Ransomware & HSE

Corruptedmorals

kathleen37 wrote: »

Yes. This is the real issue. Horrific impact on patients.

Yes. Potentially the worst affected are the children's hospitals...they are what, 2-3 weeks at least if not the whole time with all outpatient clinics and non-emergency surgeries cancelled with some clinics like oncology and fracture clinics working normally. That's an absolute nightmare for services recovering from the second wave of covid.

My hospital is still in the dark. Most major hospitals do have some systems..they are more independent of the HSE and therefore not as impacted. We have nothing except for 2 workarounds that can give us a chart number and address and another that shows patients booked before 14th May. This enables us to keep running clinics but my god it is appalling to work solely on paper. Soul destroying.

AndrewJRenko

Dempo1 wrote: »

I'm no IT expert but I've felt from the outset this attack far far worse than being let on about.

They were absolutely clear from the outset that this attack was hugely damaging right across all HSE and hospital systems. What did they not 'let on about'?

ineedeuro wrote: »

No, the system for the vaccinations is not run by the HSE.

Wrong.

SPDUB

Dempo1 wrote: »

.. I'm required to get specific blood tests done in advance and due to cyber attack, my GP can not do and send bloods for analysis, nor can the Hospital were endocrinologist based do bloods for analysis. Thankfully I'm certainly not critical but blood work seriously important and must be having a serious impact on patient's with more serious illnesses than I.

That seems to be an issue with individual GP's and hospital .

I know someone who had bloods taken by a GP and sent to the usual testing site ( which as I understand is one of the major hospitals in Dublin ) within the last 2 weeks .

Other than being told the results wouldn't be quite as fast coming back there wasn't a major issue getting the tests done

skimpydoo

I saw earlier on the news that the HSE has said they have installed the key into 30% of all their I.T. systems and that it is painstakingly slow. God knows when things will be back to normal.

crazy 88

HSE may have to replace 30,000 laptops as a result of cyber attack https://jrnl.ie/5463583

This makes no sense. Why don't they just format/wipe the drives and reinstall the OS on the 30,000 laptops

riclad

Maybe the laptops are a few years old, running Windows 7,
Its cheaper to buy new windows 10 laptops, have everyone trained to use Windows 10
Windows 10 is more secure and easier to support in future
Rather than upgrading them in a few years
I hope they erase the drives and maybe give the laptops to charity if it's safe to do so
Rather than throwing 1000s of laptops in a skip
They said all pcs were switched off and they were going to
a process of checking all them for malware
obviously isolated from all networks
and gradually restoring backup data
I hope their security and backup procedures are improved
to prevent another hack in the future

mrjoneill

riclad wrote: »

Maybe the laptops are a few years old, running Windows 7,
Its cheaper to buy new windows 10 laptops, have everyone trained to use Windows 10
Windows 10 is more secure and easier to support in future
Rather than upgrading them in a few years
I hope they erase the drives and maybe give the laptops to charity if it's safe to do so
Rather than throwing 1000s of laptops in a skip
They said all pcs were switched off and they were going to
a process of checking all them for malware
obviously isolated from all networks
and gradually restoring backup data
I hope their security and backup procedures are improved
to prevent another hack in the future

Not as easy as that, data recovery software can recover files on HDD that have been repeatedly formatted.

Can they not just get MacGyver in to sort this mess?

Cuddlesworth

mrjoneill wrote: »

Not as easy as that, data recovery software can recover files on HDD that have been repeatedly formatted.

You can recover drives with multiple full format wipes?

cadaliac

Hotblack Desiato wrote: »

Talk of a media blackout is laughably paranoid and delusional

What do you expect them to be reporting on, exactly?



The media haven't got a clue about technology and the public don't care. It's not as if HSE waiting lists weren't there already... everyone knows this and nobody really cares as long as their taxes don't go up and they're not personally affected.




.

I don't expect them to be holding front news about it - perhaps media blackout was the wrong term to use.

People could die from this. They will not report that.

ineedeuro

Hotblack Desiato wrote: »

Talk of a media blackout is laughably paranoid and delusional

What do you expect them to be reporting on, exactly?

"Day 29, as thousands continue to battle the IT meltdown, here's Bridie from Ballymote talking about her bunions"

The media haven't got a clue about technology and the public don't care. It's not as if HSE waiting lists weren't there already... everyone knows this and nobody really cares as long as their taxes don't go up and they're not personally affected.




Can people stop going on and on about Windows 7?

It was publicly announced when it went out of mainstream support that the HSE were buying extended support.

RTE ran a news story about knocking down a power station in the UK yesterday, I would think some updates on the HSE system still not operational was more important than a power station falling over? Do you not think?

Also as I pointed out they ran a story on ransomware, in the middle of story had link and discussion about the US attack. Not a single word in story about HSE.

ineedeuro

mrjoneill wrote: »

Not as easy as that, data recovery software can recover files on HDD that have been repeatedly formatted.

Are you saying the hackers are going to be able to get access back into the HSE network, back onto the devices agains. Use complex data recovery software on those laptops to recover deleted files, then find the correct files for the ransomware, recover it and reactivate it?

Would you not think if they can get back onto the laptop in the first place why wouldn't they just put new ransomware onto it? without the bother of trying to recover the files from a formatted HDD?

crazy 88 wrote: »

HSE may have to replace 30,000 laptops as a result of cyber attack https://jrnl.ie/5463583

This makes no sense. Why don't they just format/wipe the drives and reinstall the OS on the 30,000 laptops

HSE I expect has an unlimited budget to fix the problem. Looks better now if they replace as much as possible, then blame the older equipment. of course all of this is done outside the standard tender process so no fully expect the HSE to pay twice the normal price of a laptop.

ineedeuro

ineedeuro wrote: »

Are you saying the hackers are going to be able to get access back into the HSE network, back onto the devices agains. Use complex data recovery software on those laptops to recover deleted files, then find the correct files for the ransomware, recover it and reactivate it?

Would you not think if they can get back onto the laptop in the first place why wouldn't they just put new ransomware onto it? without the bother of trying to recover the files from a formatted HDD?



HSE I expect has an unlimited budget to fix the problem. Looks better now if they replace as much as possible, then blame the older equipment. of course all of this is done outside the standard tender process so no fully expect the HSE to pay twice the normal price of a laptop.

Where did you hear that the new laptops will be purchased outside the normal tender process and cost twice the normal price?

crazy 88

riclad wrote: »

Maybe the laptops are a few years old, running Windows 7,

If that's the case they should just come out and say it and then explain why they had such a vast of amount of IT equipment using an outdated and insecure operating system. Paul Reid is implying that 30,000 laptops are permanently unusable because of the hack and for no other reason, which makes no sense.

ineedeuro

crazy 88 wrote: »

If that's the case they should just come out and say it and then explain why they had such a vast of amount of IT equipment using an outdated and insecure operating system. Paul Reid is implying that 30,000 laptops are permanently unusable because of the hack and for no other reason, which makes no sense.

Majority of the public will believe this is true and not ask any questions. Hence why he is putting it out like that.

mandrake04

There is a light wrote: »

Can they not just get MacGyver in to sort this mess?

Penknife and paperclip?

is_that_so

crazy 88 wrote: »

If that's the case they should just come out and say it and then explain why they had such a vast of amount of IT equipment using an outdated and insecure operating system. Paul Reid is implying that 30,000 laptops are permanently unusable because of the hack and for no other reason, which makes no sense.

More likely, as some HSE employees pointed out to me, they are using this opportunity and the cash to replace a whole pile of them that should be junked anyway. The ransomware attack is a convenient explanation. The last thing they want to do is say how many Windows 7 machines they still have and I believe they have a "few".

mandrake04

I'm not surprised this hasn't been sorted by now, its typical. I used to work in medical diagnostics in Ireland back in the early noughties and things were always done on the cheap or half arsed its just the way things are. I remember a hosp lab over in the west of Ireland obtaining a piece of equipment it looked a real piece of crap, turns out when I contacted an ex colleague over in the UK it was a freebie out of the NHS skip and he thought it went to a developing country like India or Africa.

ineedeuro

is_that_so wrote: »

More likely, as some HSE employees pointed out to me, they are using this opportunity and the cash to replace a whole pile of them that should be junked anyway. The ransomware attack is a convenient explanation. The last thing they want to do is say how many Windows 7 machines they still have and I believe they have a "few".

As I said, the HSE have an open book now. Expect all sort of equipment getting replaced under the "ransomware" budget.

The problem I see is, ok they roll out 30k new laptops, but if they had issues with patching prior to the attack have they fixed the issue around the patching. It doesn't matter if you have 30k new laptops and the first vulnerability comes out and they have no way to mass roll out a patch. Just an expensive laptop to hack instead of a piece of "junk" to hack. It does mean the hackers will be able to roll out faster with the new devices :-)

Edit: will bold a certain word for some of our posters.

ineedeuro

ineedeuro wrote: »

As I said, the HSE have an open book now. Expect all sort of equipment getting replaced under the "ransomware" budget.

The problem I see is, ok they roll out 30k new laptops, but if they had issues with patching prior to the attack have they fixed the issue around the patching. It doesn't matter if you have 30k new laptops and the first vulnerability comes out and they have no way to mass roll out a patch. Just an expensive laptop to hack instead of a piece of "junk" to hack. It does mean the hackers will be able to roll out faster with the new devices :-)

How do you know that they don't have a way to manage patch roll out?

Is it the same way you know that the laptops are being purchased without going through the normal tender process and will cost twice as much as normal?

crazy 88

is_that_so wrote: »

More likely, as some HSE employees pointed out to me, they are using this opportunity and the cash to replace a whole pile of them that should be junked anyway. The ransomware attack is a convenient explanation. The last thing they want to do is say how many Windows 7 machines they still have and I believe they have a "few".

That's the point I'm making. They shoud be upfront about the reason and explain why the junk was left in place for so many years.

ineedeuro

crazy 88 wrote: »

That's the point I'm making. They shoud be upfront about the reason and explain why the junk was left in place for so many years.

How do you know it is junk? they have according to this thread extended support. At the moment a quick google and 1.5billion windows 7 still in operation.

These laptops could be for staff who are running Outlook, spreadsheet and a Word document. Hardly need the latest and greatest laptop.

crazy 88

ineedeuro wrote: »

How do you know it is junk? they have according to this thread extended support. At the moment a quick google and 1.5billion windows 7 still in operation.

These laptops could be for staff who are running Outlook, spreadsheet and a Word document. Hardly need the latest and greatest laptop.

Did you read the previous comments?
https://jrnl.ie/5463583

carveone

ineedeuro wrote: »

HSE I expect has an unlimited budget to fix the problem. Looks better now if they replace as much as possible, then blame the older equipment. of course all of this is done outside the standard tender process so no fully expect the HSE to pay twice the normal price of a laptop.

Well put

If the politicians/media have got it into their heads that Windows 7 was the issue, as opposed to something else, and have got it in their heads that piles-of-money might fix that, then might as well leverage that to get a pile of new equipment. And at "inflated due to Covid supply problems" prices - prices of all new tech hardware is higher than normal at the moment. Same with cars, timber, steel, microcontrollers etc.

(I'm sure this has been done to death earlier in the thread but I found it irksome that the media decided that Win7 was "unsupported" because support for non-enterprise ended in Jan 2020. As ineedeuro points out, support for enterprise continues. Most recent security patches was June 8 2021. Just wanted to point out how recent the patches are for W7 - I mean "2 days ago" doesn't strike me as "ancient and out of support" ).

carveone

DubInMeath wrote: »

How do you know that they don't have a way to manage patch roll out?

He did say "if" which leads me to believe that the hope/assumption is they do. In my own experience, it doesn't prevent managers from sauntering in with a Windows 10 laptop with malware dripping out the usb ports. Although in my opinion the public sector has strict processes in place for this type of thing.

Of course, it's more than Windows. All the VPN, firewall, router hardware needs to be checked all the time and, these days, very quickly.

And I'd say there is plenty of stand alone hardware running things like Windows XP. If I saw, say, a radiotherapy machine running XP, you couldn't pay me enough to go anywhere near something that can kill people if messed with.

I'd be quite interested in a post-analysis of the HSE attack. It's probably similar to others that Sophos has documented - initial breach, elevate privilege, drop cobolt strike, move around until you get to the domain controllers.

I've been following the twitter feed of "SwiftOnSecurity" for a while now and it's just 24/7 attacks and probes. The newspapers says things like "social welfare was probed in May". Nonsense. My brother tells me it's all the time from everywhere.

carveone

carveone wrote: »

He did say "if" which leads me to believe that the hope/assumption is they do. In my own experience, it doesn't prevent managers from sauntering in with a Windows 10 laptop with malware dripping out the usb ports. Although in my opinion the public sector has strict processes in place for this type of thing.

Of course, it's more than Windows. All the VPN, firewall, router hardware needs to be checked all the time and, these days, very quickly.

And I'd say there is plenty of stand alone hardware running things like Windows XP. If I saw, say, a radiotherapy machine running XP, you couldn't pay me enough to go anywhere near something that can kill people if messed with.

I'd be quite interested in a post-analysis of the HSE attack. It's probably similar to others that Sophos has documented - initial breach, elevate privilege, drop cobolt strike, move around until you get to the domain controllers.

I've been following the twitter feed of "SwiftOnSecurity" for a while now and it's just 24/7 attacks and probes. The newspapers says things like "social welfare was probed in May". Nonsense. My brother tells me it's all the time from everywhere.

Same as most CS and PS departments.

The post analysis will be interesting. I'd imagine that the two way trusts that they had in place lead to the spread that was seen. But until I've seen the report I'm only going by what I've seen possible in previous breaches like this.

AndrewJRenko

Wombatman wrote: »

How about they spend enough and do it right? Yes it's going to be a massive, massive challenge, but if it needs to be done it needs to be done. How about starting with opportunities and enablers instead of firing out a list of potential difficulties?

Fully agree, though the money has to come from somewhere. And when HSE cut back on disability services or mental health services or cardiac services to fund this, you'll have the usual suspects here banging their drums to make a fuss.

ineedeuro wrote: »

RTE ran a news story about knocking down a power station in the UK yesterday, I would think some updates on the HSE system still not operational was more important than a power station falling over? Do you not think?

Also as I pointed out they ran a story on ransomware, in the middle of story had link and discussion about the US attack. Not a single word in story about HSE.

Do you know what the 'new' in 'news' means? It means it is new. You don't report week old news, if there is no news to report. That's how news works, the world over.

ineedeuro

DubInMeath wrote: »

Same as most CS and PS departments.

The post analysis will be interesting. I'd imagine that the two way trusts that they had in place lead to the spread that was seen. But until I've seen the report I'm only going by what I've seen possible in previous breaches like this.

This post would suggest you have worked on previous breeches of similar size? any we know of?

ineedeuro

ineedeuro wrote: »

This post would suggest you have worked on previous breeches of similar size? any we know of?

Sure as soon as you can provide answers to my previous questions.

ineedeuro

AndrewJRenko wrote: »

Do you know what the 'new' in 'news' means? It means it is new. You don't report week old news, if there is no news to report. That's how news works, the world over.

Did you read the post?
In the article about the ransomeware attack they made a reference and link to the ransomware attack in the US, nothing about the HSE.

The US attack was older than the HSE one. So if "new" and "news" the HSE is more relevant would you not think?