South Africa National Healthcare Lab Still Reeling From Ransomware Attack

South Africa's National Health Laboratory Service (NHLS), the government-run network of healthcare testing laboratories, continues to battle in its recovery from a ransomware attack that disrupted systems and deleted backups.

The attack targeted specific weak points in the NHLS's information infrastructure on June 22, effectively blocking communications between the laboratories' information systems and other medical databases, resulting in delays in lab testing across public health facilities. All laboratories are "currently fully functional and are receiving and processing clinical samples," but physicians across the country no longer have access to test results through an online portal, the agency said in a statement published last week.

The ransomware disruption comes as South Africa is dealing with stress on its healthcare systems, including an outbreak of mpox (formerly known as monkeypox) that has caused three deaths with 16 laboratory-confirmed cases since May, says Yotasha Thaver, senior research analyst for IT security and software in market-intelligence firm IDC's Middle East and Africa group.

"With public hospitals and clinics already being overwhelmed and understaffed even prior to the mpox outbreak, yes, this comes at a bad time," she says. "With the [mpox] outbreak, there will be more pressure on testing in the labs ... as systems now need to be shut down in order to recover from damages. ... This will delay the processing of lab tests in public health facilities."

Ransomware attacks on the healthcare industry have taken off worldwide, more than doubling in just a year, with 358 organizations suffering an attack in 2023, according to cybersecurity firm Group-IB. Africa saw an annual increase of 62% in successful ransomware attacks for 2023, says Ivan Pisarev, head of threat intelligence for the Middle East and Africa for Group-IB.

"Ransomware is currently one of the most widespread threats, if not the most widespread, and it certainly ranks among the top threats for all organizations and countries — with very few exceptions," he says.

Ransomware and Fatalities

The increasing focus of cybercriminals on compromising healthcare organizations poses a significant risks for national patient care. Ransomware leads to operational disruption, which increases strain on the affected healthcare system and can lead to death for patients who might otherwise have recovered, according to a post-coronavirus pandemic analysis conducted by the US Cybersecurity and Infrastructure Security Agency (CISA).

"Results indicate that [an affected] system's hospitals were more likely to experience hospital strain ... in the long term following the attack compared to ... hospitals" not in the affected healthcare system, the paper stated. "This supports the assessment of the longer-term implications of cyberattack on degraded hospital capacity, implicating worsened health outcomes as measured in excess deaths."

Ransomware attacks on healthcare organizations ramped up in 2023. Source: US Office of the Director of National Intelligence

Because South Africa's healthcare system is already burdened, the nation will likely feel a greater impact, IDC's Thaver says.

The "time taken for the patients to get their test results and the doctors to get the test results will increase, resulting in a further potential increase in infections," she says. "Since South Africa is a developing country with a high poverty rate, many people cannot afford health insurance and rely on public health."

Government Assistance Needed

The vulnerabilities typically exploited by attackers include unpatched systems, stolen credentials, and phishing attacks, requiring a multilayer approach to defense, says Ignus De Villiers, managing executive for cybersecurity at Liquid C2, a pan-African managed service provider.

"In today's increasingly digital landscape, organizations must be prepared by ensuring they have an effective and tested incident response plan and assistance from third-party experts," he says. "Attacks are sometimes targeted and sometimes not, but they are widely spread and equally devastating for large, medium, and small enterprises, and they always have monetary value for cybercriminals."

With ransomware ranked as a top-five threat in South Africa, the government should step in and help companies, educational institutions, and smaller agencies by requiring strict compliance and clearly defining a cybersecurity road map, Thaver says.

"While there are many African countries taking these initiatives during recent years, more and more need to follow in [their] footsteps," she says. "This will force all organizations to have basic security measures in place as a starting point."