Skip to content

Search the site

NHS software could be offline for a month after ransomware attack on Advanced

Other clients not at risk

NHS IT provider Advanced, a major British MSP, has told some health and care organisations they face waits of up to four weeks for restoration of service, as it investigates “potential data access or exfiltration” in the wake of a ransomware attack which the company detected on the morning of 4 August.

The attack brought down critical software used by the NHS, including for its 111 hotline.

In the latest update the Birmingham-based IT services provider confirmed the attack was ransomware, and said it had affected its Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan and eFinancials systems, with all others remaining operational. Adastra is a patient management system which deals with 40 million patient records, while Carenotes is used by 40,000 clinicians to access patient records. Across all its business areas Advanced has more than 25,000 customers, including 140 NHS trusts – the majority of which were unaffected by the attack

See: ‘Advanced’ hacked: Says attack contained, as NHS customers lose services

For NHS 111, urgent care customers using Adastra, and NHS trusts using eFinancials, an update from Advanced said it was validating its remediation work with the NCSC. After this is complete, it will begin to bring these services back online in phases, which it aims to start “within the next few days”.

Other customers, though, face much longer waits according to the MSP: “For other NHS customers and Care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks.”

Advanced’s statement suggested this was the worst-case scenario: “We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared.”

Advanced cyber-attack: potential data theft investigated

Regarding potential data loss, the MSP said “our investigation is underway”.

“When we have more information about potential data access or exfiltration, we will update customers as appropriate. Additionally, we will comply with applicable notification obligations.”

From this statement, it is unclear whether the investigation around data loss is a precaution, or if Advanced has cause to believe the attacker accessed or exfiltrated data during the attack. When asked for clarification by The Stack, an Advanced spokesperson referred us to the statement on the website.

Simon Short, COO of Advanced, said in an emailed statement: "We are continuing to make progress in our response to this incident. We are doing this by following a rigorous phased approach, in consultation with our customers and relevant authorities. We thank all our stakeholders for their patience and understanding as our team works around the clock to resume service as safely and securely as possible."

The company said it had contacted the ICO, among other organisations: “We remain in contact with the NHS, NCSC, and other governmental entities and are providing them with regular status updates. We have also been in contact with the ICO and will continue to be responsive to any questions they may have.”

And in a statement to The Stack, an ICO spokesperson said: “We are aware of an incident at Advanced Computer Software and we are making enquiries.”

The MSP said it had tasked Mandiant and Microsoft DART with investigating the Advanced cyber attack. It noted the investigation was still in the “early stages”, but said it was confident the immediate attack had been dealt with.

“Since our Health and Care systems were isolated at the end of last week, no further issues have been detected and our security monitoring continues to confirm that the incident is contained, allowing our recovery activities to move forward.”

Follow The Stack on LinkedIn

Martin Riley, director of managed security services at Bridewell, a cybersecurity firm, said in an emailed statement it appeared the MSP had mostly followed good practice in the wake of the Advanced cyber attack, “however, because of the NHS’ highly connected network, it will have had to disable connectivity from the supplier, meaning more manual and slower services”.

He added: “The impact of the attack only illustrates how supply chain assurance still does not have the depth required for critical systems. It’s also another reason why the NIS Regulations must incorporate key providers and MSPs.

“Incidents will happen, and the key is reducing risk and limiting impact, which in this case it looks like the NHS has done. However, it’s clear that suppliers need to up their game and put in place cyber security controls to reduce risk to their customers.”

Follow The Stack on LinkedIn