Conficker seizes city's hospital network Staff at hospitals across Sheffield are battling a major computer worm outbreak after managers turned off Windows security updates for all 8,000 PCs on the vital network, The Register has learned. It's been confirmed that more than 800 computers have been infected with self-replicating Conficker code. Insiders at Sheffield …
"This decision was taken by the IT Change Advisory Board to prevent further disruption in theatres which could have affected patient care." No individual was responsible for the move, the Trust added.
Clearly the IT Change Advisory Board is a borg-like entity, so perfectly assimilated that distinguishing its individual drones is now practically impossible.
Sack 'em all (it?) then, obviously; if no-one is responsible, then everyone is.
Also, shouldn't anything you need in an operating theatre be running one of the guaranteed, real-time scheduling, safety-critical OSs that things like aircraft use?
Looks like some(one/thing) else is in need of being removed.
This is pretty typical, and 100% understandable as the MS updates have a nasty habit of rebooting when they see fit. Switching it off is a fast and easy way of ensuring that your systems are up.
Thank you MS for your totally shit update system.
A better way, of course, would be to have the PCs update from a local (and thus controlled by the trust) source, but still denying auto-reboot. Chuck a message up to user, (so they can re-boot when safe); run audits and have an IT bod check the PCs that say they have not re-started for the updates to take effect.
These problems are caused by the pathetic MS update system and semi-competent IT bods trying to work around the "we know best, you shall obey" attitude of MS. A machine reboot on a critical system could damage kit or, in the case of a hospital, kill someone.
As for the committe; yes. Sack them. They are obviously, to a person, not competent.
This post has been deleted by its author
Dear god!
You've first got utter stupidity on the part of the network managers: Computers in an Operating Theater should not be connected to the internet, especially if they're vital to the success of operations. And they should definately not be allowed to install updates unsupervised.
But to then react to that by disabling security updates across your entire organisation? Somebody needs to be sacked here. It sounds like both the network staff and the management are utterly incompetent.
I'm managing 100 computers here, without anything so critical as an operating theater, but I still have better policies in place than these jokers.
PC in operating theatre... seems reasonable.
Running Windows on it.... wouldn't be my first choice, but suitably locked-down it's reasonable, and has the benefit that people are familiar with the UI.
Turning off automatic updates... also reasonable (albeit counter-intuitive). Testing changes is extremely important; and the PC should be locked-down enough that it's not going to get infected.
Connecting life-critical PC in operating room to the internet... absolutely insane. Any life-critical PC should be air-gapped from the public internet.
(Also, any PC with my medical records on should be air-gapped from the public internet - not that the NHS would ever bother doing that).
Wait, some machines were playing up a bit, so they disabled *all* patching?
WSUS is free, and you can auto assign patch groups through GP. Wouldn't have been a stretch to put the critical machines in one group that needs patches more stringently tested before rollout and stick the general ones to update as per normal?
Anyone who can read TechNet articles can get WSUS running in an afternoon.
umacf24 hits the nail on the head, the dates in the story don't make sense. I just checked my in-laws Vista machine and it received the update in the first half of November.
I *want* to type things like 'use linux you fools', but of course if linux was more popular it would be as exploited, so I'd rather it stayed in the domain of the geek, server and netbook. And of course using Mav would make the NHS even more bankrupt........
Why are these computers connected to a LAN with internet access. Surely anything critical, and in this case potentially life-threatening should be on a separate network?
I worked for many years in the Space industry, and the operational machines (those which run the satellites) were on a physically separate LAN with absolutely no internet connection. PCs with the usual office apps and internet connections were on the development LAN.
That would be too sensible in this case.
@Paul Uszak: The operational machines are all Linux and Solaris, so no chance of a virus there ;)
'The trust argued that the consequences of its decision making had not cost public money, "just time and effort by the IT teams".'
All well and good, but that's time and effort that costs the trust wages, and means they can't be off doing something more useful instead. Time costs - even if you already employ the staff, there is still a cost - I'm sure the support guys weren't sitting around on their backsides doing nothing beforehand...
... if you read the Windows license carefully, it actually states that you shouldn't use it where anybody's life is at stake. This probably doesn't apply to Windows for Warships and the like, but what are these people running? XP? So Microsoft warned them the system wasn't up to it (and in fairness, if I'm guessing right about the OS, the system wasn't designed to be up to this sort of job).
Does nobody read the license agreement? Don't answer that.
My gut reaction was actually to go on a Linux-recommending rant, but in fairness, although I do think Linux is pretty stable and a minimal configuration can be incredibly robust, there are probably better things to run in an operating theatre. It would still be preferrable to an OS that literally comes with a health warning though.
'The trust argued that the consequences of its decision making had not cost public money, "just time and effort by the IT teams".' Err... and with what money is the IT team paid? Public money presumably? I know IT staff are not paid that much these days but still.
Also @Jon and others: they never said the theatre PCs were connected to the Internet nor that any of those were part of the 800 that are infected, they just said it was due to one of them that the decision to suspend automatic updates was taken. And remember that this virus can propagate through network shares, USB keys, etc. so depending on their network topology, you could very well have machines infected even though they have no Internet access: they just need to be connected to the network and they presumably are, at least indirectly, if they receive Windows updates.
I have worked in an OT environment for 7 years, and all the PCs used by our health trust run windows.
What mystifies me is that the PCs rebooting caused a significant problem. The software used in our theatres is primarily a database to track operating lists, staff involved in operations, surgical implants used, operating times, serology and other investigation results, and the like - the vast majority of which is still recorded on paper as well.
The only other application (and only recently introduced) has been the electronic viewing of X-rays and CT scans, with software to allow orthopaedic surgeons to plan the sizes of hip/shoulder/knee replacement implants pre-surgery.
The temporary (over the span of even as much as an hour or so) unavailability of any of these systems is nothing more than slightly inconvenient. However, this is simply a snapshot of OT computer use in a single trust,. Sheffield may be using more involved and safety critical systems.
Also, our IT department at least has the sense and decency to run planned maintenance and updates out of hours, and have the courtesy to email us and let us know in advance when and for how long the computers will be out of use.
Its why they have committees. So nobody is to blame and they can keep taking their fat pay checks regardless of how badly they feck up.
Its been proven time and again, if nobody is responsible for decisions then people do what they think is easiest for them.
Was it President Eisenhower who had on his desk a sign saying: The buck stops here.
Nothing wrong with Committees per se as advisory boards, but someone has to be decision maker and put their balls on the line.
Still, sounds like one major SNAFU. Auto-rebooting computers... shouldnt happen anywhere these days.
I can't believe no one here has said this yet but every single aspect of Windows Update that you can think of is configured using Group Policy and WSUS and is exactly what an organisation of this size should be using and I'm sure they were (though perhaps the Automatic Reboot setting wasn't ideal for the operating theatre PC's, pro's and con's of using Windows in a theatre aside.
It sounds to me as though the Anonymous person quoted in the article suggested to his boss that operating theatre computers be assigned to their own WSUS / Group Policy groups so they can be configured differently. His computer illiterate boss who one assumes is pally with a rather miffed surgeon overruled this decision. I think this man is where the focus should be.
Blaming the network staff here is a little premature I think. Many times the advice of network managers and other IT staff is ignored and it is very possible the 'IT Change Advisory Board' has no one with any technical experience at all, or the senior IT bods on the panel are so out of date to be next to useless when forming any kind of sensible decision.
Please don't blame the techies. Chances are they know exactly what they need to do and how to do it. Unfortunately the 'customer' and management may be getting in the way here I suspect.
Sack the clueless cunt. As others have said, the fucking exploit was announced waaaaay before December and it's just piss-poor admin policy if the fucking things are set on the default "check for updates smack-bang in the middle of the working day" policy and have them internet-capable and not on a segregated LAN with its own update server...
Useless...
Some dumb comments on here - this worm spreads on a network internally via network shares, no access to the Internets required. It might have got onto the network via USB flash drive.
Also, the surgery could have been taking place at 3am - this is the default setting for automatic updates to be applied. You've got to keep it simple - yes WSUS & GP allows you to configure everything but changing defaults around for the sake of it isn't a good idea. No doubt lesson learned - the hard way. Feel sorry for the IT bods at the bottom dealing with it.
Why is everyone assuming that just because a computer is in an Operating Theatre it means that it must be running mission critical tasks?
The article says nothing about what it was actually doing and for all we know it could have just held the surgeon's mp3 collection! It's fairly safe to say that it's not running anything on the life support side as it's likely that we'd have heard about the resulting deaths along with an amusing Register headline like "Blue Screen of Death" or something.
Having said that, what an absolutely crazy decision to turn of ALL updates! As has been said by others, it's not like WSUS is a difficult one to set up!
You just cant help yourself can you. You just dont get it!!!!!
If each and every one of you beardy-wierdy, tank-top abusing, sandal wearing, penguin loving freaks of nature wrote as many lines of code for linux apps as you do lines of abuse found here and in other comment areas and blogs then the world would be run completely by linux.
You slag off the fact that there is a windows PC in the theatre. Its not there to run OpenOffice or pick up some fucking email. The reason a windows PC is in there is because the application THEY want to run isn't available in Open Source or Linux. Why isn't it available? Because you usless fuckers are patrolling comment areas and blogs ready to troll windows failures instead of looking to improve Open Source application availability and properly compete in the market.
GET OFF YOUR ARSE. WINDOWS WILL ALWAYS BE AROUND UNTIL YOU USELESS TOSSERS DECIDE OTHERWISE.
Paris because even she knows a single opensource app does not fulfill the requirement of an entire market sector.
it would surely have to be connected to t'internet. This somewhat beggars the question, WTF is a computer in an operating theatre, presumably which performs some critical function towards the surgery (otherwise what is it doing there) connected the the internet? Surely any machine performing a critical life support function in a hospital should be in an isolated environment, in which case it wouldn't need updates anyway?
Why was an organisation of this size relying on automatic updates to patch their machines? There are enough patch management systems out there to control the rollout of updates to PCs that don't rely on the vagaries of a random download and reboot. Even WSUS could've handled the theatre PCs as a special case and that's a free download from MS.
This isn't a Windows problem so much as a management issue. Put this shower of monkeys in charge of a Linux installation and they'd still screw it up.
None of this adds up to a problem with Microsoft. It all adds up to a problem with management not having a clue what they are doing. For a start, despite comments from the usual Mac and Linux retards above, Operating Theatre PC's running windows are not running anything important. They don't run life support systems or any of that crap so the PC's rebooting would have been a minor inconvenience, not life threatening.
Secondly, why were the PC's all left to update themselves? There is no good reason for 90% of these PCs to be on the Internet in the first place and, in any case, it's appalling bad management to let them update themselves. Updates should be being pushed out from a central location in a controlled manner and at a specified time. Even then, it can be configured so that the user is ASKED if they want to reboot now or later.
And lastly, as pointed out above, the patches were released in October but update wasn't turned off until December. So, someone, somewhere, is telling big fat lies to cover their arse..
So this is a case of management not knowing Jack Shit and making crap up to cover themselves. The Linux and Mac retards who clearly didn't bother reading the article before hitting the button they have set up to post "Ha ha, Windows failed, Linux/Mac rules" can all crawl back under their rocks now.
NHS in huge management fuck-up is hardly a news story is it?
Patching is the optimum solution (and for the vast majority of PCs on desks it is the only sensible one). But in the case of Conficker, any decent AV program should have stopped it. Alternatively, a product such as eEye Blink can provide effective endpoint protection without really needing patches at all.
HOWEVER - Conficker is a tricky beast. If someone logs onto an infected machine with Domain Admin rights then it's pretty much game over, even if you have the patches installed. You cannot rely on patching alone.
It's not the OS that's at fault here, it's the mis-management that allowed a) the machines not to be properly locked down, b) system updates to be slapped on in what seems to be an uncontrolled manner, c) an ill-considered response to some objections to a small number of these updates to cause an even bigger outage!
The problem exists between keyboard and chair...
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2021
