Qilin ransomware attack on NHS supplier contributed to patient fatality

The NHS says Qilin's ransomware attack on pathology services provider Synnovis last year led to the death of a patient. King's College Hospital NHS Trust, one of the many trusts affected by Qilin's attack, confirmed the news on Wednesday. An NHS spokesperson told The Register: "One patient sadly died unexpectedly during the …

  1. Anonymous Coward

    Apportioning Blame

    Yes, bad ransomware people.

    Bad hospital executives, too? Could this attack have been thwarted or mitigated by proper IT systems, staff training, and failover systems (possibly manual)?

    A "Magic computer box not work, we give up, send everyone home" attitude is inexcusable for a hospital.

    1. DMSlicer

      Re: Apportioning Blame

      > Could this attack have been thwarted or mitigated by proper IT systems, staff training, and failover systems (possibly manual)?

      Of course it could.

      And it WAS.

      The problem in this case is that the primary day-to-day method (Bloodwork services provided by Synnovis) was orders of magnitude faster than the contingency methods (which, yes, included a lot of "doing it manually"). The act of flipping to contingency methods meant getting accurate bloodwork results suddenly became much slower; which resulted in medical professionals having incomplete information for a longer period of time; which meant that patients did not get correct and timely treatment.

      Car analogy: I need to get to work. I usually take my car. If my car is unavailable, I can use my bike or walk. Those contingencies will get me to work, but not as quickly or efficiently as taking my car. Which is why they are secondary fallback methods rather than the primary day-to-day one.

      Sure, if the health service had two completely independent providers, both of which possessed sufficient capacity to cover the other's slack in an emergency with no notable degradation in performance (the real-world equivalent of having an "Active-Active High Availability" switch/firewall pair), then they would have been fine. But that arrangement would (i) cost a LOT of money and (ii) require that there wasn't just a single provider available for this sort of work within the UK.

      That last point is a big one IMO - a lot of suppliers have a monopoly on various aspects of Healthcare stuff; so there's no possibility of getting a "fully resilient backup" in place even if the NHS *DID* have enough money to throw at the problem. I've lost count of the number of systems in our place which are single-supplier, where that supplier is forcing a move from a reasonably-bulletproof on-prem system (segmented off and locked down from the rest of the network) to a "cloud only" offering (that has no real backup plan for "what happens if this supplier's internal network is compromised and we need to block them for x weeks/months").

      1. An_Old_Dog

        Re: Apportioning Blame / "Costs" and "Profit"

        BEFORE computers were used in medical settings, the old methods were more labor-intensive, but fast-enough to handle the load, given the number of staff employed to do the work.

        Enter computerisation. With the aid of computers, more work could be done with less staff. That means less money is spent to do the same amount of work. That also means various individuals and/or organisations are pocketing the "saved" money -- which is okay, as far as it goes. Efficiency should be rewarded.

        HOWEVER, with the deployment of money-saving computer systems in the medical field comes the moral responsibility to also set up and regularly test failover modes which provide 100% of the speed and quality of the pre-computer way of doing things, or better!

        Not some sort of degraded (or total failure) mode. 100% or better.

        Failing to do this is corruption. It is no different than building a bridge with under-spec materials. The builder doing so knowingly imperils the lives of others in exchange for wrongly-gained profit.

    2. Ian Johnston

      Re: Apportioning Blame

      Bad hospital executives, too? Could this attack have been thwarted or mitigated by proper IT systems, staff training, and failover systems (possibly manual)?

      Or competent IT staff, who have a dreadful habit of pointing fingers up ("it's all management's fault that we don't do our jobs properly") or down ("it's all the users' fault for doing things we let them do") whenever their incompetence bites.

  2. elsergiovolador

    Rot

    While ransomware gangs are rightly blamed, it’s a bit like blaming the rain for getting wet - instead of asking why no one brought an umbrella. The deeper rot goes unexamined: health systems treated as cost-cutting puzzles, where digital resilience is an afterthought. Cybersecurity isn’t just about protecting data anymore - it’s about whether someone lives or dies while waiting for test results or urgent care.

    Critical services run on legacy systems, brittle integrations, and vendors selected more for cost than reliability. Ministers talk up “digital transformation” while treating the domestic tech workforce with open disregard.

    Stagnant wages, chaotic tax policy, and zero incentive to work in the public sector have created a vacuum. There’s no queue of skilled engineers lining up to secure NHS infrastructure when better pay and conditions await elsewhere.

    And when the inevitable happens? No names. No resignations. No transparency. Just another wave of glossy AI brochures and vague assurances that “lessons will be learned.”

    Until critical infrastructure is funded, staffed, and built with resilience - not outsourced in the name of “efficiency” - these quiet tragedies will continue. Buried in euphemism, in a system too fragmented to protect the people it’s meant to serve.

    1. Anonymous Coward

      Re: Rot

      Whilst I don't disagree that organisations need to take all reasonable precautions to protect their IT systems, and have mitigation plans in place (and practised), focusing all blame on them is like blaming a householder for being burgled because they hadn't installed a monitored security system. Whilst bad actors are an unavoidable fact of life in many areas, and we need to take reasonable measures to protect ourselves, there needs to be an acceptance of what is reasonable.

      In UK contract law, there is an assumption that consumers are vulnerable and need protecting from bad actors, whereas businesses are fully competent and stand equal with bad actors (i.e. a seller to consumers must be open and fairly represent what they are selling, whereas it's caveat emptor for businesses) - a simplification, but useful rule of thumb. However, whilst the contract market is a mature one (after all, some of our laws can be traced back over a millennium), IT is quite new and still developing. It's still an arms race and few of us would take a stance that, for example, it's Ukraine's fault for being invaded by Russia because they didn't have strong enough defences.

      Yes, organisations must do better, but every failure needs to be treated as an opportunity for everyone to learn. Swinging into attack mode on companies suffering from a breach doesn't help. Drawbridges are raised and they go on the defensive, resulting in valuable learning experiences being lost. Better to have a system like air travel where pilots can own up to mistakes without fear of the pillory.

  3. nichomach

    OK...

    These people have attacked critical infrastructure, knowing that they risk killing people, and have now provably done so. Time to treat them the same as other terrorists - as targets.
