
That's a change...
This was only a "quite sophisticated" attack, as opposed to the "highly sophisticated" attacks most organisations are targeted with.
Ireland's nationalised health service has shut down its IT systems following a "human-operated" Conti ransomware attack, causing a Dublin hospital to cancel outpatient appointments. The country's Health Service Executive closed its systems down as a precaution, local reports from the Irish public service broadcaster RTÉ said, …
Yes because England did so much more when the NHS was hit.
Yes, yes! I remember the bombing attacks in Russia against those ne'er-do-wells... Oh wait, no, I don't. What about the sanctions? Nope, none of those either... Hmmm. Arrests? Nope... Diplomatic pressure? Nope...
Good to see Britain taking back control of its own ability to do nothing...
Something about people in glass houses having short memories?
"We are deeply concerned that this attack was not conducted in compliance with published EU ransomware standards. The regulations specifically require RSA encryption at 1024-bit or higher, not Diffie-Hellman. Also, the regulation clearly specifies that payment demands must be in Bitcoin or Ethereum, not Doge, and the demand notice must be posted in French, German, and English in addition to the local EU country's primary language."
When are we going to issue sanctions against countries that harbour these criminals? And of course countries that sponsor them or even are them.
The situation has got so serious that the only solutions are incredibly uncomfortable: increased security costs, decreased convenience, even vetting employees.
Is it time to fight fire with fire?
We need to formally amend the Computer Misuse Act and/or replace it with a law that not only has teeth, but clear and defined provisions for legitimate cyber-security researchers so they can operate without fear of prosecution if their intent is in the interests of HM Government.
Just to make it really airtight, have it made retroactive to the start of the original CMA 1990 so pending cases can be reviewed as needed.
For that matter blocking traffic from unfriendly countries is actually a viable way to prevent some attacks and should be seriously considered.
If we decide to "target" the countries that the attacks appear to come from then we'll just see the attacks move to other countries.
It would be far more effective to start building secure networking to stop the attacks from working. Just throwing bricks more or less in the general direction that we think the attacks are coming from will do very little except to boost postings on social media. If your roof is leaking you can't fix it by firing a gun at the hole.
"we'll just see the attacks move to other countries"
If sanctions include blocking traffic then there's an immediate preventative element. But a longer term element would be deterrence. If condoning or even being over-casual about enforcement were to lead to life becoming difficult for the offending country then it would become difficult or risky to make such moves.
> If sanctions include blocking traffic then there's an immediate preventative element
"The Internet sees censorship as damage and routes around it"
These kinds of attacks can be perpetrated by an attacker using a dialup modem to a compromised box outside of the "blocked" area - and besides, it's virtually impossible to block an entire country (Russia has tried on several occasions to do it the other way around, blocking all inbound traffic to create a Russia-only internet - and failed every time - see comment about dialup modems).
The situation has got so serious that the only solutions are incredibly uncomfortable: increased security costs, decreased convenience, even vetting employees.
It was always so serious:
Increased security costs? The costs of failure to secure IT are higher. If you're increasing security spending in response to attacks you have not been spending enough (on the right things).
Decreased convenience? Yes, if using IT properly is less convenient (and efficient) than paper then why the hell use it? Is it more 'convenient' to have to clear up the mess when IT goes wrong or allows confidential information to be stolen?
Vetting employees? Yes, checking whether the prospective employee is ignorant* is a good idea. Being selective about who you employ (or retain) is sensible.
* Ignorant in this context is intended to include CIOs who think that security is not part of their remit. (Me? Bitter? Not much.)
Building a national health system (or any other service that is worth building) on shonky IT is a disaster waiting to happen.
Well, they were criminals and not state actors. So by that logic in 2005 we should have taken sanctions against the UK after the 7/7 bombings.
I don't know what you can do against the Russian state. We don't trade that much with them, so even ignoring the question of scale, economic sanctions aren't going to be effective and the military option would be an exciting yet mortifyingly brief exercise in futility. Diplomatic grumbling is probably the most we can do.
Cobalt Strike. So the target failed a stringent pen test then.
Perhaps they're relying on the wrong tools for their own testing (supposing they do any).
I'm increasingly annoyed by the almost universal assumption of "adequate security" that never gets properly tested except by the bad guys.
You get the security you put sufficient and appropriate effort into.
It might be a good move for Health Services (and similar organisations) to instruct the local offices to run an overnight job to print out the next day's appointments and explain why. The explanation might at least concentrate minds, and the print-out should avoid cancellations for the next day and give the clean-up a day's start.
Of course going back to something as old-fashioned as paper might offend those who thought it would be a good idea not to have fax, pagers or the like as backup.
Hospital visit: the list of appointments is the easy part.
MD sees patient, compares status with IT based records. Orders tests (x-ray or lab) through same system.
Lab gets order to their IT system, analyses samples on instruments that are in turn dependent on a computer system (+ middleware, naturally)
Lab sends result by way of middleware to patient records system.
Medicines prescribed through IT system.
Surgery? The blood bank can naturally match blood without the special blood type analysis system and have a pre-printed supply of backup-labels for blood bags. Much more work and potentially less accurate (there are actually well over a hundred blood types...) and thus introduces patient risk. Collect blood from a donor without the computer system to compare records and previous results? I suspect that a specialist will have to individually approve each collection for it to be legal (and would be understandably reluctant to do so).
Yes, there are paper-based backups for all/most of this, but they really do not scale and have problems (please copy hundreds of numbers and test codes down with no errors, comparing each to a list of reference values and making sure to flag any that are outside the normal range or differ more than a certain amount from the last such test on that patient).
A small hospital lab performs on the order of a thousand lab tests per day. Add X-ray, microbiology, ultrasound...
To be able to operate fully without IT systems would require a total redesign of hospital workflows.