
Ransomware & HSE


Comments

  • Registered Users Posts: 1,933 ✭✭✭Anita Blow


    I work in a children's hospital and have to say this attack has severely compromised our ability to care for these kids appropriately and safely. Having to make medical decisions essentially completely blind overnight for very unwell babies without any access to prior investigations and having to admit our most vulnerable cohort of chronic disease kids presenting with emergencies without any of their medical notes to know what their medical history actually is.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    gctest50 wrote: »
    This is a good thing overall, the 100million total cost is the only thing that will make the HSE tidy up security

    And already people getting offers of better healthcare abroad

    https://m.independent.ie/irish-news/patients-have-already-received-unsolicited-approaches-after-data-leaked-by-hse-hackers-dail-told-40444900.html

    One question to ask yourself

    The HSE pays external consultants to advise them what to do, like all government agencies. This is for security and everything

    When the poo hit the fan take a stab who the HSE brought in? I am 99% sure it's the same lads who have advised them all along

    Now are they going to admit they done a shoddy job or just cover this up, which the HSE will also cover up because it suits them

    Nothing will change, they will blow millions now trying to resolve this, will lose patients data. Weeks of operations etc. Not a single person will lose a job and next year they will have The same consultants in as before telling them the same things

    That’s the joy of Ireland....we don’t sack people for incompetence, we give them more money


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    Maybe it's time to go back to the old manual systems?


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    jmayo wrote: »
    And who is going to guarantee the new tweaked fix ?
    Who is the one going to stand up in court and take the heat if something happens ?
    Because I guarantee you the Siemens, Philips, GE, Medtronics of this world will go it was nothing to do with us. Good Luck.


    You guys just don't get medical software or medical devices.

    Do you guys know how long it takes to bring a new medical product to market?

    Medical is the same as aviation.
    You can't just make changes and implement them.

    Ever hear of the FDA ?


    Sorry I missed your answer.
    You would get in the company who originally carried out the installation to certify that the conversions were done correctly. Simples.


  • Moderators, Politics Moderators Posts: 39,894 Mod ✭✭✭✭Seth Brundle


    ineedeuro wrote: »
    One question to ask yourself

    The HSE pays external consultants to advise them what to do, like all government agencies. This is for security and everything

    When the poo hit the fan take a stab who the HSE brought in? I am 99% sure it's the same lads who have advised them all along

    Now are they going to admit they done a shoddy job or just cover this up, which the HSE will also cover up because it suits them

    Nothing will change, they will blow millions now trying to resolve this, will lose patients data. Weeks of operations etc. Not a single person will lose a job and next year they will have The same consultants in as before telling them the same things

    That’s the joy of Ireland....we don’t sack people for incompetence, we give them more money

    Care to tell us how you would have prevented this and what steps you would take to ensure that the HSE is not successfully attacked in the future?
    Who would you sack?
    :rolleyes:


  • Registered Users Posts: 9,507 ✭✭✭runawaybishop


    Sorry I missed your answer.
    You would get in the company who originally carried out the installation to certify that the conversions were done correctly. Simples.

    Please, just stop.


  • Registered Users Posts: 16,583 ✭✭✭✭Galwayguy35


    Hospital rang me today to say my appointment for tomorrow was still on, guess I'm one of the lucky ones.

    Thought the staff did an amazing job today when I was there considering what they have to cope with over the last few days.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    One question to ask yourself

    The HSE pays external consultants to advise them what to do, like all government agencies. This is for security and everything

    When the poo hit the fan take a stab who the HSE brought in? I am 99% sure it's the same lads who have advised them all along

    Now are they going to admit they done a shoddy job or just cover this up, which the HSE will also cover up because it suits them

    Nothing will change, they will blow millions now trying to resolve this, will lose patients data. Weeks of operations etc. Not a single person will lose a job and next year they will have The same consultants in as before telling them the same things

    That’s the joy of Ireland....we don’t sack people for incompetence, we give them more money

    There are literally a finite number of players in the game when it comes to this type of consultancy and the stringent requirements that must be met when tendering.

    If there was gross negligence here then people need to be held to account but these things happen - sometimes you just need to learn the lessons.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    mohawk wrote: »
    Problem for the public sector is that it is tied into grades and has unions to deal with. Certain roles therefore are under paid compared to what they can get in private sector. IT already in some areas already has a skills shortage. A private company can offer more money if they can’t get the best people for the job but public sector can’t.

    Sad part is they overpay for low level low skill IT positions. But to get the really skilled staff in specific specialized positions, they are well off the market prices. I've never seen or applied to the HSE but other areas were so off base it was painful.

    And to be honest, with the "new" contracts for staff they would need to be better than private to justify the move because high paid technical roles get serious financial perks outside of base pay. Meanwhile public service gives a pension levy that doesn't even go to you.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    Sorry I missed your answer.
    You would get in the company who originally carried out the installation to certify that the conversions were done correctly. Simples.

    What installation? This wasn't a single failure to get to this point. This would have to have been multiple failures across many disciplines of IT.


  • Registered Users Posts: 21,886 ✭✭✭✭Roger_007


    saabsaab wrote: »
    Maybe it's time to go back to the old manual systems?

    I worked in the HSE for a short time about 20 years ago, ( not in any IT capacity), and at that time the Health Boards as they were then were installing patient administration systems. At the time there was a lot of pushback from the medical consultants about putting their patient notes on computer. They claimed that it was not secure enough for such confidential data as they never knew who might have access.
    I don’t know what happened afterwards but at the time the paper files continued as before and the computer system just held the bare bones of patient data, just enough to identify the person and dates of admission/discharge etc. There wasn’t even a common identifier for patients between Health Boards.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    Sad part is they overpay for low level low skill IT positions.

    What kinds / grades of positions are they overpaying for?


  • Registered Users Posts: 22 flask_fan


    Sad part is they overpay for low level low skill IT positions. But to get the really skilled staff in specific specialized positions, they are well off the market prices. I've never seen or applied to the HSE but other areas were so off base it was painful.

    And to be honest, with the "new" contracts for staff they would need to be better than private to justify the move because high paid technical roles get serious financial perks outside of base pay. Meanwhile public service gives a pension levy that doesn't even go to you.

    I don't think that's correct.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    There's no such thing as "low skill" IT positions.
    There might be "Low Paid" or "Individuals who shouldn't be doing that job" positions, but no "low skill".


  • Registered Users Posts: 3,078 ✭✭✭salonfire


    kippy wrote: »
    There's no such thing as "low skill" IT positions.
    There might be "Low Paid" or "Individuals who shouldn't be doing that job" positions, but no "low skill".

    There most certainly is. Why do you think the biggest question and answer site on the web is named after a programming error? Skilled people don't go running to the web to have others do their work for them.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    kippy wrote: »
    There's no such thing as "low skill" IT positions.
    There might be "Low Paid" or "Individuals who shouldn't be doing that job" positions, but no "low skill".

    Did you take that a bit personally?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Did you take that a bit personally?

    Relative to the many other jobs and careers out there, any level of IT is a skilled role.
    To suggest otherwise is to have very little perception of the world out there.


  • Registered Users Posts: 16,583 ✭✭✭✭Galwayguy35


    oops wrong thread


  • Posts: 5,917 ✭✭✭ [Deleted User]


    salonfire wrote: »
    There most certainly is. Why do you think the biggest question and answer site on the web is named after a programming error? Skilled people don't go running to the web to have others do their work for them.

    You obviously don't work on I.T.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Care to tell us how you would have prevented this and what steps you would take to ensure that the HSE is not successfully attacked in the future?
    Who would you sack?
    :rolleyes:

    I don't know the HSE setup so I can't comment. The hackers stayed in the HSE environment for weeks without detection. That's more than an "oopsie"

    Who would I sack? The CISO/head of security for a start. How many CISOs would last in a company after such a failure as this? Most would already have handed in notice.
    Then if as I suggested they have a Security Assessment with a strategic plan, if this was blocked by another member of the HSE which resulted in underfunding of the Security department they should walk.

    What is your plan? Give them a pat on the back and tell them well done?


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    ineedeuro wrote: »
    Who would you sack? The CISO/head of security for a start. How many CISOs would last in a company after such a failure as this? Most would already have handed in notice.

    You fire all the security people who have been involved in an incident you'll have no-one left.

    Security people don't exist in a vacuum where they have unlimited funds and the ability to dictate every decision. It's senior management who decide where the balance between security and everything else lies - if they get it wrong they are the ones being paid 400k a year to get it right.

    We need to change the model so that security has a higher prominence when it comes to making decisions. Want to allow everyone receive email from anywhere in the world? Security people would be more than happy to say "no", but they don't get to make that decision.


  • Registered Users Posts: 6,894 ✭✭✭sporina


    are private hospitals affected?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    hmmm wrote: »
    You fire all the security people who have been involved in an incident you'll have no-one left.

    Security people don't exist in a vacuum where they have unlimited funds and the ability to dictate every decision. It's senior management who decide where the balance between security and everything else lies - if they get it wrong they are the ones being paid 400k a year to get it right.

    We need to change the model so that security has a higher prominence when it comes to making decisions. Want to allow everyone receive email from anywhere in the world? Security people would be more than happy to say "no", but they don't get to make that decision.

    I didn't say to fire all the security people. I said to fire the CISO/Head of Security, that would be senior management.

    As I said before the HSE should have a Security Assessment. This is the basic of the basic for any large company
    https://www.upguard.com/blog/what-are-security-ratings#:~:text=Security%20ratings%20provide%20a%20continuous,to%20have%20deep%20technical%20expertise.&text=This%20allows%20you%20to%20monitor,management%20program%2C%20and%20reduce%20risk.

    This gives management the information on which decisions they should/shouldn't make and also the information to figure out what risk they have if they don't invest.


  • Registered Users Posts: 4,194 ✭✭✭Corruptedmorals


    sporina wrote: »
    are private hospitals affected?

    No. They don't have any connection to any HSE network. They will be accommodating priority and oncology scans and presumably radiation. This is the biggest problem that the public hospitals are facing, not being able to carry out or view scans.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    ineedeuro wrote: »
    I don't know the HSE setup so I can't comment. The hackers stayed in the HSE environment for weeks without detection. That's more than an "oopsie"

    Who would I sack? The CISO/head of security for a start. How many CISOs would last in a company after such a failure as this? Most would already have handed in notice.
    Then if as I suggested they have a Security Assessment with a strategic plan, if this was blocked by another member of the HSE which resulted in underfunding of the Security department they should walk.

    What is your plan? Give them a pat on the back and tell them well done?

    Hackers were in SolarWinds and half the US government for months and no one noticed either.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    ineedeuro wrote: »
    I said to fire the CISO/Head of Security, that would be senior management.

    How do you know that the CISO/Head of Security is to blame? What if they've been jumping up and down yelling about the risk of ransomware all this time, but have been ignored or not given the budget to defend against it?

    This is the issue on this thread, there's an incredible amount of jumping to conclusions on what caused the breach, who is to blame and what the (overly simplistic) solutions are, despite us having next to no information about what actually happened or why.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    Please, just stop.

    All you have said to add to the constructive debate is "paying up in no way guarantees you will get your data back" and "disgruntled employees are going to press dodgy links anyway". Very constructive. No solutions offered by you whatsoever.
    Bet you didn't know that there is software to stop ransomware being triggered even if disgruntled employees press the dodgy email links. Bet the HSE technical staff didn't know that either.


  • Registered Users Posts: 3,078 ✭✭✭salonfire


    DubInMeath wrote: »
    You obviously don't work on I.T.

    I do actually.

    And I'm in a position to ask some very awkward questions if I wanted to to show me if code copied from stack overflow does not contravene copyright and licensing policies.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    ineedeuro wrote: »
    I didn't say to fire all the security people. I said to fire the CISO/Head of Security, that would be senior management.

    Great. Now you can't hire a replacement who is qualified because no-one is going to take the risk, and the person you do hire is going to be underqualified.

    Like Blowfish says, if the Head of Security has been asking for extra budget, resources or influence and doesn't get it, what is the purpose of firing them other than to look for a scapegoat? That might make you feel better, but it doesn't help you prevent another attack.

    I've known very good security people who suffered a security incident, because well **** happens and no-one working in security has the resources to close every door. I'd hire them in a heartbeat.

    It's ultimately a senior management decision (and in the HSE case that's the Minister and the HSE Board) as to how much resource is allocated to Security.


  • Moderators, Politics Moderators Posts: 39,894 Mod ✭✭✭✭Seth Brundle


    ineedeuro wrote: »
    I didn't say to fire all the security people. I said to fire the CISO/Head of Security, that would be senior management.

    As I said before the HSE should have a Security Assessment. This is the basic of the basic for any large company
    https://www.upguard.com/blog/what-are-security-ratings#:~:text=Security%20ratings%20provide%20a%20continuous,to%20have%20deep%20technical%20expertise.&text=This%20allows%20you%20to%20monitor,management%20program%2C%20and%20reduce%20risk.

    This gives management the information on which decisions they should/shouldn't make and also the information to figure out what risk they have if they don't invest.

    So you're suggesting to sack the head of IT Security without knowing if they are in any way responsible. Given that kind of knee jerk sacking, how many applicants will want to fill the role, do you think?

    As for a security assessment, how do you know one has not been done and all the measures possible within the finite budget available have been implemented?

