London emergency ambulance responding at night showing cyber attack on NHS 111 caused system outage

NHS 111 System Experiencing Disruption Due to Cyber Attack, System Outage May Impact Services for Several Days

A cyber attack has caused what was described as a “major” system outage at the NHS 111 non-emergency medical help line, with hosting firm Advanced saying that there may be disruptions to patient scheduling services for at least several days.

Advanced said that the cyber attack impacted a “small number of servers” but nevertheless caused issues with the patient scheduling system used by the phone service, and that the issue may not be fully resolved until next week. Government representatives from each country confirmed that the system outage was impacting Wales, Scotland and Ireland as well as England.

NHS 111 patient scheduling abilities reportedly limited due to cyber attack

NHS 111 is a non-emergency number available throughout the United Kingdom. The system is intended for those who have questions about pain or symptoms that do not constitute a clear emergency, but may be an urgent matter. NHS 111 staff help to interpret symptoms and direct callers to appropriate nearby medical resources, and can also make direct referrals and schedule appointments in certain situations; this computer booking system appears to be the aspect that has been disrupted by the cyber attack.

Details about the cyber attack are limited, but the National Crime Agency has confirmed that it was some sort of malicious action by a threat actor. Naturally, ransomware is the first suspect that springs to mind. This is not the first time the NHS has grappled with system outages due to ransomware, as it was caught up in the WannaCry outbreak of 2017 causing major disruptions at hospitals in England and Scotland. Ireland’s Health Service Executive (HSE) had another bout of ransomware in May of last year, with that attack causing system outages of up to two months.

The fallout from this case appears to be much more manageable than the outcomes of those two prior incidents, but health care providers throughout the UK have been told to expect some added difficulties due to the system outage. NHS England told family doctors in London that they could expect an increased load of patient referrals in the near term, until NHS 111 restores the ability to directly book patients into open slots for appointments. The Welsh Ambulance Service issued a statement saying that calls may take longer to answer in the near term, and that there may be issues with out-of-hours GP appointment scheduling.

The NHS 999 emergency call service does not appear to be experiencing system outages in any areas. NHS 111 Wales issued a tweet indicating that the online version of the platform was working as usual and encouraged patients to head there as a first step for calls for assistance. The National Cyber Security Centre has been engaged by Advanced to investigate the cyber attack.

System outage raises questions about another NHS ransomware incident

Additional fuel to the ransomware theory has been provided by The Guardian, which is reporting that the cyber attack was conducted by criminals rather than a nation-state hacking team.

Advanced said that only 2% of its Health & Care infrastructure was compromised by the cyber attack. The firm provides services to a variety of other high-profile clients, the London City Airport and the UK Department for Work and Pensions (DWP) among them. NHS 111 appears to be the only government client that is experiencing system outages at this time, but reportedly some 1,000 care homes around the UK that make use of the company’s Caresys software have also been negatively impacted. Caresys is used to manage worker records and daily scheduling among other items.

Though there is no sign of connection at this time, the NHS 111 incident is part of a small wave of cyber attacks on government agencies and government-adjacent organizations across Europe in recent weeks. The German Chambers of Industry and Commerce was hit by a major attack that forced a complete shutdown of its systems for a time, impacting all of its 79 chambers across the country. And the Spanish National Research Council (CSIC), a state agency that performs scientific and technical research for the Spanish Ministry of Science and Innovation, had to isolate some of its research centers from the central network for an extended period to mitigate what appeared to be a ransomware attack from a criminal group based in Russia.

Attacks on health care services have become one of the most popular methods of extorting money for ransomware gangs, as patient care facilities cannot afford anything in the way of downtime without creating actual risk to life and limb. A similar cyber attack in Germany in 2020 caused the first death attributed to ransomware, as a patient being transported by ambulance had to be re-routed to a more distant hospital due to non-functional equipment at the intended destination.

Erich Kron, security awareness advocate at KnowBe4, notes that these are also popular targets due to the amount of highly sensitive information they hold: “Even for less critical situations, medical facilities often store sensitive, and possibly embarrassing information about patients, information cybercriminals know can be used against organizations by threatening to release this information publicly. This can be used to strengthen the demand for a ransom payment. Since malware, including ransomware, is very often spread through email phishing, organizations should ensure their staff is aware of the threat and are trained on how to spot and report email phishing attacks. In addition, organizations that provide time sensitive services, such as healthcare providers, should ensure they have processes and procedures in place for dealing with outages, even extended ones, while still providing emergency services.”