Behind the scenes of a cyber attack with Le Cercle du Numérique.


When reproducing, using, or extracting this text, always reference the source and the author: Ignacio Rondini

On the 20th of May, I participated in an event held by the Cercle du Numérique [1], where we were shown how a big hospital group reacted during a cyber intrusion into their systems. The attack started on a Friday evening, when someone on the monitoring and operations teams realised that the antivirus on one of the servers was down. When they tried to reboot it and couldn't, they realised that a ransomware attack was under way, as the data was being encrypted. It propagated to a few more servers until they decided to isolate their servers and to completely cut their internet access, in order to prevent data exfiltration and possible future extortion, as the data held by the hospital is personal and at the core of their operations. Furthermore, such a leak could entail serious GDPR consequences.

Besides the narrative of how the attack went and how they reacted, it was an interesting talk because it was real experience from real teams. Here are a few points that were remarkable for me.

First of all, you don't completely know the dependencies of your systems. They suffered from this when cutting internet access entirely. Suddenly, tools that were, in principle, not talking to the internet stopped working because of some hidden check against an external endpoint. If you don't have access to the internet (or any other critical resource), can your business keep operating? Do your tools keep working? Do you have access to your data, your repositories, your applications? And for how long? How do you keep data flowing?
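As an added illustration of that first lesson (this is not code from the original post or from the hospital's tooling), the script below builds an inventory of external endpoints per application from outbound proxy or firewall logs, so that hidden dependencies such as a licence or certificate check surface before the link is cut rather than after. The log lines, hostnames and the rule for what counts as "internal" are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy/firewall log lines (not from the hospital in the post).
# Field layout assumed: timestamp host application destination:port action
SAMPLE_LOG = """\
2024-05-17T18:02:11 lab-srv-01 lab-results-app results.internal.example:443 ALLOW
2024-05-17T18:02:12 lab-srv-01 lab-results-app licensing.vendor-example.com:443 ALLOW
2024-05-17T18:03:40 pacs-01 imaging-viewer pacs.internal.example:104 ALLOW
2024-05-17T18:03:41 pacs-01 imaging-viewer updates.vendor-example.net:80 ALLOW
2024-05-17T18:04:02 hr-01 payroll-app payroll.internal.example:8443 ALLOW
2024-05-17T18:04:05 hr-01 payroll-app ocsp.ca-example.org:80 ALLOW
"""

# Assumption: anything under these suffixes stays reachable when internet is cut.
INTERNAL_SUFFIXES = (".internal.example",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, app, dest, port, action = m.groups()
    return {"ts": ts, "host": host, "app": app, "dest": dest,
            "port": int(port), "action": action}


def is_internal(dest):
    return dest.endswith(INTERNAL_SUFFIXES)


def external_dependencies(log_text):
    """Map each application to the set of external endpoints it contacted."""
    deps = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["dest"]):
            continue
        deps[rec["app"]].add(f'{rec["dest"]}:{rec["port"]}')
    return dict(deps)


def apps_at_risk_if_isolated(log_text):
    """Applications that would lose at least one endpoint during an internet cutoff."""
    return sorted(external_dependencies(log_text))


if __name__ == "__main__":
    for app, endpoints in external_dependencies(SAMPLE_LOG).items():
        print(app, "->", ", ".join(sorted(endpoints)))
```

In the constructed sample, the payroll application looks purely internal until the OCSP revocation check shows up, which is exactly the kind of dependency the talk described.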

At the hospital, one of the main fallback tools was the phone. People could still call to find out about their medical visits, their exams, etc. Paper could still be used to transmit information between different organisations. In this regard, one point that I found critical is that, according to the presentation, for some medical treatments, cancer for instance, you need to be able to compare two points in time: for example, your imagery now and the one from 6 months ago. If you cannot access it because it is not available (or because it got encrypted and cannot be recovered, at least not yet), then you cannot prescribe a new treatment, and you lose time. It is thus important to know the nature of your data and how sensitive it is, to know what is crucial for your organisation and what loss would be tolerable.

Secondly, you need to know your business and talk to your users. This is paramount. In their case, their users were the whole medical corps, together with the supporting roles such as administration, HR and IT. In situations like this, where you need to contain the threat and you are disrupting normal operations so much, you need to work cohesively with the different organisations, so you can establish priorities and workaround plans and really align the effort with the security measures. You don't need more risk (and frustration) added because people don't understand the actions you're taking.

Thirdly, you should prepare, but you will probably never be fully prepared. You can't completely prevent bad things from happening and you can't prepare for every possible scenario, so you should also be ready to react when an attack manages to hurt you. This implies having a clear organisation for these cases: Who can decide what? Who is the backup for whom in those decisions? What should be communicated to whom? And so many other questions. In these scenarios, you may be pushed to take some serious decisions, and it should be clear who is accountable for them and who can actually make them. Planning for the unknown means being ready for decision-making, instead of trying to foresee every decision. Nevertheless, you should still try to protect yourself as best you can.

Lastly, I would say that security is everyone's responsibility. However, finding the balance between security measures and operational needs may be difficult. You don't want to encourage shadow IT just because the measures you took were not understood, or because they disrupt people's daily work too much, without telling them why and proposing alternatives. At the end of the day, everyone wants to do their job, so again, communication and a unified vision of the business are fundamental.

Footnotes

  1. The Cercle du Numérique is a trade group that brings together French-speaking IT decision-makers in Belgium. You can find more at Cercle du Numérique