Following news that a cyber-attack on a major IT provider of the NHS, Advanced, has been confirmed as a ransomware attack (NHS IT supplier held to ransom by hackers – BBC News), information security experts explain further about attacks on healthcare providers.

No industry is untouchable when it comes to cybercrime. Sadly, this ransomware attack on a major IT provider to the NHS is particularly concerning given the effect it can have on accessing patient information and providing care. All it takes for an attack like this to happen is for a malicious email to slip through and an unsuspecting employee to click on it.
Ransomware has become so destructive that many organisations are simply paying the ransom upfront, sometimes to the tune of thousands – if not millions – of pounds. But giving in to cyber criminals only risks fuelling their practices in the long run.
To mitigate the impact of ransomware, organisations across all sectors must implement multiple security controls. Two-factor authentication for all data – including that which is backed up – is a must. So too is regular data backup, preferably daily or weekly, and across different mediums, for example external hard drives, USB sticks and cloud space. But to reduce the risk of a breach occurring in the first place, technology like identity security is crucial, in order to manage who has access to what and immediately flag any suspicious behaviour within an organisation.
This should be a standard best practice for cyber security and will also reduce the risk of other malicious malware threats.
Whenever there is a vulnerability, cybercriminals will seek to exploit it and the NHS and its suppliers are sadly no exception. It’s therefore no surprise that the recent directive from NHS Digital is insisting on deploying multi-factor authentication across its services. Depending on the type of MFA used, this extra layer of protection massively reduces the chances of a credential breach, which remains the main means by which ransomware is planted. We hope the supplier manages to resolve the situation but this example is another reason why we wholly support this new MFA initiative across the NHS. It really is mission-critical.
Advanced is taking all the correct steps in recovering from the ransomware attack. With that, my concern is that their adjustment of the recovery time from one week to four weeks indicates an extended ransomware spread, with more systems impacted than originally suspected. While the NHS may have taken all the right steps to protect its networks and environments, Advanced was not as rigorous in its efforts.
While there has been no mention of patient data being involved in the attack, the adversaries had access to patient data based on the information available. This is evident in the comments about the ability to update patient care notes and the one-week gap in historical notes. This indicates that the database containing the care notes had to be restored, with the restoration leveraging a week-old backup copy. At a minimum, the patient care notes have only been accessed by malicious actors to encrypt them. The worst-case scenario is that this data has also been exfiltrated by the attackers and can be used for further ransom.
This attack, and its resultant impact, are a clear example of why organisations must be sensitive not just to their security posture but also to their supply chain. This is especially important when sensitive PHI is stored in the supply chain vendor.
Questions need to be asked about how the attackers got in. Are suppliers to the NHS like Advantage doing as much as they can to protect themselves and patient data – or are outsourced services a big risk to the NHS? The outsourcing of IT services begs the question – who is making sure these external businesses are doing everything they can to protect patient data and make sure the provision of services is resilient?
Cyberattacks can be carried out for a variety of reasons, including credential theft, theft of financial data like credit card numbers, or access to other sensitive files.
Ransomware, however, is unique; it specifically targets the data required for a company to continue to operate. In healthcare this targeted data is often medical records, which means that a patient who comes into the ICU and can’t provide their own medical history could be at risk of receiving the wrong treatment or medicine.
The criminals behind the ransomware use data as leverage, and keep it locked until demands are met. In many cyber attacks, the attack is over once it happens. With ransomware, the initial attack is just the beginning of a long negotiation cycle to retrieve the data required to operate.