NHS Ransomware Attack: Could a £6 Million Fine Have Been Prevented?


On 7 August, 2024, the Information Commissioner’s Office (ICO) announced a provisional £6 million fine for Advanced, a UK software provider for the NHS. This fine stems from initial findings that the company failed to adequately protect sensitive data, leading to major disruptions in NHS services. However, it’s important to note that these findings are still under review. The ICO has not yet made a final decision, and the fine amount could change depending on further discussions and evidence provided by Advanced.

How the Attack Disrupted NHS Services

On 4 August, 2022, a widespread outage struck the NHS, affecting crucial systems like Adastra, which helps 111 call handlers dispatch ambulances and access GP records, and CareSys, a system used in care homes. Other affected systems included Carenotes, utilised by mental health trusts for patient records, and StaffPlan, used for managing care organisations. The disruption led to numerous cancelled appointments and forced the NHS to revert to manual procedures, severely impacting healthcare delivery. According to Advanced’s most recent accounts filing at Companies House, the organisation spent £18.1m on cyber-attack remediation measures in the wake of the attack. The cause was later confirmed to be a LockBit 3.0 ransomware attack, as identified by Microsoft and Mandiant, who were hired by Advanced to investigate the breach.

The attack allowed cybercriminals to steal sensitive data, including phone numbers and medical records of 82,946 individuals. Alarmingly, the stolen data also included details on how to gain entry to the homes of 890 people receiving home care. The attackers exploited a customer account with credentials that lacked Multi-Factor Authentication (MFA) to establish a remote desktop session and deploy the ransomware. For an organisation tasked with providing managed software services to critical national infrastructure like the NHS, this was a significant failure.


Ransomware: The Silent Threat to Critical Infrastructure

Ransomware is a type of malware designed to either steal data from a system or deny access by locking users out of their data until a ransom is paid. Once deployed, the software will attempt to exfiltrate or encrypt (or both) critical data, making it accessible to the attacker and inaccessible to the organisation. The attackers then demand payment in exchange for the decryption key, placing the organisation in a difficult position where paying the ransom often seems like the easiest and quickest way to regain access to its data. In the case of Advanced, whether the ransom was paid or not is unknown. Recent ransomware attacks have had devastating effects on various sectors, including healthcare, where they have crippled hospitals’ ability to provide essential services and caused significant operational and financial damage.


Could This Have Been Prevented? Lessons Learned from the Attack

This attack might have been prevented through a more proactive approach to cybersecurity. Implementing Multi-Factor Authentication (MFA) on all accounts, conducting regular security audits, ensuring that all systems are up to date with the latest security patches, utilising Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) software, and having an appropriate backup procedure in place are fundamental steps that could have made a difference. The absence of these measures left Advanced vulnerable to the attack, leading to severe consequences not only for the company but also for the NHS and the patients who rely on its services.
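The initial access described above (a remote desktop session opened with an account that had no MFA) is exactly the gap an MFA coverage audit should catch. The following is an added example, not code from the article or from Advanced: it runs over constructed Windows Security logon events (event 4624, logon type 10 = RemoteInteractive) and flags successful RDP logons by accounts absent from a hypothetical MFA enrolment inventory.

```python
"""Flag RDP logons by accounts not enrolled in MFA (added example).

The account inventory and event lines below are constructed for
illustration; the field names follow Windows Security event 4624,
where LogonType 10 denotes a Remote Desktop (RemoteInteractive) session.
"""
import json

# Constructed: accounts with MFA enforced (hypothetical inventory export).
MFA_ENROLLED = {"alice.admin", "svc-backup"}

# Constructed sample events, one JSON object per line as a SIEM might export.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "alice.admin", "IpAddress": "10.20.1.15"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "customer-portal", "IpAddress": "203.0.113.44"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "IpAddress": "127.0.0.1"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "customer-portal", "IpAddress": "203.0.113.44"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "customer-portal", "IpAddress": "203.0.113.44"}
"""

RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / Remote Desktop


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_rdp_without_mfa(events, mfa_enrolled):
    """Return (user, source_ip) for each successful RDP logon by a non-MFA account."""
    findings = []
    for ev in events:
        # Only successful logons (4624) of the RemoteInteractive type count.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        user = ev["TargetUserName"]
        if user not in mfa_enrolled:
            findings.append((user, ev.get("IpAddress")))
    return findings


def summarise(findings):
    """Collapse repeated (user, ip) hits into counts for a single alert each."""
    counts = {}
    for key in findings:
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_rdp_without_mfa(parse_events(SAMPLE_EVENTS), MFA_ENROLLED)
    for (user, ip), n in summarise(hits).items():
        print(f"ALERT: {n} RDP logon(s) by non-MFA account {user!r} from {ip}")
```

The failed logon (4625) and the local console logon (type 2) are deliberately ignored, so the only alert is for the non-MFA account connecting over RDP.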


How Can Cybersecurity Consultancy Protect Your Business?

Organisations need to have a clear understanding of the value of their own, and their stakeholders’, information assets. This is achieved by conducting a Business Impact Analysis (BIA). Using an external party to conduct a BIA is a good option, even if you have the internal knowledge, skills and experience to conduct your own, as it brings in an outside view that considers options from a different perspective. Professional information and cyber security consultants provide the expertise needed to assess an organisation’s security posture, develop and enforce security policies, and offer ongoing support to address evolving cyber threats. Such a partnership can be invaluable in preventing attacks, safeguarding sensitive data, and maintaining business continuity. Effective information security and robust business continuity planning are not just about protecting data: they are about ensuring the ongoing operational integrity and resilience of an organisation.

The fine imposed on Advanced serves as a stark reminder of the importance of cybersecurity in protecting sensitive data, especially in critical sectors like healthcare. Organisations must take proactive steps to secure their systems, and engaging with a cybersecurity consultancy can be a valuable investment in safeguarding their operations, reputation, and business continuity.
