Ransomware & HSE

Comments

  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    The reality of the situation is that hackers are becoming more aggressive and more sophisticated and systems are going to have to be hardened and simplified, even if that costs a lot of money to do.

    The alternative is either frequent hacks and disruption, or you’ll have organisations avoiding using IT at all.

    There has been a huge spate of these ransomware attacks including several very high profile ones ongoing in the USA at the moment.

    IT costs are going to increase and organisations are going to have to take these risks far more seriously.

    The other side of it is we also may need to put a ceiling on some of the very ambitious eHealth projects and start doing cost / benefit analysis and a process of derisking and limitation of risk in design.

    The rather grim facts of the situation are that this will happen again in organisations and it will keep happening. There is no silver bullet.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    The reality of the situation is that hackers are becoming more aggressive and more sophisticated and systems are going to have to be hardened and simplified, even if that costs a lot of money to do.

    The alternative is either frequent hacks and disruption, or you’ll have organisations avoiding using IT at all.

    There has been a huge spate of these ransomware attacks including several very high profile ones ongoing in the USA at the moment.

    IT costs are going to increase and organisations are going to have to take these risks far more seriously.

    The other side of it is we also may need to put a ceiling on some of the very ambitious eHealth projects and start doing cost / benefit analysis and a process of derisking and limitation of risk in design.

    The rather grim facts of the situation are that this will happen again in organisations and it will keep happening. There is no silver bullet.

    Why isn't it happening to every bank in the country? Surely a more lucrative target for hackers right?

    How come the Dept. of Health managed to detect and stop the attack?

    There may be no silver bullet, but there is a world of difference between a high scoring and low scoring cyber-security posture assessment.

    To reiterate, the most vulnerable are the most likely victims of a successful attack.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    The reality of the situation is that hackers are becoming more aggressive and more sophisticated and systems are going to have to be hardened and simplified, even if that costs a lot of money to do.

    The alternative is either frequent hacks and disruption, or you’ll have organisations avoiding using IT at all.

    There has been a huge spate of these ransomware attacks including several very high profile ones ongoing in the USA at the moment.

    IT costs are going to increase and organisations are going to have to take these risks far more seriously.

    The other side of it is we also may need to put a ceiling on some of the very ambitious eHealth projects and start doing cost / benefit analysis and a process of derisking and limitation of risk in design.

    The rather grim facts of the situation are that this will happen again in organisations and it will keep happening. There is no silver bullet.

    If you don't do the basics then no point spending millions on security. The HSE could go out now, spend millions to implement loads of fancy new systems, then hand back to the HSE who don't bother their ass to patch anything and the hackers walk back in 12 months later.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Banks never have issues:

    https://www.thejournal.ie/ulster-bank-fined-over-it-problems-1775333-Nov2014/

    This wasn’t a hack apparently but does everyone forget the absolute meltdown at RBS / Ulster Bank?

    Stories of them having to go back to paper ledgers and guess what was in accounts based on payslips etc ..

    The scale of ransomware attacks in the USA is triggering national security concerns: https://www.cnn.com/2021/06/03/tech/ransomware-cyberattack-jbs-colonial-pipeline/index.html

    The HSE happens to probably be one of the most likely systems to be struggling here, but you’d also have to question whether it was targeted because it was assumed that a public health care system in the middle of a pandemic would immediately pay up to make the problem go away?

    Ireland isn’t exactly lacking in ability to find money.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Banks never have issues:

    https://www.thejournal.ie/ulster-bank-fined-over-it-problems-1775333-Nov2014/

    This wasn’t a hack apparently but does everyone forget the absolute meltdown at RBS / Ulster Bank?

    Stories of them having to go back to paper ledgers and guess what was in accounts based on payslips etc ..

    Nobody said they don't have issues and you can find plenty of fines for Banks over the year.
    That was an internal error when upgrading software.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    ineedeuro wrote: »
    RBS/Ulsterbank wasn't a hack. That was someone applying a firmware at the wrong time if I remember correctly.

    I pointed out it wasn’t a hack but it’s an example of a clapped out IT system in the middle of a major piece of financial infrastructure.

    The point I’m making is there are plenty of old systems hanging around running infrastructure like take for example old landline phone networks, often still running on 1990s era systems in many countries and many no longer even have vendor support, where there’s been foot dragging on upgrades by penny pinching telcos as they see the networks as to be replaced by fibre etc

    There are old systems all over the place working away and not being paid attention to as all that matters is quarter to quarter results and keeping overheads or capital expenditure low.

    Costs of new IT are often seen as overheads and if systems work they get kept in service.

    Getting middle and senior managers to understand risks isn’t easy.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    I pointed out it wasn’t a hack but it’s an example of a clapped out IT system in the middle of a major piece of financial infrastructure.

    Sorry I updated answer

    It wasn't a clapped out IT system. It was a mainframe. Every system needs software/firmware updates. The big problem in the HSE is they didn't bother to do them.

    If RBS didn't do firmware upgrades they would be in bigger problems. This was down to human error and nothing else.


  • Registered Users Posts: 678 ✭✭✭Joe Don Dante




  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    ineedeuro wrote: »
    Sorry I updated answer

    It wasn't a clapped out IT system. It was a mainframe. Every system needs software/firmware updates. The big problem in the HSE is they didn't bother to do them.

    If RBS didn't do firmware upgrades they would be in bigger problems. This was down to human error and nothing else.

    Well some of their own former staffers put it down to lack of investment

    https://www.reuters.com/article/uk-rbs-technology-idUKBRE9B10YB20131203

    I’ve seen plenty of examples of people in organisations being unable to even comprehend that say a 15 year old IT system that’s working fine needs urgent attention and is becoming a huge risk.

    The attitude can often be “but we spent €1m on that” and it’s then pointed out, yes we did … in 1997.

    These systems work and often work very well, and the endless patching and upgrading just gets seen as unnecessary spend.

    I mean I know this is going back a long time now, but look at the PPARS debacle. They were planning to spend just €9m to integrate a hugely complex system involving 57 organisations and at least 67,000 direct employees with probably one of the most complex purchasing and payments requirements of any I can think of.

    Then the management, politicians and media spun up total outrage over the ballooning costs.

    The whole thing was unrealistically low budget to begin with, but it sums up an attitude that’s well meaning but misses the point entirely.

    These systems, done right, facilitate enormous cost savings and efficiency, but you can’t do them on shoestring budgets or avoid upgrading them to avoid training costs/disruption or minor inconvenience.

    We’re going to have to get a bit more realistic about the risks, the threats and the actual costs of these systems and also understand their benefits too.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Well some of their own former staffers put it down to lack of investment

    https://www.reuters.com/article/uk-rbs-technology-idUKBRE9B10YB20131203

    The fact a firmware brought the bank down would suggest they didn't have a proper DR/failover. Not that the primary was "clapped out".

    Also not sure what relevance an internal firmware issue has to do with hackers in the HSE? They are completely different issues.

    I am sure you could have found a link with a bank hacked instead which would be somewhat relevant.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Well some of their own former staffers put it down to lack of investment

    https://www.reuters.com/article/uk-rbs-technology-idUKBRE9B10YB20131203

    I’ve seen plenty of examples of people in organisations being unable to even comprehend that say a 15 year old IT system that’s working fine needs urgent attention and is becoming a huge risk.

    The attitude can often be “but we spent €1m on that” and it’s then pointed out, yes we did … in 1997.

    These systems work and often work very well, and the endless patching and upgrading just gets seen as unnecessary spend.

    I mean I know this is going back a long time now, but look at the PPARS debacle. They are planning to spend just €9m to integrate a hugely complex system involving 57 organisations and at least 67,000 direct employees with probably one of the most complex purchasing and payments requirements of any I can think of.

    Then the management, politicians and media spun up total outrage over the ballooning costs.

    The whole thing was unrealistically low budget to begin with.

    If RBS was applying firmware etc that means the system was still in warranty/etc. If they couldn't upgrade the system it would point to them not investing.

    PPARS again has zero relevance to hacking. It would seem you are just picking random projects to use as a reference.
    Strangely enough one of the few systems still up and running is payroll.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    ineedeuro wrote: »
    The fact a firmware brought the bank down would suggest they didn't have a proper DR/failover. Not that the primary was "clapped out".

    Also not sure what relevance an internal firmware issue has to do with hackers in the HSE? They are completely different issues.

    I am sure you could have found a link with a bank hacked instead which would be somewhat relevant.

    My point is that poorly designed or under invested in IT systems can fall over spectacularly with dire consequences for organisations and businesses and the public that depend on them.

    People, including management, politicians and those commenting in media often are very quick to pour scorn on spending in this area, yet will also jump on an organisation that is impacted.

    I picked the example because it’s one that hit Irish customers in the recent past.

    The reality is if we don’t have serious risk audits of key infrastructural IT systems and if we’re unwilling to spend, this isn’t a once in a blue moon incident. It’ll be something else next but it will happen. It’s just inevitable.

    It’s an intangible risk that suddenly becomes very real when it does go catastrophically wrong.

    We’re grossly underestimating the strategic risk too. It’s very unlikely that attack on the HSE wasn’t picked because of the pandemic. Given the attacks on key infrastructure elsewhere, it’s fairly obvious that they saw an opportunity to extort money at a time of serious crisis where a government or organisation might quickly pay up to make it go away quickly.

    The US tends to automatically attribute these things to state actors and cyber warfare, but I think the commentary is often just underestimating the simpler, apolitical motivation of criminals who just want large payments in Bitcoin.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    My point is that poorly designed or under invested in IT systems can fall over spectacularly with dire consequences for organisations and businesses and the public that depend on them.

    People, including management, politicians and those commenting in media often are very quick to pour scorn on spending in this area, yet will also jump on an organisation that is impacted.

    I picked the example because it’s one that hit Irish customers in the recent past.

    The reality is if we don’t have serious risk audits of key infrastructural IT systems and if we’re unwilling to spend, this isn’t a once in a blue moon incident. It’ll be something else next but it will happen. It’s just inevitable.

    It’s an intangible risk that suddenly becomes very real when it does go catastrophically wrong.

    We’re grossly underestimating the strategic risk too. It’s very unlikely that attack on the HSE wasn’t picked because of the pandemic. Given the attacks on key infrastructure elsewhere, it’s fairly obvious that they saw an opportunity to extort money at a time of serious crisis where a government or organisation might quickly pay up to make it go away quickly.

    How do you know the HSE was "picked"? It could have been a random email which was sent out to a private account. Click on, and then the hacker more or less found every door unlocked.

    The problem at the moment I see is the government spend millions on the HSE security, everything is good but they don't bother their ass to patch, 12 months later it is a complete waste of money. If they haven't patched till now what would suggest they will in the future? What is to suggest they even know how to?

    Also the HSE should be aware of what can happen, the main one being the NHS. If they haven't reached out and discussed since WannaCry then that is a failure on the HSE.

    Also no excuse for why they don't know the importance of IT: https://www.dublinlive.ie/news/health/mater-hospital-forced-turn-patients-13462603


  • Registered Users Posts: 1,933 ✭✭✭Anita Blow


    ineedeuro wrote: »
    The poster said that when they log onto the PC everything they need is loaded up for them. That is why it takes 5 mins. They never said anything about then having to log in with a different user id & password. Unless I am reading it incorrectly?

    I meant like files/documents etc. NIMIS/EPR/Lab applications still require their own individual logins after you log in to your desktop account!


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    I don’t know the HSE was picked, but you can certainly surmise based for example on attacks on Spanish hospitals at the height of their crisis, there have been attacks on French hospitals, a NZ health region, multiple US healthcare rather and based on a massive upswing in COVID related phishing attacks etc etc it’s fairly obvious it’s not random.

    They’re opportunists and basically don’t care about the consequences. The pandemic from their point of view is an opportunity. We’re weak. We have money. We got mugged. Simple.

    It’s like parking your shiny BMW in a high crime area, leaving bags of cash in the back seat and thinking it’s completely ok to just not bother locking the doors.


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    ineedeuro wrote: »
    Every system needs software/firmware updates. The big problem in the HSE is they didn't bother to do them.

    Do you have a source for this ?


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    ineedeuro wrote: »
    If RBS was applying firmware etc that means the system was still in warranty/etc. If they couldn't upgrade the system it would point to them not investing.

    PPARS again has zero relevance to hacking. It would seem you are just picking random projects to use as a reference.
    Strangely enough one of the few systems still up and running is payroll.

    Both are relevant.

    The RBS issue shows very clearly the risk of a key system going down.

    And PPARS, while a few years ago, illustrates what happens when a public IT project becomes complex and big budget, and also shows why there could be a sense of huge political scrutiny about making big spend IT decisions across many public bodies.

    The commentary around this area hasn’t just emerged in the last few months.

    Most commentators don’t value IT spending and will look on in horror if there’s a big budget.

    The impression I get is that they’re damned if they do and damned if they don’t.

    We could definitely do with a more developed public IT strategy to ensure we’re getting value for money through scale but, also to ensure we’re not underinvesting too.

    There’s a balance to be struck and it’s often, especially in areas like health, driven by trying to trim costs out of budgets anywhere that can be trimmed.


  • Registered Users Posts: 1,488 ✭✭✭KildareP


    ineedeuro wrote: »
    How do you know the HSE was "picked"? It could have been a random email which was sent out to a private account. Click on, and then the hacker more or less found every door unlocked.

    The problem at the moment I see is the government spend millions on the HSE security, everything is good but they don't bother their ass to patch, 12 months later it is a complete waste of money. If they haven't patched till now what would suggest they will in the future? What is to suggest they even know how to?

    Also the HSE should be aware of what can happen, the main one being the NHS. If they haven't reached out and discussed since WannaCry then that is a failure on the HSE.

    Also no excuse for why they don't know the importance of IT: https://www.dublinlive.ie/news/health/mater-hospital-forced-turn-patients-13462603

    While I agree on your first point that this may well have been an opportunistic attack that has managed to strike it gold, on your later point:

    (1) How do you know they didn't patch their systems? They paid Microsoft to continue to provide security updates for Windows 7. If they don't patch their systems they needn't have bothered.

    (2) This particular attack is reported to have been a zero-day exploit so even a 100% patched system would have been just as susceptible to the attack as a completely unpatched one.


  • Registered Users Posts: 3,396 ✭✭✭davetherave


    ineedeuro wrote: »
    . They never said anything about then having to log in with a different user id & password. Unless I am reading it incorrectly?

    That's exactly what they did say.

    Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    ineedeuro wrote: »
    The poster said that when they log onto the PC everything they need is loaded up for them. That is why it takes 5 mins. They never said anything about then having to log in with a different user id & password. Unless I am reading it incorrectly?

    Try reading it again:
    Anita Blow wrote: »
    Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Hibernicis wrote: »
    Try reading it again:
    That's exactly what they did say.

    Computers have a generic login which has no user privileges, no documents/data saved or external drive access on those generic accounts in clinic rooms or open areas. It just provides access to online labs/radiology/EPR all of which require an individual username/password.

    If you read the post it is talking about two completely different things. The first is a user logging in which based on information provided afterward doesn't actually log them into other systems. So they are not using SSO and I wonder why it takes 5 mins to load.

    The bit you quoted is about them not logging into the system at all. The computer just has a generic login.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    KildareP wrote: »
    While I agree on your first point that this may well have been an opportunistic attack that has managed to strike it gold, on your later point:

    (1) How do you know they didn't patch their systems? They paid Microsoft to continue to provide security updates for Windows 7. If they don't patch their systems they needn't have bothered.

    (2) This particular attack is reported to have been a zero-day exploit so even a 100% patched system would have been just as susceptible to the attack as a completely unpatched one.

    Plenty of people and experts have mentioned lack of patching.

    Ok, if it was a zero day how did the HSA stop it? I found at least one international media questioning if it was a zero day. It was linked earlier in thread.

    If you have a zero day why just hit the HSE? Why not take down loads of people and get loads of money like WannaCry? Unless everyone else stopped it.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    There are also some very specific issues in healthcare too where you’ve IT systems associated with specific equipment. Some of that just isn’t being adequately supported by vendors.

    A lot of that needs to be dealt with at a global level in terms of eHealth security standards.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    There are also some very specific issues in healthcare too where you’ve IT systems associated with specific equipment. Some of that just isn’t being adequately supported by vendors.

    A lot of that needs to be dealt with at a global level in terms of eHealth security standards.

    The easiest thing to deal with on a global level is the level of sanctions available and actually useable against these bad actors and/or the states that don't go after them as they should.

    This is a cyber terrorism event in every sense of the term and as we have seen has brought a nation's health service to its knees. The people that carry out these attacks SHOULD be in fear of their freedom if they are caught but this isn't the case.

    Other nations should (and I hope have been) looking at this incident and other recent ones and be rightfully in fear of what could happen to them - there should be a global response available in situations such as this.


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Easier said than done.

    In some cases you’re talking about very powerful states and it’s water off a duck's back, in others - the likes of North Korea being the main example, sanctions would be almost totally meaningless as it has no normal trade or diplomatic relationships with anyone.

    Then you’ve a load of countries that may not be even capable of dealing with cyber crime and it may not be something that’s state driven.

    If it were easy it would be done by now.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Easier said than done.

    In some cases you’re talking about very powerful states and it’s water off a duck's back, in others - the likes of North Korea being the main example, sanctions would be almost totally meaningless as it has no normal trade or diplomatic relationships with anyone.

    Then you’ve a load of countries that may not be even capable of dealing with cyber crime and it may not be something that’s state driven.

    If it were easy it would be done by now.

    As would completely secure systems.........


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    kippy wrote: »
    As would completely secure systems.........

    There is no such thing. It’s an ongoing battle in most systems. They can be best efforts though.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    As would completely secure systems.........

    Nobody can get a completely secure system. But what they can do is not leave the door open with no idea who is coming in or out of it


  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    I’m a bit concerned that this is looking like what happened in Finland:

    Strange emails targeting individuals:

    https://www.rte.ie/news/ireland/2021/0604/1226034-cyber-attack-tusla/

    Finland - hack and extortion targeting clients of mental health services:
    https://www.theguardian.com/world/2020/oct/26/tens-of-thousands-psychotherapy-records-hacked-in-finland

    It’s about as low as a hacker could possibly go and absolutely horrible, but I suspect that’s the kind of people you’re dealing with.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Nobody can get a completely secure system. But what they can do is not leave the door open with no idea who is coming in or out of it

    Again, if the HSE were THAT leaky, wouldn't you think they'd have succumbed years ago?


    These organisations are the subject of multiple attack vectors daily, more than most private sector organisations would deal with.
    The bad actors need to get lucky once - the organisation needs to do it all the time - which isn't possible.

    Again, there should be more done to punish those responsible - it is only a matter of time before another life or death act of cyber terrorism takes place.

