{"id":73912,"date":"2022-08-25T10:13:31","date_gmt":"2022-08-25T17:13:31","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=73912"},"modified":"2025-04-16T10:01:02","modified_gmt":"2025-04-16T14:01:02","slug":"ransomware-in-healthcare-the-nhs-example-and-what-the-future-holds","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-the-nhs-example-and-what-the-future-holds\/","title":{"rendered":"Ransomware in Healthcare: The NHS Example and What the Future Holds"},"content":{"rendered":"

On August 4, 2022, Advanced \u2013 a major software provider for the UK\u2019s National Health System (NHS) and other healthcare customers \u2013 suffered a ransomware attack from a group that is still unknown to the public. The attack disrupted NHS services including ambulance dispatch, appointment bookings, patient referrals and emergency prescriptions. As of August 19, more than two weeks after the incident, most systems have only been partially recovered, and full recovery is expected to take up to four weeks in some cases.<\/p>\n

This attack impacted the NHS via a service provider, similar to what happened when REvil leveraged Kaseya VSA<\/a> to spread ransomware in 2021. However, this time the ransomware doesn\u2019t appear to have spread outside of Advanced\u2019s systems, at least in part because the software vendor disconnected some of their networks so customers could not connect to compromised servers.<\/p>\n

In this blog post, we explore the impact of this ransomware incident on the NHS, show how future ransomware attacks may exploit exposed Internet of Things (IoT) devices on healthcare providers and discuss what healthcare organizations should do<\/a> to avoid being the next victim.<\/p>\n

The impact of ransomware on the NHS<\/h2>\n

This is not the first time that health services in the region have been severely impacted by ransomware. In May 2017, the WannaCry<\/a> attack on the NHS, launched by North Korea, led to thousands of canceled appointments and a cost of nearly 100 million pounds. In May 2021, the Conti ransomware attack on Ireland\u2019s health service led to weeks of disruption and a projected cost of $100 million<\/a>.<\/p>\n

The impact on the NHS of the current attack has not yet been calculated, but it can begin to be understood by analyzing the Advanced software systems that were attacked, their function and their current status, as shown in the table below.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Software<\/b><\/th>\nFunction<\/b><\/th>\nStatus as of Aug. 19<\/b><\/th>\n<\/tr>\n
Adastra<\/strong><\/td>\nClinical patient management, which helps emergency call handlers dispatch ambulances and doctors access patient records<\/td>\nForensic investigation advanced but 111 customers not reconnected<\/td>\n<\/tr>\n
Caresys<\/strong><\/td>\nCare home management<\/td>\nForensic investigation ongoing but recovery not started (expected in 3 to 4 weeks)<\/td>\n<\/tr>\n
Odyssey<\/strong><\/td>\nClinical decision support<\/td>\nForensic investigation ongoing but recovery not started (expected in 3 to 4 weeks)<\/td>\n<\/tr>\n
Carenotes<\/strong><\/td>\nElectronic patient record software, used by mental health trusts for patient records<\/td>\nCustomers had access to partial data, forensic investigation ongoing (expected for 3 to 4 weeks)<\/td>\n<\/tr>\n
Crosscare<\/strong><\/td>\nClinical management for hospices and private practices<\/td>\nForensic investigation ongoing but recovery not started (expected in 3 to 4 weeks)<\/td>\n<\/tr>\n
Staffplan<\/strong><\/td>\nCare management software<\/td>\nCustomers had access to partial data, forensic investigation ongoing (expected for 3 to 4 weeks)<\/td>\n<\/tr>\n
eFinancials<\/strong><\/td>\nPublic sector financial management<\/td>\nSystems back online and customers could reconnect<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

One point stands out from the response to this incident: regardless of paying a ransom to recover data or not, healthcare systems cannot simply be brought back online after an attack. They need to go through a thorough forensic investigation to ensure there is no further compromise.<\/b><\/p>\n

Advanced employed two external organizations to perform the forensic and recovery actions. For one service alone, eFinancials, those firms had to scan nearly 150 servers. In the healthcare sector, the time it takes to recover impacted systems typically leads to delayed or canceled patient care, as was the case for WannaCry in 2017 and Conti in 2021.<\/p>\n

Although the response to this incident is still ongoing, it is safe to assume that there will be a very high financial impact for Advanced, and once again several NHS patients will have appointments and treatment delayed or canceled.<\/span><\/p>\n

What the future holds for ransomware in healthcare<\/h2>\n

As the CIO of the UK\u2019s health and social care system said in a review of the WannaCry attack in 2018:<\/a> \u201cIt is not a question of ‘if’ but ‘when’ the next cyberattack strikes the health and social care system.\u201d<\/p>\n

In 2017, the impact happened because of computers running unpatched or legacy Windows operating systems at NHS trusts. In 2022, it was because of a managed service provider (MSP). MSPs are currently a great entry point for ransomware gangs because they may allow for access into many customer organizations at the same time. Even if the ransomware does not spread from the MSP to its customers, these customers are impacted by the MSP\u2019s downtime.<\/p>\n

In the future, Vedere Labs believes the impact will likely occur because of insecure IoT devices, since IoT as an entry point<\/a> is gaining relevance with ransomware gangs. That belief is echoed by the UK\u2019s National Cyber Security Centre (NCSC), which recently published a report<\/span><\/a> that concludes there is a high likelihood that enterprise IoT will be used as an “attack vector or pivot point to enable cyber actors to gain access to an enterprise’s corporate network for espionage purposes, disruption, or financial gain.”<\/span><\/p>\n

To show this threat vector in action, we recently developed R4IoT<\/a>, a proof-of-concept ransomware that gains access to an organization via exposed IoT devices and moves laterally to exfiltrate and encrypt data on IT systems. This type of attack exploits an increased IoT attack surface and is applicable in almost every organization nowadays, but especially in healthcare.<\/p>\n

A simple Shodan search for devices exposed to the internet in UK organizations with \u201cNHS\u201d in their name<\/a> returned 1,585 results on August 22. We can also see an increasing trend of devices exposed online by NHS trusts in the past few years:<\/p>\n

\"Ransomware<\/p>\n

Most of these devices are still either web servers or network infrastructure, such as VPN concentrators, firewalls and routers. However, we see a lot of interesting IoT, such as eight VoIP phones, five Zyxel WiFi routers, five Crestron conference room systems, one Honeywell NVR, one Hikvision IP camera, seven devices with exposed Telnet and 28 devices with exposed embedded SSH and FTP servers. For instance, below is a screenshot showing the Hikvision camera, which may be vulnerable to remote code execution via CVE-2021-36260<\/a>.<\/p>\n

\"Ransomware<\/p>\n

Defending healthcare networks from future attacks<\/h2>\n

In 2018, after WannaCry, the NHS\u2019s review of the incident<\/a> included this finding:<\/p>\n

\u2026most NHS trusts also need capital investment in areas such as addressing weaknesses in their infrastructure to secure networks by upgrading firewalls, improving network resilience and segmentation to minimise the risk to medical, improving device security through device replacement and automation of patch management, and improving anti-virus protection.<\/em><\/p>\n

The themes of patching<\/em>, segmenting<\/em> and automating <\/em>that were relevant in 2018 are even more important today with the increased attack surface brought by IoT.<\/p>\n

The widespread use of IoT devices, the fact that they are often exposed online and the difficulty in patching them means that every organization, particularly in the healthcare sector, needs a proactive and holistic approach to cybersecurity that prioritizes:<\/p>\n