

Security of Network and Information Systems Regulations

In 2018, the Security of Network and Information Systems Regulations (NIS Regulations) were introduced, providing legal measures to raise the overall level of security of the network and information systems underpinning both digital and essential services. These regulations currently cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services such as online marketplaces, online search engines and cloud computing services. Twelve regulators are responsible for implementing them.

As part of the £2.6 billion 2022 National Cyber Strategy under the Johnson Conservative government, two Post-Implementation Reviews, in 2020 and 2022, found that these regulations, although promoting positive change, were neither thorough nor extensive enough.

Following a 2022 consultation, several recommendations on the NIS Regulations were made, including giving the government power to amend the regulations in future to ensure they remain effective, and improving cyber incident reporting to regulators. These changes, along with several others, were implemented under the Sunak Conservative government. Starmer’s Bill, set to be introduced to Parliament this year, builds on the NIS Regulations.

Cyber Security and Resilience Bill

First announced as part of the King’s Speech last July, the Bill will modernise the NIS Regulations to keep pace with rising cybersecurity threats. The current NIS Regulations, inherited from EU law, have now been superseded in the EU and require an urgent update if the UK wishes to ensure that its infrastructure and economy are not comparatively more vulnerable.

The Bill makes changes to existing regulations, such as expanding their remit to protect more digital services and supply chains, which are an increasingly common entry point for would-be attackers. The Bill attempts to fill a gap in defences to prevent attacks like last year’s ransomware attack on public health services.

Additionally, the Bill would ensure that regulators are able to implement essential cyber safety measures, including a potential cost-recovery mechanism to provide resources to regulators and powers to investigate potential vulnerabilities before they escalate.

The Bill will also require organisations to report incidents, giving the government better data on cyber attacks, including where a company has been held to ransom. By expanding the type and nature of incidents that regulated entities must report, this is intended to improve understanding of the threats and provide early warning of potential attacks.

The importance of cyber security

The tighter measures are intended to defend the public sector from a rapidly shifting cyber landscape, in which cyber criminals continue to advance their technologies and improve the effectiveness of their strategies. Cyber attacks, or attempted cyber attacks, are rife: the 2024 Cyber Security Breaches Survey revealed that half of the participating businesses reported some form of cyber security breach in the past twelve months. Beyond the NHS, the Ministry of Defence, Leicester City Council and the Post Office have all suffered cyber breaches with severe consequences within the last few years.

Cyber security, quite critically for the government, enables prosperity and growth by allowing businesses to expand and attract investment. In 2024, Howden found that cyber attacks had cost UK business £44 billion over the previous five years, with half of UK businesses (52 per cent) having experienced at least one cyber attack in that period.

Peter Kyle, Secretary of State for Science, Innovation and Technology, said:

“At the core of our proposals is this government’s number one mission: economic growth. Growth is the only route to creating new jobs and putting more money in working people’s pockets. But there is no growth without stability. By securing the digital infrastructure upon which a growing number of our businesses depend, we can deliver the stability they need to innovate and invest.

“Every business I have spoken to has said the same thing: we need agile, pro-innovation regulation that is designed for the digital world we live in. Change has never been needed more.

“Together, we can grow our economy, rebuild our public services, and deliver a more secure, resilient and prosperous digital future for Britain.”

www.gov.uk/government/collections/cyber-security-and-resilience-bill