On August 4th, the British software services provider Advanced experienced a disruption to its systems that it has determined to be the result of a ransomware attack. Advanced provides 85% of 111 services for the National Health Service in the United Kingdom. NHS 111 services and systems are used to refer patients for medical care, dispatch ambulances, create appointment bookings, and fulfill emergency prescriptions. All of these functions are critical to the health and safety of the UK public. This event highlights the urgency of the third-party financial impact and responsibility question we are seeing more and more from our clients: are third parties like Advanced liable for cyber events, and if so, for how much? Knowing the answers to these questions before events like this happen means organizations can prepare for physical consequences and ensure survival.
Advanced hinted in a statement that a full recovery for some services could take weeks. Apart from work to get 111 back on track, contingency plans would have to be in place “for at least three to four more weeks.” NHS England said some 111 callers may face longer waits than usual. Impacts include using pen and paper for certain processes and patient scheduling delays.
It’s unsurprising to learn the incident was a financially motivated ransomware attack. In the past two years, deploying ransomware has been the modus operandi for cybercriminals. Advanced would not say if NHS data was stolen or whether the company negotiated with the hackers or agreed to pay a ransom. But the impacts are physical, as patients can no longer get expedited care.
Cyber events which lead to tangible physical impacts are an increasing trend. Hospital systems should be particularly vigilant and understand their unique risks and tangible impacts. If we were to model a ransomware scenario for a hospital system, one of the impacts we would consider is the inability to access medical records. Imagine if the radiology department can’t image because their systems are compromised. What happens if there’s a stroke situation and time is of the essence? Energy and manufacturing industries have dealt with these kinds of questions for a long time, and they’ve begun popping up more frequently across the board. Today, physical impacts caused by cyber threats are important considerations for any industry.
The NHS attack also highlights the importance of understanding your third-party risk. Nowadays, most businesses rely on digital connectivity and integration with external parties. This complex network of relationships includes more data sharing and an agreed level of trust. We have worked with many clients examining their third parties, not just from a security and maturity perspective but from a business operations perspective. Data breach consequences can impede critical functions. Clients want to know what the financial impacts of such disruptions are and whether restitution can be recovered from the third party. Conversely, a limited liability clause may prevent them from holding the third party responsible.
Financial impacts are at the core of third-party risk conversations these days, and the answer is often not black and white. Beyond looking at PCI compliance and NIST CSF scores, our clients want to know how much an event could impact them financially and whether they have the means to recover.
If you are interested in learning how we answer financial impact questions through our cyber risk quantification tool, please feel free to contact us for a demo.