Weak link in the chain

Supply chain attacks disrupt emergency services communications

A supply chain attack has left two UK ambulance trusts unable to access electronic patient records. The two services, which between them serve a region of 12 million people, were not targeted directly. Instead, the attack hit a third-party technology provider used by both the South Central Ambulance Service (SCAS) and the South Western Ambulance Service (SWASFT).

According to reports, the systems were attacked sometime on the evening of July 18, impacting “customer systems within its hosted datacentre environment”.

The targeted organisation, Ortivus, said the following in a statement about the attack:

The electronic patient records are currently unavailable and are until further notice handled using manual systems. No patients have been directly affected. No other systems have been attacked and no customers outside of those in the hosted datacenter have been affected. 

Ortivus are currently working in close collaboration with the affected customers to restore the systems and recover data. The affected customers are the ones using MobiMed ePR, electronic patient record systems in a hosted environment. 

The organization behind the cyber-attack is not known at this stage and the incident has been reported to the authorities as a crime. 

The targeted platform is called MobiMed. This is a “modular platform that connects and enable(s) real-time information sharing throughout the prehospital care chain”. It is claimed to be used by “over 12,000 paramedics in over 2,700 emergency vehicles”.

To lose access to patient record data under these conditions is clearly far from ideal. The Register reports that healthcare workers are having to resort to pen and paper, alongside staff being warned of the potential for phishing attacks.

While a backup system can take MobiMed’s place “within 24 hours” of an attack, it does not fully integrate with the trusts’ other systems. Until a full analysis of the attack has taken place, the trusts will keep running on the backup system.

Regular readers of the blog will know of the chaos that accompanies attacks on healthcare providers. If crucial systems are compromised, people’s lives are put at risk. It’s something of a hot-button issue for ransomware authors, to the extent that some of them will apologise and offer up free decryption tools. They have calculated that it is simply not worth the press heat and possibility of angering law enforcement. Much better to blame an affiliate (whether an affiliate is responsible or not) and try to salvage some good PR from the situation.

Supply chain attacks add another large wrinkle on top of the original problem. Whether or not the attacker knows their target’s customers do medical work, every organisation downstream in the supply chain is affected either way. Everything from healthcare to fuel suppliers is at risk when supply chain attacks come to town.

Securing your supply chain

Here’s how you can protect your organization from risks your suppliers might pose:

  1. Know who your vendors are. Knowing this allows you to look for risks and vulnerabilities in the chain that threat actors might exploit.
  2. Use EDR or MDR. Invest in an effective endpoint detection and response (EDR) system, or managed detection response (MDR) if you don’t have the expert staff to monitor EDR 24/7.
  3. Segment your network. This limits attackers’ ability to move laterally, either stopping them or forcing them into actions your monitoring is more likely to pick up.
  4. Develop an incident response (IR) plan. If you don’t know what framework to build on, check out this incident handling guide from the National Institute of Standards and Technology. Include transparent and timely communication with your stakeholders and customers when something happens, so your business can provide steps to mitigate the problem if needed.
  5. Have a plan for patching. Patching in an organisation of any size is difficult: you need a systematic way to understand what hardware you have, what software it’s running, what patches that software needs, how important they are, and what the risks of deploying them are.
  6. Create and test offline backups. Speaking of backups, never assume they work: test them by actually restoring them.
  7. Apply the principle of least privilege. Give suppliers the access they actually need and nothing more.
  8. Make multi-factor authentication (MFA) a norm. Supply chain attackers have been known to use stolen credentials to compromise systems. They know business systems trust credentials, regardless of who uses them.
  9. Train your employees. Gaps in security hygiene practices can open up opportunities for attackers. It’s important to keep employees and partners aware of the possible risks and red flags associated with supply chain attacks.
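One way to put item 6 into practice, as an added example that is not from the original article or from Ortivus or Malwarebytes: back up a directory to a tar.gz with a sha256 manifest, then verify the backup the only way that counts, by restoring it into a scratch directory and checking every file against the manifest. The directory name, file names and record contents are constructed sample data, and the two failure scenarios (a zero-byte archive left behind by a failed job, and a manifest that lists a file the backup never captured) are simulated so the check has something to catch.

```python
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Added example, not code from the original article or from any vendor it names.
# Hypothetical setup: a directory of record exports is archived to tar.gz with a
# sha256 manifest; verification restores the archive and compares file by file.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its sha256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive src as tar.gz and write the manifest next to it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and compare it to the manifest.

    Returns a list of problems; an empty list means the backup restored intact.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12, backported to maintenance releases)
                # rejects absolute paths, '..' traversal and device nodes in the archive.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: a good backup, an empty archive, a stale manifest."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "epr_export"                      # constructed sample data
        (src / "records").mkdir(parents=True)
        (src / "records" / "job-0001.json").write_text('{"id": 1, "triage": "green"}\n')
        (src / "records" / "job-0002.json").write_text('{"id": 2, "triage": "amber"}\n')
        (src / "README.txt").write_text("constructed sample data\n")

        archive = base / "epr-backup.tar.gz"
        manifest = create_backup(src, archive)
        results["good"] = verify_backup(archive, manifest)

        # Failure 1: a backup job that died and left a zero-byte archive behind.
        empty = base / "failed-job.tar.gz"
        empty.write_bytes(b"")
        results["empty_archive"] = verify_backup(empty, manifest)

        # Failure 2: the manifest promises a file the archive never captured.
        stale = dict(manifest, **{"records/job-0003.json": "0" * 64})
        results["stale_manifest"] = verify_backup(archive, stale)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

The point of restoring into a scratch directory rather than listing the archive is that a listing only proves the index is readable; a restore proves the data is. In production the same check would run against the offline copy on a schedule, with the manifest stored separately from the archive so that an attacker who can alter one cannot quietly alter the other.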

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.