Ransomware & HSE

Keyzer

Gael23 wrote: »

Lawyers getting ready to strike. https://www.thejournal.ie/several-weeks-before-hse-system-is-back-5442378-May2021/?fbclid=IwAR3fieg4hnhKJHpUHMjCfXYSGVbhpDN8cLy91W3JWzsOK3Qd0HkSI7CxErQ

I heard him talking about this on the radio this morning, I'm not a fan of Donnelly but I agree with him on this. Its disgusting behavior from the law firms in question.

Similar to the criminals behind this attack, their only interest is money.

Gael23

Keyzer wrote: »

I heard him talking about this on the radio this morning, I'm not a fan of Donnelly but I agree with him on this. Its disgusting behavior from the law firms in question.

Similar to the criminals behind this attack, their only interest is money.

Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems

giles lynchwood

Keyzer wrote: »

Jesus wept - so the HSE are to blame for people robbing equipment from hospitals and other staff committing fraud?

Heads might roll on this, at the moment they are in recovery mode, I'd expect a detailed investigation to be carried out to find out why this happened.

But the solution is sack everyone right?

Well the present system is not working and yes cut the head off the snake or keep throwing tax payers money at a system which goes from one problem to another. Moral is at an all time low with medical staff.Our health service is a shambles and until they address the waste and theft extra funding will have no effect.Hse admin are not doing their job and when somebody is failing in their duties they are to blame.Most, not all,of the irish civil servent's would not last a week in the private sector.
It would be intresting to see how up to date their security was on the system.

plodder

Gael23 wrote: »

Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems

That argument on its own wouldn't win a case imo. Windows 7 might be obsolete in some sense, but they were paying to keep their systems patched up to date and there could be legitimate reasons for not updating some systems.

whippet

Gael23 wrote: »

Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems

pure nonsense

Keyzer

Gael23 wrote: »

Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems

If you think these law firms have the interests of citizens and patients at heart, then you're either sorely mistaken or delusional. They don't give two sh1ts about the people affected by this. They see dollar signs, its that simple, whether you want to believe it or not.

As I said before, we don't know all the details, we only have bits and pieces of information. Until a thorough examination of the HSE's IT systems and approach to cyber security is carried out by a reputable and completely independent third party, there won't be any legal cases.

You need evidence to form a legal case, not hearsay or speculation.

whippet

you can be sure that the HSE are not running the recovery project - there are very specialized companies who do this day in day out .

Dempo1

whippet wrote: »

pure nonsense

If you wanted to hear pure Nonsense, that clown Paul Reid just on Claire Byrne show, just breath taking his expertise on Deflection.

10000maniacs

whippet wrote: »

pure nonsense

No it's actually true.
GDPR rules insist that systems must uphold customers data based on the three core principles, Integrity, Confidentiality and Availability.
They need to go back to the drawing board and get the most up to date hardware and OS software they can. Then bullet-proof it. Then pay off all the inevitable law suits and fines for what has happened.

notAMember

Keyzer wrote: »

The Minister for Health has been very vocal on this issue - he was on radio this morning. Its reported daily through the mainstream channels. Updates are being provided if you care to look for them.

You've no idea the amount of effort required to recover from a situation like this and bring critical systems back online. Point the finger of blame when the dust settles and a report is issued detailing the events that led to this situation.

In the meantime, you should just give them a break and let them fix the issue.

First of all, you've actually missed my point by defensively jumping to a conclusion... There should be no blame whatsoever, that is pointless. The focus should be on remediation, as soon as possible. Medical records are now being missed.

Apologies for not listening to the radio. The last official update I see on the gov.ie site is from 4 days ago.
https://www.gov.ie/en/press-release/22f88-update-on-cyber-attack-on-hse/
The last one from NCSC is also from the 16th.
https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

Point me in the right direction of the frequent updates?


I probably do have some idea of the amount of effort? :pac::pac: Just my decades of experience in this particular sector and industry, so don't be so presumptuous.


I am hyper-aware of prevention and we frequently devise new programs to build user awareness of this, such as phishing email test runs to see who recognises them.

It's true, I've only ever seen one breach where they needed to rebuild in my career. That occasion was someone bringing in a USB stick to a lab benchtop instrument, manually disconnecting the USB barcode scanner and infecting that network segment. The USB port had to be active to function, so was not locked down as per usual policy. Luckily, not connected to the internet or email and we had it well locked down, but lost about a week's worth of analysis data and had to rebuild that whole lab.

However, I know well to impact and what it takes to reinstate at scale. The biggest impact isn't the lost data or the cost of equipment, it is the amount of time that the systems will be down to rebuild and requalify. The validation and certification of equipment for use is the most time-consuming and expensive part in healthcare IT. That's where the money will be spent/lost.

Large scale healthcare will have approved SOPs in place to ensure that it is possible to expedite rebuild and release for use "at risk" in DR scenarios. A bank of cloned drives in safe storage, ready for rebuild of legacy devices, and large scale DR sites ready to be spun up for enterprise level DR.

I doubt, given the miniscule budget of the HSE , that they were in any way prepared for this.


And that's why I wonder about timeline expectations, how long they will be down. This could easily take years to recover from.

crossman47

Keyzer wrote: »

I heard him talking about this on the radio this morning, I'm not a fan of Donnelly but I agree with him on this. Its disgusting behavior from the law firms in question.

Similar to the criminals behind this attack, their only interest is money.

Parasites. Always have been.

seamus

Cluedo Monopoly wrote: »

I really think Paul Reid does way too much media. It's 11am and he is on Claire Byrne. He seems to be always on the radio. I would much rather him attending and prioritising internal meetings during office hours especially. He should be able to delegate media work to other managers or PR people during crisis situations.

It's funny that on the same page, we see one person accusing the HSE of too much secrecy and not saying enough, and another person complaining that the head of the HSE spends too much time talking in the media.

I'm no fan of Reid, but during these kinds of times, acting as the frontman for the organisation is exactly where he should be. All of the other non-media work can be delegated to others. He is an expert neither in health or in IT, so he has no place getting directly involved in either crisis. His day-to-day should consist of getting a status update from everyone, finding out if anyone is being impeded, making decisions that require his approval, and then pushing relevant information up the line to Donnelly and the public.

Gael23 wrote: »

Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems

The first part of your statement is correct, the second is unproven.

Anyone that sued the HSE for the data breach would need to prove that the HSE failed to take all reasonable steps to maintain the security of the data. "They were running Windows 7" proves nothing. A Windows 10 machine connected directly to the internet is several times less secure than a windows 7 machine behind a secured and properly architected network.
A data breach does not by itself prove that the organisation was not taking all reasonable precautions.

The solicitors are sitting around waiting for more information to come out to decide whether it'll be an easy win. Nobody wants to be the one who had to spend tens of thousands of euro hiring security experts to give evidence that the HSE materially failed in its duty to keep the data secure.

whippet

10000maniacs wrote: »

No it's actually true.
GDPR rules insist that systems must uphold customers data based on the three core principles, Integrity, Confidentiality and Availability.
They need to go back to the drawing board and get the most up to date hardware and OS software they can. Then bullet-proof it. Then pay off all the inevitable law suits and fines for what has happened.

Simple as that is it - tell me what area of enterprise cyber security are you involved in ?

Turtwig

You can find solicitors to take on any case. The worst I've seen are the vultures that prey on people who had issues in a hospital during pregnancy. These ones are despicable.

VinLieger

Anyone else suddenly getting robocalls this week? The wife and I having never had any have gotten several. Timing is very conspicuous.

fly_agaric

eastie17 wrote: »

The public are apathetic about this as well, we dont expect any better. The majority of people arent engaged with the health service at this time time so dont see how bad it now is. When they do, they are probably too sick to worry about anything else except getting better, and rightly so. so arent going to be going around shaking trees and making alot of noise.

Nope would not completely agree with that.

With PR-STV system/responsiveness of politicians to local issues + the political input into the health boards that predated the HSE, the public in Ireland have a great deal to do with state of the health service over multiple generations.
Just look at the bunfight over where to site the Childrens hospital where major thing joe public was worried about was the car parking facilities and the hospital being in centre of Dublin. So that became a key issue for the politicians and (IMO) contributed to the ridiculous rows about it & decades long delays.
For a long time money was an issue of course as regards improving the Health service (Ireland was a low/mid income country) but that has not been the case since the late 90s and its been other things since then.
One of them IMO is the fact that the Irish public & politicians have so much direct input into the nuts and bolts of the health service and maybe they are not the best people to be making some of the decisions.

randd1

Outside of the obvious chaos regarding appointments/patient data, are we over-reacting?

Fair enough, no-one wants to have their medical history exposed to the world, but I seriously doubt anyone wants to know about my previous chest infection, or Mary from Letterkenny's in-grown toenail, or John from Carlow's bladder infection.

Wombatman

I expect a similar toolkit was used by the HSE attackers. Still unclear as to the initial access route?

VinLieger

VinLieger wrote: »

Anyone else suddenly getting robocalls this week? The wife and I having never had any have gotten several. Timing is very conspicuous.

Social services allegedly phoning me in an automated American accent needing a few extra details like bank account and that

There's always the gullible.

ednwireland

randd1 wrote: »

Outside of the obvious chaos regarding appointments/patient data, are we over-reacting?

Fair enough, no-one wants to have their medical history exposed to the world, but I seriously doubt anyone wants to know about my previous chest infection, or Mary from Letterkenny's in-grown toenail, or John from Carlow's bladder infection.

i was thinking the same my dicky knee or the 8 days i spent in hospital with a random internal bleed aint going to make headlines. although i guess there will be more sensitive information that people would prefer not to be in the public domain.

kippy

Keyzer wrote: »

Don't mean to sound dismissive but you don't have a clue what you're talking about.



External consultants will assess a situation, provide advice and potentially run a program to implement suggested improvements. They are not decision makers. If a senior management team chooses to ignore the advice given to them, that's not the consultants fault.



Too early to be talking about sacking anyone. I don't even know if the HSE has a CISO but, like my point above, if the CISO recommends a certain initiative/course of action and the senior management team don't support it, its not the CISO's fault.

Too often, the CISO becomes the scapegoat in these instances. The CEO is fully accountable for all facets of the organisation/business, including cyber security. If they don't know anything about cyber security, then they must hire someone who does and listen to what they are saying.



Its actually not that expensive in the grand scheme of things.



Again, more nonsense. You're taking a very singular view of this situation. There could be 100's of applications & systems with dependencies on each other. Upgrade one, 99 stop working.

You don't know the situation but yet you keep coming up with "silver bullet" proposals to fix the issue. There is no silver bullet, no magic wand.



This is very true. If I were to give any organisation advice on what they should focus on protecting first it would be their privileged admin accounts. If you get hacked but the attacker cannot elevate their privileges to cause maximum damage because you've got your admin/privileged accounts under lock and key with moniitoring and alerting in place, then you're in a good spot.



Agreed 100%



Very true. I mentioned before that I was involved in one of these situations (not in Ireland) a couple of years ago. It was a nightmare from start to finish, trying to unravel decades of negligence that led to the incident occurring. Its an experience I hope I never have to go through again. After weeks of work, we upgraded to Windows 10 and that fixed everything :P:P:P

In the grand scheme of things is may not be "that expensive" but it is an expense. While the HSE are known to spend and waste on many things - it's not always easy justify expense in most organisation.

10000maniacs

whippet wrote: »

Simple as that is it - tell me what area of enterprise cyber security are you involved in ?

The fundamental rule number one in my organization is every employee who uses a computer is involved in enterprise cyber security and is trained to do the right thing.
Everybody is trained on every aspect of enterprise cyber security.
= First failsafe.
Second failsafe is every executable or script that is run on our servers is gridlocked using specialized security software and is not run if it is not recognised. You cannot run or install ANYTHING from the web or disc.
Discs, floppy's and USBs are disabled.
The software that we use is obtained solely from the organizations software repository.
The entire drive on every computer is encrypted. etc...etc.

Cuddlesworth

Wombatman wrote: »

I expect a similar toolkit was used by the HSE attackers. Still unclear as to the initial access route?

Its probably going to be traced back to a email with a hyperlink. There are plenty of people in every org that will open anything sent and click yes to anything that comes up, training or no training. For attackers its just a matter of finding them.

kippy

10000maniacs wrote: »

The fundamental rule number one in my organization is every employee who uses a computer is involved in enterprise cyber security and is trained to do the right thing.
Everybody is trained on every aspect of enterprise cyber security.
= First failsafe.
Second failsafe is every executable or script that is run on our servers is gridlocked using specialized security software and is not run if it is not recognised. You cannot run or install ANYTHING from the web or disc.
Discs, floppy's and USBs are disabled.
The software that we use is obtained solely from the organizations software repository.
The entire drive on every computer is encrypted. etc...etc.

Great.
I have no idea what your organisation is or does but fair play.

10000maniacs

kippy wrote: »

Great.
I have no idea what your organisation is or does but fair play.

US Multinational based in Ireland. The funny thing is these principles have been in place in the 17 years I have been an employee.
It's not new technology or concepts by any means.

kippy

10000maniacs wrote: »

US Multinational based in Ireland. The funny thing is these principles have been in place in the 17 years I have been an employee.

Nothing funny about it.

If possible, many organisations have been implementing a lot of that over the past few decades.
But it's not always possible for a multitude of reasons.


The biggest challenge is actually user education.

Seth Brundle

ineedeuro wrote: »

People are suing the HSE. The government out complaining. The reason people are suing is because we are sick of incompetence.
Maybe if enough people sue we might actually get the truth from the HSE and not this waffle about zero day etc

On what grounds are people suing the HSE? Surely they were quick off the mark to get a claim in?
Anyhow, ok so sue the organisation and there is less money to go towards running it? Good idea :rolleyes:

Hibernicis

10000maniacs wrote: »

Everybody is trained on every aspect of enterprise cyber security.

What on earth does a statement like that even mean? The receptionists, the cleaners, the janitor all trained on every aspect of enterprise cyber security ????

You response does nothing to directly answer the question you were asked - "what area of enterprise cyber security are you involved in ?". Indirectly your response answers the question very very clearly.

10000maniacs

kippy wrote: »

Nothing funny about it.

If possible, many organisations have been implementing a lot of that over the past few decades.
But it's not always possible for a multitude of reasons.


The biggest challenge is actually user education.

Going forward, it has to be done in the HSE. Simple as. They will be forced to do it if there is no initiative to do it off their own bat.

Seth Brundle

Cluedo Monopoly wrote: »

I really think Paul Reid does way too much media. It's 11am and he is on Claire Byrne. He seems to be always on the radio. I would much rather him attending and prioritising internal meetings during office hours especially. He should be able to delegate media work to other managers or PR people during crisis situations.

If he wasn't out talking to the media then the numpties would be complaining that he is off hiding. He can't win :rolleyes: