Jakub Jirsák - stock.adobe.com

NHS staff fall further behind amid ransomware attack

While some NHS bodies are now recovering their services after the ransomware attack on a crucial software supplier, others are still being forced to rely on pen and paper, and some will be waiting months to recover

Although some NHS bodies have recovered the services that were affected by the 4 August ransomware attack on the systems of software supplier Advanced, multiple products remain offline and are likely to take much longer than hoped to be restored, leaving many organisations reliant on pen and paper-based systems, to the detriment of patient care.

In the weeks since the incident, cyber forensics experts – understood to be drawn from both Mandiant and Microsoft’s Detection and Response Team (DART) – have been poring over Advanced’s systems and have gained a much clearer picture of the incident. In particular, the investigators are “well advanced” in their investigation of any potential impact on NHS data.

As of 23 August, NHS England’s incident management team had communicated its findings based on evidence from Advanced’s internal assurance activity and, as a result, a number of bodies have already been reconnected to the Adastra clinical management system – which bore the brunt of the attack and took down vital NHS 111 services for days. NHS customers using its eFinancials financial management software are now also beginning to reconnect via the Health and Social Care Network (HSCN).

However, in a statement posted to its FAQ page before the bank holiday weekend, Advanced said the recovery of some of its other products was moving more slowly.

“Over the last three weeks, we have been focused on assessing our ability to restore and provide reconnection to these services,” said the firm. “Due to a number of factors, this has been more complex than we initially anticipated.”

The most badly affected products are: Caresys, a management software for care homes; Crosscare, a clinical management software for hospice and private practice administration; and Staffplan, a care management software for domiciliary carers.

For hosted Caresys customers, Advanced now believes contingency measures could be needed for six to eight weeks, with data becoming accessible again in mid-September. Hosted Crosscare customers are likely to be waiting longer – up to eight to 12 weeks – with data expected to be available in mid- to late September. Hosted Staffplan customers, meanwhile, can expect to wait a further four to six weeks, although for these customers, Advanced is now able to make data extracts available to assist day-to-day operations.

“We understand that this timeline for restoration of your service is not ideal,” Advanced told its customers. “We take our responsibility to you very seriously and we regret and empathise with the disruption you have faced. We’d like to sincerely thank you for the patience and understanding you’ve shown us since we started responding to this cyber attack.”

However, this will be of scant comfort to clinicians and managers at multiple NHS bodies, which are already stretched close to breaking point after two years of Covid-19 and more than a decade of government funding cuts.

Speaking to the BBC this week, one doctor from a West Midlands urgent care centre said her organisation was still unable to connect to the Adastra service and that staff were having to work overtime to deal with the paperwork. She said she expected the backlog to take up to six months to process and warned that hundreds of thousands of patient records would be caught up in it.

Read more about the Advanced ransomware attack

Read more on Data breach incident management and recovery

Data Center
Data Management