If there was one story this year that propelled cybersecurity as a conversation topic from the server room to the board room, it was last May’s ransomware attack on the Health Service Executive (HSE). It crippled computer systems across most of the health service for weeks and caused widespread cancellations of essential surgeries and health scans.
Now, seven months later, the HSE has published a comprehensive 157-page post-incident review (PIR). Here, BH Consulting CEO Brian Honan gives his take on the key findings, and lessons that organisations can apply.
1: Be transparent in your communication
The first thing to say is that the HSE has to be applauded for publishing the report and being so transparent. I would urge businesses and organisations to take the time to review the report, evaluate the lessons learned, and see what applies to them. Many of the issues the report identifies are by no means unique to the HSE. It is one of the better publicly available PIR reports, comparing well with examples of communication from other major ransomware victims like Norsk Hydro and Maersk.
Publishing the report continues the HSE’s transparent approach throughout the incident since the CEO’s first radio interview following the attack. Not only has this helped to reassure everybody who uses the HSE that work was being done to counter the threat, it also showed other organisations: this is what can happen. In turn, that transparency enables organisations to learn how to improve their own responses.
2: Share the learning
From the report: “To carry out this assessment, we developed a “PIR Cybersecurity Framework” which was based on the NIST Cybersecurity Framework and Control Association Control Objectives for Information and Related Technologies (“COBIT”). These are both internationally recognised standards.”
The HSE board, CEO, and executive management team commissioned PwC as independent consultants to carry out the review. By basing the report on the NIST Cybersecurity Framework, it provides a practical, objective approach. And it means the recommendations in this report apply not just to the HSE, but to all organisations.
3: Reach a broad audience
What I especially like about this report is that, unlike many PIR reviews, it’s not aimed at a technical audience. Reports that are can often lead to businesses thinking of security purely as an IT problem. Instead, this document can be consumed not just by security professionals or IT people; it’s written to be understood by non-IT people. It highlights many areas where the business can help, and should be actively involved, in managing the response from a cybersecurity point of view.
4: Assign a leadership role for security
From the report: “Within the HSE, there is no dedicated executive oversight committee that provides direction and oversight to cybersecurity, both within the HSE and all organisations connected to the NHN [National Health Network]. A known low level of cybersecurity maturity, including critical issues with cybersecurity capability, has persisted.”
That finding jumped out at me. My sense is that the HSE, like many large organisations, historically saw cybersecurity as an IT problem and left it to IT teams to look at. The lesson here is: treat cybersecurity as a business risk, not an IT issue. Assign an individual with the appropriate level of authority and autonomy to look after it.
Every organisation should have somebody with sole responsibility for security issues, where their role is to ensure that cybersecurity is kept on the agenda for the board and senior management, and that a suitable security programme is in place.
5: Don’t stop at the scapegoat: identify all causes of an incident
From the report: “On 18 March 2021, a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email. This resulted in a Malware infection of the Patient Zero Workstation.”
Some of the initial reporting about the PIR focused on the fact that an individual clicked on an infected Excel spreadsheet. But looking at the bigger picture, the real question to ask is: how did that email bypass the HSE’s defences, its antivirus and spam filters? Companies should check their own systems and understand how an infected email could bypass their security filters and reach a staffer’s inbox. And had the recipient been given appropriate training to be able to spot suspicious emails and to know what to do when they did? Do they know who they should report it to?
6: Build defences in depth
From the report: “There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across the HSE’s IT environment or the wider NHN…”
“Reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. For example, the workstation on which the Attacker gained their initial foothold did not have antivirus signatures updated for over a year.”
We know the Patient Zero device had not been updated in over 12 months. So, the question organisations should ask is: do they have proper monitoring and tools in place to ensure all devices are patched with the latest software? Do all machines have antivirus installed, and is it up to date?
The report highlights several opportunities that the HSE had to spot and react to the breach, but the relevant systems weren’t being monitored, or alerts went unanswered. So another question is: what monitoring does your organisation have in place? Does your security team have the right tools, training, and resources to manage and respond to those alerts when they happen?
The criminals were able to work their way through the systems by compromising accounts with privileged access such as administrator accounts. Companies need to protect any such accounts properly and keep their number to a minimum.
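The two hygiene questions above (is antivirus installed and current on every machine, and is every machine patched?) are easy to ask and hard to answer at scale without an inventory check. The following is an added example, not from the HSE report or PwC, that runs such a check over a small constructed endpoint inventory; the hostnames, dates and thresholds are made up, and the reference date is simply the 18 March 2021 date quoted from the report.

```python
from datetime import date

# Reference date: the Patient Zero infection date quoted in the report.
REPORT_DATE = date(2021, 3, 18)

# Constructed sample inventory (not HSE data): one record per endpoint,
# as an asset-management or EDR export might provide it.
INVENTORY = [
    {"host": "ws-001", "av_installed": True,  "sig_date": "2021-03-17", "last_patch": "2021-03-01"},
    {"host": "ws-002", "av_installed": True,  "sig_date": "2020-02-15", "last_patch": "2020-06-30"},
    {"host": "ws-003", "av_installed": False, "sig_date": None,         "last_patch": "2021-02-20"},
    {"host": "srv-01", "av_installed": True,  "sig_date": "2021-03-16", "last_patch": "2019-12-01"},
]


def _days_since(iso_date, today):
    """Age in days of an ISO-8601 date string relative to `today`."""
    return (today - date.fromisoformat(iso_date)).days


def audit(inventory, today, max_sig_age=7, max_patch_age=45):
    """Return {host: [findings]} for endpoints with any of the gaps the
    report describes: no antivirus, stale signatures, or stale patching.
    Thresholds are assumptions; adjust them to local policy."""
    findings = {}
    for rec in inventory:
        issues = []
        if not rec["av_installed"]:
            issues.append("no antivirus installed")
        else:
            sig_age = _days_since(rec["sig_date"], today)
            if sig_age > max_sig_age:
                issues.append(f"antivirus signatures {sig_age} days old")
        patch_age = _days_since(rec["last_patch"], today)
        if patch_age > max_patch_age:
            issues.append(f"last patched {patch_age} days ago")
        if issues:
            findings[rec["host"]] = issues
    return findings


if __name__ == "__main__":
    # Report every host that would need attention, oldest problems first.
    for host, issues in sorted(audit(INVENTORY, REPORT_DATE).items()):
        print(f"{host}: {'; '.join(issues)}")
```

Run against a real export, the interesting output is not the list itself but how many hosts are on it and how long they have been there: a year-old signature set, as on the HSE workstation, should never be a surprise to the security team.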
7: See cybersecurity as an investment, not a cost
From the report: “the national health service is operating on a frail IT estate with an architecture that has evolved rather than be designed for resilience and security.”
This point will be familiar to many large organisations: the HSE didn’t segment its networks, and it was using old equipment, with many devices running Windows 7, which had its own vulnerabilities. Organisations need to realise that keeping their systems up to date is a key investment in their business.
Think of it this way: if your business needed a fleet of cars for salespeople or vans for deliveries, it would keep those vehicles up to date and maintained properly. Rather than seeing this as a cost, think of the business benefits: improved worker safety, keeping business operations running (fewer breakdowns with newer cars), and projecting the right image. (Whatever your thoughts on branding, it plays a big part in establishing your reputation with customers and the public.)
Similarly, the longer your business operates on aged equipment and underinvests in cybersecurity, the bigger the probability that you will suffer a major breach or an outage that will have huge negative impact on your business from a financial, productivity and a reputational point of view. What I hope this report shows to all businesses is that a lack of engagement and investment in IT and cybersecurity is not a sound business strategy or an effective cost saving measure.
8: Take responsibility for the failings
It’s positive that the HSE has shared this report. However, to be critical, it highlights the many opportunities the HSE missed to mitigate the attack. An infected email bypassed its security filters, someone clicked on the infected attachment, and antivirus wasn’t updated. The spread of the attack further into the network happened because alerts were not responded to. Most breaches aren’t sophisticated; they rely on a chain of small failures that together lead to a bigger breach. Had appropriate controls been in place, the HSE could have disrupted the attack before it caused more damage.
9: Beware commentary that jumps to conclusions
Nature abhors a vacuum, and unfortunately, so does social media. But when an incident happens, organisations often can’t share many details about it, either because they are still investigating the cause, or because they may be working with law enforcement. After the HSE’s ransomware news went public, initial commentary claimed the reason for the breach was that the HSE was running Windows 7. Windows 10 has more security protection than its earlier incarnation, but it wouldn’t necessarily have stopped the Conti ransomware. Now, the HSE report has highlighted the root cause of this incident. That’s important because the speculation can now end.
Some of the commentary on security Twitter has been a mix of the useful and, at times, the impractical. Getting the basics right isn’t as simple as it sounds. Patching software and keeping antivirus up to date for five or ten computers is straightforward; doing that for 5,000 or 10,000 machines, with all the dependencies they have on different legacy systems and healthcare technology, is much less so. We need to be mindful of the wider context. The HSE is the largest employer in Ireland. The health system was already creaking while also trying to manage the national response to a pandemic.
Many organisations around the world can be grateful to the HSE for being so open and transparent so they can learn from this. For a long time, I’ve advocated for victims of incidents sharing their experiences to help improve overall security. So, the HSE has done a great service not just to the public sector but also to many businesses in Ireland and worldwide. The breach was worldwide news; making the report public closes that loop. And hopefully the HSE will get the support, funding and resources it needs to address the issues.