Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
The risk ransomware poses to our healthcare system was highlighted in April 2021 when the Irish Health Service Executive (HSE) was struck by ransomware. This highlighted not only the impact of ransomware but also the consequences of a lack of planning should an event occur.
So, what happened in the HSE breach?
A malicious spreadsheet was downloaded providing the hackers entry to HSE Systems; this went undetected for almost 3 months before the ransomware was activated. The ransomware removed access to patient data, staff expenses, GP data and even passport information.
The recovery process took almost 4 months: the ransomware was triggered on 14th May 2021, and 99% of files were recovered by September 2021.
The ransom was not paid in this instance; however, this did not mitigate the disaster that unfolded as a consequence. Staff were able to keep systems running manually, but coming on top of the COVID-19 pandemic, this avoidable event added pressure and stress to staff. The human impact on patients and staff as a consequence of this attack was significant.
The attackers provided HSE with the decryption key 3 months after their initial attack and 10 days after the ransomware was triggered. This was likely due to the high-profile people they had upset within Ireland; however, we will never know for sure why they had a change of heart.
Why was this so bad?
- Attackers had plenty of time: Detection took up to 3 months, and the third-party security provider was ignored when it highlighted a potential breach, again showing the lack of awareness of the risk.
- Third-party reports were ignored and the response was slow.
- The malware spread widely and with ease: There was no segregation or restrictions on accounts and everything was on the same network, so not only did the hackers have time, they also had easy access.
- Disjointed follow up, unclear roles, inadequate plans and no rehearsal. Recovery was bumpy, with poor plans and no practice.
- People unprepared: Lack of training and awareness surrounding the threat of ransomware as well as the actions that should have been taken following an incident.
How can we mitigate the risk of ransomware?
Hackers will continue to target vulnerable organisations. Having a strong cyber security posture is important to mitigate the risk. Key learnings from the HSE attack are to:
- Reduce the attack surface: Don’t have everything on one server or allow everyone access to everything. Limit the blast radius for unauthorised access and you limit the collateral damage.
- Reduce the attacker’s dwell time: Have detection and alert protocols.
- Limit blast radius for unauthorised access
- Prepare a response and recovery plan: ‘Plan for the worst and hope for the best’ is how the saying goes, and that rings true here.
- Ensure accounts that don’t need access don’t have access: It sounds simple and it is simple. You wouldn’t give a stranger a key to your house, so why would you give staff access to a door they don’t need to open?
- Network segregation: The HSE attack showed us how easy it was for the hackers to take down almost every system. This was because it all sat within one network; a big lesson learnt here is to not do this!
- Plan for recovery at scale: Know exactly who will do what should an attack or breach occur. Your business has fire drills and first aid training, so why wouldn’t you plan for a cyber attack too?
- Training and awareness: A large part of the HSE attack was the lack of training for staff. Prevention is better than a cure, and helping to educate your staff around the risks will help to prevent potential breaches.
What does the HSE Attack tell us?
Although reducing patient waiting times or increasing the number of patients seen per day might seem more important, information security is the backbone of our day-to-day lives. Without proper plans in place, there can be a huge detriment to how organisations function.
The HSE attack should highlight, not only to healthcare organisations but to all organisations, the importance of having a strong security posture as well as what makes it up. Having plans in place, providing staff with training, rehearsing and being prepared are all steps to improve your security posture and limit the opportunity for hackers.
One of the key takeaways from this attack is that the third-party security provider had indicated a possible issue, and this was deemed too small to worry about. It is a people issue in this instance.
The right people need to be aware of the threats and also be a part of the conversation, so that when an attack occurs the right people are in the room to help mitigate the fallout. Cyber security is becoming less of an IT person’s issue and more of an operational one. Ask yourself: how would my business cope without its technological infrastructure?
Fundamentally, HSE taught us that the days of ‘it won’t happen to us’ are no longer relevant when you look at the current threat landscape. When organisations are responsible for a human element, their number one priority should be to protect that.
In today’s society your first defence is your cyber security posture.
How can CyberCrowd help?
CyberCrowd are subject matter experts when it comes to planning for worst-case scenarios and assisting organisations in mitigating the risk of an attack.
Working with our experts provides you with the opportunity to plan and walk through the events of an attack to find the best solution for you and your team should the worst happen.
If you would like to learn more about how we can help or the services we offer, please Contact Us.