Faulty software, aging systems, complexity and a lack of full network control all contributed to computer virus infection at Waikato District Health Board last December, according to a report presented to the DHB’s board today.
The incident led to a system shutdown of up to two days in some parts of the health services provider.
The Audit NZ report levels criticisms at the DHB board, executive and management, saying insufficient priority was given to the work required to provide a more stable and secure IT environment.
Partly based on an internal report, obtained by Computerworld under the Official Information Act, Audit NZ identifies a series of failures that contributed to the infection.
“Several internal and external reviews and audits identified high risk areas that needed action,” writes report author Alan Clifford, Audit NZ’s director of information systems audit and assurance.
Other contributing factors include a large number of machines connected to the network but not supported by the DHB’s information services team. Weak password settings were also identified, along with the extensive use of USB sticks and weak enforcement of security policy.
The Conficker computer virus entered Waikato District Health Board’s network in December last year, almost certainly from a USB stick loaded onto a Wilson Parking workstation connected to the DHB’s network, according to the DHB’s internal report and as reported by the Waikato Times.
The workstation had no anti-virus software installed and was not fully patched, according to the report, dated 7 April.
The infection led to a shutdown of the health service provider’s IT systems on 17 December, with some areas affected for just over an hour and others not fully restored for two days.
The Wilson Parking system is still quarantined from the DHB’s network, the report says.
The virus then entered Waikato DHB’s network by exploiting a server operating system vulnerability on a number of servers in the health board’s datacentre, bypassing CA eTrust anti-virus software that was unable to capture and disable the virus, the internal report says.
CA has confirmed a flaw in its anti-virus software, the report says, and issued a fix.
From the datacentre, the virus then obtained domain administration rights from a logged-on user and propagated throughout the server and workstation environment.
Waikato DHB was one of several New Zealand organisations hit by the virus, including the Ministry of Health and Fairfax Media (publisher of Computerworld), late last year and early this year. Many overseas organisations also fell victim to the virus.
Responding to Audit NZ’s criticisms, DHB management comment that a risk assessment was undertaken ahead of the attack as the Conficker threat emerged, but this was not documented.
A patch was also applied to critical servers and file and print servers and was tested, management writes.
Waikato DHB was in the process of conducting what it describes as an “ambitious programme of work” over four years to address issues identified in earlier reports, management says. These include messaging migration and perimeter security projects.
“The legacy of low investment for several years and too few resources takes some time to turn around, and the DHB recognises it still has some way to go,” they write in response to Audit NZ’s findings.
Management concedes not all servers were patched: “Some of our servers are so old that patching would be more likely to adversely impact the services running on them than any external threat would.”
In response, DHB management writes that in an increasingly digital environment the machines connected to the network include all kinds of devices, not just PCs; all of them, however, should be subject to standards and controls to ensure a safe environment.
Desktops, they write, were clearly not up to the latest level of security.
Echoing a common issue in complex IT environments, management write that applying service packs and patches in the DHB’s current environment is “not a straightforward, automated process like it is with the typical home PC”.
“Each new software item needs to be tested in terms of its compatibility with other applications or operating software in use in the organisation. This makes it a longer and more resource-consuming work item, and as such it takes its place in the queue.”
Management write that difficulties in employing a security manager, now resolved, did not help. Nor did difficulties in getting security awareness training included in orientation programmes.
Once the infection happened, the DHB’s response appears to have been strong, with services restored “promptly” and no significant patient impact recorded.
The report says with the benefit of hindsight, the response could have been improved, however, in context, it was “appropriate but not optimal”.
Clear priorities were established, the report says, based on clinical need.
The media response to the incident was also criticised by Audit NZ as creating distractions and additional work for the team that was working on a fix.
“The involvement of the media is a moot point,” DHB management respond, “though the style of dramatic and inaccurate reporting which was experienced is not helpful to the organisation.”
Board management also outline a range of responses to help ensure such incidents do not recur. These include: improved patch management tools and processes; supplementing or replacing the anti-virus tool; defence in depth; and a continuing ban on USBs until further controls are in place.
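The interim USB ban in that list can be enforced per host on Windows by disabling AutoRun for every drive type and stopping the USB mass-storage driver from loading. The script below is an added illustration of that control, not code from Audit NZ or Waikato DHB; it assumes an elevated session on a single host, with the understanding that a domain environment would normally push the same values through Group Policy.

```powershell
# Added example (not from the Audit NZ report or the DHB): applies the interim
# "ban on USBs" control on one Windows host and reports the resulting state.
# Assumes an elevated PowerShell session; in a domain these values are normally
# delivered by Group Policy rather than set locally.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaLockdown {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun/AutoPlay for all drive types,
    # closing the autorun.inf launch path that worms use on removable media.
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Start = 4 (disabled) prevents the USB mass-storage driver from loading,
    # so newly inserted sticks are not mounted at all.
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

function Get-RemovableMediaState {
    # Read back both values so the host's compliance can be reported centrally.
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $start   = (Get-ItemProperty -Path $usbstor -Name 'Start' `
                -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoRunDisabled   = ($autorun -eq 0xFF)
        UsbStorageBlocked = ($start -eq 4)
    }
}

Set-RemovableMediaLockdown
Get-RemovableMediaState | Format-List
```

Reversing the USBSTOR change (Start = 3) restores removable storage once the further controls the report refers to are in place.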
Waikato DHB’s CEO, Craig Climo, notes that the virus did not take the organisation’s systems down.
“We made that decision, to protect the system and speed recovery. We have heard of a major New Zealand site where recovery took five weeks,” he says.
“Our attack was public because of the way we chose to deal with it. IT did well to have us up and running in about two days. Services operated surprisingly well in that time.”
He says the issues that caused the attack have been addressed while broader issues of IT infrastructure soundness are being addressed and have been for several years.
The health board manages more than 3300 PCs, 180 physical servers and 30 virtual servers.