
The following is an edited transcript of one of our four topics. To hear the full conversation, play the podcast.
Howard: News item one: Newfoundland and Labrador’s privacy commissioner slams the provincial government for the way it handled a ransomware attack on the healthcare system in 2021. In the attack, the personal information of at least 100,000 residents and healthcare system employees was stolen.
Terry Cutler: Let me just open the hood a bit to show you what happens behind the scenes when this happens. Health care right now is taking a beating. There’s a lot of staff that come in [to an institution]. They’re all gung-ho to make a big change in their environment. You know, dealing with 18,000 computers. Then they realize how much bureaucratic red tape there is, and they can never get anything done. If they want to deploy a patch, it could take a month or two months because there’s always some reason why they can’t do it. And there’s a good chance that an IT consultant that found vulnerabilities is no longer there either. So when an incident occurs, they must coordinate different [IT] teams to discover what happened.
Then they realize there’s no EDR [endpoint detection and response] in place. Too many tools are deployed, so they don’t know where to look. So if somebody’s handling an incident on a desktop, they have to involve the network team, and maybe they have to deploy the server team. And these groups don’t necessarily talk together. Then they realize when trying to piecemeal this all together that they’re missing a lot of log information. Or the event logs were never collected, they’re in trouble now, and they’ve got to find an [external] incident response team. Then they find out how much it costs to engage these teams. Now they’ve got to get budget approval. Two or three weeks have passed since this occurred before they had an IR team. Then the team has to start collecting evidence. And the biggest challenge is to preserve the evidence of what happens so they can figure out what’s happening.