
A Cautionary Tale: What the Advanced Health and Care Case Tells Us About Cyber Resilience

At the end of March, Advanced Computer Software Group was fined just over £3m by the UK’s data protection regulator. Multiple security failures at the IT service provider led to the compromise of personal information on nearly 80,000 people and put vulnerable individuals’ physical safety at risk.

The subsidiary in question, Advanced Health and Care (AHC), should have known better. But its failings are not uncommon. It was simply unlucky enough to be found out after ransomware actors targeted the NHS supplier. The question is how other organisations can avoid the same fate. Fortunately, many of the answers lie in the detailed penalty notice recently published by the Information Commissioner’s Office (ICO).

What Went Wrong?

AHC offers various critical services to healthcare clients, including the National Health Service (NHS), such as software for patient management, electronic patient records, clinical decision support, care planning and workforce management. It also supports the NHS 111 service for urgent healthcare advice.

Although some of the information in the ICO’s penalty notice has been redacted, we can piece together a rough timeline for the ransomware attack.

  1. On 2 August 2022, a threat actor logged into AHC’s Staffplan system via a Citrix account using a compromised password/username combo. It’s unclear how these credentials were obtained.
  2. Once inside, they executed a file to exploit the two-year-old “ZeroLogon” vulnerability which had not been patched. Doing so enabled them to escalate privileges up to a domain administrator account.
  3. The threat actor then used those privileges to move laterally through domains, turn off anti-virus protection and perform additional reconnaissance. They also moved to AHC’s cloud storage and file hosting services and downloaded “infrastructure management utilities” to enable data exfiltration.
  4. The adversaries deployed ransomware across 395 endpoints and exfiltrated 19GB of data, forcing Advanced to take nine key software offerings offline—three of them as a precaution.

The Key Security Gaps

The three main security failings unearthed by the ICO’s investigation were as follows:

Vulnerability scanning: The ICO found no evidence that AHC was conducting regular vulnerability scans—as it should have been given the sensitivity of the services and data it managed and the fact that the health sector is classed as critical national infrastructure (CNI) by the government. The firm had previously purchased vulnerability scanning, web app scanning and policy compliance tools but had only conducted two scans at the time of the breach.

AHC did carry out pen testing but did not act on the results: the threat actors later exploited vulnerabilities those tests had uncovered, the ICO said. Under the GDPR, the ICO assessed that this evidence proved AHC failed to “implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Patch management: AHC did patch ZeroLogon but not across all systems because it did not have a “mature patch validation process in place.” In fact, the company couldn’t even validate whether the bug was patched on the impacted server because it had no accurate records to reference.

Risk management (MFA): No multifactor authentication (MFA) was in place for the Staffplan Citrix environment. In the whole AHC environment, users only had MFA as an option for logging into two apps (Adastra and Carenotes). The firm had an MFA solution, tested in 2021, but had not rolled it out because of plans to replace certain legacy products to which Citrix provided access. The ICO said AHC cited customer unwillingness to adopt the solution as another barrier.

What Was the Impact?

There’s a reason why the ICO imposed such a sizeable fine, which was knocked down from an even higher £6.1m after Advanced’s “proactive engagement” with the authorities and its agreeing to a voluntary settlement. Put simply, the breach imperilled the digital and physical safety of many blameless data subjects and took key services offline for weeks on end. Specifically:

  • Threat actors exfiltrated data on 79,404 individuals, almost half of whom had special category data taken. This included medical records, NI numbers, information on religious beliefs, employment, and demographic details.
  • This special category data included details on how to gain entry to the homes of 890 data subjects who were receiving home care.
  • A subsequent service outage impacted 658 customers including the NHS, with some services unavailable for up to 284 days. According to widespread reports at the time, there was major disruption to the critical NHS 111 service, and GP surgeries were forced to use pen and paper.

Avoiding the Same Fate

“Today’s decision is a stark reminder that organisations risk becoming the next target without robust security measures in place,” said Information Commissioner John Edwards at the time the fine was announced. So, what counts as “robust” in the ICO’s opinion? The penalty notice cites NCSC advice, Cyber Essentials and ISO 27002 – the latter providing key guidance on implementing the controls required by ISO 27001.

Specifically, it cites ISO 27002:2017 as stating that: “information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”

The NCSC urges vulnerability scans at least once a month, which Advanced apparently did in its corporate environment. The ICO was also at pains to point out that penetration testing alone is not enough, especially when performed in an ad hoc manner like AHC.

Additionally, ISO 27001:2022 explicitly recommends MFA in its Annex A to achieve secure authentication, depending on the “type and sensitivity of the data and network.”
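As an added illustration, not part of the original article or of any Advanced/AHC tooling, the following Python sketches the control-validation check the three gaps above call for: it reconciles an asset inventory against patch records, last scan dates and MFA enforcement on remote-access entry points, and treats a missing patch record as a finding in its own right, which is exactly the position AHC was in. The patch identifier, host names and inventory are constructed placeholders, and the 31-day scan threshold follows the NCSC monthly cadence cited above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
# NCSC guidance cited on the page: scan at least once a month.
MAX_SCAN_AGE_DAYS = 31
# The page gives no patch identifier for the ZeroLogon fix; placeholder only.
ZEROLOGON_PATCH = "ZEROLOGON-PATCH-ID-PLACEHOLDER"
AUDIT_DATE = date(2022, 8, 2)  # date of the intrusion in the ICO timeline

@dataclass
class Asset:
    host: str
    role: str  # "domain-controller", "remote-access" or "server"
    patch_records: Dict[str, str] = field(default_factory=dict)  # patch id -> "installed"/"missing"
    last_scan: Optional[date] = None  # date of the last vulnerability scan, if any
    mfa_enforced: bool = False  # only meaningful for remote-access entry points

def check_asset(asset: Asset, today: date) -> List[str]:
    """Findings for one asset against the three gaps the ICO notice identified."""
    findings = []
    # Patch management: no record at all is itself a finding (AHC could not validate the impacted server).
    if asset.role == "domain-controller":
        status = asset.patch_records.get(ZEROLOGON_PATCH)
        if status is None:
            findings.append("patch status unknown: no record for ZeroLogon fix")
        elif status != "installed":
            findings.append("ZeroLogon fix recorded as missing")
    # Vulnerability scanning: at least monthly, per the NCSC advice the notice cites.
    if asset.last_scan is None:
        findings.append("never vulnerability scanned")
    elif (today - asset.last_scan).days > MAX_SCAN_AGE_DAYS:
        overdue = (today - asset.last_scan).days - MAX_SCAN_AGE_DAYS
        findings.append(f"vulnerability scan overdue by {overdue} days")
    # MFA on remote-access entry points (the Staffplan Citrix gap).
    if asset.role == "remote-access" and not asset.mfa_enforced:
        findings.append("remote access entry point without MFA")
    return findings

def audit(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map host -> findings, listing only hosts with at least one finding."""
    return {a.host: f for a in inventory if (f := check_asset(a, today))}

# Constructed sample inventory; the host names are made up, not AHC's.
SAMPLE_INVENTORY = [
    Asset("dc01", "domain-controller", {ZEROLOGON_PATCH: "installed"}, date(2022, 7, 20)),
    Asset("dc02", "domain-controller", {}, date(2022, 5, 1)),
    Asset("citrix-gw", "remote-access", {}, date(2022, 7, 25), mfa_enforced=False),
    Asset("app01", "server", {}, None),
]
```

Running `audit(SAMPLE_INVENTORY, AUDIT_DATE)` flags dc02 (no patch record, scan overdue), citrix-gw (no MFA) and app01 (never scanned), while the patched and recently scanned dc01 is clean.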

All of this points to ISO 27001 as a good place to start for organisations looking to reassure regulators they have their customers’ best interests at heart and security by design as a guiding principle. In fact, it goes far beyond the three areas highlighted above, which led to the AHC breach.

Critically, it enables companies to dispense with ad hoc measures and take a systemic approach to managing information security risk at all levels of an organisation. That’s good news for any organisation wanting to avoid becoming the next Advanced itself, or taking on a supplier like AHC with a sub-par security posture. The standard helps to establish clear information security obligations to mitigate supply chain risks.

In a world of mounting risk and supply chain complexity, this could be invaluable.
