Ransomware Attack Caused NHS IT Outage, Says Vendor
Advanced Says Some Entities Could Be Disrupted for at Least a Month Longer

An ongoing disruption to the United Kingdom's National Health Service stems from a ransomware attack, confirmed a company that supplies digital services to Britain's public health system.
The disruption to some National Health Service customers and care organizations could last "at least" another three to four weeks, says Advanced, the Birmingham-based technology provider whose Adastra system underpins NHS 111 and other healthcare services.
Full service to the urgent healthcare number could be restored within days, but other services that rely on Advanced might need to maintain existing contingency plans "for at least three to four more weeks," the company says.
The company says it identified the incursion on Aug. 4 at approximately 7 a.m. "In response, we immediately took action to mitigate any further risk and isolated all of our Health and Care environments, where the incident was detected," Advanced says. The attackers' motives appear purely financial.
Simon Short, chief operating officer of Advanced, says in a statement provided to Information Security Media Group that the company is "following a rigorous phased approach, in consultation with our customers and relevant authorities," to return services to normal.
The company declined to comment on whether it paid a ransom.
The incident is the latest reminder of the threat ransomware attacks pose to healthcare sector entities, their critical third parties, as well as patients.
"This incident yet again underscores just how much of a risk ransomware represents to healthcare providers and, by extension, to patient care," says Brett Callow, a threat analyst at security firm Emsisoft.
"It also underscores the fact that providers don't only need to be concerned about their own security, but also the security of their supply chain - and, of course, they also need to plan for outages within the supply chain."
Advanced says it is in contact with the NHS, the U.K.'s National Cyber Security Center and the U.K.'s independent information rights and data privacy authority - the Information Commissioner's Office. The ICO enforces the General Data Protection Regulation in the U.K.
Involvement of the ICO is an indicator that Advanced suspects data was stolen, said Alexi Drew, an information consultant, in an interview with the Guardian.
Ransomware groups often exfiltrate data before maliciously encrypting it, using the stolen data as pressure on victims to pay the ransom (see: Search Here: Ransomware Groups Refine High-Pressure Tactics).
NHS 111 Service Disruptions
Advanced says its Adastra tools are used by individuals in emergency care settings for providing patients "the correct course of treatment, whether that is a referral to their general practitioner or dispatching an ambulance to take them to hospital." It ensures records are handed off between facilities.
Since the attack began on Aug. 4, workers have resorted to using pen and paper manual processes to handle 111 calls, reportedly resulting in delays (see: Cyberattack on NHS Vendor Already Offering Critical Lessons).
Some NHS clinicians report serious challenges involving the outage. An NHS psychiatrist, who asked to remain anonymous, told the BBC the incident left his team "making clinical decisions nearly blind."
"If a new patient came to us, we weren't able to read their history or know very much about them," he told the BBC.
Emerging Lessons
Paul Prudhomme, a former U.S. Department of Defense threat analyst who is head of threat intelligence advisory at security firm Rapid7, tells ISMG that the U.K. incident illustrates the relevance of third-party risks to organizations in all industries and geographies, including U.S. healthcare organizations.
Organizations should have third-party risk programs to evaluate the security posture, practices and "general health" of their vendors, he says.
"Technology vendors in particular are a preferred attack vector for ransomware operators to infect large numbers of their customers at once," he says. The security posture of prospective vendors should be a factor in the selection process, he says.
"Contracts with vendors should specify security requirements and standards, and they should also obligate vendors to notify their customers of security incidents."
Healthcare organizations should also have contingency plans in place for using nontechnical means to service patients in the event that a ransomware incident - in their own environment or at a third party - disrupts critical technology platforms used for clinical care.
"Having a plan already in place can minimize the disruption to clinical services," he says.