Ransomware & HSE

Comments

  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    Tow wrote: »
    Each Health Board has their own systems, more often than not from different providers. Under the HSE these are/were supposed to be consolidated, but that is another story... SAP is used by some HBs

    Health boards haven't existed for about 15 years. The HSE did indeed inherit different systems in different areas, and has been working to consolidate these, like the SAP payroll service.
    Flinty997 wrote: »
    It's not theory. Any IT person working in a similar environment will recognise those examples.
    So you don't have any actual examples then. That's a pity. Isn't it funny how 'everyone knows' that this happens, but no-one can give actual, verifiable examples.
    Flinty997 wrote: »
    Ah the GDPR perennial. Data governance existed pre GDPR. How? You audit it and in the public sector you will be audited, and any third party systems will be part of that. You may be asked to change a system to address issues raised in an audit.
    I'm not quite getting any rational point here. We live under GDPR, which places particular obligations for data controllers to know where their data lives - what country and what legal system it lives under. This issue is at the heart of a major case in the Irish courts about Facebook transferring data from the EU to the US.
    https://www.rte.ie/news/business/2021/0514/1221665-facebook-loses-challenge-to-data-regulator-inquiry/
    It is a huge issue. You need to know where your data lives, as it is near impossible to comply with GDPR requirements if your data lives under other legal systems.
    Flinty997 wrote: »
    Unions won't let an organisation use contractors to circumvent existing agreements.
    Tell that to all the hospitals that have outsourced security, catering, cleaning over the past 10-30 years or so.
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/157739/0/0?returnUrl=&b=ETENDERS_SIMPLE
    https://irl.eu-supply.com/app/rfq/publicpurchase.asp?PID=168286&PS=2
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/144728/0/0?returnUrl=&b=ETENDERS_SIMPLE
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/157734/0/0?returnUrl=transactions.asp&b=ETENDERS_SIMPLE
    https://irl.eu-supply.com/app/rfq/publicpurchase.asp?PID=151396&PS=2
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/77309/1/0
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/161197/0/0?returnUrl=transactions.asp&b=
    https://irl.eu-supply.com/ctm/Supplier/PublicPurchase/76693/0/0?returnUrl=&b=ETENDERS_SIMPLE
    Flinty997 wrote: »
    Unions blocking new systems is very common. Also happens in non union places people can be unhappy if they think a new system will make them redundant or similar.

    It's not that unions are bad, it's just that is how unions negotiate terms for their members. It's part of the process in a unionised environment.
    Again, it would be great if you could present any specific examples to back up your theories.
    Badly fukt wrote: »
    Not outsourced in the 3 hospitals in the West I deal with for work, security are direct employees. Naming them would name my employer so won't be doing that!
    No-one mentioned your employer. No-one knows your relationship with these hospitals from anything you've said so far. That's the great thing about public services - all their tenders, and procurement can be dug out using FOI or other methods.
    I do recall they paid Microsoft for out of service support for XP :) a while back

    A good few years back.
    https://www.pfh.ie/success/type/security/story/hse-western-europe-s-largest-microsoft-it-project-puts-hse-in-good-health/


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    Flinty997 wrote: »
    Exactly.

    One of the projects I'm currently working on is replacing a system because an audit was of the opinion its framework is obsolete and no longer secure. Generally you can't replace or retire them instantly so you are given a time window in which to do it.

    Also having specialist companies run penetration tests and similar even phishing tests against your users is more common now. If a system fails or a user repeatedly fails it has to be addressed.

    Even if you are admin. You would be expected to only use the account appropriate to the task it's for.

    Yes so instead of leaving legacy systems vulnerable you need to make the environment they sit in more secure, it’s a battle :)


  • Registered Users Posts: 174 ✭✭RoamingDoc


    Health boards haven't existed for about 15 years. The HSE did indeed inherit different systems in different areas, and has been working to consolidate these, like the SAP payroll service.

    But has not been resourced to do this. I've moved around a lot and every time I go to a new region - it's a whole new setup. The domain names on the logins are actually still the HB regions! It's only recently that I got a national login but when I was redeployed for COVID, I was given a new regional one.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    So 16 years later they still haven’t integrated the IT?!


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    So 16 years later they still haven’t integrated the IT?!

    16 years of mostly broke Governments, with HSE in survival mode trying to keep their heads above water, and yes, they still haven't spent the tens or hundreds of millions that would be required to integrate the entire IT infrastructure.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    Being siloed is not good,
    but at least it means hackers may not have access to all medical data on every person who has ever gone to a doctor or a hospital.
    Having a person's name, address, birth date, phone no. etc. makes the data valuable in terms of ID theft, or maybe getting access to someone's bank account in the future.
    We need a national cyber crime security centre, as now crime involving hacking, malware, ransomware is getting worse and more serious.
    They will probably have to change all passwords, login details etc.
    Imagine having to reinstall Windows 10 on 1000s of computers and setting up new logins and servers.
    It's a complex job to do.
    A legacy system connected to a network is just waiting for hackers to
    gain access, as it's well nigh impossible to secure an old OS against hackers.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Here, some in the industry aren't much better. On a teams call this morning to brief folks in case questions were asked from customers about our/their level of security there was some banter and discussion about the situation and one of the 2nd level support guys commented very seriously "sure they can just restore the backups" and I watched the heads collectively shake from side to side on screen.

    Someone asked if he got his Cisco certification free in the cornflakes :D

    EDIT: His role means he isn't anywhere near network infrastructure thankfully.

    Still waiting to hear what all the ‘expert’ laughing boys came up with as a solution, or is the lack of response because the measly 2nd Line guy was correct?


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    The minister mentioned the backups may have been compromised :)

    Although he’s not an expert


  • Registered Users Posts: 7,603 ✭✭✭Tow


    16 years of mostly broke Governments, with HSE in survival mode trying to keep their heads above water, and yes, they still haven't spent the tens or hundreds of millions that would be required to integrate the entire IT infrastructure.

    Andrew, you have attacked posts which have discussed well-known general IT and HSE-specific IT issues, yet have also posted the above. I don't know how much experience you have with these systems. But to answer one of your questions, the Garda Pulse system is a well published example of staff resistance to use a new system and other such issues... The HSE spent well over a 100 million (some reports over 200m) on PPARS and we all know what became of that. They also spent 10s of millions to support the writing of other new systems which I am not sure ever saw the light of day.

    For example. BOI have so far spent over 1.4 billion updating their IT systems in the last few years, twice the initial budget and climbing. Banking systems hold nowhere near as much data or are as complex as those running a country's health system.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 34,610 CMod ✭✭✭✭CiDeRmAn


    Can I ask the likely outcome for all those staff accounts that are now encrypted, as they were logged on at the time of the attack?
    I understand a solution will be found for the shared servers and major systems, but an awful lot of work is stored in the local, networked devices, and staff didn't always log off their own PCs at day's end.


  • Registered Users Posts: 3,643 ✭✭✭Montage of Feck


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    🙈🙉🙊



  • Posts: 0 [Deleted User]


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    They already do


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    CiDeRmAn wrote: »
    Can I ask the likely outcome for all those staff accounts that are now encrypted, as they were logged on at the time of the attack?
    I understand a solution will be found for the shared servers and major systems, but an awful lot of work is stored in the local, networked devices, and staff didn't always log off their own PCs at day's end.

    Doesn’t matter if they log in or not if it’s saved on a network device then it’s there


  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 6,913 Mod ✭✭✭✭shesty


    So 16 years later they still haven’t integrated the IT?!

    To put this in perspective.... I had my first baby in 2014 in the Rotunda. Registered with their semi-private clinic (on the same grounds, using the same files) for a 12 week appointment. Had to go in earlier to the A&E to get checked out. Told them at the A&E I was already in their system, because I had booked my 12 week appointment. Was calmly told no sorry, the semi private clinic's IT system doesn't talk to ours in the main building, we will have to set up a new file for you. Every day the semi-private clinic would pick up a bundle of paper files for patients on the list for that day. The doctors worked their way through them. If you had an outpatient appointment for a baby, there were literally shelves and shelves of paper files behind the desk there, with your information in them. Honestly, there were people in that hospital whose job appeared to be to cart paper files from area to area all day long. You were given your file to bring home around week 37, so it was to hand for the doctor if you went into labour, you brought it in with you.

    That was 2014. 2016 was the same. By 2018, my third baby, everything was computerised... sometime towards the end of 2017, so mid-pregnancy. No more file carrying. But I believe many things (like ultrasounds) have to be printed and scanned into the system to be added to your file. Or at least they had to be in 2018, maybe that has now changed.

    It took one hospital that long to mostly integrate its own IT system, so God knows what other areas of the HSE are like. Never mind hospitals' systems being integrated with each other....


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    Short answer: they could.

    Longer answer: the problem is the costs. I wouldn't like to put a number on it but it would be in the billions. Also, there's no guarantee that a closed network would have prevented this attack. A malicious USB stick dropped somewhere could have facilitated this attack, even if it was closed.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    A network is closed off from the internet, well, unless you’re a complete moron then no LAN (secure internal network) is internet facing.

    You only allow routes from the LAN through the external facing firewalls for general internet access.

    You’ll have rules for anything LAN side to servers in the DMZ (internet facing servers) for things such as web services, external email services etc.

    The problem is suppliers are constantly having to patch server software and operating systems for vulnerabilities they don’t pick up in testing, they don’t act particularly fast in this regard so any company using that system have a possible hole into their network.

    Then there’s the user based vulnerability which is even harder to ‘patch’.


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    A network is closed off from the internet, well, unless you’re a complete moron then no LAN (secure internal network) is internet facing.

    You only allow routes from the LAN through the external facing firewalls for general internet access.

    You’ll have rules for anything LAN side to servers in the DMZ (internet facing servers) for things such as web services, external email services etc.

    The problem is suppliers are constantly having to patch server software and operating systems for vulnerabilities they don’t pick up in testing, they don’t act particularly fast in this regard so any company using that system have a possible hole into their network.

    Then there’s the user based vulnerability which is even harder to ‘patch’.

    Also servers that run systems that will stop working with a latest patch, segregation is key.


  • Registered Users Posts: 467 ✭✭nj27


    I worked with some guys involved with an unnamed hacker group. If you know who Frank Hassle is imagine that in terms of hacking. And it’s actually not as hard as it seems to catch them if you are a Mountain Dew guy. I am not involved with that culture but I had issues with these maniacs before. The likes of the HSE are a perfect target for them, and they should pay out. Autism is a weapon I have used in more conventional ways and it will work out for them too.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    nj27 wrote: »
    I.... but I had issues with these maniacs before. The likes of the HSE are a perfect target for them, and they should pay out. Autism is a weapon I have used in more conventional ways and it will work out for them too.

    If the HSE have unencrypted backups. They won't need to unencrypt it. Depends how long the encryption ran for.

    Regardless if you pay them they will release the data anyway. Assuming they got any.

    I expect that's what they are analysing now to see how much trouble they are in..


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    Flinty997 wrote: »
    If the HSE have unencrypted backups. They won't need to unencrypt it. Depends how long the encryption ran for.

    Regardless if you pay them they will release the data anyway. Assuming they got any.

    I expect that's what they are analysing now to see how much trouble they are in..

    Released data is the least of their worries, getting back up is the issue


  • Registered Users Posts: 3,815 ✭✭✭Burgo


    Flinty997 wrote: »
    If the HSE have unencrypted backups. They won't need to unencrypt it. Depends how long the encryption ran for.

    Regardless if you pay them they will release the data anyway. Assuming they got any.

    I expect that's what they are analysing now to see how much trouble they are in..

    That's a bold assumption to make. Also paying would be an open invitation on any other public/civil service that the government will pay out on a ransomware attack.


  • Registered Users Posts: 12,292 ✭✭✭✭Flinty997


    Burgo wrote: »
    That's a bold assumption to make. Also paying would be an open invitation on any other public/civil service that the government will pay out on a ransomware attack.

    That's what's tended to happen in other attacks. This one is hardly likely to be different. Once you attack a hospital you can't claim to have ethics.


  • Registered Users Posts: 2,426 ✭✭✭ressem


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    Lots of independent organisations have to deal with the HSE people. There's lots of internet portals for getting data up and down, to doctor's surgeries, suppliers, communicating with other health organisations worldwide (identified virus sequences being the topical one).

    Some orgs that must verify no possibility of file transfer might give these employees 2 machines, marked "safer" or "unsafe".

    Most IT people will work to create safe boundaries.
    Some will have VLANs with routing rules to control what can talk to what, based on type of device, departments, servers, sensitive machinery.
    (Macro-segmentation is what some vendors call it)

    Others will try more complicated network segmentation. (Micro-segmentation) Trying to get this to work well in an environment with diverse software and services is complicated to get right and involves lots of pricey add-ons, needing specialised training. Kind-of in a half-baked state still I think.

    We can hope that the petabytes of hard-to-replace medical imagery and medical record archives are archived on cold tape or similar hard-to-corrupt form in a HSE datacenter.
    But there has to be some path from the customer facing personnel to the customer's stored medical record. Despite this week, it's probably safer there than carried around in our wallets.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Also servers that run systems that will stop working with a latest patch, segregation is key.

    ?? Why would a system stop working with a latest patch? This is an unknown of patching so you have test servers or patch out of hours and if there’s an issue rollback. These servers should be vlan’d and behind firewalls regardless.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    nj27 wrote: »
    I worked with some guys involved with an unnamed hacker group. If you know who Frank Hassle is imagine that in terms of hacking. And it’s actually not as hard as it seems to catch them if you are a Mountain Dew guy. I am not involved with that culture but I had issues with these maniacs before. The likes of the HSE are a perfect target for them, and they should pay out. Autism is a weapon I have used in more conventional ways and it will work out for them too.

    Have absolutely no idea what this is supposed to say?

    Paying out is NOT an option, ever!


  • Registered Users Posts: 16,586 ✭✭✭✭Galwayguy35


    Easy way to make a living, for every company that doesn't pay up someone else probably does.


  • Closed Accounts Posts: 29 Junglejoe


    Have absolutely no idea what this is supposed to say?

    Paying out is NOT an option, ever!

    It's always an option


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    ?? Why would a system stop working with a latest patch? This is an unknown of patching so you have test servers or patch out of hours and if there’s an issue rollback. These servers should be vlan’d and behind firewalls regardless.
    How do you have test patching of an MRI machine? How do you patch out of hours in an ER that's 24/7?


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www.

    So no email to GPs or consultants or anyone outside?


  • Registered Users Posts: 7,689 ✭✭✭whippet


    Have absolutely no idea what this is supposed to say?

    Paying out is NOT an option, ever!

    Sometimes it’s the only option.

    I have no idea what state the HSE’s backups are in … but I personally know of three Irish companies of various sizes who had no option but to pay a ransom in the last 6 months.

    Despite getting keys from the hackers it still took weeks and weeks to get all core systems back running properly.

