Royal Melbourne Hospital affected by virus

IT systems at Melbourne Health, which runs the Royal Melbourne Hospital, have been infected with a computer virus that has forced the hospital to shut down many of its systems.

Information security in organisations such as hospitals can be extremely difficult, and I feel for the IT professionals currently working to resolve this problem. Many organisations lag behind in updating software such as their operating systems (OS), but hospitals (like manufacturers and utilities) often cannot update all of their systems at all: many of the devices used in hospitals are driven by a computer of some kind, and the vendors who produce those devices can be very slow to update their software to run on a modern OS. A device that is certified against one OS build may not even be permitted to run on another without re-certification.

This creates a security minefield.

The article linked at the top of this post notes that the infection may have started with Windows XP computers. Windows XP has not been supported by Microsoft since April 2014, so it receives no security patches and lacks the exploit mitigations of modern OSes; a worm that targets an unpatched XP service will find every such machine on a flat network. It will be interesting to watch this story unfold and discover more about the circumstances of this event. I would like to know:

  • Was Windows XP only on those computers that required it for support of medical devices? Or had they been extremely lax in updating systems across the entire organisation?
  • What measures (if any) were taken to (better) secure the Windows XP machines?
    • Were they isolated on the network?
    • Were they restricted to just their required purpose (operating medical devices)? Or were staff checking email and browsing the web on these machines?
    • Were intrusion detection and prevention systems in place?
    • Virus and malware scanning?
  • What security protocols and training were in place to help staff avoid security blunders?
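The isolation and purpose-restriction questions above are ones a network team can actually answer from data it already has: an asset inventory and flow or firewall logs. The following is an added example, not code from the original post, of that check. It assumes a hypothetical inventory (host names, OS, network segment, and the peers and ports each legacy host needs for its job) and a set of constructed flow records; in practice the inventory would come from a CMDB and the flows from NetFlow or firewall exports. It flags unsupported-OS hosts outside an isolated segment, legacy hosts doing mail or web traffic, legacy hosts talking to peers they have no need for, and legacy hosts whose SMB/RDP/RPC services are reachable from hosts other than the ones they serve.

```python
"""Check whether unsupported-OS hosts are isolated and purpose-restricted.

Added example for this post, not code from the original. The inventory and
the flow records are constructed for illustration; in practice the inventory
comes from a CMDB and the flows from NetFlow or firewall logs.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Hypothetical inventory. "allowed" maps the peers a legacy host needs for its
# job to the ports it may use with them; None means no restriction is tracked.
INVENTORY = {
    "xp-imaging-01": {
        "os": "Windows XP",
        "segment": "medical-devices",
        "allowed": {"imaging-controller": {104}, "pacs-server": {104, 11112}},
    },
    "xp-lab-02": {
        "os": "Windows XP",
        "segment": "staff-lan",           # legacy box left on the general LAN
        "allowed": {"lab-analyser": {3000}},
    },
    "ws-reception-07": {"os": "Windows 10", "segment": "staff-lan", "allowed": None},
    "imaging-controller": {"os": "embedded", "segment": "medical-devices", "allowed": None},
    "pacs-server": {"os": "Windows Server 2012 R2", "segment": "servers", "allowed": None},
    "lab-analyser": {"os": "embedded", "segment": "staff-lan", "allowed": None},
}

UNSUPPORTED_OS = {"Windows XP", "Windows 2000", "Windows Server 2003"}
ISOLATED_SEGMENTS = {"medical-devices"}

# Destination ports that suggest a legacy box is being used as an ordinary
# workstation (mail, web) rather than only driving its device.
GENERAL_USE_PORTS = {25: "smtp", 80: "http", 110: "pop3", 143: "imap",
                     443: "https", 993: "imaps"}
# Services on the legacy box itself that worms and lateral movement target.
LATERAL_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "smb", 3389: "rdp"}


def legacy_hosts(inventory=INVENTORY):
    return {h for h, info in inventory.items() if info["os"] in UNSUPPORTED_OS}


def audit_inventory(inventory=INVENTORY):
    """Legacy hosts that are not on an isolated network segment."""
    return sorted(h for h in legacy_hosts(inventory)
                  if inventory[h]["segment"] not in ISOLATED_SEGMENTS)


def audit_flows(flows, inventory=INVENTORY):
    """Flag flows showing a legacy host is not restricted to its purpose.

    Returns (host, finding, detail) tuples in the order the flows were seen.
    """
    legacy = legacy_hosts(inventory)
    findings = []
    for f in flows:
        if f.src in legacy:
            allowed = inventory[f.src]["allowed"] or {}
            if f.dport in GENERAL_USE_PORTS:
                findings.append((f.src, "general-use",
                                 f"{GENERAL_USE_PORTS[f.dport]} to {f.dst}"))
            elif f.dport not in allowed.get(f.dst, set()):
                findings.append((f.src, "unexpected-peer", f"{f.dst}:{f.dport}"))
        if f.dst in legacy and f.dport in LATERAL_PORTS:
            allowed = inventory[f.dst]["allowed"] or {}
            if f.src not in allowed:
                findings.append((f.dst, "exposed-service",
                                 f"{LATERAL_PORTS[f.dport]} from {f.src}"))
    return findings


# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    Flow("xp-imaging-01", "imaging-controller", 104),   # DICOM to its device: fine
    Flow("xp-imaging-01", "pacs-server", 11112),        # DICOM to PACS: fine
    Flow("xp-imaging-01", "pacs-server", 445),          # SMB to PACS: not needed
    Flow("xp-lab-02", "lab-analyser", 3000),            # its job: fine
    Flow("xp-lab-02", "internet", 443),                 # web browsing
    Flow("xp-lab-02", "mail-gateway", 143),             # reading email
    Flow("ws-reception-07", "xp-lab-02", 445),          # SMB reachable from staff LAN
    Flow("ws-reception-07", "internet", 443),           # supported host: ignored
]

if __name__ == "__main__":
    for host in audit_inventory():
        print(f"{host}: unsupported OS outside an isolated segment")
    for host, finding, detail in audit_flows(SAMPLE_FLOWS):
        print(f"{host}: {finding} ({detail})")
```

On the constructed data the inventory check reports xp-lab-02 as a legacy host on the staff LAN, and the flow check produces four findings: xp-imaging-01 using SMB to the PACS server, xp-lab-02 browsing the web and reading mail, and xp-lab-02's SMB service reachable from a reception workstation. Each of those is exactly the kind of exposure that lets a single infected staff PC reach an unpatched XP box.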

Primarily, I hope no patients suffer worse outcomes as a result of this issue. Further, since this is a public hospital, I hope we will see a proper review completed and a report released so that others can learn from this incident.


Ten Keys to Cyber Survival (link)

I just came across this article by John Walker posted on Tripwire’s The State of Security. It outlines 10 key measures to put in place in preparation for a cyber security incident, and I think the list is pretty good. I’ve reposted the 10 items below, but you should go read the full article.

Key 1: Preparation
Always expect the worst to happen, and be prepared and have an established CSIRT (Computer Security Incident Response Team) structure in place, which may be mobilized in a coordinated manner.

Key 2: Processes
The time of encountering an attack is not the time to consider how you will respond to the event. Here, it is essential to have documented processes in place to guide the CSIRT through the security engagement with clear and defined robust actions.

Key 3: Skills
One very important element of the key chain is to have the right people in place who understand the ramifications and implications – people who can deliver value to the incident response process based on the technological risk.

Key 4: Tools
Have tools and response capabilities in place that may be deployed to support the security mission, along with a team who has been trained in their use.

Key 5: Communications
It is important for those larger organizations to have both internal and external communications protocols in place to ensure they can apply follow-the-sun capabilities, as well as communicating with external agencies, such as the police, when the event dictates.

Key 6: Case Management
At the core of all successful incident responses exists the ability to document a contemporaneous record of events, and to record any acquired element or artifacts that may seem to be pertinent to the case under investigation.

Key 7: Stay Legal
It is essential that the applicable laws are understood in relation to the region, or regions, which are implicated by the event – ranging from the UK with its Data Protection Act to those outsourcing domiciles which fall under other international laws and directives.

Key 8: Cyber Threat Intelligence (CTI)
When encountering any form of cyber adverse interest, it is a good practice to seek out what any potential adversaries may be saying about your brand online through the employment of CTI – this can give an organisation suffering a cyberattack an insight into the attacker’s mind and objectives.

Key 9: Digital Forensic Readiness
Remember you may need to investigate the acquired artifacts in more depth, so having an evolved Digital Forensic Readiness Capability in the CSIRT Framework should be considered an essential element.

Key 10: Learning
The last important element of the keys to success is to learn from past events and to adjust the future rules of engagement based on past experience.
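Keys 6 and 9 are the ones with a concrete engineering component: a contemporaneous record of events and a reliable record of acquired artifacts, which only hold up later if nobody can quietly alter them. The following is an added example, not code from John Walker's article or from Tripwire, of a minimal tamper-evident case log: each entry carries a UTC timestamp, the actor, the action, the SHA-256 and size of any artifact acquired (the artifact bytes themselves stay in evidence storage, not in the log), and the hash of the previous entry, so any later edit to an earlier entry breaks the chain. The case identifier, actor names and artifact content in the demo are constructed.

```python
"""Contemporaneous, tamper-evident incident case log.

Added example illustrating Keys 6 and 9; it is not code from the article or
from Tripwire. Entries are hash-chained so that editing an earlier entry is
detectable, and artifacts are recorded by digest rather than stored inline.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CaseLog:
    GENESIS = "0" * 64  # "previous hash" for the first entry

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _entry_hash(body: dict) -> str:
        # Canonical JSON (sorted keys, fixed separators) so the digest is
        # reproducible regardless of dict ordering or whitespace.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(canon)

    def record(self, actor, action, artifact=None, artifact_name=None, when=None):
        """Append an event. 'when' defaults to now (UTC); pass it only for replay."""
        when = when or datetime.now(timezone.utc)
        body = {
            "case": self.case_id,
            "seq": len(self.entries),
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "artifact": None,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        if artifact is not None:
            body["artifact"] = {"name": artifact_name,
                                "sha256": sha256_hex(artifact),
                                "size": len(artifact)}
        entry = dict(body, hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, bad_seq)."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._entry_hash(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def verify_artifact(self, seq, data: bytes) -> bool:
        """Check that 'data' is the artifact recorded at entry 'seq'."""
        art = self.entries[seq]["artifact"]
        return art is not None and art["sha256"] == sha256_hex(data)


def build_demo_log():
    """Constructed walk-through: open a case, acquire an artifact, isolate a host."""
    log = CaseLog("CASE-EXAMPLE-001")           # hypothetical case identifier
    sample = b"MZ\x90\x00constructed sample binary, not real malware\n"
    t0 = datetime(2016, 1, 18, 9, 0, tzinfo=timezone.utc)
    log.record("analyst-a", "Case opened after AV alerts on ward workstations", when=t0)
    log.record("analyst-a", "Acquired suspicious executable from ws-reception-07",
               artifact=sample, artifact_name="suspicious.exe",
               when=t0.replace(minute=12))
    log.record("netops-b", "ws-reception-07 moved to quarantine VLAN",
               when=t0.replace(minute=15))
    return log, sample


if __name__ == "__main__":
    log, sample = build_demo_log()
    print("chain intact:", log.verify())
    print("artifact matches:", log.verify_artifact(1, sample))
    log.entries[1]["action"] = "edited after the fact"
    print("after tampering:", log.verify())
```

The chain only proves the log was not altered after the fact if the latest hash is periodically copied somewhere the CSIRT cannot rewrite (a ticket, a signed e-mail, a write-once store); the code shows the mechanism, the process around it is what makes it evidence.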