What Happened?
Birmingham-based ‘Advance’ provides digital services to the NHS such as patient check-in and NHS 111. The company’s Adastra software works with 85 per cent of NHS 111 services.
Advanced reported spotting a hack at 07:00 BST on 4 August, followed by a number of outages, before confirming in a statement on August 5 that the incident was linked to a cyber-attack.
Outages
Advanced described the outages as the result of “a cybersecurity incident” caused by ransomware which caused “an issue on infrastructure hosting products used by our Health & Care customers. Those products identified as being affected are Adastra, Caresys, Carenotes, Cross Care and Staff Plan.” These services are:
Adastra – clinical patient management software with records relating to 40 million patients.
Caresys – care home management software used by over 1,000 care organisations.
Carenotes – electronic patient record software used by over 40,000 clinicians.
Crosscare – a clinical management system for hospices and private practice used by 70 adult and children’s hospices across the UK.
Staffplan – care management software used by over 1,000 care organisations.
Financially Motivated
Advanced has reported in its FAQs about the incident that, based on the intelligence it had received, the “threat actor” who carried out the ransomware was “purely financially motivated” rather than being a state sponsored attacker, for example.
Services Offline
The ransomware attack, which Advanced says was contained to “a small number of servers”, meant that affected services had to be taken offline. Customers were, therefore, unable to access their systems and had to rely upon contingency measures. An NHS England spokesperson has reported that “While Advanced has confirmed that the incident impacting their software is ransomware, the NHS has tried and tested contingency plans in place including robust defences to protect our own networks, as we work with the National Cyber Security Centre to fully understand the impact.”
Working With Other Agencies
Advanced has said that it is working with forensic partners including Mandiant and the Microsoft DART teams to conduct an investigation, and is in contact with the NHS, NCSC, other governmental entities, and has contacted the ICO.
3 to 4 Weeks
Advanced reports that for NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, services would be back online in a few days, but for its other NHS customers and Care organisations it will be “necessary to maintain existing contingency plans for at least three to four more weeks”.
Fears For Data Security
It is not clear from reports whether any ransom has been paid, with Advanced simply saying “our investigation is underway.” Bearing in mind the vast numbers of patient records and the sensitivity of that data there are now serious fears about whether data has been stolen and what the consequences could be.
Health Organisations A Target
Health services around the world are often targets for cyber-attacks, and a Kroll study has reported that the number of health organisations (globally) targeted by cyber-attacks rose by 90 per cent in the three months to 30 June compared with the first quarter of 2022. Examples of health services being targeted include:
– In 2017, North Korean attackers hit the NHS with ransomware, severely disrupting more than 80 hospital trusts and 8 percent of GP practices, costing the NHS an estimated £92m through services lost during the attack and IT costs in the aftermath.
– In October 2020, Philadelphia company eResearchTechnology (which made software used to try and develop COVID-19 vaccines and treatments) was hit by a ransomware attack. Employees were locked out of systems and the attack had a knock-on effect that was felt by IQVIA, the research organisation helping with AstraZeneca’s Covid vaccine trial, and Bristol Myers Squibb, a drug-maker involved in the development of a quick test for COVID-19.
– Emsisoft’s Brett Callow has reported that, in 2020 and 2021 in the US, there were at least 168 ransomware attacks affecting 1,763 clinics, hospitals and health care organisations.
What Does This Mean For Your Business?
It may be the case that health services are often targeted because there are many different suppliers plus services are vital, so there may be a better chance of extracting a ransom, also there is a lot of potentially valuable data to steal and health services are often playing catch-up with cybersecurity.
Ransomware attacks tend to be initiated using phishing emails, so it is important that all staff are aware of the dangers of clicking on suspicious links. This story also highlights the importance of making sure that data is regularly and securely backed up (to a secure cloud-based service) and that disaster recovery and business continuity plans have procedures for ransomware attacks built-in to them. Businesses should also note that paying the ransom is a high-risk option and certainly offers no guarantee that any files will be unlocked/returned.
Other precautions that businesses can take to guard against these ransomware attacks include keeping antivirus software and Operating Systems up to date and patched (and re-starting the computer at least once per week), using a modern and secure browser, using detection and recovery software, e.g. Microsoft 365 protection and Windows Security.