CS Sep-Oct 2021

More documents

Recommendations

Info

health check 8AM AND I.T. IS IN FOR A VERY TOUGH DAY! STARK LESSON UNFOLDS IN THE CYBER SECURITY DANGERS THAT ARE LURKING 'OUT THERE' Cheshire and Merseyside Health and Care Partnership wanted to find out how well it would stand up to a cyber-attack. So, it asked Gemserv Health to put together a scenario-based response exercise that started with some seriously bad news - but uncovered a lot of useful information. It's 8am and it was a nice day until you turned on the radio. The news has just started and the lead story is that a video has been released showing a group of NHS leaders making worrying remarks about a Covid-19 vaccine. They seem to be suggesting that safety issues are being covered up and the share price of the vaccine maker has crashed 10% overnight. The phone starts ringing. It's a press officer wanting to know what IT is going to do about this leak, or fake, or whatever it is. CYBER-ATTACKS SPREAD, FAST This is the scenario that greeted 22 heads of IT in Cheshire and Merseyside in spring 2021. It was constructed by Gemserv Health, with input from Cheshire and Merseyside Health and Care Partnership, to find out how the integrated care system (ICS) would respond to a cyber security incident. Paul Charnley, digital lead for the ICS, explains that the commissioners, councils, hospitals and other providers in the area have their own policies and procedures in place. But the ICS didn't have an overarching response that was tested and ready to use. that requires every organisation to plan for and rehearse its response to a cyberattack, but one of the things that we learned from WannaCry is that a cyberincident can impact a large geography very quickly," he says. "We need to be able to coordinate. "The exercise that we ran really brought that to life. It was very salutary and very helpful, and it has given us a lot to think about. We have learned a lot since WannaCry, but we are in an arms race with the hackers and we've still got more to do." LEARNING FROM WANNACRY WannaCry was the worldwide ransomware attack launched in May 2017. It didn't target the NHS, but the National Audit Office estimated that 34% of trusts in England were impacted anyway. One reason was that the NHS employs a lot of people; with 1.3 million staff, it had a lot of malicious emails to contend with. Another was that WannaCry spread through older, unpatched Windows systems; and the NHS had a lot of those in computers and medical devices. However, a third problem was that there was no coordinated fightback. The NAO reported that the Department of Health had been working on a plan, but it hadn't been tested at a local level, so "it was not immediately clear who should lead the response and there were problems with communications." Some trusts couldn't be reached by email "because they had been infected by WannaCry or had shut down their email systems as a precaution", leaving a mix of switchboards, mobiles and WhatsApp as the only way through. ONLY AS STRONG AS WEAKEST LINK IT leads in Cheshire and Merseyside wanted to do better. "After WannaCry, we swore that we would work more closely together, under the tagline: 'we are only as strong as our weakest link'," says Charnley. The 22 heads of IT in the area agreed to standardise their policies and procedures, and to pool any funds made available by the NHS, to make the money go further. Cheshire and Merseyside HCP is now working with NHS Digital on a target cyber-security architecture and on a procurements process to deliver the strategy. "NHS Digital has a data protection toolkit 16 computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk
health check This has enabled individual organisations to work to a standard on one of two security information and event management systems: one medical device protection product; and one single sign-on product to give staff secure access to clinical and administrative systems. "We have worked on our strategy and then we have moved to manage our supplier market and our procurement teams to buy in harmony with that," he adds. "Gemserv has supported both the policy and the business models." FINDING THE GAPS Cheshire and Merseyside HCP is better protected against a cyber-attack than it was five-years ago; but the mantra of cyber-security is not to ask "if" a cyberincident is possible but "when" one will occur. The scenario-based exercise was designed to find out how ready the ICS is to deal with an attack; and whether IT leaders across the patch are clear about who will lead the response and how they should communicate with each other. Before Covid-19 arrived, the ICS had been looking to run a physical event, but because of the pandemic it moved to Microsoft Teams. Five virtual break-out rooms were set up for organisational teams to use, and the scenario was fed to them. As the event went on, the teams also received 'injects' of information to take the scenario in a different direction and test their ongoing responses. They got some 'good' news: the video didn't feature local executives and was instead a 'deepfake'. They also received some 'bad' news: one of the executives who had been deep-faked had also been spear phished. His email and that of his contacts had been targeted. A route was open for a ransomware attack. NOT IF, BUT WHEN Charnley says that on the day of the cyber scenario event, years of hard work in Cheshire and Merseyside paid off. IT teams were able to mount a more coordinated and coherent response to the Gemserv scenario than they were to WannaCry. They also had better tools to use. However, the exercise showed there were gaps to fill. The area turned out to be short of some specific cyber-security expertise out of hours. There were still questions about how decisions would be made that were big enough to require sign-off from Government departments in London or the NHS's central bodies in Leeds. It emerged that health and local authority incident response planners needed a cyber playbook to put alongside the playbooks they have for dealing with train wrecks, chemical spills or even nuclear incidents. Gemserv Health is now helping to write one, and when it is ready, Charnley wants to test it by running the exercise again. "Gemserv told us that the military builds things and then attacks them," he says. "It costs millions of pounds. We don't have that kind of money, but we can learn a lot this way. I want to do this every six-months - certainly every year - and I think every ICS should be planning to do the same. "I'd definitely encourage others to follow this model and this approach. We wanted to work with an external partner, because it's easy to be insular or to play to your strengths in these exercises. Having an external view was very helpful. It gave us a lot of things to think about." Paul Charnley, digital lead for ICS: no overarching response in place that was tested and ready to use. www.computingsecurity.co.uk @CSMagAndAwards September 2021 computing security 17
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment 2021 COMPUTING SECURITY AWA
Page 5 and 6: There’s a difference between feel
Page 7 and 8: ADISA ICT Asset Recovery Standard 8
Page 9 and 10: UNIQUE EVENT FOR THE CYBER SECURITY
Page 11 and 12: ansomware BASIC SECURITY IS ESSENTI
Page 13 and 14: 50 % OFF RANSOMWARE PREVENTION & PR
Page 15: information security things, but, w
Page 19 and 20: global intelligence will have impli
Page 21 and 22: all at sea CRUISING FOR A BRUISING
Page 23 and 24: all at sea Secondly, adversaries' c
Page 25 and 26: information security more effective
Page 27 and 28: new-world shakeup for every employe
Page 29 and 30: global intelligence Incident Notif
Page 31 and 32: CS Nominations 2021 NOMINATIONS OPE
Page 33 and 34: APTs malware to install backdoors t
Page 36: Pragmatic and experienced risk mana

CS Sep-Oct 2021

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?