Ransomware attack believed to be at root of referral system outage
Healthcare organisations are increasingly being targeted by cyber criminals
A failure of the NHS 111 telephone service last week was the work of cyber attackers, health bosses have confirmed.
Advanced, a firm providing digital support for the telephone triage service, said the attack was spotted at 7am last Thursday.
It targeted the part of the 111 system used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings, and emergency prescriptions.
And, although the NHS said disruption was ‘minimal’, it has further highlighted the vulnerability of healthcare systems to online attacks.
Advanced currently supports over 140 NHS organisations with software to help facilitate clinical management, transfer of care, and clinical decision support.
And, although only 2% of Advanced’s services went down as a result of the attack, its software is responsible for 85% of NHS 111 services. As a result, this attack had a significant impact on the NHS over the weekend, with 111 downtime likely responsible for a surge in patients arriving at A&E departments, increased waiting times, and issues related to ambulance prioritisation.
Simon Short, chief operating officer at Advanced, confirmed in a statement on Friday that the incident was linked to a cyber attack.
He said: “A security issue was identified yesterday, which resulted in loss of service on infrastructure hosting products used by our health and care customers.
“We can confirm that the incident is related to a cyber attack and as a precaution we immediately isolated all our health and care environments. We can also confirm that this action contained the attack and no further issues have been detected.
“We continue to work with the NHS and health and care bodies, as well as our technology and security partners, focused on recovery of all systems over the weekend and during the early part of next week. In the meantime those NHS impacted services will continue to operate [using contingency].”
While the National Crime Agency continues to investigate the incident, which is believed to have been a ransomware attack, cyber security companies are offering advice to healthcare organisations.
Speaking to BBH today, Matt Aldridge, principal solutions consultant for Brightcloud at OpenText Security Solutions, said: “Unfortunately, the NHS has been a common target for cyber criminals.
“As medical services are essential, and often cannot be disrupted without severe risk to patients, the industry is very much in the spotlight, and must address security in multiple ways.
“Despite the NHS supplier stating that the attack affected only a limited number of servers, putting in place a strong cyber resilience strategy to limit such an outage, and to protect the organisation’s IT systems while keeping continuity of patient care at the forefront, is key.
“To meet the challenge of securing the health sector, now is a good time for all organisations to review their incident response plans, updating them as needed.”
He added: “Organisations need to take a pro-active stance regarding cyber security and ensure adequate defences to mitigate future attacks and build cyber resilience.
“Staff training is essential for defending against phishing attacks and knowing what to look for, and regular simulations should be run to ensure that the training has the desired effect.
“The training materials used also need to be constantly updated to reflect the latest threat trends.
“Furthermore, IT teams must implement cyber security technology, such as email filtering, anti-virus protection, and sensible password policies, to grapple with cyber security.
“And data must always be securely backed up, so systems can be restored if needed.
“Finally, multi-layered cyber security controls must be deployed to help detect, or block, anything that breaches the first line of defence – the people of the organisation.”
Ross Brewer, vice president and general manager at AttackIQ, said the health sector would continue to be a popular target for criminals and suppliers of digital solutions need to take additional steps to protect their clients.
He added: “This latest breach is yet another example of an IT supplier being used to gain access in order to bring down critical national infrastructure.
“While commentators and government officials are quick to attach this activity to the current geopolitical situation, it’s just as likely ‘hacking as usual’.
“There were more than 470 million global ransomware attacks last year which, according to industry experts such as Verizon, is more than the last five years combined.
“While the specific details in this case are still developing, typically compromises of suppliers are used as an entry point to gain access to the target organisation or the service a supplier may be running on their behalf.
“Regardless of the entry point, healthcare organisations should have protection and detection mechanisms to stop such intrusions developing into a catastrophic service failure that puts lives and patient data at risk.
“And, in the case of cloud services hosted by third-party suppliers, the provider should have similar protections.
“Too often not enough testing of people, processes, and technology is taking place to validate a healthcare organisation’s cyber security readiness.”
Kieran Bamber, director of strategic accounts for healthcare at Tanium, agrees. He said: “The NHS has recently developed an increased reliance on third party vendors and software to support everyday processes, meaning its IT environments are now inherently more complex – with a plethora of additional software and infrastructure that needs to be carefully managed.
“To protect against similar third-party attacks in the future, NHS organisations need to prioritise vulnerability management and patching of third-party software.
“Only by having overall visibility of the organisational network can IT teams ensure they can control, patch, and plug vulnerabilities in all third-party software being used, and confidently have the ability to respond and limit the consequences of a breach should one occur, therefore reducing the impact on patient care.”