Your money or your life
Ministry of Health decided it couldn’t afford the cybersecurity that might have prevented the attack on the Waikato DHB. Dileepa Fonseka reports.
Revelations that another DHB “was having their external firewall probed millions of times a week by Russia”.
The Ministry of Health abandoned an effort to secure all district health board computer systems, citing budget constraints. The Government also has not followed through on its Cyber Security Strategy 2019 which promised annual reports around cybersecurity breaches.
National Party health spokesman Shane Reti says the Government is not giving cybersecurity issues the urgent attention they deserve.
The Sunday Star-Times has seen messages between IT industry vendors showing high-ranked Ministry of Health technology personnel discussing a more advanced cybersecurity system with the industry in 2019. Conversations ended because the department said it had no approved budget to pay for the proposed system.
The plan would have seen a single system solution purchased by the ministry and then licensed out to different district health boards (DHBs). The push seems to have been prompted by the 2017 cyberattack on Britain’s National Health Service.
In response to queries about these communications, ministry deputy director-general of data and digital, Shayne Hunter, replied with a written statement saying no security software can provide 100 per cent protection against cyberattack, and both the ministry and health boards are constantly “undertaking steps to protect against new and emerging threats”.
He notes that “enterprise security protection software” of the type being talked about is in place at a number of different health organisations, but the ministry does not publicly disclose security tools and technologies.
In a presentation to a Health Informatics NZ conference in Hamilton in 2019, Hunter allegedly pledged to the health IT industry that the ministry would put money into a sector-wide cybersecurity system.
Meanwhile, key parts of the Government’s cybersecurity strategy have barely been implemented even though it was published two years ago. Promised measures included an action plan and an annual report.
The minister responsible for the cybersecurity strategy, Kris Faafoi, left the role in November last year.
His successor, David Clark, admits no annual cybersecurity report from the 2019 strategy document was ever produced. However, he promises a report will be produced for the 2022 financial year.
“Implementation of some initiatives under the cybersecurity strategy were slowed or deferred as a result of the Covid-19 pandemic.”
Health Minister Andrew Little says he does not know what cybersecurity discussions ministry officials had back in November 2019.
However, he believes the ministry does have an “IT leadership role”. A future review into the Waikato District Health Board hack will explore what support it offered Waikato in terms of cybersecurity, and whether the board took it.
“I’m not familiar with what happened 18 months ago, what I do know is that last week’s Budget contains specific funding for new IT platforms for the health sector and my expectation is that security will be chief amongst the features of new systems that are installed across our health system.”
Sophos principal research scientist Chester Wisniewski says one IT product discussed by the ministry in 2019, Crowdstrike, was expensive compared to other premium products but could have helped authorities detect the infiltration before hackers got full control of Waikato DHB’s systems.
“It’s got a very good reputation, and in the hands of a capable person, is a really effective way of detecting and responding to an incident.”
Wisniewski’s company produces a similar cybersecurity product to the one discussed between officials and the industry.
He says products like these, which go beyond typical anti-virus and firewall measures, are needed to repel attacks against institutions like hospitals because the nature of cyberattacks has changed over the past five years and many are now “human operated”.
“Historically the only time you really consistently faced human adversaries were if you were in finance, all the big banks, you were in government, or you were in defence,” Wisniewski says.
“Those groups were well positioned to be ready for human attackers because they had been doing it for years. Hospitals had never seen a human attacker.”
The danger to smaller institutions, like hospitals, once mainly consisted of largely automated computer programmes which are easier for antivirus programmes and firewalls to detect. And it was difficult to avoid detection by authorities when collecting the money.
But now, ransom payments can be made under the radar using cryptocurrency, making human-operated infiltration more profitable.
All of which means you now need more than just an antivirus or a firewall.
“You need a modern enough tool that understands how to analyse the behaviour because there is no code involved,” Wisniewski says.
“It’s a human, right there, there at the keyboard, doing things the same way your legitimate IT administrator would be doing those things in the network.”
Waikato DHB chief executive Kevin Snee has been quoted as saying their working hypothesis is that a network breach came via an individual slipping up and opening up a piece of malware in their email inbox.
Theta head of cybersecurity Jeremy Jones says it is not common for these kinds of breaches to happen this way because an email has to go through a number of stages and checks before a user even touches it.
Modern “adversaries” usually take advantage of some vulnerability in a connection which allows remote access from the outside world, like those needed to allow employees to work from home.
Wisniewski says while user precautions and good cyber hygiene around email are important, someone is always likely to slip up. And even if they don’t, attackers can discover other flaws which leave your system open to “full domain compromise”.
So you need software and personnel that are up to the task of detecting these attackers, who in cyber-parlance are often referred to as “adversaries” once they are actually inside your system.
And it is easiest to detect them in those first few days after they have broken in.
Imagine a burglar who breaks into a house in the dead of night. Until they figure out where everything is they are potentially making a lot of noise as they bump into the furniture.
Wisniewski says Waikato District Health Board IT personnel would have seen these attackers if they were looking, or had the tools to look.
“They [the adversaries] don’t necessarily know what kind of security software you have. They don’t know if it’s Crowdstrike or if it’s Sophos or if it’s McAfee. They don’t really know what they’re up against, and so they’re kind of clumsy at the start, and they’re usually setting off some alarms.”
While all of this is going on, your more traditional “old school” IT expert might see a bunch of alerts and dismiss them as evidence a firewall or anti-virus is working.
“Modern security people go ‘that’s the alarm being set off by somebody who just broke in, I need to go investigate’.
“The ones that fail, in the end, are the ones that didn’t know or didn’t understand the severity of the alerts they were getting.”
On average these kinds of attackers are in these systems for 11 days before they send through a ransom note, but Wisniewski says he knows of cases where attackers have been in the system for up to 400 days.
There has been rising concern in recent months about the growing frequency of cybersecurity lapses at major institutions in New Zealand. Cyberattacks caused major issues at both NZX and the Reserve Bank. Those attacks appear less sophisticated than what Waikato DHB experienced recently.
Controversially though, the full details of the NZX attack were never released to the public.
Jones believes authorities and companies need to release more details about hacks like these so others can protect themselves.
He spent 17 years in the Royal Air Force in a variety of defensive and offensive cybersecurity roles. These included a stint as head of data security at Nato’s largest data centre, in Norway, roles protecting military networks in places like Afghanistan, and cyber warfare-related initiatives for the British government.
Jones says he has sympathy for the situation that eventually led to the ministry not following through on commitments to pay for a cybersecurity system across all health boards.
The ministry could only work with the budget it had, he says. Even if it went ahead and bought a cybersecurity product with the intention of licensing it to all health boards it could not have forced them to take it on.
“Any offer to the ministry is only as good as the ministry’s ability to centrally fund it.
“Unfortunately for the ministry, at the time we had this conversation there were no centralised funds available for this.
“Even if there were, there’s a reasonable chance some of the DHBs wouldn’t have taken it up anyway.”
Reti says cybersecurity should be led by central government rather than health boards, who are just not equipped to take on these kinds of responsibilities.
Over the past few years he has been asking regular cybersecurity questions of the country’s health boards. The answers he has received don’t seem to have boosted his confidence in their cybersecurity capabilities.
“About three years ago I pointed out that Hawke’s Bay DHB was having their external firewall probed millions of times a week by Russia.
“There were some DHBs, who, their firewall was being probed so much the log was filling up over days.
“Rather than figure out what they should do about it, they just turned the log off.”
He believes the cost of cybersecurity software which helps repel an attack is ultimately worth it, because the cost of prevention is much lower than the disruption caused by a successful cyberattack in an area like healthcare.
Cybersecurity expert Paula Gair, who runs deriskme.com, says cyber spending is always an issue because there is never enough money available for it.
She also believes a lack of centralised government resourcing and action are an issue when it comes to cybersecurity here.
On Thursday more details came to light about the attack, including allegations a piece of ransomware called “Zeppelin” had been found on Waikato DHB computers. The software encrypts all data on a system, then whichever group uses it demands a ransom and offers up a decryption key for the data.
As well as being encrypted by Zeppelin, the data was also likely stolen before the encryption took place. This way the data can be sold on if Waikato DHB does not pay.
If the information is sold on, it could lead to identity theft or individual patients and staff being extorted.
Gair says this form of “double extortion” is common with these kinds of attacks.
Zeppelin ransomware first surfaced in 2019 and was used to target hospitals, but has received a new lease of life thanks to an update which makes it much harder to detect.
Wisniewski says quite a few ransomware groups have sworn off targeting hospitals while the Covid-19 epidemic rages.
Some, like a group who launched an attack on Ireland’s national health service, have not.
However, even if Zeppelin ransomware is officially confirmed as having been found on health board servers we still won’t know who was behind the Waikato cyberattack, or how they actually got into the system, because of the complicated shadow marketplace adversaries operate in.
Almost every aspect of a cyberattack can be sold, contracted out, or monetised in some way. The group which discovers the flaw, or breaks into the system, can sell access to another group who specialise in threatening ransom or stealing data.
With ransom off the table this leaves Waikato DHB with the task of rebuilding its systems from backups. This process could take anywhere up to a year, especially if those backups aren’t up to scratch.
Reti says one of the questions he asked of Waikato DHB at select committee was how often it tested those backups.
“They said they hadn’t backed up in the past year, across the whole domain.”