See also our more recent story from September 9 incl. technical details on app rebuild.
NHS IT service provider Advanced's ransomware attack woes continue as it works to get systems back up and running, with the company waiting for the conclusion of an ICO investigation before providing more information about the security breach which took down seven medical software systems.
The MSP has been working to restore services since the 4 August attack, with mixed success due to the need to rebuild some platforms from scratch. The extended outage has left some NHS services in chaos, with staff unable to access clinical notes. Some affected systems may not be restored until December.
Unconfirmed conversations in the security community suggest that many of the affected applications were running on "near or at end-of-life backends". It is not clear whether backups were also compromised in the breach or were simply not being made regularly. (Ransomware attacks often target backups, as the NCSC has been warning for years, noting in 2019 that it has "seen numerous incidents where ransomware has not only encrypted the original data on-disk, but also the connected USB and network storage drives holding data backups. Incidents involving ransomware have also compromised connected cloud storage locations…")
“We recognise the frustration this down time has caused for many of our Health and Care customers. Please rest assured that we are continuing to work around the clock to remediate affected systems and, in some cases, have completely rebuilt them in separate and secure environments,” said Advanced in its FAQs.
The firm has confirmed the attack as ransomware - “This was a ransomware attack conducted by a threat actor that we believe, based on threat intelligence provided to us from the regulators and our expert advisors to date, is purely financially motivated” - but declined to provide any public IOCs or details on the breach vector.
Doctors and other NHS staff have warned about the effect the outage caused by the Advanced ransomware attack is having, with paperwork piling up and a backlog which could take months to clear. Given the health service’s other woes, adding additional stress to the system is definitely contra-indicated.
While NHS England has been silent on the Advanced ransomware attack and its consequences, including speculation around the loss of patient data, other NHS organisations have had to respond. Oxford Health NHS Foundation Trust posted an update last week advising patients it was "continuing to experience technical issues with some of our clinical systems due to a national outage".
Its staff might have to ask additional questions, due to the lack of access to patient notes, it added.
Advanced remained silent on whether data had been breached, stating: “With respect to potentially impacted data, our investigation is underway, and when we have more information about potential data access or exfiltration, we will update customers as appropriate. Additionally, we will comply with applicable notification obligations.”
Last month an ICO spokesperson confirmed it was “making inquiries” into the Advanced ransomware attack. The Stack understands Advanced is waiting for the conclusion of the ICO’s investigation before it makes more substantial comment on the attack – although in some of its updates it has said it will share IoCs.
When will Advanced NHS services be restored?
Restoring "Adastra", the system which powers NHS 111, has been a high priority, and an update from Advanced dated 2 September 2022 states 14 customers are live, with a further four in testing, “completing the restoration for NHS 111 in England”. The MSP said it was in “ongoing discussions” regarding the restoration of Scottish NHS services, and would also be restoring access to its Odyssey system alongside Adastra.
For systems including Caresys, Crosscare and Staffplan, Advanced has worked on providing data extracts, giving organisations access to the data held within the platforms, while the platforms themselves are still out of service.
Estimates for time to rebuild the systems as of late August ranged from four to six weeks for Staffplan, six to eight weeks for Caresys, and eight to 12 weeks for Crosscare.
According to 2 September updates, Advanced has provided Staffplan customers with a range of data, and Caresys users were due to receive extracts last week. For Crosscare, Advanced said it expected extracts to be available in the next two to three weeks, and noted it “appreciate[s] that this information may present further operational challenges to you”.
Work on restoring the Carenotes system appears to be further along, with Advanced saying it expected service to be restored for the first customers by 20 September. The MSP said its eFinancials platform had been unaffected by the Advanced ransomware attack but taken offline as a precaution – and as of late August was restoring access for customers.