Cyber Security Blog

NHS Software Supplier faces £6 million fine over Ransomware failings

Written by Guest Author | 8 August 2024

NHS software provider Advanced Computer Software Group is facing a substantial fine of over £6 million following a significant ransomware attack in 2022. The incident, which occurred in August 2022, exposed the personal data of nearly 83,000 individuals.

The Information Commissioner’s Office (ICO) has provisionally concluded that Advanced failed to implement adequate measures to protect the personal data it was entrusted with. 

As a principal IT provider for the NHS and other healthcare entities in England, Advanced Computer Software Group was obligated to adhere to rigorous data protection standards as a data processor. The ICO's inquiry revealed that these standards were insufficiently implemented, creating a significant vulnerability that was exploited by cybercriminals.

The ICO's decision to impose a hefty fine aims to serve as a deterrent and a wake-up call for organisations handling sensitive data. Information Commissioner John Edwards emphasised the distress caused to individuals whose data was compromised and the necessity for organisations to prioritise cybersecurity. 

Edwards also said that his office decided to publicise the provisional decision to “urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.” 

Based in Birmingham, Advanced is owned by investment firms Vista Equity Partners and BC Partners (50% each). The final penalty amount will be determined based on Advanced's response. The company will have the chance to challenge the ICO’s conclusions before the fine is officially imposed. 

Topics Covered Here: 
1. A Recap of the 2022 Ransomware Attack that Impacted the NHS
2. NHS and Third-Party Security
3. How to Protect Against Ransomware Disruptions

What Happened in the NHS Disruption in 2022? 

The ransomware attack on Advanced exploited a vulnerability in its systems that allowed hackers to access a customer account lacking multi-factor authentication (MFA). Multi-factor authentication is a basic yet essential security measure. This breach, caused by missing MFA, not only exposed sensitive data but also disrupted healthcare services, which can have dire consequences for patient care and safety. 

Overnight, the cyber criminals managed to infiltrate crucial health and care services infrastructure. The ransomware attack on Advanced resulted in severe disruptions across NHS services, which led to significant operational challenges.

Here are some key points on the Advanced 2022 ransomware attack:

  • Phone numbers and medical information of 82,946 people were stolen. 

  • The information also contained details on accessing the properties of 890 people receiving home care. 

  • The attack forced NHS staff to turn to pen and paper to continue providing healthcare services.

  • Critical functions such as NHS 111, ambulance dispatch systems, and out-of-hours appointment scheduling were compromised.

  • There is no evidence that the stolen data has been published on the regular or dark web.

  • Advanced did not comment on whether it made an extortion payment.

 

A Warning Call for NHS Third-Party Security 

The news of the ICO’s provisional decision to fine Advanced has brought to light the struggles of the NHS with its third-party service providers. The announcement comes only a few months after the NHS suffered a level-three critical incident due to a cyber attack on its pathology service provider, Synnovis. 

To date, the ransomware attack on Synnovis has postponed more than 5,000 acute outpatient appointments. This includes hundreds of operations for cancer treatments.

Cybersecurity experts are now highlighting the need for tighter supply chain security at the NHS and medical institutions worldwide.

Director of critical infrastructure at Illumio, Trevor Dearing, said the fine serves as "a wakeup call" to all suppliers to fortify their cybersecurity infrastructure.

He said, as per Computing.co.uk, "Supply chain security remains a significant challenge within the NHS as shown by the recent Synnovis cyber attack. In fact, when we reached out to 213 NHS Trusts under the Freedom of Information Act 2000 in July 2023, more than a quarter of Trusts had not conducted audits on their third-party suppliers' cybersecurity measures."


What Can You Do to Avoid Hefty Regulatory Fines? 

The breach at Advanced and the subsequent news about the regulatory fine have once again highlighted critical shortcomings in cybersecurity measures, particularly in the healthcare space. They have underscored the urgent need for robust ransomware protection and cyber incident response training.

It also brings the conversation back to cybersecurity basics. Failing to implement something as rudimentary as MFA, which all organisations must have in place, can cost you millions of pounds. It is imperative to practise good cybersecurity hygiene. It is also critical to train your staff in cyber incident response and let them practise handling real-world incidents with cyber attack tabletop exercises.

Proper training can equip organisations to handle cyber threats more effectively, minimising the risk of data breaches and operational disruptions. The lack of preparedness and insufficient security protocols at Advanced significantly contributed to the severity of the attack and the subsequent fine. 

Organisations must understand that without adequate ransomware protection and incident response training, their ability to withstand cyber attacks is severely compromised. 

Conclusion

As the investigation into Advanced unfolds and the fine is finalised, stakeholders in the healthcare and data protection sectors will keenly observe the results. The cybersecurity community will also have all eyes on the steps Advanced takes to regain trust and bolster its security protocols. 

Ultimately, the £6 million fine levied against Advanced Computer Software Group serves as a stark reminder of the vulnerabilities that exist within healthcare IT systems. It also underlines the devastating impact of ransomware attacks. Organisations must prioritise ransomware mitigation measures and sensitive data protection to secure their finances and their business reputation. There’s simply no other choice today.
