NHS 111 cyberattack is a sign of the 'new normal'

A hospital sign in London, giving directions towards the emergency department.

A cyberattack that has disrupted the NHS 111 medical advice service since late last week is indicative of the ‘new normal’, a cybersecurity expert has told Tech Monitor, in which NHS institutions are subjected to a constant barrage of attacks.

Update: The incident now been confirmed as a ransomware attack. Managed service provider Advanced has confirmed that it was hit by a ransomware attack at 7am on August 4th.

It says the recovery process for NHS 111 and other urgent care providers will last a few days, while other services will take three to four weeks to return to full functionality.

The NHS has been subject to heighten cybercriminal activity since April, according to one cybersecurity provider (Image by georgeclerk / iStock)

“There is a new normal in terms of the threat activity that NHS Trusts and organisations are seeing,” said Andy Norton, European cyber risk officer at Armis.

Armis monitors a number of NHS Trusts’s networks for evidence of suspicious activity, including port scans or exploit attempts, connections to the dark web, and drive-by attacks. Since April this year, Norton says, it has seen consistent heightened activity.

Norton observes that the start of this activity coincided with prime minister Boris Johnson’s first visit to Ukraine, although there is ‘no concrete evidence’ to link the two. “Often cyber events follow things that are happening in the real world,” he says.

NHS 111 cyberattack: ‘hallmarks of ransomware’

On Friday last week, the Welsh Ambulance service reported a “major outage” of a system that refers patients from the NHS 111 service to out-of-hours GPs.

Plans are in place due to a system outage impacting 111 and GP out-of-hour services across Wales.

The public can still call 111 but your call may take longer than usual to be answered.

If it's not urgent, head to https://t.co/EDEUp8Z93Y

Read more here: https://t.co/O3kjVk1dqv pic.twitter.com/KEzYWcFxH1
— Welsh Ambulance (@WelshAmbulance) August 5, 2022

It later emerged that Advanced, an MSP whose customers include 36 NHS institutions, had suffered a cyberattack. Applications hosted by Advanced were unavailable to the NHS 111 service, with staff resorting to pen and paper, according to a report by The Register.

Advanced told customers that it had “identified an issue on infrastructure hosting products used by our health and care customers.

“Whilst the investigation is carried out Advanced has isolated all services and taken them offline to mitigate the risk of further impact,” it said. “This means that customers will not be able to access their systems and should revert to contingency measures.”

Armis’ Norton says that the incident bears the hallmarks of a ransomware attack. “If it was a [personally identifiable information] data breach, a disruption would not have been noticed because that attack is about stealthy longevity,” he says.

“When disruptive payloads like ransomware get deployed in an environment, that’s when we start to see a disruption of services.”

In the face of heightened cyberattacks, it is becoming increasingly important for NHS Trusts not only to invest in cybersecurity but also to “demonstrate publicly that you’ve [taken] all the security requirements that are appropriate and proportionate,” says Norton.

“That is really where we see a lot of Trusts going now, which is more of an investment in demonstrating that they’ve taken the appropriate measures.”