Some UK hospitals appear to be publicly documenting their own cybersecurity weaknesses. The Guy's and St Thomas' NHS Foundation Trust meeting notes from 20th December 2023 state: "There was discussion about how the Trust routinely monitors and manages cyber security arrangements where the Trust had interfaces with third parties, for example the Pathology Business Unit (PBU)". https://www.guysandstthomas.nhs.uk/media/13533/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B31%2BJanuary%2B2024
Meeting notes from 28th February 2024 also note that "Cyber security remained a high risk, and the Trust had not met the standards for the NHS data security protection toolkit self-assessment in recent years." https://www.guysandstthomas.nhs.uk/media/13680/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B24%2BApril%2B2024
On 3rd June the hospital declared a critical incident when Synnovis (their pathology services provider) was the victim of a ransomware attack. I can't help but wonder if they essentially painted a big target on themselves here.
These meeting notes also refer to other ongoing cybersecurity activities and known areas of risk. It would be trivial to automatically scrape and analyse all of these meeting notes and then use that data to focus future attacks on other NHS trusts. Accountability and transparency are good things, but publicly documenting security risks before they have been addressed is never a good idea. #ransomware #nhs