
PwC’s HSE hack post-incident report should be a corporate textbook

There's still a mountain to climb on organisational maturity when it comes to cybersecurity. Image credit: Sylvain Mauroux

Ireland’s Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country’s healthcare sector in the summer of 2021 — on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland’s largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 locations. More than 80% of the HSE’s extensive IT estate was affected by the Conti ransomware attack, which saw 31 of its 54 acute hospitals cancel services ranging from surgery to radiotherapy.

The report notes that:

PwC’s crisp list of recommendations in the wake of the incident — as well as detail on the business impact of the HSE ransomware attack — may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded. (PwC’s full 157-page HSE post-incident report is here.)

HSE post-incident report recommendations

HSE’s IT environment had high-risk gaps relating to 25 of the 28 critical cybersecurity controls assessed. Credit: PwC

Among its recommendations: That the HSE “should establish clear responsibilities for IT and cybersecurity across all parties that connect to the NHN, or share health data, or access shared health services. This formalisation of responsibilities should include specification of Service Level Agreements (SLAs) for centrally-provided services, including availability requirements. The HSE should define a code of connection that defines the minimum acceptable level of security controls necessary to connect into the NHN, to be agreed by all parties connected to the NHN, including requirements for central reporting of cybersecurity alerts and incidents. The HSE should establish a programme to monitor and enforce ongoing compliance with this code of conduct. Compliance with the code of connection should become part of the onboarding process of any connecting organisation.”

The report is in keeping with post-incident reports on most major recent cybersecurity incidents, including the 2021 ransomware attack on Colonial Pipeline in the US, where an absence of cybersecurity leadership and a basic lack of security hygiene likewise contributed to the incident’s impact.

(The Stack continues to urge organisations hiring a CISO to have them report directly to the CEO and regularly to the board where possible. As specialist cybersecurity recruiter Owanate Bestman earlier told us: “Traditional reporting lines are typically CISOs reporting up to the board, usually the CTO or CIO. In smaller organisations, this can even be the CRO. In such cases, the CISO title is not usually present, but instead, it is Head of IT/Cyber Security, which often betrays an underdeveloped or misunderstood security function. Of the CISO searches I have conducted, most of the reporting lines are to the CTO, followed by the CIO. Far fewer tend to report to the CEO. While other factors come into play, CISO positions that report to the CEO are more attractive to applicants as it is seen as giving the role a more significant presence. It provides the CISO with a seat at the table.”)

See also: Veeam CISO Gil Vega on reporting pen testing results to the board, building a security culture, sleeping at night, tips for CISOs.
