NHS supplier DXS International confirms cyber attack – here’s what we know so far

NHS software supplier DXS International has disclosed a cyber attack on its internal systems.

The company provides clinical support solutions for clinical commissioning groups, doctors, nurses and pharmacists as part of their workflow and during patient consultations.

Its products integrate with core NHS systems, and in some cases are hosted on the NHS’ Health and Social Care Network (HSCN).

The company says it supports around 10% of all NHS referrals in England. Its ExpertCare solution, for example, helps clinicians quickly understand prescription needs for cardiovascular diseases, and is used by around 2,000 GPs, overseeing the care of around 17 million patients.

In a filing with the London Stock Exchange, DXS International said it had discovered a security incident affecting its office servers in the early hours of Sunday, 14 December.

"Once discovered, the data security breach was immediately contained by means of a joint effort by DXS’s internal IT security teams in close cooperation with NHS England," said the firm.

"The Board has appointed an external cyber security specialist agency whose thorough investigations are underway to establish the nature and extent of the incident."

The company said there's been "minimal" impact on its services, with front-line clinical services unaffected and operational.

DXS has notified the relevant regulators, authorities, and law enforcement agencies, including the Information Commissioner's Office (ICO), and is fully cooperating with their investigations. It's also working with various NHS bodies

“We, along with the National Cyber Security Centre and law enforcement partners, are working with an NHS supplier who is investigating a cyber incident," an NHS England spokesperson told ITPro. “We are not aware of any patient services being impacted.”

DXS International the latest NHS supplier hit

Attacks on NHS suppliers are becoming increasingly common, with threat actors viewing third-party providers as a potentially lucrative source of data.

Earlier this year, Birmingham-based software provider Advanced Computer Software Group was handed a £3 million fine by the Information Commissioner's Office (ICO) for security failings that led to a ransomware attack on the NHS.

In another example, thousands of procedures were canceled at London hospitals after an attack on blood testing company Synnovis. The attack was claimed by Russian-speaking ransomware group Qilin.

Last month, the government proposed new laws to strengthen cybersecurity in public services, including the NHS.

Medium and large companies providing services like IT management, IT help desk support, and cybersecurity will be regulated for the first time, required to report incidents promptly, and implement more robust recovery plans.

As a result, critical suppliers such as those providing healthcare diagnostics to the NHS will have to meet tighter security requirements, and enforcement will be toughened up.

"The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers," said national chief information security officer for health and care at the Department of Health and Social Care, Phil Huggins.

"Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape."

FOLLOW US ON SOCIAL MEDIA

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.