After the Cyber Attack is Over

How to describe the last two years – a time of, if not fully black, at least grey swans.  A global pandemic followed by a Cyber Attack – certainly not in the 2019-2021 plan.  If you google quotes on the unexpected, one of the top hits will be, “The best things happen unexpectedly”, followed by “There is some sort of magic in the unexpected”.  Well I would have to say ..  not always!!

The Health Service Executive, having weathered the storm which was COVID-19 was “unexpectedly” subject to a significant Cyber-attack which culminated on May the 14th with significant corruption of the IT estate.   I say “unexpectedly”, but organisations should always expect Cyber Attacks and countries should always expect global pandemics, and to be fair as an organisation the HSE do.  We plan, we simulate, we imagine, we practice, but reality tops all of this – As another quote would say … “There is no undo in real life”.

The HSE Cyber Attack – What actually happened?

The technical root cause of the ransomware attack in the HSE occurred 8 weeks prior to the actual incident, when a laptop was breached as the result of a phishing email with a malicious Excel document attachment. This initial threat was the entry point for more sophisticated threats including credential harvesting and human operated ransomware. This enabled the execution of reconnaissance tooling that was used to collect data to support the final ransomware attack which resulted in the encryption of 80% of the HSE server and device estate severely impacting the delivery of clinical services across the health service.

Where did it leave the HSE?

The attack resulted in the HSE being unable to provide clinical teams and patients with even basic ICT services which had a massive impact on the Healthcare service.  Key foundations for the delivery of a modern health service were unavailable - access to patient documents and results, limited communication tools and critical diagnostic equipment capacity reduced.  This caused multiple impacts on our services including significant service delivery delays and reduced capacity to provide services, leading to patient cancellations across a range of services.

As risk of harm began to accumulate, the healthcare staff worked around the clock to restore services in a manner which focused on the restoration of services while also reducing the potential for further disruption from the cyber criminals.

“Never waste a crisis”, they say and how right that is.  The Cyber Attack provided opportunities to drive through some of the security improvement initiatives which had been proceeding at a measured pace aligned to the organisation’s capacity for “pain”.  This was a reasonable position given the nature of the crisis being faced by global healthcare providers in 2020 and early 2021.  However, in the midst of the roaring fire of Cyber Attack, these changes were deemed mandatory and immediate.  There was the view that the “pain” wouldn’t register in light of all the other discomfort.  So the pace was increased – configurations were hardened, accounts were locked down, password complexity increased, trusts between domains and computers broken, remote access consolidated and locked down, external vendor access tightened.  The dial had been moved, never to be moved back. 

However, as the “pain” of Cyber diminished, the “newly” inflicted wounds of Cyber Control started to twinge and many services were not happy. The balance between easy options and cyber control has moved strongly in favour of cyber control. Cyber control means the ‘easy’ options were no longer available, which was not a major challenge for modern applications but heavily impacted some of the HSE legacy applications which either died on the operating table or needed life support for the foreseeable future.  This was further exasperated by the additional “pain” brought about by enhanced Cyber protection controls in the immediate aftermath of the attack, which placed load on legacy systems, with limited capacity to support, resulting in performance challenges and service impacts.   The HSE continues to enhance the Cyber Security maturity through modernisation initiatives, segregation of legacy and the implementation of new control platforms with the backdrop of the above.

So, the legacy of the Cyber Attack lives on, creating daily challenges for IT staff and it is set to remain long after the memory has faded.  The challenge is similar in many ways to the COVID-19 impact on the health service in Ireland, which requires our clinicians to restore services while delivering on the vision of Sláintecare but with the long COVID-19 shadow threatening progress.  Similarly in IT, the dual shadow of COVID-19 and Cyber Attack hang over the opportunities to progress our vision.  We need to focus on the positive learnings gained delivering change through a crisis, and continue to leverage the ways of working that enabled the fantastic response to both COVID-19 and the Cyber Attack.

On a more sombre note, as we drive on with our strategy, we should not lose sight of the fact that there has been limited opportunity for staff to professionally and personally recover from what were traumatic events.  From the perspective of our staff, the similarity between IT and the clinical side of the HSE is indisputable – they have a level of loyalty, professionalism, resilience and care which goes above and beyond and is a distinctive quality highly regarded outside the organisation.  They shone through the crisis(s) and we now need to mind them.

 What now?

A subsequent “board commissioned” report by PWC found that the level of Cyber Security maturity, Cyber Security capability (specifically leadership) and Cyber Security governance was not fit for purpose for an organisation of the scale of the HSE. This position was also indicated in the Mandiant technical report.  Based on these reports, the HSE has implemented tactical responses which have enhanced technology controls and applied additional capability including 24X7 monitoring services.  They have also initiated a wider organisational Cyber Security Improvement plan which is multi-year, designed to enhance the Cyber Security maturity and capability of the organisation.  This is significant activity on top of all the strategic initiatives the organisations needs to deliver – so the load does not lessen.

 

Our Learnings: 

  • Cyber Threat is big business.  It is 24X7, relentless, innovative, and constantly mutating. Cyber Attack can be a reality for any organisation. Be ready.
  • The HSE have “best in class” IT staff – relentless, innovative, resilient, 24X7.  Their commitment and resilience during COVID-19 and the Cyber Attack was a key positive out of a very low period for the organisation.  They consistently delivered above and beyond at a pace that was acknowledged by external partners as extraordinary
  • Key Tips: Get your security foundations right, know your estate, have rigorous management of access particularly remote access and privileged access, have 24X7 Monitoring of Cyber Threat activity with clear escalation paths.
  • Get your children to study Cyber Security – they will always have a well-paid job!

Written by:  Helen Coughlan, Chief Technology Officer, eHealth & Disruptive Technologies

Published 9th May 2022