Inside Ireland's public health ransomware panic – Krebs on Security

2021-12-14 14:42:14 By : Mr. Develn Lin

Consulting firm PricewaterhouseCoopers recently published lessons learned from the devastating and costly ransomware attack on Ireland's public health system in May 2021. An unusually frank post-incident investigation found that nearly two months passed between the initial intrusion and the launch of the ransomware. It also found that the affected hospital network had tens of thousands of outdated Windows 7 systems, and that the health system's IT administrators failed to respond to multiple warning signs that a large-scale attack was imminent.

PwC's timeline of the events leading up to the deployment of the Conti ransomware on May 14.

The Irish Health Service Executive (HSE), which runs the country's public health system, was hit by Conti ransomware on May 14, 2021. The timeline in the report (above) states that the initial infection of the "Patient Zero" workstation occurred in March 2021. On January 18, 2021, an employee on a Windows computer opened a booby-trapped Microsoft Excel document attached to a phishing email that had been sent two days earlier.

Less than a week later, the attacker had established a reliable backdoor connection to the employee's infected workstation. The report states that after infecting the system, "the attacker continued to operate in the environment for eight weeks until the Conti ransomware detonated on May 14, 2021."

According to the PwC report (PDF), there were multiple warnings of a serious network intrusion, but these red flags were either misidentified or not acted on in time:

By then it was too late. Just after midnight Irish time on May 14, the attacker executed the Conti ransomware inside the HSE. The attack disrupted services at several Irish hospitals, resulting in the near-complete shutdown of HSE's national and local networks and forcing many outpatient and medical services to be cancelled. Appointments in certain areas fell by 80%.

Conti initially demanded virtual currency worth 20 million U.S. dollars in exchange for a digital key to unlock the HSE servers the group had compromised. But perhaps in response to the public outcry over the disruption to the HSE, Conti reversed course and handed over the decryption key to HSE without payment.

Nevertheless, it took months to restore the infected systems. HSE eventually enlisted members of the Irish army to carry laptops and personal computers from site to site to help restore the computer systems manually. It was not until September 21, 2021 that HSE announced that 100% of its servers had been decrypted.

As bad as the HSE ransomware attack was, the PwC report emphasizes that it could have been worse. For example, because HSE's backup infrastructure only periodically backed up to offline tapes, it is unclear how much data would have been unrecoverable had the decryption key not been made available.

The report found that the attack could also have been worse in other ways:

The PwC report contains many recommendations, most of which revolve around hiring new people to lead the organization's redoubled security efforts. But it is clear that HSE still has a lot of work to do to improve its security maturity. For example, the report states that more than 30,000 Windows 7 workstations in HSE's hospital network were running an operating system the vendor had already declared end of life.

"HSE assessed its cyber security maturity rating as low," PwC wrote. "For example, they did not establish a CISO or security operations center."

PricewaterhouseCoopers also estimated that efforts to establish HSE's cybersecurity plan to the extent that it can quickly detect and respond to intrusions may cost "several times the HSE's current capital and operating expenditures in these areas."

An illustration of the "security maturity" model.

In June 2021, the HSE Director General stated that the cost of recovering from the May ransomware attack could exceed $600 million.

The remarkable thing about this incident is that HSE is publicly funded by the Irish government, so in theory it should be able to find (or raise) the money for all of these ambitious proposals to improve its security maturity.

This is in stark contrast to the U.S. health care system, where the biggest obstacle to doing security well is still the lack of a real budget priority. In addition, most healthcare organizations in the United States are private companies operating on meager profit margins.

I know this because in 2018 I was asked to give a keynote speech at the annual gathering of the Healthcare Information Sharing and Analysis Center (H-ISAC), an industry organization focused on sharing information about cybersecurity threats. I nearly declined the invitation: I had hardly written about healthcare security, which seemed to be mainly about whether medical institutions had complied with U.S. laws and regulations. That compliance is centered on the Health Insurance Portability and Accountability Act (HIPAA), which prioritizes protecting the integrity and privacy of patient data.

To get up to speed, I interviewed more than a dozen of the best and brightest people in the healthcare security industry. A common view I heard from interviewees was that if something is related to security but not to compliance, it probably has little chance of getting any budget.

These sources unanimously stated that, however well intentioned it may be, it is unclear whether HIPAA's "data protection" regulatory approach holds up when viewed from the perspective of the overall threat. According to HealthcareIT News, in 2021 alone more than 40 million patient records were compromised in incidents reported to the federal government.

In my 2018 speech, I tried to emphasize the importance of being able to respond quickly to intrusions. This is part of what I told the H-ISAC audience:

"The term 'security maturity' refers to the street wisdom of an individual or organization. This maturity usually comes from making a lot of mistakes, being hacked a lot, and hopefully learning from each incident, measuring the response time, and improving.

Let me state up front that all organizations will be hacked. If they are large enough, even those who do everything right from a security perspective can be hacked every day. Hacked here means someone in the organization falling for a phishing scam, or clicking on a malicious link and downloading malicious software. Because let's face it, hackers only need one person to mess up to gain a foothold in the network.

Now this is not bad in itself, unless you don't have the ability to detect it and respond quickly. If you can't do that, you run the serious risk of a small incident turning into a much bigger problem.

Think of it as the medical concept of the 'golden hour': the short window of time after a traumatic injury such as a stroke or heart attack in which life-saving treatment and attention are likely to be most effective. The same concept applies to cybersecurity, which is why so many organizations now devote more resources to incident response, not just prevention."

The somewhat fragmented health care system in the United States means that many ransomware outbreaks tend to be limited to regional or local health care institutions. However, a well-placed ransomware attack or a series of attacks could cause serious damage to the industry: a Deloitte report in December 2020 stated that the top 10 health systems now control 24% of the market and are growing their revenue at twice the rate of the rest of the market.

In October 2020, KrebsOnSecurity broke the news that the FBI and the U.S. Department of Homeland Security had obtained chatter from a top ransomware group warning that "U.S. hospitals and healthcare providers face an imminent cybercrime threat." Members associated with a Russian ransomware group known as Ryuk discussed plans to deploy ransomware at more than 400 medical institutions in the United States.

A few hours after that article was published, I heard from a respected H-ISAC security expert who questioned whether it was worth alarming the public so much. The story was updated several times throughout the day, and within 24 hours at least five medical institutions had been hit by ransomware.

"I think it would be helpful if I understand what the baseline is, such as how many medical institutions are attacked by ransomware in an average week?" I asked the source.

"It's more like one a day," the source revealed.

No matter how long it takes, HSE is very likely to obtain the funds needed to implement the plan recommended by PwC. I wonder how many American healthcare organizations could say the same.

This entry was posted on Monday, December 13, 2021 at 09:13 PM

How interesting, so you said that most hospitals still know nothing about ransomware/malware threats? How can this be?

Perhaps the "tl;dr version" of this story is written like this:

Ignorant employees open documents attached to emails from sources they may or may not know. Due to weak email security, the file was allowed to enter the organization's network; the organization failed to scan all incoming and outgoing emails and their attachments. In addition, the organization may not have had any control over the use of documents containing embedded scripting languages.

The fact that the organization uses the old operating system may or may not have any consequences; although it is called "outdated," the article does not explain how it relates to the matter.

Too sleepy, so I guess your suggestions are: a) ignorant employees: better education and training; b) lax email security: improve email security; b.1) unable to scan: scan all emails and attachments; b.2) unable to control documents containing embedded scripts: block script content.

Yes, we will strictly follow your suggestions. And then we get hit again! The employee carefully checked the attached file, but it was crafted so as not to arouse suspicion. The message was scanned, but no scanner detected that the attachment was malicious. The macro filter was active, but unfortunately the malware authors used some very clever techniques to block scripts.

We followed all your suggestions, but despite this our organization was hit, our files were encrypted, and we can choose between paying the ransom or rebuilding our organization from scratch!

Outdated systems (such as Windows XP and Windows 7) can still be operated safely, provided they are isolated on a dedicated VLAN and can only communicate on the expected ports. The hospitals in the story above do not sound like they had set up that kind of network.

Government resources are not the issue. Review every security audit conducted by a US federal department, especially the Department of Defense (which I would guess has a larger budget than the entire Irish government), and see whether willingness and ability are the relevant factors.

@Moike makes sense. I'm just a fool, but the real experts I've read have been saying for a long time that not everything needs to be connected to the network/internet (yes, I know they are different). This seems to be a wise choice, but I am just a dummy.
