South Africa’s National Health Laboratory Service (NHLS) Cyberattack

You would think healthcare is one of the safest sectors when it comes to security, but that isn’t the
case. This year, a significant cyberattack targeted South Africa’s National Health Laboratory Service
(NHLS) on June 22nd, 2024. The attack by the BlackSuit ransomware group was swift and strategic, aiming
to disrupt critical healthcare services. Unfortunately, the attack was successful, and its aftermath was
devastating: millions of laboratory tests were compromised, and patients’ lives were placed at direct risk.
To prevent a further escalation of the attack, the NHLS had to adopt containment measures and
shut down its IT systems, which included its email, website, and several databases that were crucial in
retrieving patient test results. As a result, over 6.3 million blood tests were not processed on time.
Essential diagnostics for serious health conditions like tuberculosis, HIV/AIDS, and mpox were
delayed indefinitely.

NHLS South Africa entrance.
Image source: Mail & Guardian

How far-reaching was it?

Its impact was felt nationwide. With its IT systems compromised, the NHLS struggled to process
tests and lost the capacity and speed for which it is known. This caused substantial delays for
healthcare professionals, who had to communicate urgent test results by telephone rather than
electronically. This raises the question: what about the risks posed to emergency patients? Will a life
that can be lost within seconds hinge on a call that takes minutes to arrive, when an email is
instantaneous? This is alarming, to say the least, and hundreds of essential operations were canceled
because of insufficient and unavailable test results.
All was not lost, though. While the NHLS sustained countless setbacks from the breach, it
restored some of its services, although at great manual cost. Manual processes were not ideal, but they
had to stand in for the corrupted IT systems. Although these manual processes for registering and
distributing test samples were already in place, they were time- and labor-intensive. Among the
immediate repercussions were persistent issues with access to historical test results that relied on online
databases and general system functionality.
The breach has far-reaching consequences that affect the entire healthcare system. It occurred at a
critical time in South Africa’s health history, as the country was hit right when it was trying to
overcome the numerous healthcare challenges exacerbated by the recent mpox outbreak. Africa seems
to be a breeding ground for ransomware attacks, with a 62% rise in successful incidents since 2023.
From a cybersecurity perspective, is the strained healthcare sector as robust as it should be, and what
measures should be implemented?

How does the NHLS fully recover?

The National Health Laboratory Service (NHLS) has a long way to go before it resumes the full
operational scale it had before. A massive plus for them has been their quick transition into survival mode
because thousands of lives literally relied on them. The organization jumped into action impressively fast
to address immediate challenges and factor in long-term system improvements. These included:

1. System Restoration and Rehabilitation.

The NHLS made significant progress in operationalizing some of its crucial systems within a
month after the ransomware attack. They had to rebuild and fortify their IT infrastructure, which was
severely compromised during the attack. While full system restoration is still in progress, most of their
critical systems are operational, and operations have resumed.

2. Manual Transmission of Results.

Even in the most unfortunate events, lives were at stake, and the NHLS had to step up. While
their electronic systems were incapacitated, it was pivotal for the NHLS to implement temporary
measures and communicate urgent test results to crucial healthcare personnel over the phone. Such quick
responses helped ensure that critical information reached clinicians despite the hack.

3. Critical Test List Distribution.

In any outage, the demand always exceeds the supply. The NHLS understood this and created a
“critical tests” list whose main objective was to classify the incoming influx of requests. The “critical
tests” lists were then disseminated to all healthcare facilities. They helped them prioritize urgent testing
requests and appropriately manage the considerable volume of tests being processed with their current
ransomware predicament.

4. Development of New Systems.

“Fool me once, shame on you. Fool me twice, shame on me.” Undoubtedly, the NHLS has
learned the hard way about the importance of a robust system. They are developing an electronic
registration system to improve the efficiency and security of registering new samples and providing test
results. This way, they can kill two birds with one stone as they aim to restore their previous functionality
and enhance future operations.

5. Fortified Cybersecurity Measures.

The entry point of the ransomware was a subpar cybersecurity framework. It became more
important for the NHLS to invest in strengthening its cybersecurity protocols. As such, they focused on
utilizing advanced technologies and implementing new security measures to safeguard their IT systems
against future attacks. Furthermore, they have already engaged with several external cybersecurity firms
to assist in their recovery efforts and as a litmus test to ensure that all the measures in place will protect
them and thwart similar threats in the future.

What have they learned?

The National Health Laboratory Service (NHLS) ransomware attack was a crucial learning point
for South Africa’s healthcare system and cybersecurity industry. It reinforced the importance of a couple
of aspects that are often overlooked:

a. Robust Cybersecurity Infrastructure.


National assets must prioritize the safety of their data. The NHLS has been taught a hard lesson: a
sturdy cybersecurity framework is crucial when combating sophisticated threats. If they had advanced
security protocols and systems designed to detect and mitigate attacks early, they would have evaded this
situation, and we would not be writing this.

b. Regular Data Backups.

The importance of data backups for crucial databases can never be overstated. The NHLS slacked
on this, and the consequences were serious. It is essential not only to maintain secure backups but also to
update them frequently. They should have stored and secured offline backups to protect their whole
organization from potential attacks and data loss in future incidents.

c. Effective Incident Response Planning.

While their response was timely, it was not quick enough, underscoring the importance of a
well-defined incident response plan. With cyberattacks on the rise in the country, the NHLS missed an
opportunity to be one step ahead of cyber incidents by having a structured approach that would minimize
disruption and ensure a timely recovery of critical services.

d. Staff Training and Awareness Programs.

The first line of defense for crucial organizational data is often the staff members. The NHLS
found that continuous training and awareness programs for all its employees are crucial. Phishing is a
leading avenue through which cyber threats are delivered, and educating employees on how to recognize
such attempts would have saved the organization a lot of time and effort. However, they can use this
opportunity to conduct staff awareness programs that will serve as the foundation to prevent similar
breaches in the future.

e. Proper Communication with Stakeholders.

Communication can either manage crises or blow them out of proportion. For the NHLS, their
communication was sometimes found wanting, but they understood how maintaining transparent
communication with stakeholders would play in their favor. In such a crisis, using clear messaging to
healthcare providers and regulatory bodies often helps in managing expectations and facilitating
coordinated responses.

f. Prioritizing Essential Testing Services.

One of the positive outcomes of this breach was the NHLS’s contingency plans. Prioritizing
essential services was a masterstroke that saved them and probably millions of patients. Their need to
facilitate even distribution of “critical tests” lists helped them effectively manage their workload and
improve their output despite the breach.

g. Investment in Cyber Resilience.

Robust cybersecurity infrastructure can never go out of date, and South Africa is playing
catch-up. The necessity to continue investing in advanced cybersecurity technologies and practices has
been underscored. While it might take time for the NHLS to build resilient infrastructure that can
withstand future attacks, adopting best practices will be their best investment in the years to come,
especially after this game-changing setback.

Conclusion

South Africa’s National Health Laboratory Service suffered an unfortunate ransomware attack
that served as a stark warning to the healthcare and cybersecurity industry. The attack had far-reaching
consequences that are still being felt months later. However, the NHLS’s experience during the ordeal
emphasizes the urgent need for reinforced and enhanced cybersecurity measures in South Africa and
Africa at large.
