A cyberattack against an NHS IT service provider continues to cause havoc three weeks after the incident was first spotted, with the victim stating that some services could be offline for another 12 weeks. The attack targeted Birmingham-based company Advanced, forcing seven key services, including those used for patient check-ins, medical notes, and NHS 111, offline. On August 11, an NHS England spokesperson confirmed that the attack was ransomware, with experts warning that it highlighted the complex supply chain security threats the NHS faces.
Some NHS services remain offline due to ransomware attack
As reported by the BBC, some of the victim’s services remain offline three weeks on from the attack, with healthcare staff in certain regions and clinics entering a fourth week of taking care notes with pen and paper. According to the BBC’s report, doctors have said that it could take months to process the mounting piles of medical paperwork.
An NHS spokesperson said robust contingency plans were in place across local health systems, urging the public to continue to use the health service as normal. “The use of electronic records is a small – but important – aspect of diagnosing and treating patients,” they added. “Advanced is working to resolve their software problems, and since Monday 22 August, NHS 111 service providers have been coming back online.” However, the effect on patient healthcare has been significant and is ongoing.
Attack recovery “more complex” than initially anticipated
In a security incident update published on August 25 Advanced wrote, “Over the last three weeks we have been focussed on assessing our ability to restore and provide reconnection to these services. Due to a number of factors, this has been more complex than we initially anticipated. All our efforts are focussed on restoring services for our customers as quickly as we can, whilst ensuring we do so in the most secure way possible.”
On August 23, Advanced said that its forensic investigation of the incident was progressing in line with its timeline and plan. “We are now building a much clearer picture of the incident. In parallel, our third-party experts are well advanced in their investigation into any potential data impact as a result of the incident. We will update customers as appropriate and comply with any applicable notification obligations.”
It is still unknown which ransomware group or actor was behind the attack, and Advanced has yet to confirm whether it is negotiating with the cybercriminals. It has, however, enlisted Microsoft and Mandiant to assist with the recovery efforts.
Martin Riley, director of managed security services at UK cybersecurity firm Bridewell, tells CSO that it is not attack recovery per se that is slowing the restoration of Advanced’s systems. Rather, it is the additional steps being implemented to ensure the systems are safe before they are reconnected and re-established as a service for the NHS. “This includes measures such as the implementation of additional blocking rules and further restrictions on privileged accounts for Advanced staff,” he says. “Other steps being taken include the scanning of all impacted systems and ensuring they are fully patched, resetting of credentials, deployment of additional endpoint detection and response agents, and 24/7 monitoring.” If systems have been restored and security assurance is only now being put in place, then it is clear that the ability to detect and respond had not been built into the service, he adds.
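The assurance steps Riley lists (post-incident vulnerability scan, patch baseline, credential rotation, EDR coverage, restricted privileged accounts and log forwarding to 24/7 monitoring) are the kind of evidence a customer would want before re-enabling a supplier connection. The following is an added example of how such a reconnection gate can be expressed as code, so that a host which was restored from backup but whose credentials were rotated before the incident, or whose EDR agent has stopped reporting, is flagged rather than waved through. It is illustrative code, not anything published by Advanced, Bridewell or the NHS; the incident date, the heartbeat threshold and the two sample hosts are constructed for the example.

```python
"""Pre-reconnection assurance gate (added example, not the provider's own tooling).

Each impacted host is checked against the hardening steps a supplier would need
to evidence before a customer re-enables its connection. Any host with findings
blocks reconnection; a host passes only when every check is clean.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed for the example: when the incident was first detected, and "now".
INCIDENT_DETECTED = datetime(2022, 8, 4, tzinfo=timezone.utc)
NOW = datetime(2022, 8, 25, 12, 0, tzinfo=timezone.utc)

# Assumed threshold: an EDR agent silent for longer than this is "not reporting".
EDR_HEARTBEAT_MAX = timedelta(minutes=30)


@dataclass
class PrivilegedAccount:
    name: str
    mfa_enforced: bool
    last_password_change: datetime


@dataclass
class Host:
    name: str
    last_vuln_scan: datetime | None      # None = never scanned
    missing_critical_patches: int
    edr_last_checkin: datetime | None    # None = no agent installed
    log_forwarding: bool                 # logs reach the 24/7 monitoring service
    privileged_accounts: list[PrivilegedAccount] = field(default_factory=list)


def host_findings(host: Host, incident_detected_at: datetime, now: datetime) -> list[str]:
    """Return the list of unmet reconnection conditions for one host (empty = clean)."""
    findings: list[str] = []
    # A scan that predates the incident proves nothing about the restored system.
    if host.last_vuln_scan is None or host.last_vuln_scan < incident_detected_at:
        findings.append("no vulnerability scan since the incident was detected")
    if host.missing_critical_patches > 0:
        findings.append(f"{host.missing_critical_patches} critical patch(es) outstanding")
    # Agent must exist and have checked in recently; an installed but silent agent fails.
    if host.edr_last_checkin is None or now - host.edr_last_checkin > EDR_HEARTBEAT_MAX:
        findings.append("EDR agent missing or not reporting")
    if not host.log_forwarding:
        findings.append("logs not forwarded to 24/7 monitoring")
    for acct in host.privileged_accounts:
        if not acct.mfa_enforced:
            findings.append(f"privileged account {acct.name} lacks MFA")
        # Credentials restored from a pre-incident backup count as compromised.
        if acct.last_password_change < incident_detected_at:
            findings.append(f"privileged account {acct.name} not rotated since incident")
    return findings


def reconnection_report(hosts: list[Host], incident_detected_at: datetime, now: datetime) -> dict[str, list[str]]:
    """Map each host name to its findings."""
    return {h.name: host_findings(h, incident_detected_at, now) for h in hosts}


def ready_to_reconnect(report: dict[str, list[str]]) -> bool:
    """The service may be reconnected only when no host has any finding."""
    return all(not findings for findings in report.values())


# Constructed sample inventory: one host that meets every condition, one that
# was restored from an old image and fails every check.
SAMPLE_HOSTS = [
    Host("app-01", datetime(2022, 8, 20, tzinfo=timezone.utc), 0,
         NOW - timedelta(minutes=5), True,
         [PrivilegedAccount("svc_admin", True, datetime(2022, 8, 10, tzinfo=timezone.utc))]),
    Host("db-01", datetime(2022, 8, 1, tzinfo=timezone.utc), 2,
         datetime(2022, 8, 24, 12, 0, tzinfo=timezone.utc), False,
         [PrivilegedAccount("sa", False, datetime(2022, 7, 1, tzinfo=timezone.utc))]),
]

if __name__ == "__main__":
    report = reconnection_report(SAMPLE_HOSTS, INCIDENT_DETECTED, NOW)
    for name, findings in report.items():
        print(name, "OK" if not findings else "BLOCKED")
        for f in findings:
            print("   -", f)
    print("ready to reconnect:", ready_to_reconnect(report))
```

The gate is deliberately all-or-nothing: a single restored host with stale credentials or a silent EDR agent is enough to keep the whole service disconnected, which is the conservative posture the article describes and why re-validation takes time.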
Advanced must comply with NHS data security standards before full-service restoration
The NHS has a Data Security and Protection Toolkit, which stipulates the requirements a supplier must meet to deliver a service. These include the use of “a proportionate monitoring solution to detect cyber events on systems and services”, along with processes for vulnerability management and for preventing and responding to advanced persistent threats, Riley says. “Ultimately, the NHS needs to ensure that Advanced has addressed all of these requirements before it can re-provision the service, which takes time. I’m assuming that further assurance and verification are required before the NHS will re-validate and re-instate their connection, adding further delays.”