‘Two-factor authentication may have stopped Synnovis cyber attack’
- 25 September 2024
- Beverley Bryant, strategic advisor in the frontline digitisation team at NHS England, said that the ransomware attack on Synnovis "may not have happened" if two-factor authentication had been in place
- Bryant was chief digital information officer at Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Foundation Trust in June 2024 when Synnovis was targeted
- She said that the NHS and its suppliers need to embrace two-factor authentication to prevent cyber attacks
The cyber attack on pathology provider Synnovis could have been prevented by two-factor authentication, according to Beverley Bryant, strategic advisor in the frontline digitisation team at NHS England.
Speaking at the Health Excellence Through Technology (HETT) conference on 24 September 2024, in a session titled “Best practice in cyber security: Achieving excellence in the health and care sector”, Bryant said that two-factor authentication “is the single biggest deterrent we can put in” to ensure trusts are more cyber resilient and minimise the risk of attack.
Bryant was joint chief digital information officer at Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Foundation Trust in June 2024, when Synnovis was hit by a ransomware attack, which disrupted services in south east London and led to thousands of appointments and operations being postponed.
She described the three months of disruption after the cyber attack as “unbelievable” and said that if two-factor authentication was in place “the cyber attack may not have happened”.
Although Bryant said that clinicians sometimes moan about two-factor authentication, she added that “they soon get over it” and “it’s something we [the NHS] should really push”.
She also said that hospital boards should prepare for potential cyber attacks by planning for three to six months’ down time, including how drug rounds would be run, and what legal and contractual mechanisms would be in place if third party suppliers go down.
Bryant, who will join University Hospitals Dorset NHS Foundation Trust as chief digital officer in October 2024, believes that the NHS has “moved into a new era of awareness and prioritisation” around cyber security, but said that the NHS supply chain still faces issues.
Also speaking in the session were Nasser Arif, cyber security manager at London North West University Healthcare and Hillingdon Hospitals NHS Trust, Saira Ghafur, lead for digital health at the Institute for Global Health Innovation, Imperial College London, and Daniel O’Shaughnessy, head of programme delivery at Better Security, Better Care.
O’Shaughnessy said: “It is an example of the strength [of the NHS’ cyber approach] that even some of the worst actors in the world are coming in through the supply chain rather than directly through hospital trusts.
“I think it is something we should celebrate”.
NHS England and the National Data Guardian announced an updated cyber resilience framework for health and social care organisations, starting from 2 September 2024.
The change will see the NHS Data Security and Protection Toolkit gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s cyber assessment framework (CAF) as its underpinning assessment mechanism.