There was once an unwritten moral code among cyber hackers that they would never attack vulnerable businesses like health care. Well, those disingenuous hacker ethics are out the door, and have been for a while. After the hack of the UK’s NHS-controlled ambulance service last week[1], malicious hackers are now holding an IT firm that supplies NHS ‘trusts’ to ransom following a cyber-attack. NHS trusts are public sector bodies established by parliamentary order through the UK Secretary of State for Health to provide healthcare services to the NHS. They have a board of executive and non-executive directors and are accountable to the Secretary of State. Health administrators are concerned that criminals have access to confidential health records and could leak them if their demands are not met. The software company Advanced, which provides patient data to dozens of trusts and most NHS 111 providers in England, was hacked last week.
Call handlers across 85% of the UK are still without a crucial IT system and have had to resort to using pen and paper for the past week. Agencies including the National Crime Agency and GCHQ are now investigating the data breach. A reliable source said the attackers have made 'some demands', according to the Health Service Journal, although it is not entirely clear what they are. Some analysts theorize that the cyber criminals are looking for payments in exchange for not leaking information and removing the malware.[2]
Advanced's Adastra software, one of the systems that was attacked and is used by NHS 111, covers 40 million patients, according to the company. Affected NHS 111 call handlers currently do not have access to the GP records or NHS numbers of people ringing the non-emergency service. They are also unable to make electronic bookings with GPs or send out ambulances for patients while the Adastra software is still offline.
The criminal hackers also attacked the company's Carenotes EPR software, which holds mental health records. Affected mental health trusts warned staff are currently facing a 'pretty desperate' situation, still unable to access vital patient records. Mental health records and patients' unique NHS numbers are alleged to have been affected in the attack.
An Advanced spokesperson said: 'With respect to potentially impacted data, our investigation is under way. When we have more information about potential data access or exfiltration, we will update customers as appropriate.' One mental health trust chief executive, who preferred to stay anonymous, told the HSJ: 'It’s really difficult and the longer it goes on, the harder it gets for staff.'
Advanced said it will bring its NHS 111 and urgent care services back online 'within the next few days.' But it could take another month before Carenotes EPR is back online. Advanced said: 'We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.'
Carenotes EPR is used by at least nine mental health trusts, and dozens of other trusts use different software from the company that is still offline.
An Advanced spokesperson said: 'We want to stress that there is nothing to suggest that our customers are at risk of malware spread and believe that early intervention from our Incident Response Team contained this issue to a small number of servers. Since our Health and Care systems were isolated at the end of last week, no further issues have been detected and our security monitoring continues to confirm that the incident is contained, allowing our recovery activities to move forward.'
The NHS attack was initially feared by experts to be from another country. Health chiefs told hospitals to shore up their systems earlier this year amid fears of a Russian attack in retaliation for Western interference in the war in Ukraine. There have been widespread concerns about the technological resilience of the NHS, which only last year stopped using fax machines. It was famously hacked in 2017 in the WannaCry attack, which brought the whole health service to a standstill for days and cost the UK £92 million.
More than a third of UK hospital trusts had their systems crippled in the WannaCry ransomware attack in May 2017. Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers. NHS officials claimed 47 trusts were affected, but the National Audit Office (NAO) found the impact was far greater, and in fact 81 were hit by the attack. When the attack started on 12 May, it ripped through the out-of-date defenses used by the NHS. The virus, which spread via email, locked staff out of their computers and demanded £230 to release the files on each employee account. Hospital staff reported seeing computers go down 'one by one' as the attack took hold. Locked-out medics had to rely on pen and paper, while crucial equipment such as MRI machines was also disabled by the attack. The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals even had to divert ambulances away at the peak of the crisis. Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7, that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims. Cyber experts said the cyber-attack could have easily been prevented. Officials were warned repeatedly about the WannaCry virus beforehand.
The Department of Health said that from January 2018 hospitals will be subject to unannounced inspections of IT security. I guess it was not enough to prevent this current attack.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://news.sky.com/story/ministers-coordinating-resilience-response-after-major-cyber-attack-hits-nhs-systems-across-uk-12666611
[2] https://www.dailymail.co.uk/health/article-11102003/NHS-cyber-attack-Hackers-issue-demands-supplier.html