Ransomware assault impacted major platforms for management of patients and staff, as well as the delivery of the 111 urgent care service
NHS bodies are facing weeks of disruption following a cyberattack on a key supplier of software systems.
A week ago, technology firm Advanced was hit with a ransomware assault that impacted a number of its products, including Adastra – a patient-management platform used to support the urgent-care treatment of up to 40 million people.
Also affected by the attack were: the Carenotes electronic patient records system used by 40,000 doctors; the Odyssey product for supporting clinical decision-making; Staffplan, a service for managing staff rotas, as well as recruitment and payroll; the public sector-focused eFinancials system; the Caresys care home-management tool; and Crosscare, a clinical-management program for private care providers and hospices.
The Birmingham-headquartered company claims to work with 140 NHS trusts around the country, supporting the work of more than 20,000 staff. Its technology also supports the delivery of the vast majority of enquiries to the NHS 111 service for urgent care issues.
An update on the cyberattack provided by Advanced states that “NHS 111 and other urgent care customers” can expect the firm to start a “phased process… within the next few days” of bringing services back online.
Other NHS customers are warned that they should expect to continue operating under “contingency plans for at least three to four more weeks”.
There are already widespread reports of frontline staff at various trusts unable to access or update patient records, or having to rely on paper notes. Such difficulties now seem set to continue into the autumn.
“We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared,” Advanced said. “We will continue to provide updates as we make progress.”
Addressing the issue of why it is “taking so long to resume normal service”, the company added that it is “rebuilding and restoring impacted systems in a separate and secure environment” and is using a “defined process by which all environments will be systematically checked prior to securely bringing them online”.
On the question of whether or not it is “safe to continue doing business” with the firm in the meantime, Advanced said: “We want to stress that there is nothing to suggest that our customers are at risk of malware spread and believe that early intervention from our Incident Response Team contained this issue to a small number of servers.”
‘Potential data access or exfiltration’
The software publisher indicated that it has alerted the Information Commissioner’s Office and begun an internal investigation into whether or not any sensitive data may have been compromised as a result of the attack.
“We will continue to be responsive to any questions the ICO may have,” the firm said. “We also remain in contact with the NHS, National Cyber Security Centre, and other governmental entities and are providing them with regular status updates.”
It added: “When we have more information about potential data access or exfiltration, we will update customers as appropriate. Additionally, we will comply with applicable notification obligations.”
The cyber assault is believed to have been perpetrated by attackers who were “purely financially motivated”, according to Advanced.
After the incident was detected, the software house said that it acted immediately to isolate impacted systems and was quick to bring in external support from forensic cyber specialists such as Mandiant and Microsoft DART.
Those seeking the latest updates on the situation should visit Advanced’s website – which now includes a dedicated page with information on the cyberattack – according to the firm’s chief operating officer, Simon Short.
“We are continuing to make progress in our response to this incident,” he said. “We are doing this by following a rigorous phased approach, in consultation with our customers and relevant authorities. We thank all our stakeholders for their patience and understanding as our team works around the clock to resume service as safely and securely as possible.”
An NHS spokesperson said: “While Advanced work to resolve their software problems, thanks to our hardworking staff, NHS 111 services remain available for patients who are unwell, although some people will face longer waits than usual. Patients may be able to find the information they need faster through 111 online, but as ever if it is an emergency, please call 999.”