DXS International, a British technology company whose software is widely used throughout the National Health Service (NHS), has disclosed a cybersecurity incident affecting its internal systems.
In a notice to the London Stock Exchange, the company said it detected unauthorized access to office servers on December 14. DXS said it contained the breach and that its clinical services remained unaffected and operational throughout.
At present there is no confirmation whether NHS patient data was compromised, although the company said it has notified Britain’s data protection regulator, the Information Commissioner’s Office (ICO).
A spokesperson for NHS England did not immediately respond to a request for comment about whether patient data has been impacted.
DXS said investigations are ongoing and that it is working with NHS cybersecurity teams and external specialists “whose thorough investigations are underway to ascertain the character and extent of the incident.”
The company, which added that it did not currently believe the incident would have a material adverse impact on its finances, provides clinical decision support and referral management tools used by GP practices and primary care networks across England.
Its products integrate with core NHS systems and, according to the company’s own statements, it supports around 10% of all NHS referrals in England, with its software touching the workflows for tens of millions of registered patients.
The company is not a core electronic health record provider and does not hold central medical records; however, patient data is processed by some of its systems used to provide clinical guidance to healthcare providers.
Not an isolated incident
The incident comes amid heightened concern over attacks on health technology suppliers in the United Kingdom, which have underscored how incidents affecting third-party systems, even when not hosting core records, can have operational implications.
At least one patient is believed to have died following a ransomware attack on pathology provider Synnovis last year, with hundreds of operations and appointments also cancelled.
Another ransomware attack impacting software supplier Advanced back in 2022 led to the temporary shutdown of the NHS 111 critical service used to triage non-emergency but urgent medical calls.
In that incident, doctors, nurses and other staff were forced to resort to pen and paper to complete their jobs because of the impact on IT systems, prompting a crisis management COBR meeting in the British government as officials feared the impact the attack could have on patient care. Advanced was subsequently fined £3 million by the ICO for its security failings.
Britain’s current regulations for cybersecurity do not automatically include third-party health IT suppliers like DXS within their provisions requiring them to meet specific security standards.
The government last month introduced its landmark Cyber Security and Resilience Bill to Parliament, threatening large fines for companies that fail to protect themselves from cyberattacks. Under the bill, companies that provide managed IT services to critical sectors, including healthcare, could be brought under the regulation.