Mark van Vuuren

UK NHS gets a dose of ransomware

There are concerns that patient data may have been the target of a ransomware attack on a software supplier that affected the NHS throughout the UK. This article was first published on the Heimdal Security blog.


The UK business Advanced, which was the target of the attack last week, announced that it was cooperating with law enforcement in the wake of the event, including the National Cyber Security Centre and the Information Commissioner’s Office.

Here is a summary of what we know so far and how ransomware gangs work. Details like the attackers' identity and the extent of the damage are still unknown.

What Happened?

Widespread NHS outages were caused by the attack on August 4. Advanced, the company which develops software for several parts of the healthcare industry, was the target. Services including patient referrals, ambulance dispatch, after-hours appointment scheduling, mental health services, and emergency medications were all impacted.

Analyzing whether Advanced systems were affected either directly or indirectly will help determine the impact. These included Carenotes, which is used by mental health institutions for patient records, Caresys, which is used in nursing homes, Crosscare, which aids in running treatment centers, and Staffplan, which is used by patient care organizations. Adastra, which assists 111 call handlers in the dispatch of ambulances and assists doctors in accessing a patient’s GP records, was also mentioned.

As you know, Advanced recently experienced a disruption to our systems that we have since determined to be the result of a cybersecurity incident caused by ransomware. On August 4, 2022, at approximately 7 am, our teams identified the cybersecurity incident. In response, we immediately took action to mitigate any further risk and isolated all of our Health and Care environments, where the incident was detected. The customer groups impacted either directly or indirectly are Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan and eFinancials. All other products are unaffected.

According to The Health Service Journal, the outage has limited access to patient records for at least nine NHS mental health trusts. As per Digital Health Intelligence, 36 acute trusts or mental health trusts in England use cutting-edge technologies.

One or more NHS services, including NHS 111, certain urgent care facilities, and some mental health providers, employ software that has been taken offline, according to a leaked internal NHS England document seen by The Guardian.

In a statement released on Wednesday, Advanced hinted that it would take weeks for some services to fully recover:

With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days. For other NHS customers and Care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.

Who Is Behind the Attack?

Although the threat actor has not been identified, it has been suggested that it is more likely to be a criminal gang than a state organization.

The most infamous ransomware group in recent memory is the organization responsible for the attacks using the Conti malware that crippled the Costa Rican administration and the Irish healthcare sector earlier this year.

This criminal organization with ties to Russia appears to have stopped using Conti malware to strike. However, there is widespread conjecture that the same organization is responsible for the new spyware known as Black Basta. There are numerous other possible suspects, and there is no proof that the Conti/Black Basta group is responsible for the attack on the NHS.

There are numerous ransomware gangs with various types of software (the names of the malware and the groups behind them are often viewed as interchangeable). BlackCat, Quantum, Hive, and AvosLocker are some examples of malware operations whose names have been connected to healthcare attacks in recent months.

Healthcare Organizations – A Popular Target for Cybercriminals

During the Covid-19 pandemic, there had been indications that there might be a lull in assaults on medical targets, with the ransomware group Maze declaring it would not target them. But it seems that things were shifting even before the Advanced strike. For example, the attack on the Irish healthcare system occurred in May 2021.

According to the risk consultancy company Kroll, the number of health organizations hit by cyberattacks increased by 90% in the three months leading up to June 30 in comparison to the first three months of 2022. The 3,200 events from all industries that were reported to the consultant over the previous 12 months served as the basis for this study.
