NHS bodies around the UK are still restoring services after a cyber attack hit one of their suppliers before the weekend, taking out their 111 emergency advice line and causing disruption to ambulance dispatch, emergency prescriptions, out-of-hours appointments and patient referrals.
Details of the incident at Advanced Software continue to emerge, and the precise nature of the attack is unconfirmed, although it bears the hallmarks of a ransomware attack, and some sources have already claimed it as such. It is known to have begun early on the morning of Thursday 4 August.
The biggest impact seen was on Adastra, the clinical patient management software that underpins the majority of the NHS’s 111 services, but other Advanced Software services were also affected, including its Caresys care home management service, its Carenotes patient record management service and its Crosscare clinical management service, which is used in hospices and at private practices.
“A security issue was identified which resulted in loss of service on infrastructure hosting products used by our health and care customers,” said Advanced chief operations officer Simon Short in a widely circulated statement.
“Following discovery of this incident, we immediately isolated all our health and care environments and no further issues have been detected,” he added. “Early intervention from our incident response team contained this issue to a small number of servers representing an extremely small percentage of our health and care infrastructure. The protection of services and data is paramount in the actions we have and are taking.”
Short said Advanced was continuing to work with the NHS and its own technology and security partners to recover impacted systems.
Health sector publication Pulse revealed that GPs were warned before the weekend to expect heightened volumes of patients being redirected from NHS 111 following the incident, as those staffing the service were forced to turn to pen and paper.
NHS England declined to comment on the status of its services at the time of writing, although the organisation had previously told the BBC the disruption was “minimal”. Services in Northern Ireland, Scotland and Wales were also impacted, and the NHS as a whole has been working with the National Cyber Security Centre on the response.
Kieran Bamber, director of strategic accounts for the healthcare sector at Tanium, an endpoint management service, said the impact of the attack on the UK’s health services once again highlighted the risks that one must accept when engaging third parties.
“The NHS has recently developed an increased reliance on third-party vendors and software to support everyday processes, meaning its IT environments are now inherently more complex – with a plethora of additional software and infrastructure that needs to be carefully managed,” he said.
“Although only 2% of Advanced’s services went down, its software is responsible for 85% of NHS 111 services, [and] as a result, this attack had a significant impact on the NHS over the weekend – with 111 downtime likely responsible for a surge in patients arriving at A&E departments, increasing waiting times and issues related to ambulance prioritisation,” said Bamber.
Chris Butler, resilience and continuity consulting head at backup and disaster recovery specialist Databarracks, said the incident brought to mind similar attacks on the likes of Kaseya and SolarWinds.
“Technology companies provide cyber criminals with an avenue into hundreds or even thousands of organisations from a single breach; this incident did not just affect NHS 111 staff, but also services in all four home nations, the Welsh ambulance service, prescription services and a care home management system,” he said. “Securing the supply chain is becoming increasingly vital. The NHS is better prepared than most for these kinds of incidents as it is governed by the Networks & Information Systems Regulations.”
However, he added: “I’m still not convinced that many companies spend enough time assessing the true resilience of their critical suppliers and vendors – this means asking deeper, more searching questions, and completing a proper assessment of their resilience capabilities.”