Is staff at NHS outsourcer Capita locked out of computers amid cyber attack fears?

There are concerns that staff at Capita, one of the largest outsourcing firms working for the NHS, have been locked out of their computers due to suspected cyber attacks. Capita provides a range of back-office services for NHS hospitals and other organizations, including IT support, payroll, and procurement. A potential cyber attack raises fears about disruption to these critical services.

What do we know so far?

Reports indicate that Capita has shut down significant parts of its network as a precautionary measure against a possible cyber attack. It is understood that staff have been told to unplug computers and disconnect from the company’s network. Though Capita has not confirmed whether it has actually been hit by an attack, the lockdown suggests it is responding to a significant and imminent threat.

Insiders have claimed that services have been severely disrupted, with staff unable to access systems essential for operations. There are worries that if the shutdown persists, it could impact Capita’s ability to deliver key services that NHS partners rely on. There are also fears that data could be lost or compromised if systems have been breached.

What services does Capita provide to the NHS?

Capita has contracts with multiple NHS Trusts, Foundation Trusts, and other health bodies to provide important back-office support services, including:

  • Payroll management – Processing payroll for NHS employees
  • Procurement services – Managing procurement and supply chains
  • Patient record transfers – Transferring patient records securely between sites
  • Recruitment – Recruiting staff for NHS roles
  • Building/facilities management – Maintaining NHS properties
  • IT/network services – Installing and managing IT systems and networks

These services are crucial for the day-to-day running of NHS organizations. Disruption due to cyber attacks could significantly impact hospitals’ ability to operate efficiently.

What is the scale of Capita’s NHS partnerships?

Capita has contracts with a large number of NHS organizations across the UK, including:

  • 41 NHS Trusts
  • Over 50% of all Ambulance Trusts
  • Around 50% of all Clinical Commissioning Groups
  • 36 NHS Foundation Trusts

Some notable examples of major NHS organizations that outsourced services to Capita include:

  • NHS Shared Business Services – provided finance, procurement and supply chain services
  • East of England Ambulance Service NHS Trust – provided procurement, finance and recruitment services
  • Birmingham and Solihull Mental Health Foundation Trust – provided payroll and recruitment services

In 2016, Capita won a £330 million seven year contract with NHS England to manage procurement across the NHS nationally. This demonstrates the huge scale of Capita’s partnerships across the health service.

What impact could an outage have on NHS services?

A prolonged disruption to Capita services risks causing major challenges for NHS organizations, including:

  • Delayed payroll – Staff may not be paid on time if payroll systems are down
  • Procurement delays – Ordering essential medical supplies and services could be held up
  • Recruitment freezes – Hiring new staff could be blocked without access to HR systems
  • Unavailable patient records – No access to vital patient info needed for treatment
  • Property management issues – Repairs, cleaning, catering problems if facilities management affected

Ultimately, hospitals’ ability to deliver patient care could be impeded if core Capita services like IT, procurement and payroll are disrupted by a cyber attack. They may be forced to activate business continuity plans to manage without these critical back-office functions.

Have there been any confirmed impacts so far?

As Capita has yet to officially confirm it has been subject to a cyber attack, there have been no verified impacts reported so far. However, the lockdown suggests at least some disruption to services:

  • Staff locked out – On-site and remote workers unable to log into systems
  • Email issues – Reports of problems with sending/receiving emails
  • Network access problems – Difficulties connecting to Capita’s network and servers

Some NHS organizations have intimated they are experiencing service problems, but none have firmly linked these issues to the Capita shutdown. The exact effects will depend on how long Capita’s network remains offline. A prolonged outage increases the chance of significant disruption to NHS services.

What do we know about the nature of the attack?

There are limited details so far, but some reports have indicated that:

  • Ransomware suspected – Malicious software that locks systems until ransom paid
  • Possibly linked to Conti ransomware group – Believed to be behind recent high profile attacks
  • Phishing emails seen as potential vector – Malicious emails used to infect systems

Ransomware attacks have surged in recent years, with criminals deploying malware to encrypt files and systems before demanding hefty payments to decrypt them. Healthcare has been a major target. Previous major incidents disrupted hospital operations, highlighting the security risks of outsourcers like Capita holding crucial NHS data.

What should NHS bodies do to prepare for potential disruption?

If NHS organizations rely on Capita for critical services, they may wish to take steps to minimize potential disruption, including:

  • Identifying affected services – Understand dependencies on Capita for core functions
  • Enacting business continuity plans – Switch to contingency procedures to maintain operations
  • Increasing cyber vigilance – Step up monitoring to spot issues arising from the attack
  • Engaging backup suppliers – Bring in alternative providers to cover Capita services if needed
  • Communicating with patients – Manage public expectations around potential disruption

NHS leaders should urgently engage with Capita to understand timescales for resuming services in order to plan contingencies and minimize risks to patient care.

Could the shutdown have been prevented with better NHS cyber security?

Potentially, though ultimately the responsibility lies with Capita. However, experts argue that:

  • NHS should require cybersecurity standards from suppliers as part of procurement contracts
  • More rigorous supplier audits could help evaluate infosec posture
  • Tighter regulation of outsourcers handling NHS data is needed
  • Onshoring services reduces risks of relying on third parties for critical functions

But meeting modern cybersecurity standards requires significant investment – smaller suppliers may struggle to deliver this. The NHS faces difficult balancing act providing oversight without disadvantaging suppliers.

Table showing major NHS cyber attacks and outages

Date Organization Type of Incident Impact on Services
May 2017 NHS hospitals and GP surgeries across England and Scotland WannaCry ransomware attack Major IT systems disruption, appointments canceled, operations postponed
August 2019 NHS Lanarkshire (Scotland) Ransomware attack Patients turned away, appointment delays, staff unable to access email
October 2020 University Hospitals Plymouth NHS Trust Network outage Ambulances diverted, IT systems offline, staff told not to turn on computers
November 2020 NHS Greater Glasgow & Clyde Ransomware attack Patient appointment delays, staff unable to access patient records

This table illustrates some of the major cyber attacks and IT failures impacting NHS services in recent years. It demonstrates the crippling effects outages can have on hospitals’ ability to deliver care.

How does the NHS outsourcing model increase cyber risks?

Experts argue the NHS outsourcing approach causes greater cyber vulnerabilities than onshoring services, as:

  • More parties hold sensitive data – Increases points of exposure
  • Suppliers vary in cyber maturity – NHS has less control over 3rd party security
  • Network connections create vulnerabilities – Suppliers linked into NHS systems
  • Data compliance and governance issues – Who owns, protects and is liable for compromised data?

However, the NHS is heavily reliant on outsourcing to deliver core functions cost-effectively. Transitioning services in-house would require massive investment and take years to accomplish.

What lessons should the NHS learn from this incident?

This suspected attack highlights important learnings for the NHS, including:

  • Greater scrutiny needed of supplier cyber risk controls and preparedness
  • Should enhance contingency plans for disruption to outsourced services
  • Need options to take over or insource services if suppliers are compromised
  • Must impose strict data security obligations on outsourcers
  • Onshoring certain services can increase resilience against supplier cyber threats

But the complexities of NHS supply chains makes this difficult. The health service may need to accept a level of cyber risk exposure from outsourcing that onshoring could mitigate.

What financial impact could this have on Capita and the NHS?

The financial fallout could be significant for both parties:

  • Lost productivity/revenue during downtime for Capita
  • Costs of incident response, network rebuilding
  • Possible ransomware payment if they have been hit
  • Fines for data breaches under GDPR if patient info compromised
  • NHS may have to pay for contingency measures during outages
  • Disruption costs if unable to deliver patient care

Previous NHS cyber attacks and outages have come with hefty price tags, with millions spent on recovery. Both sides will likely face material financial damage if systems are down for long.

How can Capita and the NHS enhance cyber resilience in future?

Steps that could strengthen defenses against attacks disrupting vital services include:

For Capita:

  • Implement robust and extensively tested incident response plans
  • Conduct regular disaster recovery exercises and penetration testing
  • Segment networks extensively to limit lateral movement
  • Deploy cutting-edge endpoint detection and response capabilities
  • Maintain offline backups of critical data and systems

For the NHS:

  • Mandate and audit supplier cyber risk and resilience controls
  • Architect infrastructure to isolate outsourcer connections
  • Maintain up-to-date inventories of supplier-managed systems and data
  • Develop contingency plans to seamlessly switch suppliers or insource services
  • Only outsource non-essential functions to reduce reliance on vendors

But given budgets and legacy tech constraints, there are limits to how much cyber resilience can realistically be improved on both sides.

Conclusion

This suspected cyber attack targeting major NHS partner Capita raises serious questions about the information security risks of extensive health service outsourcing. With hospitals relying on Capita for vital functions like payroll and procurement, prolonged disruption could significantly impede patient care delivery. However, the complexities of NHS supply chain relationships makes it challenging to impose security standards on suppliers without disadvantages. Both the NHS and Capita will need to enhance incident response and system resilience to minimize outages from future attacks. But ultimately, outsourcing critical services necessitates accepting a degree of dependence and vulnerability to third party cyber threats.