PwC's HSE hack post-incident report should be a corporate textbook

There's still a mountain to climb...

Ireland's Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country's healthcare sector in the summer of 2021 -- on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland's largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 locations. More than 80% of the HSE's extensive IT estate was affected by the Conti ransomware attack, which saw 31 of its 54 acute hospitals cancel services ranging from surgery to radiotherapy.

The report notes that:

  • The HSE did not have a Chief Information Security Officer (CISO) or a "single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction."
  • It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
  • Under-resourced Information Security Managers were not performing their business-as-usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity, but these were not escalated. (The antivirus server was later encrypted in the attack.)
  • There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
  • There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
  • Over 30,000 machines were running Windows 7 (out of support since January 2020).
  • The initial breach came after an HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.
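Several of those findings (signatures a year out of date, out-of-support Windows 7 hosts, Cobalt Strike detections that nobody escalated) are exactly the conditions a routine hygiene check can surface before an attacker does. The script below is an added illustration written for this article, not code from the PwC report or the HSE: it runs a triage over a small set of constructed endpoint inventory records and antivirus alerts and returns the hosts and alerts that need attention. The thresholds, severity markers and host names are assumptions; the only real value is the January 2020 end-of-support date for Windows 7.

```python
"""Endpoint hygiene and alert-escalation triage (constructed example).

Flags three of the failure modes named in the HSE findings:
  * antivirus signatures older than a threshold,
  * hosts running an operating system past its end-of-support date,
  * high-severity antivirus alerts that were never escalated.
All sample data below is made up; thresholds and markers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MAX_SIGNATURE_AGE_DAYS = 7                         # assumed policy threshold
UNSUPPORTED_OS = {"Windows 7": date(2020, 1, 14)}  # Windows 7 end of support
HIGH_SEVERITY_MARKERS = ("cobalt strike", "cobaltstrike", "beacon", "mimikatz")


@dataclass(frozen=True)
class Endpoint:
    host: str
    os: str
    signatures_updated: date   # date the AV signature set was last refreshed


@dataclass(frozen=True)
class AvAlert:
    seen: datetime
    host: str
    detection: str             # detection name as reported by the AV product
    escalated: bool            # True if a ticket/incident was raised for it


def stale_signature_hosts(endpoints, today, max_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Return (host, age_in_days) for endpoints whose signatures are too old."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((e.host, (today - e.signatures_updated).days)
                  for e in endpoints if e.signatures_updated < cutoff)


def unsupported_os_hosts(endpoints, today):
    """Return hosts whose OS has passed its end-of-support date as of `today`."""
    return sorted(e.host for e in endpoints
                  if e.os in UNSUPPORTED_OS and UNSUPPORTED_OS[e.os] <= today)


def unescalated_high_severity(alerts):
    """Return alerts whose detection name matches a high-severity marker
    but which were never escalated for investigation."""
    return [a for a in alerts
            if not a.escalated
            and any(m in a.detection.lower() for m in HIGH_SEVERITY_MARKERS)]


def triage(endpoints, alerts, today):
    """Combine the three checks into one report dictionary."""
    return {
        "stale_signatures": stale_signature_hosts(endpoints, today),
        "unsupported_os": unsupported_os_hosts(endpoints, today),
        "unescalated_high_severity": [
            (a.host, a.detection) for a in unescalated_high_severity(alerts)
        ],
    }


# Constructed sample data: one neglected Windows 7 workstation, one healthy
# workstation, and the antivirus server itself.
TODAY = date(2021, 5, 14)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-0001", "Windows 7", date(2020, 3, 2)),
    Endpoint("ws-0002", "Windows 10", date(2021, 5, 13)),
    Endpoint("srv-av01", "Windows Server 2016", date(2021, 5, 14)),
]
SAMPLE_ALERTS = [
    AvAlert(datetime(2021, 5, 12, 9, 4), "ws-0001", "Trojan.CobaltStrike.Beacon", False),
    AvAlert(datetime(2021, 5, 12, 9, 10), "ws-0002", "PUA.Adware.Generic", False),
    AvAlert(datetime(2021, 5, 13, 2, 30), "srv-av01", "HackTool.Mimikatz", True),
]

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_ENDPOINTS, SAMPLE_ALERTS, TODAY).items():
        print(f"{check}: {findings}")
```

In practice the inventory and alert records would come from the antivirus console or a SIEM export rather than inline lists, and the point of the exercise is the third check: an alert that matches a known post-exploitation tool and has no ticket against it is the gap the report describes, regardless of how the AV product scored it.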

PwC's crisp list of recommendations in the wake of the incident -- as well as detail on the business impact of the HSE ransomware attack -- may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded. (PwC's full 157-page HSE post-incident report is here.)

HSE post-incident report recommendations

HSE's IT environment had high-risk gaps relating to 25 of 28 critical cybersecurity controls. Credit: PwC

Among its recommendations: That the HSE "should establish clear responsibilities for IT and cybersecurity across all parties that connect to the NHN, or share health data, or access shared health services. This formalisation of responsibilities should include specification of Service Level Agreements (SLAs) for centrally-provided services, including availability requirements. The HSE should define a code of connection that defines the minimum acceptable level of security controls necessary to connect into the NHN, to be agreed by all parties connected to the NHN, including requirements for central reporting of cybersecurity alerts and incidents. The HSE should establish a programme to monitor and enforce ongoing compliance with this code of conduct. Compliance with the code of connection should become part of the onboarding process of any connecting organisation."

The report is in keeping with post-incident reports on most major recent cybersecurity incidents, including the 2021 ransomware attack on Colonial Pipeline in the US, where an absence of cybersecurity leadership and a basic lack of security hygiene likewise contributed to the incident's impact.

(The Stack continues to urge organisations hiring a CISO to have them report directly to the CEO and regularly to the board where possible. As specialist cybersecurity recruiter Owanate Bestman earlier told us: “Traditional reporting lines are typically CISOs reporting up to the board, usually the CTO or CIO. In smaller organisations, this can even be the CRO. In such cases, the CISO title is not usually present, but instead, it is Head of IT/Cyber Security, which often betrays an underdeveloped or misunderstood security function. Of the CISO searches I have conducted, most of the reporting lines are to the CTO, followed by the CIO. Far fewer tend to report to the CEO. While other factors come into play, CISO positions that report to the CEO are more attractive to applicants as it is seen as giving the role a more significant presence. It provides the CISO with a seat at the table.”)

See also: Veeam CISO Gil Vega on reporting pen testing results to the board, building a security culture, sleeping at night, tips for CISOs.