BCS, The Chartered Institute for IT, has raised questions over the security of NHS IT systems following the cyber incident that has caused some disruption in the health services.
This comes after confirmation that Advance, a digital services provider to the NHS, has been subject to a ransomware attack.
The company issued a statement saying: “On Thursday 4 August 2022, Advanced experienced a disruption to our systems that we have since determined to be the result of a cyber security incident caused by ransomware. We immediately took action to mitigate any further risk and isolated all of our health and care environments, where the incident was detected.
“The customer groups impacted either directly or indirectly are Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan and eFinancials.”
The company has reportedly declined to say whether any data has been stolen, but BCS has issued a statement from cyber security specialist Daniel Card expressing significant concerns.
Systems shutdown
“In terms of root causes, the provider had to shut down lots of separate systems,” he said. “That only makes sense to do if a ‘shared control plane’ (where multiple services or assets are held or run from one position) had become owned by the hackers.
“If it wasn't then it doesn't make sense to ‘self-own’ like that.
“With regards to long term impact it is very possible large volumes of healthcare records were stolen which could include mental health related data for example. Losing access to this kind of material isn't a ‘whoops’ mistake - systematic failures can often occur over long periods of time.
“The questions for me are – What assurance was conducted prior to this? How were controls tested? What was in their data security protect toolkit (DSPT) responses?”
“There are systems in place in the NHS to reduce the impact of events like this; there are manual processes and plans in place (e.g., paper records, divert to GPs etc).
“It’s very challenging to get the balance right and we don’t yet know the long term impacts.”
Protection plans
An NHS England spokesperson told the BBC: "While Advanced has confirmed that the incident impacting their software is ransomware, the NHS has tried and tested contingency plans in place including robust defences to protect our own networks, as we work with the National Cyber Security Centre to fully understand the impact.
"The public should continue to use NHS services as normal, including NHS 111 for those who are unwell, although some people will face longer waits than usual.”