Conti Cyber Attack on Health Service Executive - Recommendations to Overcome Ransomware Attacks
The Health Service Executive (HSE) of Ireland is the country’s publicly funded healthcare system under the Irish Department of Health, consisting of 54 public hospitals directly under HSE authority, and voluntary hospitals which utilize national IT infrastructure.
On May 14, 2021, HSE suffered a major ransomware cyberattack that caused all its IT systems nationwide to be shut down. It became the most significant cyberattack on an Irish state agency, as well as the largest known attack against a health service computer system in history, occurring during the COVID-19 pandemic.
It took four months to completely recover from the attack, with HSE sustaining numerous impacts to healthcare delivery during this timeframe. Conti ransomware was responsible for the incident.
On December 3, 2021, HSE published an Independent Post Incident Review consisting of a 157-page redacted report, which is the foundation of this brief.
Key recommendations and findings
From D. List of key recommendations
- Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing organisations' vulnerability to threats and designing cybersecurity transformation programmes.
- Establish an executive-level cybersecurity oversight committee, to drive continuous assessment of cybersecurity risk across the provision of health services.
- Create a Board committee, to oversee the transformation of IT and cybersecurity to deliver a future-fit, resilient technology base for provision of digitally-enabled health services.
- Plan a multi-year cybersecurity transformation programme, and identify and mobilise the resources to deliver.
- Appoint a programme lead and define governance framework for the cybersecurity transformation programme.
- Continue to use a managed detection and response service provided by a third party and identify a sustainable medium-term solution.
- Mobilise a tactical cybersecurity improvement programme (while the cybersecurity transformation programme is being planned), with governance that feeds into the interim CISO and can provide updates on the programme’s progress into the Board committee.
- Bring the governance of ongoing IT and cybersecurity improvement projects under the tactical cybersecurity improvement programme.
- Use security testing ‘find and fix’ to identify additional security weaknesses and vulnerabilities by simulating cyber attack techniques, before identifying and triaging pragmatic fixes.
- Schedule a ‘red team’ ethical hacking exercise for early 2022 to demonstrate the effectiveness of tactical improvements made and identify areas for further improvement.
- Appoint suitable long-term senior leadership for cybersecurity (a CISO) and establish a suitably resourced and skilled central cybersecurity function.
- Deliver a multi-year cybersecurity transformation programme to build defence in depth over time and address root-cause issues.
- Design and implement a single and centralised security monitoring capability for the defined security boundary of the HSE that reports into the CISO.
- Establish governance and oversight of Operational Resilience Programme.
- Establish an Operational Resilience Policy and Programme scope, strategy and structure.
- Establish assurance over the Operational Resilience Programme.
- Embed the Operational Resilience capability via training and exercising.
- Establish and document a formal governance structure to oversee clinical and services continuity in the HSE.
- Support funded entities (hospital groups, hospitals and CHOs) to establish governance over clinical and services continuity.
- Establish and embed a clear and consistent approach to clinical and services impact analysis across the HSE to inform recovery prioritisation.
- Design clinical and services continuity workarounds, based on the clinical and services impact analysis, to enable the HSE to continue providing critical services while responding to an incident or crisis.
- Develop and embed consistent Clinical and Services Continuity Plans at strategic, tactical and operational levels that align with the clinical and services business impact analysis.
- Design an end-to-end Crisis Management Framework (integrated with the existing MEM and IM Frameworks), overseen by the HSE Resilience Steering Group.
- Design a suite of crisis response plans and procedures to underpin the Crisis Management Framework.
- Ensure that the resources assigned to internal communications are sufficient.
- Document the Communications Team’s existing response structures, processes, tools and templates in a Crisis Communications Plan.
- Establish a formal training and exercising programme in support of the Operational Resilience Programme.
- Deliver training to staff in key responsible and supporting roles, and new managers.
- Conduct annual exercises to rehearse the operational resilience capability.
- Review and refine the post-incident review process to ensure ongoing and continuous improvement of the response capability.
- Instil a culture of preparedness in the HSE to reduce the negative impacts of disruption on its people.
- Design and implement an integrated notification and escalation process and acquire a means of mass notification to all HSE staff and contractors.
- Establish a Crisis Situation Centre to manage an organisation-wide response to a crisis.
- Establish formal retainers with key third parties that may be required to support a crisis response.
- Develop an integrated HSE-wide incident classification and severity matrix for assessing the organisational impact of an incident.
- Designate and train incident information managers (or coordinators) at all levels across an incident or crisis response to maintain a consistent overview of the situation as it develops.
- Identify and acquire a secure and resilient ‘out-of-band’ technology solution to ensure an alternative means of information sharing and communication.
- Ensure the ‘higher organisational intent’ is aligned to the organisational values and drives the response and recovery strategy; review the strategy regularly throughout the response as the situation develops.
- Agree delineated decision making authority across all teams in the organisation likely to be involved in an organisation-wide incident.
- Familiarise the Internal Communications Team with the ‘out of band’ technology solution to enable focused and targeted communications during a crisis.
- Review processes, plans and resourcing for response to future potential data breaches.
- Scenario planning should be informed by the risk register, the process embedded in the Crisis Management Plan, and the activity conducted throughout incident and crisis response.
- Design clinical and services continuity workarounds, informed by the Clinical and Services Impact Analysis.
- Design workarounds to support rapid data remediation post-incident or crisis.
- Rehearse workarounds in multi-team exercises.
- Consider a review to establish the longer term clinical impacts of the Conti attack.
- Ensure the Clinical and Services Impact Analysis is informed by an up-to-date asset register and configuration management database.
- Map and document the people and technology resources and processes required to recover all critical systems in a pre-defined sequence.
Cybersecurity Framework
- The HSE should continue to develop an asset register that is aligned to clinical and corporate services, as well as underpinning a process to ensure the register is maintained up to date. Doing so will allow the HSE to determine the potential impact of any future incident and effectively respond in a planned, controlled and structured manner.
- The HSE should create a cybersecurity strategy, covering at a minimum incident detection, incident response and business recovery. It will also need to be aligned to the HSE strategy objectives and signed off by the HSE Board.
- The HSE should establish an appropriate cybersecurity risk and governance framework to ensure there is a consistent and clear allocation of responsibility, authority, and accountability. This includes establishing reporting processes to ensure potential cybersecurity incidents are appropriately reported in all cases.
- The HSE should complete its required OES returns on an annual basis to ensure compliance with NISD regulations and to understand potential cybersecurity weaknesses in critical services.
- The HSE should develop a formal cybersecurity risk framework aligned to the business' operational risks and strategic plans.
- The HSE should implement a Third Party Risk Management framework that defines how third parties to the HSE are assessed for cybersecurity risks and what risk treatment plans are appropriate to address residual cyber risk.
- The HSE should introduce a comprehensive, formalised cybersecurity training and awareness programme that is delivered to all staff at all grades across the organisation. This should be conducted on a regular basis.
- The HSE should introduce centralised processes and procedures to manage and review the identities that require access to services and data and the access they are granted. This should take the form of an Identity Access Management (IAM) solution that consistently manages access across users, system administrators and third parties.
- HSE ICT should implement a structured process for performing data backups and storing this data off site. Regular restore testing of this data should take place to ensure successful recovery.
- The HSE should develop a strategy for adopting the appropriate protective technologies and ensure consistent deployment across the HSE network.
- The HSE should develop a process to maintain security baselines for all operational hardware and software, including but not limited to establishing preventative processes such as patch and vulnerability management processes.
- The HSE should develop a cybersecurity threat profile that is informed by relevant sources to enable an effective monitoring capability. This should include threat intelligence feeds to provide an informed view of the latest cyber threats relevant to the HSE. These feeds should be used in conjunction with a SIEM to inform and provide IOCs for monitoring and detection across the HSE ICT estate. Aligned to this, the HSE should deploy anti-virus consistently across the estate, ensure that its outputs, together with logging and EDR outputs, are aggregated, and obtain a 24x7 security operations centre (SOC) to monitor the entire business and detect anomalous behaviour and events.
- The HSE should implement alert monitoring on all network servers, endpoint devices, and firewalls for the external and internal networks. Specific use cases for each alert should be developed for the chosen SIEM.
- The HSE should implement a holistic network detection and response functionality with a dedicated team to continually monitor for and respond to alerts.
- The HSE should develop an appropriate cybersecurity response policy, supported by plans and/or run books for cybersecurity incidents that are regularly reviewed and exercised so that it can mount an effective and efficient response in the event of a future incident.
- The HSE should develop a formal internal communications plan so that key internal parties such as senior leadership, voluntary hospitals and CHOs receive timely and consistent messages. In particular, the HSE should develop runbooks and template responses for specific scenarios to aid a speedy response and ensure communication is consistent.
- The HSE should ensure that an appropriate response policy, plan, and process are in place to manage multiple security incidents, perform response investigations, and collect evidence to assess the best potential mitigation plan.
- The HSE should develop formal mitigation strategies and tactics to isolate, remove, and monitor threats. Key Performance Indicators (KPIs) should be put in place so that performance can be optimised.
- The HSE should establish a formal process, as well as resources, to ensure lessons are learnt and codified from all incidents and are maintained to reflect operational and organisational change.
- The HSE should implement a cybersecurity recovery plan that links to an asset register detailing Clinical, Corporate and other priorities and test this plan on a regular basis.
- The HSE should develop a formal process for capturing improvements/lessons learnt following an incident.
- The HSE should consider developing a communications strategy for cybersecurity incidents.
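The two monitoring recommendations above (threat-intelligence IOCs fed into a SIEM, and per-source alert use cases over aggregated anti-virus, EDR and firewall output) are easier to reason about with a concrete, if tiny, implementation. The script below is an added illustration written for this brief; it is not code from the HSE report or from any HSE system. The IOC values, host names and log lines are all constructed placeholders (documentation IP ranges, the reserved `.example` TLD and a dummy hash), and the log formats are invented for the example.

```python
"""
Added example: a minimal SIEM-style correlation step that aggregates
firewall, EDR and anti-virus log lines from different formats, normalises
them into one event shape, and matches them against a threat-intelligence
IOC feed. Each match is tagged with the detection use case it belongs to,
which is the kind of per-alert use case the recommendation calls for.
Everything here (IOCs, hosts, log lines, formats) is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IOC feed, shaped like the indicator lists a threat-intel
# feed would push to a SIEM. The values are placeholders, not real IOCs.
IOC_FEED: Dict[str, set] = {
    "ip": {"203.0.113.45"},              # TEST-NET-3 documentation range
    "domain": {"update-check.example"},  # reserved example TLD
    "sha256": {"a" * 64},                # dummy hash
}

# Detection use cases: (name, normalised event field, IOC type to check).
USE_CASES = [
    ("outbound connection to known-bad IP", "ip", "ip"),
    ("process hash matches IOC feed", "sha256", "sha256"),
    ("resolution of known-bad domain", "domain", "domain"),
]

# Constructed sample lines, one invented format per source.
SAMPLE_LOGS = [
    "FW 2021-05-13T23:58:01Z src=10.20.30.40 dst=203.0.113.45 action=allow proto=tcp dport=443",
    "FW 2021-05-13T23:58:02Z src=10.20.30.41 dst=198.51.100.7 action=allow proto=tcp dport=443",
    "EDR host=ws-0231 user=jdoe proc=powershell.exe sha256=" + "a" * 64 + " cmdline_len=812",
    "EDR host=ws-0232 user=asmith proc=winword.exe sha256=" + "b" * 64 + " cmdline_len=40",
    "AV host=srv-file-02 event=detection name=Generic.Trojan action=quarantined dns=update-check.example",
    "AV host=srv-file-03 event=scan_complete threats=0",
    "SYSLOG srv-app-01 cron: job finished",   # unknown source, ignored
]


@dataclass
class Event:
    """Normalised view of one log line, whatever source produced it."""
    source: str
    host: str
    ip: Optional[str] = None
    domain: Optional[str] = None
    sha256: Optional[str] = None
    raw: str = ""


@dataclass
class Alert:
    use_case: str
    source: str
    host: str
    indicator: str


def parse_kv(text: str) -> Dict[str, str]:
    """Extract key=value pairs; tokens without '=' (timestamps) are skipped."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(\S+)", text)}


def normalise(line: str) -> Optional[Event]:
    """Map a raw line from a known source onto the common Event shape."""
    source, _, body = line.partition(" ")
    kv = parse_kv(body)
    if source == "FW":
        # For a firewall record the destination is the candidate indicator.
        return Event("firewall", host=kv.get("src", "?"), ip=kv.get("dst"), raw=line)
    if source == "EDR":
        return Event("edr", host=kv.get("host", "?"), sha256=kv.get("sha256"), raw=line)
    if source == "AV":
        return Event("av", host=kv.get("host", "?"), domain=kv.get("dns"), raw=line)
    return None  # no parser for this source: aggregation gap, not an alert


def correlate(lines: List[str]) -> List[Alert]:
    """Run every use case over every normalised event; return the matches."""
    alerts: List[Alert] = []
    for line in lines:
        event = normalise(line)
        if event is None:
            continue
        for name, field, ioc_type in USE_CASES:
            value = getattr(event, field)
            if value is not None and value in IOC_FEED[ioc_type]:
                alerts.append(Alert(name, event.source, event.host, value))
    return alerts


def hosts_with_alerts(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per host, the first thing a SOC analyst would pivot on."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.host] = counts.get(alert.host, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"[{alert.use_case}] {alert.source} host={alert.host} indicator={alert.indicator}")
```

Two points the code makes that the recommendation text only implies: the match logic lives in one place regardless of which product produced the line, so a new source only needs a normaliser, and a line from a source with no parser yields no event at all, which is a coverage gap to be closed rather than silently accepted.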
Tactical Recommendations
- Improve security monitoring capability
- Secure privileged access
- Build a vulnerability management capability
- Harden the security boundary
- Improve governance over the NHN
- Improve preparedness for a ransomware attack
- Accelerate foundational IT projects
Source: Read the full report at https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf.