In his June column for Digital Health, our cyber security columnist, Davey Winder, gives his thoughts on the ongoing incident in the Republic of Ireland.

The Irish health system is still, more than two weeks on, in recovery mode from the ransomware attack launched by the Conti cybercrime group. While there have been many headlines announcing the criminals had somehow ‘bailed out’ the Health Service Executive (HSE) by handing over the data decryption tool free of charge, I’m not going to join in a group hug for the threat actors. Beyond the obvious small matter that these are criminals to be viewed with the greatest contempt, Conti has not let the Irish HSE, or the patients it serves, off the hook. Like most of the current crop of ransomware threat actors, Conti doesn’t just encrypt data to lock down networks: it steals it as well.

That data is still being held to ransom, with Conti demanding the HSE “try to resolve the situation” through paying an unknown amount (the original ransom was in the region of £14 million) and threatening to publish or sell patient data if this doesn’t happen. This, I should add, is in addition to the sample that has already been published relating to 520 patients, which includes correspondence and what the HSE described as ‘sensitive data.’ The legal injunction that the HSE obtained prevents that, and any other data from the attack, being shared, processed, published or sold. This is, if you’ll excuse my French, akin to ‘p***ing in the wind’ and won’t prevent potentially highly valuable health data being sold to the highest criminal bidder.

Ransomware business model is a symptom, not the disease

The DarkSide group, behind the recent Colonial Pipeline attack that disrupted oil supplies in the United States, tried (and failed) to shift responsibility to affiliates who broke the rules. The most successful ransomware threats, in terms of attack rate and ransom returns, are conducted on a ransomware-as-a-service (RaaS) model. This works by allowing the main criminal group, behind the coding of the malware itself, to focus on developing the attack code and the systems around it; affiliates are brought on board to carry out the actual attacks, and are supplied with a control console for payment negotiations, for launching further attacks (such as denial of service to add pressure to pay) and so on.

DarkSide blamed a rogue affiliate for targeting critical infrastructure, and promised to moderate all targets before any attack was authorised in future. That was before it aptly went dark, with bitcoin being emptied from cryptocurrency wallets it controlled, the servers it employed going down and the major Russian-language criminal forums banning advertising for ransomware affiliates. I don’t believe this will be the end of DarkSide for one minute. It may rebrand itself, the code may change in an attempt to obfuscate the origins, but the people behind it all will likely carry on.

Ransomware gangs have no moral compass

I mention DarkSide so as to bring the affiliate model into the discussion, as Conti operates on a similar RaaS basis. I have yet to see these criminals claim a rogue affiliate targeted a country’s health service, which is just as well because this was no mistake. Indeed, the FBI has identified no fewer than 16 ransomware attacks carried out by the same Conti operators that targeted healthcare and so-called ‘first-responder’ networks. The decision to release the decryptor tool without any ransom being paid was more about public opinion and self-preservation than any sudden discovery of a moral compass, in my never humble opinion.

What I’m saying here, to finally get to the point, is simply this: ransomware attacks against healthcare are here to stay. Which means everyone has to get better at preventing a targeted attack from becoming a successful one.

I’m sure that, with the benefit of time when the recovery process dust has settled, we’ll get a better insight into what went wrong to allow Conti to deal such damage in the Irish HSE case. What I’m not going to do is try to pre-empt the inevitable enquiry and map out the threat map with likely entry point markers. Doing so accomplishes nothing: everyone involved with cybersecurity already knows the most common attack methodologies; the weaknesses are not going to be a surprise to anyone.

Instead, I want to focus on strengths.

Investment in protecting healthcare infrastructure is key

Chris Vaughan, the technical account manager at cybersecurity systems management company Tanium, says his message is “you can’t always stop a sophisticated cyber-attack, but by having a good standard of IT hygiene and training in place you can certainly make it more difficult for the attackers to be successful.” I don’t disagree with any of that, nor for that matter with Jamie Moles, a senior security engineer with detection and response experts ExtraHop, who says “until investment is made in protecting IT Infrastructure these problems will continue to plague national healthcare providers worldwide”.

All of which makes a report from back at the end of March, based on freedom of information requests made by cyber services outfit Redscan, essential and encouraging reading.

The report compared its results with those of a previous look, from 2018, at how prepared the NHS is to tackle the latest security threats. The key findings are not only encouraging, but help to explain why the NHS itself has suffered very few successful ransomware attacks in the last couple of years.

“On average, trusts now have nearly twice as many employees (47%) with professional IT security qualifications (2.8 per trust in 2020, compared to 1.9 in 2018)” and “one in four trusts had no qualified IT security professionals in 2018 (23%), a figure which has now fallen to one in seven (15%)” are perhaps among the most relevant. But the fact that 83% of NHS trusts had also contracted at least one external penetration test last year should not be overlooked either.

The cybersecurity equation that’s paying off for the NHS

Fewer data breaches, and successful ransomware attacks being a rarity, when more qualified security staff are being hired cannot be a coincidence. Only 15% of trusts were found to have no qualified security staff in 2020. Still too big a number, but down from almost a quarter (23%) in 2018.

There is no room for complacency, of course, but the NHS is, it would seem, at least moving in the right direction.

“With more and more healthcare organisations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead,” Mark Nicholls, CTO of Redscan, said, “to deliver an effective service, organisations must continuously improve their defences to protect the patient data and infrastructure they rely on to save lives.”