Cyber Incident Victim: South Western Ambulance Service NHS Foundation Trust
Date: Jul 2023
Location: Sweden
Summary
A cyber attack targeted the IT supplier Ortivus, impacting the South Western Ambulance Service and another trust. The attack disrupted the hosted MobiMed electronic patient record system, forcing staff to revert to manual, analogue processes. No patients were directly affected. The supplier worked to restore the systems, which required approval to meet NHS security standards before being brought back online.
Description
On the evening of Tuesday, July 18, 2023, a cyber attack targeted the systems of Ortivus, a Sweden-based IT supplier, severely impacting the hosted patient records system used by two major UK ambulance trusts. The South Western Ambulance Service NHS Foundation Trust and the South Central Ambulance Service NHS Foundation Trust, which together serve millions of people across a vast area of southern England, were forced to revert to manual, analogue systems to continue their operations. The affected service was identified as MobiMed ePR, an electronic patient record solution that forms part of Ortivus's modular MobiMed platform. This platform is designed to connect and enable real-time information sharing across the pre-hospital care chain and is reportedly used by over 12,000 paramedics in 2,700 ambulances. The attack specifically impacted customer systems within Ortivus's hosted datacentre environment, rendering the electronic patient records unavailable and disrupting a critical digital workflow for emergency medical services.

The nature of the cyber attack was not disclosed by Ortivus, and the group responsible for carrying it out remained unidentified at the time of reporting. Reidar Gårdebäck, the CEO of Ortivus, confirmed that no patients were directly affected by the incident and that no systems beyond those in the specific hosted datacentre were compromised. This suggests a targeted incident confined to a particular infrastructure segment. The attack was reported to the relevant law enforcement agencies, and Ortivus stated it was working in close collaboration with the affected customers to restore the systems and recover any lost data. The immediate operational impact was significant: ambulance staff had to handle patient records using traditional paper-based methods, a process that is inherently slower and more prone to error than digital systems, potentially affecting the efficiency of emergency response during the outage.
Ortivus had previously announced the transition of both the South Western and South Central ambulance trusts to a new hosting environment after they renewed their contracts in 2020, which provides context for the infrastructure that was attacked. The company indicated that it had been prepared to restart the service in an interim live environment within 48 hours of the attack. However, bringing the system back online was delayed because the replacement environment required approval and verification to ensure it met the NHS's strict security criteria. This highlights the critical importance of regulatory and security compliance in healthcare IT, especially after a cybersecurity incident, where a rushed reinstatement could reintroduce the original weakness or carry new ones. The time-consuming nature of this validation process was noted, with reference to a previous incident involving a LockBit ransomware attack on a different software supplier in 2022, where affected NHS bodies took over a month to fully recover while the rebuild process was scrutinized by both the NHS and the National Cyber Security Centre.
An NHS spokesperson acknowledged the incident, stating that the NHS Cyber Security Operations Centre was working with the affected organizations to investigate the matter alongside law enforcement colleagues. The spokesperson also noted that the central team was supporting suppliers as they worked to reconnect the system. The geographical coverage of the two impacted ambulance trusts is extensive, encompassing communities from Cornwall to Buckinghamshire, including major cities and towns such as Bath, Bournemouth, Bristol, Exeter, Milton Keynes, Oxford, Plymouth, Reading, Southampton, and Swindon. The scale of this service area underscores the potential magnitude of the disruption, as a prolonged outage of the electronic patient record system could have wide-reaching implications for the coordination and delivery of emergency medical care across this populous region.
The MobiMed platform comprises several integrated modules beyond the impacted ePR system. These include MobiMed Monitor, a solution designed to measure and share patients' vital health data, such as electrocardiogram (ECG) information, in transit; MobiMed enRoute, which assists in case management and vehicle navigation; and MobiMed Life, a line of standalone defibrillators. The fact that only the MobiMed ePR module was confirmed to be affected indicates that the attack was possibly contained within the specific servers or applications hosting the patient records database, leaving the other connected functionalities operational. This modular separation may have prevented a more catastrophic total system failure. The incident is a prominent example of the risks of relying on third-party suppliers for critical healthcare IT infrastructure and of the cascading effects a supply chain attack can have on multiple end-user organizations simultaneously.
The article provides no indication that data was exfiltrated or that a ransom was demanded, focusing instead on the availability impact of the attack. The primary consequence was a loss of access to the electronic patient record system, necessitating a business continuity response built on manual workarounds. The statement from Ortivus's CEO emphasized that no patients were directly affected, which suggests that the emergency services were successful in mitigating the immediate clinical risks through their fallback procedures. The ongoing investigation involved close collaboration between the supplier, the NHS trusts, and law enforcement, aiming to fully understand the attack vector and restore services securely. Verification and approval by the NHS, and potentially the National Cyber Security Centre, was a critical step in ensuring that the restored systems did not retain lingering threats or vulnerabilities that could lead to a repeat incident.
This incident occurred within a broader context of cybersecurity challenges facing the UK's National Health Service, as referenced by the article's mentions of other recent security events. These include an investigation into a claim by the ALPHV/BlackCat ransomware gang that it stole data from Barts NHS Trust and the compromise of an NHS dataset at the University of Manchester. Furthermore, the government had recently laid out a new Cyber Security Strategy for Health and Adult Social Care, which plans for promoting cyber resilience in the sector by 2030. The attack on Ortivus exemplifies the very type of disruption this strategy aims to prevent, highlighting the vulnerability of healthcare supply chains and the critical need for robust security protocols across all providers that support essential health services. The reliance on manual systems for an extended period, while necessary, represents a significant step backwards in operational efficiency and underscores the modern healthcare system's dependence on digital technology for optimal patient care.
