Ransomware & HSE

Chris_5339762

Back in the day where I used to work, front facing medical treatment, an upgrade from Windows XP to Windows 7 was carried out on patient treatment machines. It was delayed until the bitter end due to the disruption and the fact that we didn't have the staff to deal with it.

From "we are now going to do this" until upgrade day was six months. The amount of planning, testing and checking was phenomenal.... all of it necessary and costing a fortune in staff time. The actual upgrade was done over a bank holiday weekend and went reasonably well.

Patients didn't realise anything had happened. There was no net benefit to them. But it had as much priority as a big clinical project and took as long. Just for a Windows upgrade. This is the length of time things take in the health service. It has to be planned and delivered carefully and properly as downtime simply isn't acceptable.

Keyzer

Bear in mind chaps, a number of variants of Windows 10 are now end of life/end of support also. Windows 10 is not a panacea here.

10000maniacs

10000maniacs wrote: »

If the software developer stuck to these first principles 20 years ago or whatever, the software would still work on Windows 10 now.
Our company has enterprise wide applications that we wrote 20 years ago that still work now.

Do any of these applications interface with x-ray machines, MRI scanners, etc?

jmayo

10000maniacs wrote: »

A friend of mine is a dentist and he ran his x-ray/photo/scanning software on XP up to 2020.
He wanted my help to move to Windows 10. It took a bit of effort and coding but I helped him do it over two weekends.

There is another major issue and that is the old software that may be on the medical device has never been certified with Windows 10.
It may have been certified on Win XP or Win 7.

He might have to go out and buy a brand new medical device costing many thousands that has software compatible and certified with Win 10.

This is one of the things that eejits around here don't seem to grasp.

Medical devices and the software on them or medical software running on Windows servers/Databases has to go through certification just like avionics in an aircraft has to go through collosal certification process.
Well maybe not in Boeing's case.

You can't even in some cases slot in any old network card, or upgrade to new DB version because it can invalidate the system and the manufacturer can disavow all support if anything happens.

Queue the lawsuits if something goes wrong.

Hurrache

10000maniacs wrote: »

And people complain that some of the legacy applications can't run on Windows 10. Should not have purchased them then.
Write the software not to depend on a systems drivers.

10000maniacs wrote: »

I am a software developer, and one of the most important aspects of the system software is to make it forward platform compatible

- Hi, get Marty on the phone?
- Marty?!?
- The Back to the Future guy. We have a budget to spend on some of our applications but we want to know what operating systems will be like in 10 years. If the apps aren't compatible, no point in buying.
- Ah sure just pretend there's no need for drivers,
- Erm, our "Hello World" is failing.
- That'll be the lack of drivers for you.

10000maniacs

Keyzer wrote: »

I'd be interested to see your response to my previous question...

I see you provided an answer, of sorts...



You'd be asked to leave the room or stop talking if that was your response to a c-suite management team/board.

I would tell the c-suite management team to hire a decent IT team. And then I would suggest
1: Buy in new Windows 10 PC's.
2: Analyse which drivers the old systems were using.
3: Enumerate which drivers are still compatible with Windows 10 and which are not.
4: Figure what the non compatible drivers were doing and emulate this functionality by either tweaking their config/registry settings or a driver rewrite (the hard part).

Hurrache

It's hilarious that Windows 10 is being repeatedly pushed as the solution.

jmayo

Hurrache wrote: »

- Hi, get Marty on the phone?
- Marty?!?
- The Back to the Future guy. We have a budget to spend on some of our applications but we want to know what operating systems will be like in 10 years. If the apps aren't compatible, no point in buying.
- Ah sure just pretend there's no need for drivers,
- Erm, our "Hello World" is failing.
- That'll be the lack of drivers for you.

I once saw a HSE tender and I kid you not there was a question along the lines ...

"Can you guarantee the software system you are selling will be compatible with any future systems the hospital may implement for patient systems ?"

How the fook can you answer that?

All you can say is that if their future systems are the same version of HL7 or follow IEEE standards then it should work.

But it is so open ended a question and something there is no way anyone can guarantee.

Keyzer

10000maniacs wrote: »

Personally I would write a kernel to emulate the drivers of the particular target whether it is XP, Vista or whatever. And our company always buy new PC's with a traditional RS232 serial port. Most interfaces used this port back in the day.

10000maniacs wrote: »

I would tell the c-suite management team to hire a decent IT team. And then I would suggest
1: Buy in new Windows 10 PC's.
2: Analyse which drivers the old systems were using.
3: Enumerate which drivers are still compatible with Windows 10 and which are not.
4: Figure what the non compatible drivers were doing and emulate this functionality by either tweaking their config/registry settings or a driver rewrite (the hard part).

So you can't tell them to hire a decent IT team because that would infer the C-suite are incompetent (even if they are) - you'd be fired on the spot.

Secondly, you'd be asked have you ever done this before? Was it successful? How sure are you that this is going to work? How long will it take? How much will it cost?

You can't wave a magic wand at these issues. I'm not condoning companies and organisations who are running legacy operating systems/applications but there's a whole myriad of reasons as to why they might be and its not as simple as upgrade to Windows 10 or whatever the latest OS is.

jmayo

10000maniacs wrote: »

I would tell the c-suite management team to hire a decent IT team. And then I would suggest
1: Buy in new Windows 10 PC's.
2: Analyse which drivers the old systems were using.
3: Enumerate which drivers are still compatible with Windows 10 and which are not.
4: Figure what the non compatible drivers were doing and emulate this functionality by either tweaking their config/registry settings or a driver rewrite (the hard part).

And who is going to guarantee the new tweaked fix ?
Who is the one going to stand up in court and take the heat if something happens ?
Because I guarantee you the Siemens, Philips, GE, Medtonics of this world will go it was nothing to do with us. Good Luck.


You guys just don't get medical software or medical devices.

Do you guys know how long it takes to bring new medical product to market.

Medical is the same as aviation.
You can't just make changes and implement them.

Ever hear of the FDA ?

10000maniacs

Keyzer wrote: »

So you can't tell them to hire a decent IT team because that would infer the C-suite are incompetent (even if they are) - you'd be fired on the spot.

Secondly, you'd be asked have you ever done this before? Was it successful? How sure are you that this is going to work? How long will it take? How much will it cost?

You can't wave a magic wand at these issues. I'm not condoning companies and organisations who are running legacy operating systems/applications but there's a whole myriad of reasons as to why they might be and its not as simple as upgrade to Windows 10 or whatever the latest OS is.

The only thing is in a lot of cases, it really is that easy.

Wombatman

purplefields wrote: »

Otherwise, when does it stop? - Technology is constantly changing. By the time you write your new system, it'll already be 'obsolete'.

That's the whole point. It doesn't stop or shouldn't stop when the system is rolled out.

Thankfully system life cycle management is improving and companies aren't seeing systems as once off costs. Having the mindset of once it's rolled out it's obsolete is better that thinking roll-out = job done.

10000maniacs

jmayo wrote: »

And who is going to guarantee the new tweaked fix ?
Who is the one going to stand up in court and take the heat if something happens ?
Because I guarantee you the Siemens, Philips, GE, Medtonics of this world will go it was nothing to do with us. Good Luck.


You guys just don't get medical software or medical devices.

Do you guys know how long it takes to bring new medical product to market.

Medical is the same as aviation.
You can't just make changes and implement them.

Ever hear of the FDA ?

So the answer is to continue to use Windows XP or Vista?

Hurrache

10000maniacs wrote: »

The only thing is in a lot of cases, it really is that easy.

You seem to be taking everything from the point of view of a desktop or laptop, with little thought given to commercial setups that use more than what you can download from the Windows app store.

jmayo

10000maniacs wrote: »

So the answer is to continue to use Windows XP or Vista?

Yes until you go out and buy the new fancy replacement medical device that has been fully tested and certified with Win10 by the manufacturer with say the FDA.

This is not a fooking Lexmark desktop printer or HP scanjet we are talking about.

You can't fook about and botch together code to make the old system work with the newest or latest OS.
It invalidates the whole system.
Manufacturer will not support it, and medical insurance would not cover any issues if something were to happen.


As I said Medical and Aviation have a lot in common.
It takes time to bring devices to market and it takes time to certify changes to existing systems.

I am into aviation and I recall one of the US General Aviation manufacturers (possibly Cessna ???) were asked why they didn't roll out a glass cockpit for one of their older models.
The answer was it would cost a couple of million just to get it certified and they never saw that volume of sales to make it cost effective.

Also the hoops that has to be gone through are used as an excuse to charge higher prices for medical and aviation parts.

Keyzer

10000maniacs wrote: »

The only thing is in a lot of cases, it really is that easy.

No, its not.

Trust me, I've been in this game for a long time. If it was that easy then there wouldn't be such a huge global demand for Information Security professionals.

If you talk about a singular desktop/laptop, then fine, upgrade to whatever. When you talk about a large organisation with thousands of employee's and potentially hundreds of applications, it becomes exponentially more complex.

There are multiple layers of the stack which need to be considered in all aspects of security. In many cases, its not technically feasible to implement preventive controls so you might look to implement detective controls instead. You might not implement any controls if the cost to implement the control exceeds the potential impact.

Its highly complicated and can't be fixed with just upgrading to Windows 10.

MrMusician18

10000maniacs wrote: »

So the answer is to continue to use Windows XP or Vista?

Sadly yes or scrap completely functional machines and buy new replacement ones and then train the operators to use the new ones.

thebourke

will the hse they also have to start looking at their server versions...for example if they are running 2008..2003 versions...

notAMember

The longer term discussion is about IT investment in public sector in general. It's never popular to choose server upgrades, security investment and improved networking infrastructure over , say, 15 extra doctors and nurses. BEDS as they say. But IT is critically important. It takes an event like this to bring it to public focus, but I assume internally people have been begging for IT investment programs for years. It's not a one shot and it's done... as others have said here. It's an ongoing effort to stay ahead of technology lifecycle maintenance.


In the medium term, the technical solution is for legacy systems usually segregated networks , keep legacy systems that cannot be upgraded corralled in an ICE, in L2, away from the internet, with controlled access and locked down interface ports with layers of firewalls.


In the short term, I think they are goosed unless they pay that ransom, and even that is a poor solution. But maybe someone closer to it knows better.
I have no doubt people will be harmed, possibly with fatal outcomes in some cases here due to this outage, either with delayed results, missed treatments, misdiagnoses etc.

Nonoperational

Keyzer wrote: »

No, its not.

Trust me, I've been in this game for a long time. If it was that easy then there wouldn't be such a huge global demand for Information Security professionals.

If you talk about a singular desktop/laptop, then fine, upgrade to whatever. When you talk about a large organisation with thousands of employee's and potentially hundreds of applications, it becomes exponentially more complex.

There are multiple layers of the stack which need to be considered in all aspects of security. In many cases, its not technically feasible to implement preventive controls so you might look to implement detective controls instead. You might not implement any controls if the cost to implement the control exceeds the potential impact.

Its highly complicated and can't be fixed with just upgrading to Windows 10.

Not to mention the interaction with primitive Dos based systems, inter-hospital connections, various servers, remote access, stand alone imaging machines that sync daily etc

cnocbui

MrMusician18 wrote: »

Sadly yes or scrap completely functional machines and buy new replacement ones and then train the operators to use the new ones.

Machines that run xp or windows 7 for dedicated hardware purposes should not be connected to any network. Air gap all machines that have to be run insecure.

Infini

Keyzer wrote: »

Bear in mind chaps, a number of variants of Windows 10 are now end of life/end of support also. Windows 10 is not a panacea here.

Yeah but windows 10 also has the LTSM program which allows for essential upgrades to the OS without any extras or unwanted add ons. They provide this as a way of applying essential security updates and bug fixes as buisneses need to be able to apply these at fixed intervals without having to deal with potential conflicts etc.

Keyzer

thebourke wrote: »

will the hse they also have to start looking at their server versions...for example if they are running 2008..2003 versions...

Yes...

They need to look at everything really. I know that's quite a 50000 ft answer but they really need to look at their entire estate. Ideally, this should be carried out by a completely independent third party.

An unbiased, no holds barred assessment of the entire IT landscape is required before they can do anything. They also need senior management/ministerial support on whatever transformation program they hopefully decide to implement.

At the end of the day, senior management are responsible.

Is there a history of victims who don't pay ransomware demands being targeted again to discourage others from not paying?

joe40

Keyzer wrote: »

No, its not.

Trust me, I've been in this game for a long time. If it was that easy then there wouldn't be such a huge global demand for Information Security professionals.

If you talk about a singular desktop/laptop, then fine, upgrade to whatever. When you talk about a large organisation with thousands of employee's and potentially hundreds of applications, it becomes exponentially more complex.

There are multiple layers of the stack which need to be considered in all aspects of security. In many cases, its not technically feasible to implement preventive controls so you might look to implement detective controls instead. You might not implement any controls if the cost to implement the control exceeds the potential impact.

Its highly complicated and can't be fixed with just upgrading to Windows 10.

Are we getting to the stage where the use of technology and software has advanced at a faster speed than the ability of organisations/companies to maintain proper security.
That would mean we are very vulnerable to this sort of thing. Imagine a power grid, Air traffic control or banking just to name a view where this sort of breach could be catastrophic.

The technology involved here is totally beyond me, I'll leave others to discuss the details of this issue, but just how vulnerable are we as a society.

Flinty997

3rd party audits are a normal part of IT systems in public bodies.

magicbastarder

10000maniacs wrote: »

A friend of mine is a dentist and he ran his x-ray/photo/scanning software on XP up to 2020.
He wanted my help to move to Windows 10. It took a bit of effort and coding but I helped him do it over two weekends.

'i once upgraded a dentist so i can't understand why the HSE can't do it'.

hmmm

10000maniacs wrote: »

4: Figure what the non compatible drivers were doing and emulate this functionality by either tweaking their config/registry settings or a driver rewrite (the hard part).

"Dear Mrs O'Reilly, I'm writing to let you know that your son received a thousand times the expected radiation from the MRI machine. Apologies, but the driver for the device that was hacked together back in 2021 behaved unexpectedly when we applied the latest Microsoft Service Pack. "

I know what you're saying, and you could maybe do that in a small company, but it's not realistic for a health service.

Keyzer

joe40 wrote: »

Are we getting to the stage where the use of technology and software has advanced at a faster speed than the ability of organisations/companies to maintain proper security.
That would mean we are very vulnerable to this sort of thing. Imagine a power grid, Air traffic control or banking just to name a view where this sort of breach could be catastrophic.

The technology involved here is totally beyond me, I'll leave others to discuss the details of this issue, but just how vulnerable are we as a society.

Its a very valid point.

Sadly, like a lot of things in human nature, we leave things to the last minute, don't do something until there is impending danger or react when something bad happens. Many organisations I have seen in my time operate this way. IT and, more specifically, IT Security are seen as a cost. Cost's are, generally speaking, minimised. Until something really bad happens.

A great example of this is Maersk - they almost went out of business a couple of years ago because of NotPetya. Its a fascinating story. They had to rebuild over 4000 servers. Their entire Active Directory system (simply put, a critical system which allows you access to your Windows machine when you logon in the morning) was significantly affected. In Maersks case, because this system was down, they couldn't open the gates of their shipping ports because it was all managed through Active Directory.

They eventually found one Active Directory (domain controller, you have multiple domain controllers in a large organisation which replicate with each other) server somewhere in Africa which was offline due to an electrical storm, the guy in Africa was ordered not to turn it back on under any circumstances, to take out the hard drives, put them in a stainless steel briefcase, handcuff the briefcase to his wrist and fly to Maersk offices in London immediately. He couldn't because he didnt have a visa so Maersk flew one of their guys to Kenya, met the guy, got the brief case and prayed the hard drives were operational.

Thankfully for Maersk, they were. They rebuilt their entire Active Directory system using this one hard drive. If that drive failed, the company was gone.

But consider that for a moment, a company of the size of Maersk, a company the global economy is dependent on, almost going out of business. And they almost did.

After this fiasco, Maersk's entire approach to Information Security changed. Sometimes you have to go the edge of oblivion before you decide to make a change.

realdanbreen

Deleted User wrote: »

Head of IT Ops from the HSE on the radio now saying they believe it was a zero day exploit.

Oh right.:rolleyes: