Cyberattack on NHS Vendor Already Offering Critical LessonsIncident Spotlights Vendor Risk and Criticality of Business Continuity Plans
The U.K. urgent healthcare helpline is in its fourth day of degraded service following a Thursday cyberattack against a key service provider.
The outage stems from Birmingham software vendor Advanced, which contracts with the British government to provide digital services for the NHS 111. The outage is expected to last at least until Tuesday at the earliest, reports U.K. news site Metro.
The incident, which forced the NHS to fall back on deploying its various business continuity processes, serves as a reminder for the healthcare sector to be prepared to deal with its own cybersecurity surprises and also with highly disruptive incidents involving critical third parties (see: Reports: NHS Dealing with IT Outages Due to Cyber Incident).
"Know your vendors. Know their vendors. Communicate with all of them regularly. Train side by side for emergencies," says attorney Erik Weinick, co-founder of New York-based law firm Otterbourg's privacy and cybersecurity practice.
"Ultimately, you are part of the same 'network' and what impacts one, impacts the others. Check your agreements. Understand who is responsible for what both [during] an emergency and in trying to prevent one."
Advanced Chief Operating Office Simon Short in an interview with the BBC late last week confirmed the issue causing the disruption to the NHS involved a cyberattack.
As a precaution, Advanced immediately isolated all its healthcare environments, he said. "Early intervention from our incident response team contained this issue to a small number of servers representing 2% of our health and care infrastructure," he said.
As of Monday, several local NHS units across the United Kingdom had notices posted on their websites or on Twitter alerting patients of potential disruptions or delays in days to come involving 111 services linked to the incident.
The Welsh ambulance service warns the public of "a major outage" of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours general practitioners, or GP providers.
"The ongoing outage is significant and has been far reaching, impacting each of the four nations in the UK," the notice says.
In a similar statement, the NHS's Oxford Health warns the public of a "software problem" affecting 111 calls, requiring a fallback to slower, manual processes.
"Oxford Health is asking people calling 111 for an appointment at a minor injury unit or the out of hours GP service to be patient while an ongoing software problem affecting NHS services nationally is resolved," the notice says.
Neither the NHS nor Advanced immediately responded to multiple requests by Information Security Media Group for comment and details about the incident.
Blunting the Impact
"Healthcare providers that fail to mitigate not only their own vulnerabilities, but those of their critical vendors, put patients at risk," says Weinick, who also serves on the U.S. Secret Service's New York Field Office's Cyber Fraud Task Force Steering Committee. Having a solid, well-thought-out business continuity plan ready to deploy quickly in such an incident is critical, he says.
"While it may be too much to expect complete protection against intentional attacks or inadvertent outages, it is not too much to expect that healthcare organizations have prepared robust contingencies to continue patient care and communication in a seamless manner in the event of an outage," he adds.
Lessons to Learn
The NHS situation is already offering several important lessons to other healthcare entities and their vendors, some experts say.
"It is critical that an organization ensure that vendors that have network access or connectivity ensure that they have proper cyber hygiene protections in place," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
It is also critical to audit and ensure that the protections a vendor claims to have in place are verifiable and subject to testing to ensure the controls work appropriately, he adds.
"One option is to require IT vendors to have established and proven cybersecurity frameworks in place such as ISO 27001, zero trust architecture or the National Institute of Standards and Technology's Cybersecurity Framework, just to name a few options," he says.
In the meantime, threats, such as ransomware as a service, that are available to cyberthreat actors have greatly expanded the scope of potential threats that healthcare sector entities and their vendors face, he says.
"These types of criminal cyberthreat … put more pressure on the healthcare sector entitles to ensure that their networks and cyber defenses are as strong as possible," he says.