
Almost half have had ransomware, my backside. Every single one has, some will have been more or less successful depending on the ecosystem, you'll never get some of them to admit it even via FOI though.
NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics. CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice …
The NHS understanding of the term "security" circa 2007:
"Thank you for your email. The site is secure, in that it is in a secure data centre with several layers of network access security. Your data is stored in a protected database server, only available to you when you log in with your username and password and, where applications are completed, available for viewing by the employer that advertised the vacancy that you submitted the application for.
Your data is not 'sent' anywhere, but is viewable through the web browser by you and the employer for which the application was intended once you or they have logged in to the site.
Making an application online without encryption is in line with normal practice on jobs and recruitment sites. However, more importantly, all aspects of the service and how it operates have been the subject of a review by an independent security consultant and by the Dept. of Health security officer before the service went live.
I hope that this has addressed your concerns."
I had protested that the application to be submitted was not over a secure channel; this was the reply. Perhaps things will change.
Just how different will NHS IT systems be after applying CareCERT Knowledge, CareCERT Assure and CareCERT React?
"a service to help organisations assess their local cybersecurity measures against industry standards"
It's 'industry standards' that has gotten us into this mess in the first place.
I don't understand why it is such a problem for them. Don't they do frequent incremental backups and discretionary access control?
If they do, then ransomware isn't really going to be a problem for them. If they don't, why do they think they are competent enough to store any business-critical data on their computers, let alone sensitive personal data?
Not 'industry standards'.
It is Microsoft standards masquerading as "industry standards".
Microsoft software is the poorest designed for security. Passwords stored in plaintext, hashes used for authentication, falling back to known broken authentication... executable everything...
The only way to win (in security) is to not use Microsoft software.
Yes, paraphrased :-) but still true.
Hi, I am not sure conventional backups work in healthcare. I noticed people mention them often.
Healthcare is a highly dynamic environment and critical data gets generated every minute. Incremental backups cannot run that often without creating an unsustainable IT overhead. Daily increments may be useless if you are hit by ransomware at noon, and in the afternoon you need data collected in the morning.
First and foremost people need to be trained and know how to avoid dangerous situations. Next, a specialized solution is needed to detect and stop ransomware. Since no solution is 100% reliable, a product that can also protect the files in real time and restore them in the case of a successful ransomware attack can help bring peace of mind.
I work for a company that builds such a product, combining ransomware detection based on file access patterns with file protection in real time, depending on how files are being manipulated. So, there are solutions which are not conventional and may yield better results.
(Rules of the house do not allow me to advertise; the point of my post is to raise awareness about newer and unconventional technology and encourage people to keep an open mind.)