Hampshire-based outsourcing firm, Serco has confirmed that parts of its infrastructure in mainland Europe have experienced a double extortion ransomware attack from cybercriminals operating the Babuk group.
The ransomware encrypts a victim’s network and files after hackers have stolen data. It then proceeds to inform the victim of the breach by creating a note which asks the victim to negotiate an extortion payment to prevent stolen data from being released.
WHY IT MATTERS
Although the Department of Health and Social Care told Healthcare IT News that the NHS Test and Trace programme was unaffected by the attack, experts have warned that the vulnerabilities in Serco’s wider systems are of concern as the attack has exposed potential weaknesses.
As the UK government continues to implement test and trace technology and more personal data collation is required, a premium must be placed on security in order to effectively deal with ransom threats.
THE LARGER CONTEXT
Serco won the NHS Test and Trace contract via a procurement system that came under fire from the public spending watchdog over concerns it lacked a competitive process.
Since then, Serco’s involvement in the programme has been controversial due to its involvement in a series of high-profile failures. In October 2020, as the COVID-19 case numbers surged, the outsourcing firm announced that it expected 20% higher profits after securing an extension to its Test and Trace contract. Rachel Reeves, UK Labour politician labelled the announcement “grim beyond belief” and called on ministers to ditch the outsourcing company.
During the pandemic, concerns have been raised about the transparency of the NHS COVID-19 tracing app, with health charity, the Health Foundation calling for results of trials to be released. Since its launch, the scheme has been critisiced over failings to provide COVID-19 test results and trace contacts who need to self-isolate.
Despite these criticisms, in January, a UK government press release revealed that more than 550,000 contacts were reached by NHS Test and Trace and told to isolate in the week before Christmas.
Consultancy firm, Deloitte was hired by the government to help run the NHS Test and Trace programme, by selling separate contact-tracing services to health officials in the UK. Defending her reliance on consultancies, Dido Harding, head of NHS Test and Trace told MPs: “I think it is appropriate to build a service in extreme emergency circumstances using short-term contingent labour and consultants for some of those roles.”
ON THE RECORD
Dr Saif Abed, director of cybersecurity advisory services at the AbedGraham Group said: “This attack demonstrates once more the fragility of healthcare supply chains as a disruptive attack on a single supplier can escalate to impact a vast array of organisations. While ‘Test and Trace’ appears unaffected at this stage we cannot dispute the risks that such a complex programme faces due to the number of suppliers it is dependent on to function.”
“We need to ensure that suppliers irrespective of size have clear clinical and operational risk assessments in place, appropriately trained leadership teams and updated incident response plans precisely for these types of eventualities. This needs to be enshrined as a part of both government agency and local healthcare provider procurement requirements.”