Recovery From NHS Ransomware Attack May Take a Month


A key NHS IT partner that was hit by a ransomware attack last week has said it could take three to four weeks before all systems are back to normal.

Advanced runs several key systems for the health service, including clinical patient management software (Adastra) and financial management software (eFinancials).

One of its most important healthcare clients is NHS 111, a phone and online-based service designed to dispense medical advice for urgent problems.

When ransomware struck the MSP in early August 2022, the UK Government tried to play down the seriousness of the incident, claiming "minimal disruption". However, reports suggested that it disrupted patient referrals, out-of-hours appointment bookings, emergency prescriptions and even ambulance dispatches.

In a lengthy update published on August 10, Advanced said it was working with Mandiant, Microsoft DART and the National Cyber Security Centre (NCSC) to investigate and remediate, with no further incidents detected and the original breach contained.

“With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days,” Advanced said.

“For other NHS customers and care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.”

Other Advanced services impacted by the attack are its care home management software (Caresys), clinical decision support tool (Odyssey), patient record software (Carenotes), clinical management service (Crosscare) and care management software (Staffplan).

It is still unclear which ransomware group was responsible and whether data was exfiltrated during the attack.

Before bringing systems back online, the MSP said it is:

  • Implementing extra blocking rules and further restricting privileged accounts for its own staff
  • Scanning all impacted systems and ensuring they are fully patched
  • Resetting credentials
  • Deploying additional endpoint detection and response agents
  • Conducting 24/7 monitoring
