Last week, UK National Health Service (NHS) service provider Advanced experienced a ransomware attack. The attack affected the NHS’ 111 service and the Caresys and Carenotes software used for patient notes and visitor booking.
The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) are working with Advanced to understand the impact of the attack. Advanced refused to comment on whether patient data had been stolen, but ICO involvement suggests that there is a significant risk to personal data.
In 2022, ransomware attacks on large organisations with distributed operations are almost inevitable. The NHS and its data processors must implement better data security measures to protect their most sensitive asset: patient data. With those measures in place, if attacks occur, data is protected, the rewards for malicious actors are limited, and operations are less disrupted.
Patient data theft is a possibility
Following the recent attack on Advanced, patient data loss has not been ruled out. Ransomware attacks work by infiltrating computer servers using malicious software and encrypting data. The malicious actors will demand a ransom fee to decrypt the data, but there is no guarantee that this will be done once the ransom is received.
The ransomware attack on Advanced affected the Carenotes electronic patient records, causing a ‘system outage’ that could last up to three weeks, leaving nine mental health trusts without access to patient data. The attack also hit the Advanced Adastra system, which employees of the 111 service use to dispatch ambulances, and this could lead to dangerous delays.
There is a risk that if the ransom is not paid, the malicious actors behind the attack could release confidential patient data on public forums in exchange for money.
Cyberattacks are devastating for public services
The NHS is no stranger to ransomware attacks, having suffered a wide-scale attack in 2017 called ‘WannaCry’. The attack had a detrimental effect on the NHS, affecting hospitals and GP services across the UK. It was estimated that 80 trusts, 603 primary care departments and almost 600 GP practices were affected.
Appointments and operations were cancelled as staff were unable to access patients’ historical medical records. Staff resorted to using paper and pens and personal mobile phones to record patient details.
Data security services are the solution
GlobalData forecasts that between 2020 and 2025, cybersecurity spending by healthcare providers and payors will grow at a compound annual growth rate (CAGR) of 8.1%, from $4.59bn to $6.77bn. Given its history, the NHS needs to make strong data security a strategic priority. Data security is a preventative measure that protects data at rest and in transit, even if a bad actor does infiltrate the system.
This week, data security and data loss prevention start-up Nightfall AI raised $40m in Series B financing. The company monitors data flows in and out of applications, using machine learning algorithms to classify whether data is sensitive or personally identifiable information (PII). The dashboard supports automated workflows and automatic responses to potential breaches. This service is essential, as cyberattacks increase in their scale and ferocity.
While cyberattack attempts are somewhat inevitable, full-scale disruption, infiltration, data loss and service loss are not. The NHS and other public services should have a full-stack cybersecurity strategy with both reactive and preventative measures, and should deploy data security measures as an absolute priority to protect the swathes of PII and sensitive health information that they process.