Emergency services in the U.K. were disrupted after a cyberattack against managed service provider Advanced. ("Emergency Room Entrance - ER - Hospital" by weiss_paarz_photos is licensed under CC BY-SA 2.0.)

The 111 emergency services of the U.K. National Health Service were disrupted over the weekend after a cyberattack against its managed service provider, Advanced. The vendor provides the majority of patient management solutions for the United Kingdom’s health system.

The outage was confirmed by NHS, Advanced, and some of the U.K.’s ambulance services. The Welsh Ambulance Service provided further details on the attack, calling it “a major outage of a computer system used to refer patients from NHS Wales to out-of-hours general practice providers.”

The impacted system is used by local health officials to coordinate those patient services, and the ongoing, “significant” outage has been “far reaching,” affecting each of the four United Kingdom nations.

In response, NHS is leveraging its business continuity incident plan to enable patient services to continue. But patients were told “the weekend will be a busier time than usual for NHS 111 Wales.” They were also told to continue using the emergency services, but to check its webpage for trusted health advice and information.

“The weekend is a high demand period and processes have been put in place to continue to provide services,” according to NHS Wales officials. “Capacity is being maximized by the Welsh Ambulance Service who answer 111 calls, and by Local Health Boards who provide the out-of-hours service. It may take longer for calls to be answered.”

US providers should review incident response plans

The ongoing outage has renewed calls from healthcare stakeholders to bolster business continuity plans to prevent major impacts to patient care and safety.

For Saif Abed, MD, director of cybersecurity advisory services for the AbedGraham Group, the outage highlights a critical lesson for healthcare delivery organizations: “It is essential to have a process for vetting the clinical workflow criticality of your suppliers.”

Supplier vetting is an essential part of a “clinical incident response plan,” which allows provider organizations to “pre-define service and support expectations from suppliers and develop their own resiliency and continuity plans according to the potential severity and scale of harm to patient safety due to a service failure,” Abed told SC Media. 

By taking a step beyond the standard technical incident response plan, providers can actively encompass “clinician engagement as a part of emergency preparedness at local and regional levels,” he added.

As seen in the many vendor-related breach reports and massive outages, such as the one at payroll vendor Kronos, third-party incidents require planned alternative measures that enable crucial business operations to be maintained in the event of an unexpected service outage.

At ViVE in March, Erik Decker, Intermountain Healthcare CISO, explained that “with the convergence of health IT, we're all putting our eggs in the same basket.” As such, providers must succinctly determine the most mission-critical business processes to avoid the “Kronos effect.”

Third-party cyberattacks can lead to the disruption of medical care, which places further stress on clinicians and other frontline workers.

Erich Kron, security awareness advocate at KnowBe4, said in a statement: “Organizations that provide time sensitive services … should ensure they have processes and procedures in place for dealing with outages, even extended ones, while still providing emergency services.”

The latest update from Advanced shows the vendor believes service disruptions may continue through this week.