NHS may take a month to recover from supply chain attack

Ransomware attack victim Advanced warns its NHS customers they could be waiting until early September to fully recover their operations

NHS customers using Advanced Software’s Adastra clinical patient management platform – including the frontline 111 service – have been warned that they could face a month-long wait to fully recover their normal operations, as the supplier battles with the impact of a now-confirmed financially motivated ransomware attack.

Advanced was able to swiftly contain the attack on the morning of 4 August, which affected a number of other services besides the Adastra platform. Since then, it has detected no further incidents and its ongoing monitoring has confirmed that the attack has been contained.

However, containment has come at a cost for its health and social care customers, who have lost access to the hosted infrastructure that runs the products they depend on. This has left many vital processes, such as ambulance dispatch, appointment booking, emergency prescriptions, out-of-hours care and patient referrals, in disarray at the affected bodies.

“We are continuing to make progress in our response to this incident. We are doing this by following a rigorous phased approach, in consultation with our customers and relevant authorities,” said Advanced chief operating officer Simon Short.

“We thank all our stakeholders for their patience and understanding as our team works around the clock to resume service as safely and securely as possible. For the latest update on our response, please go to www.oneadvanced.com for more information.”

In another update, Advanced said it was still working with the NHS and the National Cyber Security Centre (NCSC) to validate the steps taken so far, following which the NHS will be able to begin to bring services back online, with NHS 111 and other urgent care bodies starting along this path in the next few days.

For others, it said, the current view is that it will be necessary to rely on contingency plans – that is to say, pen and paper – for three to four more weeks, although it is working to bring this timeline forward.

Advanced is currently in the process of rebuilding and restoring the affected systems in a separate and secure environment. This includes implementing additional blocking rules and privileged account restrictions for its staff, scanning and patching all affected systems, resetting all credentials, deploying new endpoint detection and response agents, and implementing round-the-clock monitoring. Once done, it can start to bring its systems back online and get customers up and running again.

The firm said it was investigating the potential for data to have been affected and will issue further updates should more information about data access or exfiltration come to light.

However, according to health sector magazine HSJ, there is growing concern within multiple NHS trusts and bodies that use Advanced’s services that confidential patient data has been stolen in the attack. It cited an unnamed source with direct knowledge of the attack, who claimed that the attackers had made “some demands”, although they were unclear on the nature of those demands, or whether they had been made of Advanced or of NHS bodies.

If NHS organisations are being extorted, the attack on Advanced’s systems provides further evidence that the ‘moratorium’ on cyber attacks against healthcare organisations, declared by some threat actors during the early days of the Covid-19 pandemic, is well and truly over.

Indeed, during the second quarter of 2022, newly disclosed data from data management specialist Kroll revealed that healthcare organisations saw a 90% increase in attack volumes compared to the first three months of the year, fuelled by ransomware.

Laurie Iacono, associate managing director for cyber risk at Kroll, commented: “It is concerning to see healthcare rise so dramatically up the most targeted industry list, at a time when services are undoubtedly still under pressure as they recover from the strained environment caused by Covid-19.

“Ransomware is always disruptive, but its ability to grind company operations to a halt becomes more significant in an environment where business continuity means saving lives.

“The legacy of the pandemic can perhaps also be seen in the vulnerability of external remote services. In Q2, we saw many ransomware groups take advantage of remote environments by using security gaps in those tools to compromise networks,” said Iacono.

“All organisations – and especially those in healthcare – would do well to test the resilience of their external remote services and preparedness for ransomware in light of this latest report,” she said.
