Last week’s victim of cyber-attack was Colonial Pipeline in the USA. Today we hear that the Irish Health Service (HSE) is the latest target of cyber-attack. Hospitals are cancelling appointments and reverting to paper-based systems. Our first reaction is disgust at the attackers, making easy money from important and critical institutions.
But, wait a minute, we need to know that very often the organizations themselves must bear responsibility. There are lots of things that can be done to prevent cyber-attack, but the number one priority is to have up-to-date, modern security systems that prevent all but the most sophisticated attacks. The fact is, the attackers focus on organizations that are well known for not investing properly in information technology security. I’m not familiar with Colonial Pipeline, but the Irish HSE is a serial offender in this area. For example:
Wednesday, 9 Dec 2020. RTE News: Thousands of HSE computers rely on out-of-date software. The Health Service Executive’s information technology system is relying on thousands of out-of-date computers because a plan to replace them has not been completed. Last year, the HSE said it had “a programme to migrate” Windows 7 computers to Windows 10 by the end of 2020. At that time 46,000 of its 58,000 computers remained on Windows 7. The HSE has since replaced 9,000 of the 46,000 computers leaving 37,000 depending on the old software – 12,000 of those cannot be replaced because they are needed to run radiology and other systems that cannot run on newer software. The scaling down of Windows 7 was known widely from 2014 and the HSE started its migration programme in 2017.
Feb 18th 2021. The Journal.ie: HSE boss told NPHET member he was at ‘wits end’ over post-Christmas Covid computer glitch. Health surveillance staff were urged to slow down the number of Covid-19 cases they were inputting into the HPSC’s data-reporting system after a computer glitch slowed the official reporting of cases after Christmas, newly released emails show.
January 09 2020. Irish Independent: ‘The cost is approximately €1.1m’ – HSE give details of Microsoft bill. The HSE will spend €1.1m in premium extended IT support fees to Microsoft this year, the health service has said, with a smaller level of fees due in 2021. The HSE was responding after Independent.ie revealed that the body faces a hefty bill for not having its PCs and laptops upgraded to a safe and secure version of Windows in time for a deadline next week. Microsoft’s obsolete Windows 7 operating system will be cut off from security support worldwide next week, a deadline that has been flagged for five years. The company offers an ‘extended support’ service to allow those who haven’t upgraded to avail of critical security patches. In a detailed response, the HSE said that it has 46,000 Windows 7 computers still operating on its network, out of a total of 58,000 computers. However, HSE chief information officer Fran Thompson told the Irish Independent that the size and complexity of the HSE meant that it was “never” going to be able to meet the January 2020 deadline, even with several years’ notice. . . . 12,000 of the 46,000 machines “cannot be replaced” until radiology information systems are upgraded in 2021.
So the HSE is widely known as a laggard in its use of IT. This is a huge red flag waving for all cyber attackers to see. This morning’s news was clearly inevitable.
One wonders how many of the HSE staff have been and are continuing to work from home during the pandemic, further increasing the risk of cyber attack?
This is an essential basic briefing. Imagine the scene: you’re an IT admin and you turn up for work on a Monday morning to find your IT systems are down and no-one can access or run anything. On your computer screen there is a message telling you that your systems and data have been encrypted with Conti ransomware and you need to pay a ransom for the attackers to decrypt compromised files and delete stolen information.