Hackers holding NHS IT to ransom
The attacker has made demands but Advanced has remained silent on its level of cooperation
Birmingham-based NHS IT supplier Advanced has confirmed that ransomware was the cause of last week's cybersecurity incident, which disrupted its customers' IT systems.
The security issue was discovered on 4th August and has directly or indirectly impacted a number of customer services. For the NHS these include Adastra, Carenotes, Caresys, Crosscare, Odyssey, Staffplan and eFinancials.
Adastra is used to refer patients for care, including ambulance dispatch, scheduling after-hours appointments, and issuing emergency prescriptions. Carenotes gives clinicians immediate access to patient records for both adult and youth mental healthcare services.
Advanced is currently working to restore services for its customers, but disruption could continue for 'at least' three to four more weeks.
The company says it will notify customers when any new information about possible data access or exfiltration is available.
A source told HSJ the attackers had made "some demands" following the attack, although details are not available. The company remained mum about any ransom payments.
Advanced says there was 'nothing to suggest that our customers are at risk of malware spread and believe that early intervention from our incident response team contained this issue to a small number of servers.'
A number of government agencies, including the National Crime Agency and GCHQ, are working together to determine the level of damage the attack may have caused.
Since the attack was discovered, NHS 111 employees have had to resort to using pen and paper and other manual processes to manage calls, resulting in delays.
Leaders of impacted mental health Trusts - of which there are at least nine, according to HSJ - have warned that the lack of staff access to crucial patient information has created a "pretty desperate" situation.
The Oxford Health NHS Foundation Trust has told staff it is putting emergency procedures in place to address issues arising as a result of the outage.
CEO Nick Broughton said the attackers targeted both the Trust's financial system and the system used to refer patients for treatment.
"We have now been advised that we should prepare for a system outage that could continue for two weeks for Adastra and possibly longer than three weeks for Carenotes," he said.
Advanced is receiving assistance from the National Cyber Security Centre in its recovery.
An NCSC spokesperson said: "Ransomware is the key cyber-threat facing the UK, and all organisations should take immediate steps to limit risk by following our advice on how to put in place robust defences to protect their networks."
Saif Abed, of cyber security advisory firm The AbedGraham Group, said an incident of this sort would need an extensive investigation to determine how long an attacker has been in the system, how they infiltrated it, and how entrenched they are within it.
"Based on that you wouldn't necessarily bring back systems online without ensuring all relevant vulnerabilities are mitigated across all critical infrastructure underpinning key clinical applications," he added.