According to the Department of the Environment, Climate and Communications, the National Cyber Security Centre (NCSC) has been working with the Department of Health and the HSE to identify the technical details of the malware used in these incidents. But this cyberattack and its consequences are more than just a technology issue. It is about disruption to health services and data protection. Securing a critical IT system requires a systematic approach, with responsibility going right up to top management in organisations.
As things stand, the recovery from this cyberattack could be a costly and painful exercise, given its widespread impact and the disruption it caused. The HSE, as a public department, and the public health services must be protected and managed effectively, and that includes the management of their IT systems. We need to be assured that the public funds for HSE IT systems are used to implement and run robust and secure systems that are not vulnerable to this level of cyber threat and widespread disruption.
WE LIVE IN A HIGHLY DIGITALISED WORLD
The protection of patient and medical data in the HSE system is very important. Medical data is extremely sensitive and can be a very lucrative asset for those who want to sell it.
Minister of State for Communications Ossian Smyth said “the Government does not believe there was a particular vulnerability to the attack in the Irish system, or that a particular weakness was exploited.”
This statement does not fit well with the level of impact and disruption this cyberattack has caused. It is a clear sign of some vulnerability in the systems. Denial is not the way forward to fix problems.
According to an Irish Times report, the scale of damage to systems will not be known for days. There is no clear picture yet of the integrity of backups or of data breaches.
PROTECTING AGAINST CYBER ATTACKS
Cyberattacks are a fact of life. They are the viruses of the digital world. Cybersecurity solutions are the preventive and protective mechanisms that stop cyberattacks from causing any damage. They are like digital vaccines.
Shutting down the entire IT system, or most of it, is not a very skilful or sophisticated defence mechanism against such an attack.
The management and security of such large and critical IT systems must rely on more sophisticated and effective measures than shutting it all down.
The real challenge, and the real success, is to fend off such attacks and keep the computer systems running and the data safe. Shutting it all down is a success for the cyber attackers who want to disrupt the services to gain more power.
There are some questions we need answers to, in order to defend our public health system and make sure it is in good hands.
LEVEL OF DAMAGE: EXACT DETAILS OF DATA AT RISK MUST BE DISCLOSED.
· What IT systems (email, servers, medical software, etc.) are infected?
· What data is compromised? What is the scale of data breaches?
· How safe is the backup data? How up-to-date, complete and clean is the backup data?
· Are personal/patient and staff data breached? How will people affected be informed?
· How did an attack like this spread so fast across so many of the HSE systems? What are the actual failure points?
OUTSOURCED/CONSULTANCY IT SERVICES: The responsibility and accountability of consultancy firms
“HSE outsourcing of screening led to Cervical Check crisis”, we were told before.
· Who are the IT and security consultancy firms working for the HSE and advising the HSE management on these matters?
· Who are the external technology firms delivering HSE IT infrastructure and some of the software and maintenance/management services?
· How much money has the HSE / Department of Health paid out to outsourced consultancy firms to implement, manage and maintain its IT systems?
· What contractual responsibilities do the technology, software and security providers have in this failure against the cyber-attacks? What warranties are in place?
· Who pays for the recovery from this cyberattack?
CONTROLS
We live in a highly digitised and data integrated world. Medical data is very important to secure and protect.
· How up-to-date and robust are the HSE information security standards and practices?
· What are the controls and oversight processes to make sure standards are applied?
· Were there any cuts on securing highly sensitive data and the underlying IT architecture?
· When were the last internal/external IT and system security audits done?
· Who were the auditors?
· What were the findings of this audit?
· What actions were taken?
· Who is the executive with the responsibility to ensure audit/compliance findings are implemented?
· Have the executive managers and the Minister for Health seen the security/system audit reports and signed off on them?
It says on the HSE site: “ICT Audit – this comprises of a number of ICT audits conducted in the main by external specialist ICT auditors contracted to work for the Division.”
RECOVERY:
· Does the HSE have up-to-date BCP (Business Continuity) and DR (Disaster Recovery, although this is slightly different) plans?
· Why is it taking so long to recover? What are the signed-off service level agreements (SLAs) for system breakdowns?
DATA BREACHES:
· If medical/personal data of patients/staff is breached or lost in the cyber attack, what plans does the HSE have to contact and inform the people affected?
· What plans are in place to recover lost data?
LESSONS & ACCOUNTABILITY:
We need accountability and proper management of the IT systems of our public health service.
Cyber attacks are a fact of life for every organisation, and executives must be prepared to fend off such attacks and protect the systems and data.
This was not the case in the HSE cyber attack. Instead, we had a widespread infiltration and shutdown of systems which led to wider disruption of health services.
This is NOT a success story by any means. The HSE security solutions and processes have failed, leaving management with the only option of shutting it all down. A shutdown is not a highly skilled response but a last stand when no other means are trusted to fend off the attack.
A shutdown by the attackers or by the organisation leads to the same outcome: disruption of services! This is always deemed a success by cyber attackers.
In the case of the HSE, a shutdown must have been necessary and the right step to protect the systems and the data against further damage, but it must also be seen as a desperate attempt.
This incident needs a serious investigation to bring out the details, and a clear set of actions to secure HSE systems and prevent such attacks and disruptions in future.
It has to be recognised as a systematic failure and lessons have to be learned.