Cyber Attack Strikes UK Ambulance Services in Latest NHS Hack

Several UK NHS ambulance trusts have struggled to record patient data and pass it on to other healthcare providers after a cyber attack hit the health software firm Ortivus. 

South Central Ambulance Service (SCAS) and South Western Ambulance Service (SWASFT), which service a population of over 12 million people in southern England, are both being affected by the attack. 

In a statement, Ortivus said it was subject to a cyber-attack on July 18 which hit UK customer systems within its hosted data centre environment.

“The electronic patient records are currently unavailable and are until further notice handled using manual systems,” the statement reads. 

 “No patients have been directly affected. No other systems have been attacked and no customers outside of those in the hosted datacenter have been affected.”

The Sweden-headquartered software vendor added that it was working “in close collaboration” with the NHS and other affected customers to restore its systems and recover data. 

Speaking on behalf of the two affected Trusts, an NHS spokesperson said: “We are aware of an incident affecting a small number of ambulance services.”

“Our Cyber Security Operations Centre is working with affected organisations to investigate, alongside law enforcement colleagues, and supporting suppliers as they work to reconnect the system."

It is not yet known who is behind the attack at this stage. 

'This is ongoing as we speak'

According to Otravia, only customers using its MoviMed ePR electronic patient record systems are thought to be affected by the breach. 

MoviMed ePR is designed to help monitor and keep records in pre-hospital care as well as share crucial information with other care providers. 

On July 21, Ortivus said it was ready to relaunch MobiMed ePR for the hosted environment customers, but was waiting on "final approval by NHS authorities before the ambulance trusts can reconnect."

However, Ortivus CEO Reidar Gårdebäck told the tech publication The Register he was unable to confirm when the third-party forensic analysis would be complete. 

"That is ongoing as we speak, so to give an exact timeline is not possible at the moment because that depends on the forensic analysis of the incident itself," he said.

The CEO added that an alternative system was ready within 24 hours of the attack. A backup system was available for viewing patient records, but the cyber-attack "impacted integrations to other systems."

“Our focus now is just to restore the services and we're doing everything we can, with all our resources, to get the system up and running again. The discussion regarding compensation will be done later on," he said.

Attack on NHS

This attack is just the latest attack on the NHS in recent months. At the end of June, the data of over a million NHS patients was stolen in an attack on the University of Manchester, with the stolen data dating back to as early as 2012. 

Meanwhile, in August last year, a large-scale ransomware campaign on the health service saw hackers steal 5.5 million patient records across Scotland, England and Wales, leaving NHS systems paralysed for months. 

In that attack, Medical staff were reportedly forced to keep patient files on pieces of paper and email for months as systems remained offline until mid-October. 

“The healthcare industry is one of the few sectors where cyberattacks can fatally impact human life, therefore cyber criminals know hitting patient services is the most effective way to cause disruption and for victims to comply with their demands,” Simon Chassar, CRO at Claroty told EM360. 

Healthcare organisations are adding more cyber-physical devices such as OT systems and IoMTs, to their networks, and exposing themselves to new cyber threats and vulnerabilities which can impact patient services, and ultimately human life. 

"It’s important to implement network segmentation so unnecessary connectivity and the movement of malware can be restricted, as well as real-time monitoring and analysis to identify anomalies and potential intrusions quickly.”