Conficker seizes city's hospital network

The probable picture...

From having worked in NHS tech, the probable picture is more like:

A PC reboots in an operating theatre. PCs in operating theatres tend not to have much on there apart from access to the databases of what's next, and what's going on. It's an inconvenience, but not a showstopper. The really imporant stuff is non-windows, and that's the stuff that keeps you alive.

Now, one of the consultants is likely to have been most peeved by this, and demanded an instant assurance from the trust board that this doesn't happen again. The trust board let IT know that it needs to be fixed NOW. Don't think about it, just stop it happening.

Trust IT are usually completely overworked (try 5000 users, with one sysadmin, one DBA, one Network Admin and 6 people to fix PCs, all that to support all the external vendor supported systems, plus stuff the local devs do, the security, the patching, the planning, the documentation, the management of systems etc.).

The likely event is that the decision was made to hold back updates until all the policy could be implemented to split the main load of computers apart from the Theatre ones, and the admin(s), if they had an admin team (some hospitals share people amongst several sites, and rely on vendors for support of all the machines they have; a LOT of NHS vendors keep trying to say "You don't need local admins, buy from us, and we'll look after the application on the machine for you". Without saying they won't keep machines updated or anything else like that, and some trusts, not knowing better, go with it, especially the small hospitals), being told, "Just turn it off until it can be fixed. Directive from the Directorate".

The reason Windows in in the NHS is because all the developers code for it (the amount of medical software that is Windows/SQL Server/IIS only is the huge majority). Which means it needs to be implemented. And there are also huge Microsoft deals making it cheap to install Windows.

So, because of budgetary constraints (no NHS hospital has enough funds to run well at the moment; the 'Targets Culture' has meant huge amounts of money having to be spent on ticking the boxes, or being fined by the Government when you don't manage to, Which creates a vicious circle of "Can't afford the resource to meet the arbitrary target set by the Government, so they fine you, taking what little you had away from you, making you miss more targets") , you end up with too few staff to do the real work, but because everything usually keeps pushing out the number, the Directorate consider that all is ok. And if everything just works, they cut back more on IT, making it a prime target for cuts at every stage.

NHS IT is a bind. You're overworked, understaffed, under resourced at every stage, with a group of competing Medical departments all pushing for arbitrary systems to be installed (sometimes with a day's notice if you're lucky), all wanting things to be done. Yesterday.

Yeah, this kind of thing is likely to happen in a large amount of the hospitals around. There is an easy solution (and it's not "fire the teams there"). It's called "hire the right size of team to do the job, with extra qualifications and experience to complement the existing skills".

However, that costs money. And it comes back to the NHS not having any, so requests to expand the team will be met with a resounding "No".

Oh, and for all the people out there saying NHS should use Linux.. It does. It has a standing deal with Novell, and using several other flavours in various trusts.

As well as using Solaris, AIX, Netware and a whole host of other operating systems too.

It's nice to have a big team of people looking after a homogenous network (been there, done that; it's quite comfy)..

Seriously, spend a bit of time in NHS IT, with a tiny team (if there is a team) supporting several different OSs, databases and applications with little to no time for research, testing or even basic infrastructure maintenance (that costs money for resource that isn't there). Again, been there, done that, and it's NOT very comfy at all.

The choices for IT are basically: Keep the systems secure and well maintained, but the doctors and medical staff up in arms about the maintenance outages. Or keep the place running and operational, but just barely.

Oh, and if you choose the secure and maintained, Directorate overrule you because of complaints by Medical that nothing gets done.

Yet again...

Yet again, a deficiency in Microsoft's products results in a workaround that creates even more problems. It should be possible to set things up so that the operating system cannot reboot without user intervention. By all means install the patches - but wait for confirmation before booting. Not so for Microsoft, who knows better and will happily reboot a system in the middle of a critical task, sometimes even when you tell it not to.

Fucking idiots.

For that matter, in a real operating system most patches shouldn't cause a reboot at all.

As for the other arguments about why corporations choose certain OS, the rule I've developed in my 25 years of working in the field is "if a decision makes no sense, follow the money". Probably someone who made the decision was rewarded, one way or another, for making that particular decision. Either the fact that they drained the accounts of other divisions into their own triggered a bonus (because their division is obviously "making a profit", even if it's at the expense of the rest of the enterprise), or they got a kickback from the vendor, or any number of other scenarios that I've seen played out. The OS selection rarely if ever has anything to do with the technical merit, and everything to do with who is married to whom, or who is shagging whom, or who is an boot licking arse bandit with no more ethics than a hungry weasel.

Seems a little fool hardy...

NHS/Public Sector bods, correct me if I'm wrong, but aren't these IT Change Advisory Boards normally headed up by "senior management", which in the NHS is likeley to be made up of doctors who do not have a fucking clue? Having said that, I know of several private sector organisations that have yet to install service pack 2 on to XP. I honestly cannot think of a business reason why this is the case. Is there anybody out there that can shed light on it?

To me it just seems wholly irresposible to turn of updating wholesale. I hear the aguments for, but think they are at best misguided. If, over 8000 computers, a patch knackers 100 of them. Thats only 1.25% that are down. If they are all unpached on a LAN then 100% could potentially go down. Neither scenario is particularily acceptable, but surely the first is preferable?

Mungo. Chill the fuck out mate. Its only an OS. Get a grip. Ignore the trolls. Besides, I'm sure I've read you pointing a gaffawing finger at Mac/Linux. If I'm wrong, sorry, if not, sucks being made to look stoopid doesn't it?

@ Duncan Hothersall

You are still talking from your arse Duncan.

These 'most places that have a policy that only Windows is allowed on the desktops' organisations you talk aren't public sector. I'll stand corrected but I havent found one yet with the balls to state that they only allow windows on their production desktops because in terms of public sector procurement you aren't allowing fair competition and I will include STHT in that. Anything over 50K comes under a European Competitive Tender process which is very picky about how you dismiss tenders you dont want.

These are probably private companies that you talk of and I suspect that your company isn't even one of them cause I'll bet you use a Linux desktop at work just like me. I'll bet your outfit has a smattering of macs also, just like mine and guess what, just like STHT so I doubt that this is the case at all. So where's your Windows-only desktop policy now? Does your outfit have a Windows only desktop policy, Duncan. Of course it doesn't. So shut up you fanny.

I will concede that there are going to be companies that do have this policy but not yours, not mine and not STHT. The real reason why Linux isnt on that desktop in the theatre in STHT is that it still lacks the application development needed for it to be seen to be competing directly with windows. From an application stakeholders point of view the nice-looking but crap windows app will always beat the crap looking but good linux app.

As for the monopoly element you speak of, it has no legs. Even if windows disappeared overnight and we were all left with completely blank servers and desktops, do you really think there is enough diversity in linux applications to fill the void left in each market sector? You know there is not. If there were more development for Linux apps it would be considered more seriously as an alternative which brings me back to my point.

You have illustrated my point perfectly. The amount of effort and lines you have wrtten today would have gone someway towards writing an app for that PC in the theatre at STHT but instead you chose to use it to moan about why Linux isn't where you believe it should be.

I dont want to fight anymore. You either get it or you dont so I will agree to disagree. No hard feelings Duncan, sorry for any offence etc.

@Mungo, actually no ...

although I'd agree there is much writing to be done, the same applies to the alleged/anticipated/evaporated applications of NPfIT written for Windows.

The way Windows was sold to the NHS was far more like Bill sitting on a sofa with Tony, for a rather short time and agreeing to do it. None of the software was written by then, and well, how much of it is written now?

The NHS has a record of doing things wrong first, then scrapping it and redoing it. The X.400 email system was a case in point. relay.nhs.uk though has been running a parallel service of Exim on a commercial Unix for many years. It is only the rollout and enforcement of Exchange Server as a replacement for whatever the replacement for the Exchange X.400 stuff was that is likely to kill it off.

My coat? The one with an iPhone in one pocket and a penguin in the other.

How likely is it...

...that they've managed to completely clean their network.

My experience working for the NHS IT doesn't give me much confidence in their cleanup.

Windows in operating theatre?

When I worked in the NHS, the only 'general-purpose' computing equipment (as opposed to monitors etc with embedded chippery) permitted in the operating theatres was special 'hardened and certified' kit (think it was running some kind of Citrix) approved by US and UK medical device agencies, and we were told CATEGORICALLY (I worked in IT) that no way would we ever get any of our standard Windows or *nix kit in there that was deployed elsewhere in the Trust. What donkey changed that policy?

slap your self very hard

The Scottish frie brigade was down as of yesterday 1100 pcs and servers on their ass.

Firewall and closed networks don't count for shit if your staff can plug in those infected USB pen drives ...

When will companies learn and users ...you are at work your equipments designation is work not as a holiday snap viewersor the latest tune player or funny you tube video.

Truning this into an Operating system arguement is like chewing house bricks , not very bright and rather unpalateable.

Dont blame the OS if your companies change control and update policy is non existent.

This is less of a microsoft problem and more of a WTF is ITIL problem.

Group Policy - USB

You would think that the NHS would have a group policy to disable the USB storage driver.

@Nathan - is that a joke?

Internet in Operating rooms

It must be to view that, "How to perform open heart surgery" video on Youtube.