eFinancials Security Incident Updates

Status Update: 25th Aug 2022

Recovery Update

For our NHS Trusts using eFinancials, we have now satisfied the assurance criteria set down by the NHS and NCSC, and customers are now reconnecting via the HSCN network, which was unaffected by the incident but taken offline as a precaution.

Forensic Investigation

Our forensic investigation is progressing in line with our timeline and plan. We are now building a much clearer picture of the incident’s root cause and will soon be in a position to confirm and share Indicators of Compromise (IOCs) with customers on request. In parallel, our third-party experts, including Mandiant and Microsoft DART, are well advanced in their investigation into any potential data impact as a result of the incident. We will update customers as appropriate and comply with any applicable notification obligations.

We recognise that this has been a challenging time for our customers, and we would like to thank you for your patience and understanding. 


 

Status Update: 19th Aug 2022

I am very pleased to advise that Mandiant, a global leader in threat intelligence and expertise, has concluded a sweep of both the eFinancials servers and HSCN network connection and has not identified any immediate evidence of a compromise. For a copy of the Incident Response Investigation Update provided to us by Mandiant and a System Diagram of eFinancials, please contact your Account Manager.

As you know, Advanced recently experienced a disruption to our systems that we have since determined to be the result of a cybersecurity incident caused by ransomware. On August 4, 2022, at approximately 7 am, our teams identified the cybersecurity incident. In response, we immediately took action to mitigate any further risk and isolated all of our Health and Care environments, including the HSCN network which is used to access eFinancials by NHS Trusts.

We moved swiftly to engage leading third-party forensic partners, including Mandiant and Microsoft DART, to conduct an investigation and to ensure our systems can be brought back online safely and our customers who use them can feel confident in reconnecting once service is restored.

Since our Health and Care systems were isolated, no further issues have been detected and our security monitoring continues to confirm that the incident is contained, allowing our recovery activities to move forward.  At this time, we are unable to confirm the number of servers that were impacted by the malware.

With respect to our eFinancials customers connecting via a direct VPN through the HSCN secure network, there is nothing, to date, to suggest that any of our customers are at risk of malware spread. Mandiant has reviewed the eFinancials and HSCN systems, has scanned for Indicators of Compromise (IOCs) known to date, and has not identified any immediate evidence of a compromise on any system.

eFinancials Infrastructure

The eFinancials private cloud platform is hosted by Advanced in our dedicated secure suites in two commercial Tier 3 aligned datacentres, one in Slough and the other in East London. All of the hardware, including server, storage, network and firewall equipment, is owned and operated by Advanced. The virtualisation platform technology used is VMware. Each customer environment is in a discrete private vLAN and has its own dedicated SAN LUN to ensure data separation from other customers.

The eFinancials hosted customer environment includes at minimum an Oracle database server (for additional security, each customer has their own Oracle database server rather than a share on a farm) and an application server, both running Red Hat Enterprise Linux operating systems. 

Storage is provided from an IBM Storwize SAN platform. Backups are encrypted and transmitted to the secondary datacentre for full location resilience.

The eFinancials hosting platform is not open to any direct Internet traffic.  Customers connect to their own vLAN via either a dedicated circuit or a VPN, which in turn can be transmitted across the HSCN network (NHS customers).

The eFinancials HSCN connection shares the HSCN circuit and a firewall pair with the Advanced Health and Care hosting platform, which is why the eFinancials HSCN connection was indirectly impacted by this incident. The eFinancials hosted platform itself is completely separate from the Health and Care one.

Preparing to Reconnect

Mandiant has deployed HX agents (AXGT) on eFinancials and HSCN endpoints.  These agents provide real-time monitoring and provide Mandiant the capability to quarantine and isolate specific endpoints, if required.  Mandiant will conduct 24x7 monitoring of Real Time Alerts across these systems.

At this time, based on Mandiant scanning, real time monitoring and detection capabilities, we have no evidence that eFinancials customers would be at risk when they reconnect and resume normal business operations. 

We know that you will be wanting to reconnect to your Advanced services as quickly as possible, but we do recommend that you think about your reconnection process and whether a test with a small number of users would be beneficial.  Should you wish to carry out any testing with us, please raise a case via the customer Support Portal titled ‘Reconnecting to eFinancials’ and stating which users you will carry out testing with.

I would like to take this opportunity to thank you once again for your patience and understanding as we have worked through our response to this incident.


 

Status Update: 18th Aug 2022

As you are aware, our eFinancials customers who connected their service via the HSCN network lost connection to their service when, as a precautionary measure, we took the HSCN network offline on Thursday 4 August 2022.

Our leading third-party forensic partners, including Mandiant and the Microsoft DART team, are running tests on nearly 150 eFinancials servers to ensure they can be brought back online safely and our customers who use them can feel confident in reconnecting once service is restored. As you can imagine, this process takes time and we want to thank you for your patience as our teams continue to make progress.

Additionally, we remain in constructive dialogue with the NCSC and other government departments to ensure a smooth transition once customers are able to re-establish connection.


 

Status Update: 11th Aug 2022

Our eFinancials customers who connected to their service via the HSCN network lost connection to their service when, as a precautionary measure, we took the HSCN network offline on Thursday 4 August 2022.

We are working closely with the NHSE to satisfy their assurance requirements on behalf of customers in order that they can re-establish connection. 

We expect all assurances to be met and all customers to be reconnected in the coming days.  

To recap yesterday’s update, we have also implemented improved hardening of our infrastructure to provide additional assurances prior to securely bringing them online.

If you do have any specific questions, please contact Advanced in the regular way, either via your Account Manager or Support Team.