13-09-2022 | By Robin Mitchell
What was initially said to be a small problem has now clearly become a serious issue, and paperwork from healthcare professionals continues to pile up. What exactly happened to NHS services, why are they facing numerous issues, and does this raise concerns for government-related services?
NHS supplier faces ransomware attack
Of all cyberattacks, by far one of the most brilliant is ransomware. Viruses of the past could have numerous abilities such as key logging, file destruction, and replication, while trojan horses would allow hackers to have backdoor access to critical systems. But while these are clever in their own way, ransomware is arguably one of the most profitable attacks thanks to its ability to leverage encryption.
Ransomware is nothing more than a simple data encryption program that encrypts all user files used by a remote hackers key (typically using the public key exchange method). Even though the program is capable of encrypting, it is not able to decrypt the data without the private key held by the attacker, and this puts the attacker in a unique position to request money in exchange for the key.
At the same time, the attacker can store the key on a private system that will self-destruct after a specified time, and this adds urgency to the victim to pay or risk losing their files. Worse, finding the hacker and obtaining their equipment is not only next to impossible to do, but may not even recover the key thus effectively destroying the encrypted data. Finally, hackers can automate the process so they don’t even get involved with the attack/ransom/release process.
In the case of the NHS, the first signs of ransomware were spotted on the 4th August whereby infrastructure critical to numerous patient care systems were found to be compromised. It is believed that a phishing attack was used to install the ransomware (typically via an email), and once executed, started to infect numerous applications manufactured by Advanced.
Services being targeted by the ransomware include Carenotes (mental health), Caresys (care homes), Crosscase (hospice), and Staffplan (organisation). Furthermore, the service has attacked Adastra which is critical for 111 services that call ambulances and provide GPs access to patient notes. Initially, it was believed that the situation would be resolved within a matter of weeks, but one month later and paper work is now starting to pile up which staff believe could take months to resolve.
Why is Advanced facing numerous issues?
Currently, there is little information being released to the public as to why it is taking the NHS a long time to restore essential services. In the case of ransomware attacks, the best solution involves having frequent server backups, wipe all currently systems, reinstall applications, and then restore files.
Assuming that the ransomware hasn’t found its way into backup systems, such a fix should be relatively easy to do as modern IT infrastructure allows for mass deployment of applications, and network-wide updates. At the same time, modern applications are moving to the cloud which would only require deployment on a single server.
While it is difficult exactly determine how the services work from a technical point of view, the Advanced website describes their services as “cloud-based” and allowing for use on mobile apps. As such, it is highly likely that software developed by the company is indeed operated in the cloud with NHS staff connecting to the service over a browser-based interface (or a form application that connects to the service over an internet connection).
Considering that the ransomware hasn’t attacked physical NHS infrastructure, getting the services back online should allow NHS staff to immediately resume normal operation. But despite being over 4 weeks into the cyberattack, questions have to be raised as to why the service is still facing issues.
One possibility is that Advanced is negotiating with the attackers to restore systems. Should this be the case, it would be another excellent demonstration to the power of ransomware. However, this also raises the question as to whether Advanced keeps reliable backups of their services and data, or if they rely on a minimal set of security standards and practices.
Does this attack raise concerns for government-run services?
It is well understood by society that governments are pretty incapable of running just about anything (they are, however, good at spending other peoples money). This is often reflected by the dependency on antiquated computer systems, inability to adapt to new technologies, totally out of touch with society, and a tendency to make mistakes on a daily basis.
A good example of this is a recent report describing how key members of the Japanese government are still using floppy disks to transfer data despite Japan being one of the most technologically advanced societies. Another example is how numerous government departments in the UK all hold their own data on citizens, but none of it is centralised or cross-platform meaning that data held by the DVLA is never shared with HMRC which is never shared with local governments.
But this recent attack was not against a government entity, but a private software company. However, even though Advanced is a private company, it is working with the NHS which guarantees a stream of revenue that will unlikely never disappear. At the same time, it is likely that the tens of thousands of NHS staff dependent on the software will be hesitant to change even if the software presents numerous challenges, and this gives Advanced a degree of flexibility in service quality.
Thus, private companies that provide solutions to government services rarely have an incentive to provide the best performance and reliability. This is why many government projects can consume millions of pounds with nothing to show for it (the green bridge in London is an excellent example which was able to spend £53m on nothing).
Considering that the government never writes its own software, it is likely that numerous government services are dependent on private industry solutions. Furthermore, it is even more likely that these providers realise the position they are in, and will likely exercise a degree of carelessness and disregard for their software reliability and resilience.
Overall, there is very little that the general public can do, and this latest ransomware attack continues to demonstrate how governments (and the suppliers they work with) are incredibly vulnerable to stupidity and laziness. In the case of the NHS, it makes one wonder if individuals should be in charge of their own records and data which they can provide remote access to by government services.