Ransomware confirmed as NHS IT provider Advanced continues to rebuild and restore systems following a recent cyberattack.

A cyberattack on a major IT provider of the National Health Service (NHS) has been confirmed as ransomware by an NHS England spokesperson. The incident was first spotted by Birmingham-based company Advanced, which provides services such as patient check-in and NHS 111, on August 4. A software outage affected the system used to refer patients for care, including ambulance dispatch, out-of-hours appointment bookings, and emergency prescriptions. Since then, the firm has been working to rebuild and restore impacted systems which were forced offline, whilst the UK’s National Cyber Security Centre (NCSC) has also been helping Advanced recover from the attack.

Attack contained to small number of servers, unclear if NHS data stolen

As reported by the BBC, an NHS England spokesperson said, “While Advanced has confirmed that the incident impacting their software is ransomware, the NHS has tried and tested contingency plans in place including robust defences to protect our own networks, as we work with the NCSC to fully understand the impact.” The public should continue to use NHS services as normal, including NHS 111 for those who are unwell, although some people will face longer waits than usual, they added.

Platforms affected by the attack include Adastra, which is used by NHS 111, and Caresys and Carenotes, which deliver essential care home processes like patient notes and visitor booking. Advanced boss Simon Short previously stated that the issue was contained “to a small number of servers,” although it is not currently known if NHS data has been stolen, nor if Advanced is in negotiations with the attackers or paying a ransom.
It is estimated that it could take the company three to four weeks to fully recover from the attack.

Attack highlights supply chain risks for the NHS

Martin Riley, director of managed security services at UK cybersecurity firm Bridewell, tells CSO the incident highlights the risks posed to the NHS by its extensive supply chains. “The supply chain is only as strong as its weakest link and because of the highly connected NHS network, there will always be a risk that any connected organisation can be a point of lateral movement across the environment. There are controls in place to limit this, but vulnerabilities exist, and the next zero day could pose a greater risk if the response wasn’t swift enough to limit the impact.”

The NHS operates the Health and Social Care Networks (HSCN), which is a private network that connects central NHS services and trusts to its digital service partners and managed service providers (MSPs), he adds. “The HSCN has a Code of Connect, which outlines the supplier’s security requirements in the Data Security and Protection Toolkit. In order to establish a connection, the supplier, and any NHS service, must demonstrate compliance.”

However, Riley says the bar needs reviewing to ensure it is high enough, and the audit and review process should be increased to ensure compliance with these higher levels – which will be costly. “If we look at how the NIS regulations and how authorities such as the Civil Aviation Authority (CAA) have taken the charge in securing the aviation industry, it doesn’t have to be a financial or admin burden on the NHS itself,” he adds.