Ransomware & HSE

Alexa111

Didn't this happen to the HSE about 3 years ago? I wonder what lessons they learned from it?

kippy

Alexa111 wrote: »

Didn't this happen to the HSE about 3 years ago? I wonder what lessons they learned from it?

NHS got caught 3 years ago.
Didnt think the HSE did at the time but could be wrong.

Hotblack Desiato

Gregor Samsa wrote: »

Emsisoft themselves say their tool (the one the HSE is using), does about 180GB an hour on mechanical disks. At a rough calculation, if 700TB of data was stolen, and we assume that much was encrypted, it would therefore take 3,982 hours to decrypt it which is 165 days.

This is nonsensical, there are thousands of servers in the HSE so the decryption process is massively parallelized

JP Liz V1

https://www.irishexaminer.com/news/munster/arid-40305392.html

Cancer Patients Suffer

Corruptedmorals

It's desperate at this point. Cancer patients are getting their appointments and care same as usual although I'm sure scans are delayed. It's the less important things that are building...charts in storage can't be retrieved so they are all being cancelled. New patients with no MRN or a 'fake' one being generated. Making appointments manually is a complete and utter nightmare by hand. Not being able to see beyond a few days away and having clinics run out of patients and needing to be filled manually also...it is a horrorshow. We are managing but the strain and backlog is just ridiculous.

ineedeuro

kippy wrote: »

Again, if the HSE were THAT leaky, wouldn't you think they'd have succumbed years ago?


These organisations are the subject of multiple attack vectors daily, more than most private sector organisations would deal with.
The bad actors need to get lucky once - the organisation needs to do it all the time - which isn't possible.

Again, there should be more done to punish those responsible - it is only a matter of time before another life or death act of cyber terrorism takes place.

So you are saying HSE are attacked more daily than BOI/AIB/PTSB & PP?

If that was true. Even if the hackers got past the initial defence why did they roam around for weeks without anyone knowing they had access? how did they jump from HSE and around all the hospitals without a single warning?
Also how was it so easy for the HSA to identify it? why haven't we seen other companies hit by this "zero day" attack?

None of that adds up does it?

Yes the hackers should be punished but the HSE has to answer some questions.

ineedeuro

ineedeuro wrote: »

So you are saying HSE are attacked more daily than BOI/AIB/PTSB & PP?

If that was true. Even if the hackers got past the initial defence why did they roam around for weeks without anyone knowing they had access? how did they jump from HSE and around all the hospitals without a single warning?
Also how was it so easy for the HSA to identify it? why haven't we seen other companies hit by this "zero day" attack?

None of that adds up does it?

Yes the hackers should be punished but the HSE has to answer some questions.

Look up two way trust

Lewis_Benson

kippy wrote: »

Noone to blame only themselves?
Really?
You don't blame those that actually infiltrated the network or carried out the crime?

Not condoning the second part of your post mind, that's one of the challenges security has in large scale and complex environments but that does not absolve the perpetrators of the majority of blame.

Of course the perpetrators have blame.
But the HSE need to take some responsibility for their lack of security.

ineedeuro

Lewis_Benson wrote: »

Of course the perpetrators have blame.
But the HSE need to take some responsibility for their lack of security.

Seemingly not if you listen to people here. People that are hired and paid by the HSE to provide Cyber Security don't have to do their job, they have zero accountability.

VelaSupernova

How about the user who clicked on the link then to start this attack, using your logic they should be held accountable too.

Wombatman

VelaSupernova wrote: »

How about the user who clicked on the link then to start this attack, using your logic they should be held accountable too.

Determined hackers and feckless users are always going to be part of the equation.

The only variable is the cybersecurity capability of an organization. Some posters don't appear to get this.

Like locking up a group of hackers = no hackers ever again. Pure nonsense.

In this case, for whatever reason, the HSE failed in their duty to protect their IT systems and data. This is a fact, not a matter of opinion.

The cause of the failure and level of negligence is unknown at this point.

BattleCorp

"There are only two types of companies: those that have been hacked, and those that will be."

Robert Mueller - FBI Director, 2012.

kathleen37

Wombatman wrote: »

Determined hackers and feckless users are always going to be part of the equation.

The only variable is the cybersecurity capability of an organization. Some posters don't appear to get this.

Like locking up a group of hackers = no hackers ever again. Pure nonsense.

In this case, for whatever reason, the HSE failed in their duty to protect their IT systems and data. This is a fact, not a matter of opinion.

The cause of the failure and level of negligence is unknown at this point.

All of this.

The most basic role of any IT department is to keep it's systems and data safe. And to have a contingency plan.

Shame on the heads of department for seemingly having no recovery plan in place. I really feel for the folk on the ground having to deal with this nightmare. I can't believe it wouldn't have been quicker to scrap everything and rebuild/reimage and then restore from backup. (if there are any backups...)

swampgas

kathleen37 wrote: »

All of this.

The most basic role of any IT department is to keep it's systems and data safe. And to have a contingency plan.

Shame on the heads of department for allowing this to happen and having no recovery plan in place for when it did. I really feel for the folk on the ground having to deal with this nightmare.

“Security is always seen as too much until the day it’s not enough.” -- William H. Webster, former FBI Director.

To be fair, we simply don't have the facts yet to be passing judgement. It's extremely unlikely that the HSE had no recovery plans nor contingency plans. Those plans may not have been sufficient, but after any disaster like this lessons get learnt.

IT departments have finite budgets and staff, and it's often the case that those resources are far below what's needed. Risk is hard to measure. There are many demands on an IT budget, and cyber security is only one element (a critical element of course) competing for attention. There may well be incompetence and negligence, but that's not a given, and jumping to condemn the IT teams before the facts emerge is unfair to those involved.

ixoy

kathleen37 wrote: »

The most basic role of any IT department is to keep it's systems and data safe. And to have a contingency plan.

There is nothing basic about IT system security these days unfortunately. Take a look here for example about an exploit in the wild that also details many other exploits from this year. Keeping on top if it is a challenge and then there's active exploits in code libraries, etc. That's why other big organisations have got caught up in ransomware.

I can't believe it wouldn't have been quicker to scrap everything and rebuild/reimage and then restore from backup. (if there are any backups...)

It's still unclear about backups. If you restore, what backup do you restore - one from a week ago, where the ransomware is still lurking? Do you run that risk? Or try and purge completely - which is what they seem to be doing, re-building from the ground up.

Obviously, the HSE systems and set up are far from the best which is likely due to a lack of investment but it's also not as simple as "restore" or "put it in the cloud" or "windows 7!!" as some (not saying you) seem to think.

If nothing else from this, government organisations will hopefully treat IT, and IT security, as something they need to invest in even if it means cuts elsewhere or more borrowing.

ineedeuro

ixoy wrote: »

There is nothing basic about IT system security these days unfortunately. Take a look here for example about an exploit in the wild that also details many other exploits from this year. Keeping on top if it is a challenge and then there's active exploits in code libraries, etc. That's why other big organisations have got caught up in ransomware.


It's still unclear about backups. If you restore, what backup do you restore - one from a week ago, where the ransomware is still lurking? Do you run that risk? Or try and purge completely - which is what they seem to be doing, re-building from the ground up.

Obviously, the HSE systems and set up are far from the best which is likely due to a lack of investment but it's also not as simple as "restore" or "put it in the cloud" or "windows 7!!" as some (not saying you) seem to think.

If nothing else from this, government organisations will hopefully treat IT, and IT security, as something they need to invest in even if it means cuts elsewhere or more borrowing.

The "lack of investment" line is coming from who/where? has anything been provided to back that up?

cadaliac

This thread should be renamed to the "HSE conjecture" thread.

The amount of people starting the reply's with "I think" or "I Believe" or " I heard"

FFS, illusions and guesswork is strong here.

mrjoneill

kathleen37 wrote: »

All of this.

The most basic role of any IT department is to keep it's systems and data safe. And to have a contingency plan.

Shame on the heads of department for seemingly having no recovery plan in place. I really feel for the folk on the ground having to deal with this nightmare. I can't believe it wouldn't have been quicker to scrap everything and rebuild/reimage and then restore from backup. (if there are any backups...)

I would imagine what was the most important function of an IT dep was to keep its system up and running and functional. Backup sys were seen to be for restoring a systems failure than a systems hacking. I imagine a new component has been added to it that of security. While banks and financial institutions have been foremost in this in minding their moneys from being stolen the systematic hacking and corruption of company data for ransom demands now adds a new more important dimension to designing and managing an IT sys.

ineedeuro

ineedeuro wrote: »

The "lack of investment" line is coming from who/where? has anything been provided to back that up?

https://www.irishtimes.com/news/politics/investment-in-national-cybersecurity-centre-less-than-14m-over-10-years-1.4568764

Have you one for your claim that the majority of hospitals world wide are using SSO?
What content are they using SSO?

Given the main private enterprise development company that writes and supplies the majority of general health related software in Ireland doesn't use it as a form of authentication, how are hospitals, pharmacies and gps supposed to use SSO?
SSO is actually very easy to bypass by the way and it's use can be very beneficial to a hacker.

ineedeuro

cadaliac wrote: »

This thread should be renamed to the "HSE conjecture" thread.

The amount of people starting the reply's with "I think" or "I Believe" or " I heard"

FFS, illusions and guesswork is strong here.

Well the line is “HSE has lack of investment but nobody knows”
Then it was “they can’t hire anyone in security” but no jobs available in the HSE

The problem the HSE has is that other government department stopped this and they didn’t so that means it wasn’t a zero day and why could another “under funded” government department stop it yet the HSE couldn’t?

The lack of information of answers from the HSE, how quickly the government got RTÉ etc to push the story off the main news is telling it own story.

swampgas

ineedeuro wrote: »

Well the line is “HSE has lack of investment but nobody knows”
Then it was “they can’t hire anyone in security” but no jobs available in the HSE

The problem the HSE has is that other government department stopped this and they didn’t so that means it wasn’t a zero day and why could another “under funded” government department stop it yet the HSE couldn’t?

The lack of information of answers from the HSE, how quickly the government got RTÉ etc to push the story off the main news is telling it own story.

It sounds like you've already made your mind up - and a lack of data isn't going to stop you assuming the worst of the people involved. Your dislike of anything public sector seems to be colouring your judgement.

ineedeuro

swampgas wrote: »

It sounds like you've already made your mind up - and a lack of data isn't going to stop you assuming the worst of the people involved. Your dislike of anything public sector seems to be colouring your judgement.

I haven’t made up my mind. I want questions answered, not shoved under the carpet till next time which seems to be the motto of a few

Again I have no problem with public sector. I just know what goes on in it, the “it’s not what you know, it’s who you know” is rife and normally the reason why we have problems like this

It seems a lot of people just want to accept incompetent in government department and if anyone questions it they become the target, not the people who made the mistake

What is the problem with asking questions and looking for answers? Do you think the government or HSE have provided any proper answers yet?

swampgas

ineedeuro wrote: »

I haven’t made up my mind. I want questions answered, not shoved under the carpet till next time which seems to be the motto of a few

Again I have no problem with public sector. I just know what goes on in it, the “it’s not what you know, it’s who you know” is rife and normally the reason why we have problems like this

It seems a lot of people just want to accept incompetent in government department and if anyone questions it they become the target, not the people who made the mistake

What is the problem with asking questions and looking for answers? Do you think the government or HSE have provided any proper answers yet?

I'm assuming the priority is to get the HSE up and running first, then look at drawing up a comprehensive report, and reporting that back to the government in due course. I don't assume that a lack of reporting at this point must mean that things are being swept under the carpet.

And, IMO, it's not just about "the people who made the mistake" - that seems simplistic to me. This is about more than any one person. There are systemic issues that have developed over decades in the HSE, and the way IT is handled will be part of that.

Sometimes it takes a crisis for an organisation to understand where changes need to be made.

ineedeuro

swampgas wrote: »

I'm assuming the priority is to get the HSE up and running first, then look at drawing up a comprehensive report, and reporting that back to the government in due course. I don't assume that a lack of reporting at this point must mean that things are being swept under the carpet.

And, IMO, it's not just about "the people who made the mistake" - that seems simplistic to me. This is about more than any one person. There are systemic issues that have developed over decades in the HSE, and the way IT is handled will be part of that.

Sometimes it takes a crisis for an organisation to understand where changes need to be made.

The HSE should have a security assessment which is reviewed if not annually then close to it, it should have a security rating, what other similar organisations have as their rating, if they are low on rating the projects they have to do to get to the rating

This should be a live document and if project are closed down and not done then reason why, so they know the gaps and why they are not at it . No sogn this exists?

If it wasn’t been swept under the carpet then why has zero info come out? It took a week for them to admit the patient files was floating around the web

swampgas

ineedeuro wrote: »

The HSE should have a security assessment which is reviewed if not annually then close to it, it should have a security rating, what other similar organisations have as their rating, if they are low on rating the projects they have to do to get to the rating

This should be a live document and if project are closed down and not done then reason why, so they know the gaps and why they are not at it . No sogn this exists?

If it wasn’t been swept under the carpet then why has zero info come out? It took a week for them to admit the patient files was floating around the web

Have you considered that making your own security assessment public might not be a good idea? We (the general public) are not getting to see what's happening behind the scenes right now. It's going to be a while before (and if) we get the details of what happened.

ineedeuro

swampgas wrote: »

Have you considered that making your own security assessment public might not be a good idea? We (the general public) are not getting to see what's happening behind the scenes right now. It's going to be a while before (and if) we get the details of what happened.

As I said, you might accept it but some people won't.
I can tell you waht will happen if you wait, nothing. It will be swept away and we will get told a review will be done and then it will never arrive. Standard practise in Ireland and loads of people just accept that. It's crazy. But people are changing and this can only be good.

We cannot continue to accept incompetence and give people a round of applause for doing it.

swampgas

ineedeuro wrote: »

As I said, you might accept it but some people won't.
I can tell you waht will happen if you wait, nothing. It will be swept away and we will get told a review will be done and then it will never arrive. Standard practise in Ireland and loads of people just accept that. It's crazy. But people are changing and this can only be good.

We cannot continue to accept incompetence and give people a round of applause for doing it.

What's your priority here? To have a functional HSE with better IT security? Or to "punish" all the people you assume are incompetent working in the HSE, who you suspect got their jobs through corrupt practices? Because it's starting to sound like the latter.

I'm not ignoring anything, or accepting anything. But as a guy in his 50's who has worked for multiple huge organisations, maybe I'm just realistic about how long it takes for reports like this to be produced, and who has some idea how difficult it is to make major structural changes to IT systems.

ineedeuro

swampgas wrote: »

What's your priority here? To have a functional HSE with better IT security? Or to "punish" all the people you assume are incompetent working in the HSE, who you suspect got their jobs through corrupt practices? Because it's starting to sound like the latter.

I'm not ignoring anything, or accepting anything. But as a guy in his 50's who has worked for multiple huge organisations, maybe I'm just realistic about how long it takes for reports like this to be produced, and who has some idea how difficult it is to make major structural changes to IT systems.

With the companies that are in the HSE do you not think at this stage they will be able to tell the HSE the majority of what happened? we are now with them over 3 weeks on site. These are experts who do this type of work every day of their lives.

This will cost 100m to fix. Do you not think we should ask if the staff in the hSE are competent? do they need retraining? or would you like to spend millions upgrading the system, hand it back to the HSE and hope they know how to use them?

ineedeuro

Anyway we agree to disagree.
As I said people in the past have been more acceptable to just rolling over and not asking questions, for the better of Ireland this is changing now.
Hopefully this doesn't get brushed under the carpet but it already has all the marking for it

swampgas

ineedeuro wrote: »

With the companies that are in the HSE do you not think at this stage they will be able to tell the HSE the majority of what happened? we are now with them over 3 weeks on site.

This will cost 100m to fix. Do you not think we should ask if the staff in the hSE are competent? do they need retraining? or would you like to spend millions upgrading the system, hand it back to the HSE and hope they know how to use them?

Absolutely, those are all excellent questions. However I think it will take some time to answer them. The HSE is huge, there is not one homogenous "staff", or a single "IT system", or a single HSE "IT Team". Three weeks is barely enough time for a decent root cause analysis, given the scope of the IT environments involved. Working out the best way forward is going to take time.