Nice to see the bell ends at the NAO including whether the NHS trusts could afford to take those simple steps and that is the issue.
NHS could have 'fended off' WannaCry by taking 'simple steps' – report
The UK health service could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings about falling victim to a cyber attack a full year before that incident happened. This was among the findings of an investigation by Blighty's National Audit Office, which today …
COMMENTS
-
-
Friday 27th October 2017 08:35 GMT Elmer Phud
but where does the money come from --
Oh, the numerous failed attempts of doing it all on the cheap but spunking the dosh on 'guaranteed' bonuses - no matter how much of a total fuck-up was made.
BUT they will STILL blame the 'NHS' and not the ministers who wrap chains around one pot of money while encouraging their mates to have a dip (or two, or three)
-
-
Friday 27th October 2017 09:09 GMT Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?
Re: RE: "but where does the money come from"
> Mr. Dogshit
> What money?
> WSUS = £0
> Configuring a firewall properly = £0
Awesome, hey everyone, he's offering to do it for free! Across the entire NHS!
Well, you know what they say, you get what you pay for. Shit, in this case. Literally in fact, judging by the commentard's name.
-
Friday 27th October 2017 12:49 GMT Martin Gregorie
Re: RE: "but where does the money come from"
That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.
-
-
Friday 27th October 2017 20:23 GMT Martin Gregorie
Re: RE: "but where does the money come from"
So, if the makers of MRIs, PET scanners etc. can't or won't upgrade them, put an airgap round said devices and the out-of-date stuff they talk to as an interim measure.
I know that purveyors of various medical devices have traditionally been, ahem, lax about system security. Others might prefer to call it "wilfully negligent" but I couldn't possibly comment. That said, more general publicity on this topic outside the medical and IT communities together with the odd sueball and much more attention to security on the part of purchasers should get their attention.
-
Monday 30th October 2017 08:40 GMT wallaby
Re: RE: "but where does the money come from"
"I know that purveyors of various medical devices have traditionally been, ahem, lax about system security"
It's got nothing to do with being lax or otherwise. Sometimes these systems won't work with more modern operating systems, full stop. I have an SEM that has 2 PCs attached to it, one is XP SP2 - if you try and put SP3 on it breaks the software - these things are so finicky that even putting both PCs on a strip plug so that they share the same earth will cause them to not function properly.
The manuf doesn't make software on a newer platform for the SEM, so my options are to spend in excess of £300k on a new instrument or keep the XP SP2 machine running. As I have an out-of-date OS on the network it's my responsibility to make sure it doesn't cause issues - I isolate it from the internet and VLAN it so it can't see any other parts of my network nor they it. I spend a few quid on software to prevent USB sticks working in it (or baulk them myself by killing the drivers or tweaking the registry) and I'm as safe as I can be.
If I let it face the outside world and let users loose on it to read emails or Facebook or websites in gen'l then I deserve everything I get.
-
-
-
Monday 30th October 2017 14:59 GMT Mark Dempster
Re: RE: "but where does the money come from"
>That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.<
I'm afraid that just shows that you don't really understand the issues here.
-
-
-
Monday 30th October 2017 10:54 GMT EnviableOne
Re: RE: "but where does the money come from"
Every sysadmin in the NHS would love to have the time to do this.
They are too busy trying to get all the outdated systems to talk to each other, or monolithic integrated systems to retain their delicate balance that keeps them on while still working just about for the user, while at the same time trying to deal with the all-important users, changing regulations and unexpected new systems some department has decided to adopt without any change control.
All of this on stick-thin budgets and about 1/10th the staff of an equivalent-sized private organisation.
-
-
-
-
Friday 27th October 2017 11:51 GMT Chris King
There seem to be lots of reports coming out at the moment damning the NHS.
It's as if someone's trying to say "look, the NHS is failing, but ignore the man behind the curtain screaming that we're starving it of funding - everything will be SO much better when we sell it off to our private sector chums for a fraction of what it's really worth !"
-
Friday 27th October 2017 11:56 GMT Anonymous Coward
"The NHS" isn't even a real thing. Services are delivered by an unholy mess of CCGs, local authorities, "Vanguards" (yes, really), GP practices and hospital trusts, with little to no geographical or organisational sanity in place.
Thanks for that by the way Lansley.
The only body with any kind of claim to being "The NHS" is NHS England, which is a relatively small policy-and-coordination shop sitting directly under...
The Department of Health.
Blame the DoH. Blame the minister. Blame his and his predecessor's relentless drive to cut every penny out of the NHS they could.
-
Friday 27th October 2017 15:43 GMT Anonymous Coward
"The NHS" isn't even a real thing. Services are delivered by an unholy mess .....Thanks for that by the way Lansley.
Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012, including the creation of trusts, CCGs, "Agenda for Change" and all the rest. The same bunch of dung-heads who committed to the large and humiliatingly failed NHS IT programs, and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.
So, feel free to blame the Tories, but unfortunately the current structure, performance, IT, and funding arrangements were directly and indirectly the work of the Labour party.
-
Friday 27th October 2017 18:58 GMT Anonymous Coward
and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.
And this very day, Labour MP Meg Hillier, who chairs the Parliamentary Public Accounts Committee, has announced how shocked she is that most of the current PFI "asset owners" are tax dodging international finance houses. Apparently, although the international tax treatment hasn't materially changed from the last Labour government's time in office, "these companies are clearly profiting and paying no UK tax. I don't think that was ever envisaged when PFI was established."
So stitch that, Guardian reading knobs. Your preferred government created this stinking mess, and now in opposition it wrings its feckless, limp wrists and condemns the very practice that it followed.
-
Friday 27th October 2017 19:46 GMT JamesPond
"the current structure of the NHS is almost entirely the work of one Tony Blair"
Let's get this correct:
NHS Trusts started in 1990
PFI contracts started in 1992
CCGs were created in 2012.
Labour were not in power in any of these years.
NPfIT / CfH was a Labour initiative and whilst it produced some good systems (for example national PACS, ePrescribing), it was not overall good value for money, too top-heavy, the contracts were rushed and there was no accountability.
-
Monday 30th October 2017 15:02 GMT Mark Dempster
>Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012,<
You do realise that the Tories took over in 2010? And one of the first things they did (after promising not to) was to start a top-down reorganisation of the entire setup?
I used to work in the NHS, and I still do bits of consultancy for them.
-
-
-
-
-
-
Friday 27th October 2017 08:23 GMT Steve Davies 3
Re: They will not learn
The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions without a hefty price tag and 6-9 months of thumb twiddling, spec writing and procrastination (we can't get the staff you know) per patch. This MUST change.
There fixed it for you.
Sometimes, I'm sure that some of us oldies wish for the days of IBM green screens/3270 and the rest. Life was a lot simpler in those days. I'd guess that even today z/OS is inherently more secure and robust than any Windows system could ever be. Sigh.
Now where's my zimmer frame :) :) :wink:
-
Friday 27th October 2017 09:51 GMT m0rt
Re: They will not learn
In terms of information retrieval and input regarding text, that is still a far better solution. That or an iSeries or whatever they call the AS/400 these days. i5?
Even if it is a terminal emulator on <insert your OS here>, it would still mean core records are fairly safely stored, accessible and not at the same risk levels. "Shit, WannasobII is here, break out the 3270s guys"
-
-
Friday 27th October 2017 20:18 GMT JamesPond
Re: They will not learn
"The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions"
That is easy to say but what is the alternative? Upgrade the servers and workstations to the latest patch without validation? OK if you are dealing with a desktop running a spreadsheet or word processor. More risky if you are dealing with a workstation that has software manipulating patient data that, if it breaks down, or worse, manipulates or displays data in an incorrect manner, could lead to patient safety being compromised.
Would you be prepared to certify Microsoft's zero-day patch will not affect your clinical software without first going through validation testing?
I worked on NHS clinical messaging systems for BT that used Microsoft Exchange 5.5 with X.400 messaging as the underlying routing platform. Microsoft released a patch and I found in our test lab that MS had introduced a bug so that in certain circumstances messages could enter an infinite loop and cause the server to crash (in X.400 a message should only loop 255 times before being non-delivered, but Exchange was incorrectly re-writing the message ID in the e-mail header so the server couldn't recognise that the message had been received previously). We reported this to MS and stopped NHS sites installing the patch. Without this testing, many NHS end-sites could have been down for days whilst they restored their systems from scratch.
-
Monday 30th October 2017 11:02 GMT EnviableOne
Re: They will not learn
Despite the government's assertions, there is no such thing as the NHS.
There are 241 separate NHS trusts that try to get the best deal they can with no backing from the centre,
and any economies of scale or central contracts have been killed (to get the headline off the DoH budget).
Any one of these trusts can try "fix it or we go elsewhere", but GE, Siemens, Philips, Agfa are too big for one trust to affect them, and the smaller companies you haven't heard of quite often have nigh on monopolies in their specific area, so if you need this tech you have to use them.
-
-
Friday 27th October 2017 08:30 GMT Anonymous Coward
Easy to mitigate
- Patch your o/s monthly
- Regularly patch your apps that open files (Word/PDF etc.)
- Don't run an o/s or app that is no longer in patching support
- Don't let apps connect to the internet to pull down their own updates in an enterprise environment - test updates in a sandbox first, then use your software deployment tools to push out tested updates
- Run anti-virus & update hourly, and AV scan on demand all files
- Scan incoming email using AV and block .exe attachments
- Scan and block sites when web browsing using a web proxy and AV scanner
- Set web browsers to block adverts and Flash
- Use a local hosts file to sinkhole malware and advert sites to 127.0.0.1
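The last item in that list, a hosts-file sinkhole, is easy to get wrong by hand (typos, duplicates, accidentally overriding a real internal name). The script below is an added example, not from the comment author or any NHS tool: it merges a blocklist into a hosts file inside a marked block so it can be re-run safely, and refuses entries that are invalid, protected, or that would clobber an existing non-sinkhole mapping. The hosts file and blocklist are constructed sample data.

```python
"""Hosts-file sinkhole builder: merge a domain blocklist into a hosts file so
listed malware/advert hosts resolve to 127.0.0.1 (added example, constructed data)."""
import re
from typing import Iterable

SINKHOLE_IP = "127.0.0.1"
BEGIN_MARK = "# BEGIN managed sinkhole"
END_MARK = "# END managed sinkhole"
# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names that must never be sinkholed, whatever a blocklist says.
_PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalise(name: str) -> str:
    """Lower-case, trim whitespace and a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name: str) -> bool:
    """RFC 1123-style syntax check on an already-normalised name."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def strip_managed_block(text: str) -> str:
    """Drop a previously generated block so repeated runs are idempotent."""
    out, inside = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN_MARK:
            inside = True
        elif line.strip() == END_MARK:
            inside = False
        elif not inside:
            out.append(line)
    return "\n".join(out)


def parse_hosts(text: str) -> dict[str, str]:
    """Map each active hostname to its IP, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        for name in body[1:]:
            mapping[normalise(name)] = body[0]
    return mapping


def build_sinkhole(hosts_text: str, blocklist: Iterable[str],
                   sinkhole_ip: str = SINKHOLE_IP):
    """Return (new_hosts_text, added_names, rejected), where rejected is a
    list of (entry, reason) for every blocklist line not sinkholed."""
    base = strip_managed_block(hosts_text)
    existing = parse_hosts(base)
    added, rejected, seen = [], [], set()
    for raw in blocklist:
        name = normalise(raw.split("#", 1)[0])
        if not name or name in seen:
            continue  # blank line or duplicate blocklist entry
        seen.add(name)
        if name in _PROTECTED:
            rejected.append((raw, "protected name"))
        elif not is_valid_hostname(name):
            rejected.append((raw, "invalid hostname"))
        elif name in existing:
            # Never silently override a real mapping; an entry already
            # pointing at the sinkhole needs nothing further.
            if existing[name] != sinkhole_ip:
                rejected.append((raw, f"conflicts with existing entry {existing[name]}"))
        else:
            added.append(name)
    block = [BEGIN_MARK] + [f"{sinkhole_ip} {n}" for n in added] + [END_MARK]
    new_text = base.rstrip("\n") + "\n" + "\n".join(block) + "\n"
    return new_text, added, rejected


# Constructed sample input (not real hosts or real indicators).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
10.0.0.5 intranet.example.test  # constructed internal host
"""
SAMPLE_BLOCKLIST = [
    "ads.example.test",
    "Malware.Example.Test.",    # case and trailing dot are normalised
    "ads.example.test",         # duplicate, skipped silently
    "intranet.example.test",    # would clobber a real internal name
    "bad host!.example.test",   # invalid label
    "localhost",                # protected
]


def demo():
    return build_sinkhole(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    text, added, rejected = demo()
    print(text)
    for entry, why in rejected:
        print(f"rejected {entry!r}: {why}")
```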
-
-
Saturday 28th October 2017 11:04 GMT JulieM
Re: Easy to mitigate
The NHS is big enough, and its use cases are special enough, to have its own dedicated IT team maintaining its own preferred (read: iron-fistedly enforced) software distribution. In times when the NHS's own computers are running smoothly, they could probably even take on outside work to keep themselves busy.
Even Sun Microsystems acquired their own office suite and database server so they did not have to pay money to, and rely on the co-operation of, Microsoft.
-
-
Friday 27th October 2017 08:36 GMT techdead
Re: Easy to mitigate
easy to say, much more difficult to implement in a huge organisation like the NHS, with public money, lack of resource, i.e. IT slaves to do the donkey work, get down time scheduled, manage staff, pay overtime etc., etc. - hard enough in the private sector ("can you do this overnight instead of at the weekend? we don't want to pay your team overtime but they can go without sleep instead"), never mind in a huge public entity
-
-
Friday 27th October 2017 09:22 GMT Doctor Syntax
Re: Easy to mitigate
"oh the system supplier won't allow you to, citing that their system is a medical device, not a computer system"
Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state. It's time that whole arrangement was looked at again. Should certification lapse after some interval unless equipment has up-to-date patches?
-
Friday 27th October 2017 17:46 GMT Anonymous Coward
Re: Easy to mitigate
Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state.
OK. We are where we are, water under the bridge and all that.
But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years? I'm not suggesting that it be maintained free of charge in perpetuity, simply that when they sign the contract for some long life hardware, they give some serious thought to how it will work when the OS is out of support.
-
Friday 27th October 2017 18:48 GMT Anonymous Coward
Re: Easy to mitigate
You won’t be buying anything anytime soon. Software companies are completely inept. Inept to the point where some very big players won’t certify minor point updates of OSs for security applications even though there are known vulnerabilities in them.
The software industry is an utter shambles.
-
Sunday 29th October 2017 11:02 GMT Doctor Syntax
Re: Easy to mitigate
"But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years?"
It's not a matter of buying S/W alone. It's the complete package of H/W, the custom S/W that works with it (not only the user applications but also drivers) and the underlying O/S.
The driver bit is a particular problem if you're relying on the manufacturer to update it. After all, they're relying on the underlying O/S driver model not to change in 5 years. Is any OS vendor going to guarantee that? If, for instance, the OS implements vendor signing of the driver that might sound fine now if they've signed the existing driver. But in 5 years time they may simply refuse to sign all 3rd party drivers.
You also rely on all the parties in what might be a long chain of specialised bits & bobs that went into the device's BoM to play along or even to exist years into the future.
TL;DR It really isn't that simple.
-
-
-
-
Friday 27th October 2017 11:20 GMT 97browng
Re: Easy to mitigate
How simple it is, I don't know why it has not been done.
Apart from you have a piece of software that has not been updated for years because it is vitally important, yet nobody has the money to upgrade it.
You cannot put the latest patches for other software/OS on because it will break this very important piece of software. You tell the relevant people you need to update the software and OS to stop a potential security breach but this will break the software. The answer you always get back is 'if it stops working a child might die'.
And that is where the argument ends, a potential security breach VS a child dying. Yes we all know that the potential security breach could in turn mean all systems are down and more risk to people but it never works.
Testing in a sandbox is so easy. Ohh wait we support 700+ applications, who is going to test them all, with all possible iterations. It is not possible.
Add to this that a lot of the software used is very niche and only ever made by one company and you are caught by the short and curlies. You know it is not 'secure' yet it is the only thing that can do what you need.
Why not make your own software then? Ok we will just hire some more staff to do it (with the imaginary money tree) and then find out that it cannot integrate with what everyone else is using so it is no use.
I don't work for the NHS (or in the security team) but local government and we get it all the time. People working for either small companies or those that use a very limited amount of applications and need little integration with anyone else have no idea. Try working for the government or NHS where ICT has very little power or budget and has to support hundreds of critical applications that are made by a plethora of suppliers.
-
-
Saturday 28th October 2017 18:34 GMT Danny 14
Re: Easy to mitigate
Then you find oncology devices that cost millions and only work on XP, or BMS systems that only work on Win2k (yep! Preston hospital, I'm looking at you). Granted the BMS was VLAN'd and not routed. The best you can do is VLAN or partition off on a private physical network.
In an ideal world everything will be patched and upgraded. In the NHS the funds aren't there or, worse still, it's contracted out so you aren't allowed to touch it.
-
-
-
Monday 30th October 2017 08:40 GMT Anonymous Coward
Re: Easy to mitigate
It's a pity the Reg doesn't have threaded comments.
I'm with the OP up there who said WSUS and patching were free and got ridiculed.
What he meant was that it is already in place and paid for and has staff to operate it, also paid for.
They just didn't push the right buttons, through laziness or inertia.
This entire thing was down to specific patches released 3 months earlier that plugged the SMB vulnerability not being installed. Nothing more. Except they could also have used a decent firewall instead.
What I want to know is what the annual pen tests said, over the years, and how many of the issues raised were acted on.
-
-
-
Friday 27th October 2017 09:01 GMT Anonymous Coward
Governments everywhere are the same. The Pols and Burs in charge like to use massive companies as buying from them can guarantee an easy, post last career, income with a company that supplies some service to said software giants.
Hire a number of OpenBSD developers/system admins, or other Open Source systems people, and get some real expertise in place to secure the networks. (I reference OBSD as I follow its news, others would do.)
Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required.
There is the above issue and, in Canada, the Phoenix Payroll System.
http://www.cbc.ca/news/canada/ottawa/senate-replacing-phoenix-new-payroll-system-rfp-1.4371269
-
Sunday 29th October 2017 11:20 GMT Doctor Syntax
"Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required."
Medical equipment has to be certified as safe and effective in the markets in which it sells. The NHS is probably not going to be counted as a big enough market to make manufacturers see some UK-only spec. as being worth spending time and money on pandering to; at least not unless they charge a great deal extra for it.
A better bet would be to pressure the certification authorities to ensure that in order to remain certified equipment has to be maintained reasonably up-to-date. Of course that would be easier if we were part of a larger market such as the EU but in order to make an extra £350m a week available for the NHS (as Boris still seems to insist on) we won't be.
The likelihood is that imposing a draconian regime of that (or any other) nature would simply result in a good deal of existing equipment being orphaned by the manufacturer declaring it EoL or simply closing down altogether.
-
-
-
Friday 27th October 2017 17:55 GMT Anonymous Coward
Re: Easy Isn't It
Wow, who knew that making things better could be so easy.
If you think about that from a workflow perspective, it is actually much easier than the NHS make out.
From time to time queues build up, that's life. But if you can't clear them, then by definition they build towards infinite length, until they are limited by patients dying before treatment. We have a bit of that, but not much, so on average the NHS is treating people at the rate that new cases arise. With a bit of better resource planning, getting the queues down isn't that hard, it's just some basic maths.
I'm sure the doomsters will object violently to this post, whining endlessly about how the Tories are to blame for everything but that's the reality. Either you have ever-increasing queues, or you at some point have to match the treatment volumes to the new case origination rate. And if you can do the latter, then the simple trick is to do that sooner, before you build up this huge backlog. Every day production companies address and resolve this problem; the NHS could do a whole lot better - as one example, if they are importing international locums, make them into a mobile task force, instead of doing it at the individual trust level.
-
Friday 27th October 2017 18:24 GMT Charlie Clark
Re: Easy Isn't It
If you think about that from a workflow perspective, it is actually much easier than the NHS make out.
Yeah, just get out your stop watch and do a time and motion study… Funding for the NHS has been cut in real terms since 2010 and due to cuts elsewhere in social care some hospitals have seen significant increases in their workload without a commensurate increase in resources. And there's them Europeans who're leaving the service after everything Blighty has done for them.
-
Friday 27th October 2017 20:36 GMT Headley_Grange
Re: getting the queues down isn't just some basic maths
"With a bit of better resource planning, getting the queues down isn't that hard, it's just some basic maths."
The maths is easy, but the numbers that go into the maths are a tad more difficult to come by. It takes 7 to 15 years to train doctors and surgeons. It takes 3 to 10 years to train a nurse. How many hip operations will be needed in ten years' time? How many critical care beds and nurses will be needed? How many social care beds, etc., etc.? We need those numbers, and all the other ones, together with the way we distribute them around the country, and some definitions for standard work. Then the maths is easy and we can start working today to feed the right number of trainees into Uni and building the hospitals to have the right capacity in the NHS in about 10 years' time. As long as the spec. doesn't change.
Sure, you could manage the NHS like a production line or a project and I'm sure that a Friday night pubstorm could come up with the treatment equivalents of MRP, pull, flow, kanbans, buffers, scrums, sprints, EV, etc. (pick your buzz space). Maybe the hospital could hold a stock of healthy grans so that when they haven't got the capacity to treat yours they could just send you home with a healthy gran from the buffer stock :-)
Anyone really interested in this subject should try to get hold of "Transforming Health Care" by Charles Kenney.
-
Sunday 29th October 2017 11:24 GMT Doctor Syntax
Re: getting the queues down isn't just some basic maths
"The maths is easy, but the numbers that go into the maths are a tad more difficult to come by."
The easiest thing of all, once you get into lead times of 5 years and over, is to kick it all down the road into the next government's territory.
-
-
-
-
Friday 27th October 2017 09:43 GMT Martin an gof
What went right elsewhere?
This attack seems to have hit England hard, but not the other devolved areas - my wife works in the NHS in Wales and although they did endure some "lock down" (emails in particular were blocked for a while) they didn't have the major disruption seen in England. Wales is just as cash-strapped as England, so what did they do differently?
Also slightly annoyed to hear an "expert" on Today this morning basically blaming XP, when in this instance it appears as if it was W7 that suffered the most.
M.
-
Friday 27th October 2017 10:02 GMT iron
Re: What went right elsewhere?
It would be nice if the article used correct and consistent terminology. It starts off talking about NHS England but then lazily falls into talking about the UK. As you say Wales did not seem to be as badly hit and they are part of the same NHS as England. Then you have Scotland which has its own NHS with different policies and practices.
El Reg journos - THERE IS NO NHS UK!
-
Friday 27th October 2017 13:08 GMT Martin an gof
Re: What went right elsewhere?
Wales did not seem to be as badly hit and they are part of the same NHS as England
No they are not. Health is one of the devolved areas and NHS Wales is completely separate (as far as I'm aware) from NHS England. From what I see, the structure is a lot "flatter" than in England, with seven Local Health Boards, rather than innumerable tiny bodies.
Funding, however, is subject to the whims of the UK government which effectively means the English government. Health is one of those areas where it sounds as if Welsh (and Scottish etc.) MPs should not have a say on English policy (the so-called West Lothian question), but as I understand it the Welsh government grant as calculated by the somewhat out-of-kilter Barnett Formula is directly related to spending in England, thus if English MPs decide to reduce NHS funding in England, a proportional amount is removed from the Welsh Government grant, even if the policy in Wales is to maintain or increase funding for the NHS. Money then has to be transferred from other budgets.
Education is another devolved area where the structure is different in Wales to England.
M.
-
Friday 27th October 2017 17:58 GMT Anonymous Coward
Re: What went right elsewhere?
somewhat out-of-kilter Barnett Formula is directly related to spending in England, thus if English MPs decide to reduce NHS funding in England, a proportional amount is removed from the Welsh Government grant,
England has the lowest per capita health spending in the UK, and the lowest per capita public spending in general. Personally I'd be more than happy to give the Scots the independence some of them crave, and to FORCE independence on Wales. Be interesting to see how the Scots and the Welsh would cope with that.
-
-
Sunday 29th October 2017 11:30 GMT Doctor Syntax
Re: What went right elsewhere?
"As you say Wales did not seem to be as badly hit and they are part of the same NHS as England."
No. They even keep separate records of the GPs working in Wales. I discovered a whole bundle of fun around that when I was trying to keep a unified database for a service provider. A GP moving from one English practice to another or one Welsh practice to another wasn't too bad. But when they were going to move across the border...
-
-
-
Friday 27th October 2017 09:50 GMT ThePhantomBovine
It's all so simple..
GPs could take the simple step of seeing their patients. Surgeons could take the simple step of operating on all the patients on their list. Consultants could take the simple step of seeing and treating all the patients on their list. Domestics could eliminate hospital outbreaks by taking the simple step of cleaning the hospital. You could go on indefinitely with gross oversimplifications of 'what was needed', but as always the prerequisites to achieving the 'simple' steps are usually not as straightforward. All departments within hospitals are plate spinning, and when one of those plates falls, it's all too common to see scapegoating of those with no control over the number of spinning plates because it all comes down to money and power over how it is spent.
-
Friday 27th October 2017 18:56 GMT tfewster
Re: It's all so simple..
Sure, but if you're spending money on triaging, queue management systems, backlog reporting etc. you're addressing the wrong problem - put that money into healthcare instead!
Oh, and using the cases of specialised clinical systems and scheduling server patching as excuses for not patching desktops doesn't wash. ("NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems.")
-
-
Friday 27th October 2017 10:41 GMT Amos1
None of the comments directly touched on the initial infection vector so here it is: STOP PUTTING YOUR SERVERS DIRECTLY ON THE INTERNET.
Shodan showed that both NHS and Telefonica had servers with every default port open to the Internet, including SMB. Perhaps some well-meaning obsolete not-competent-for-this-position manager overrode the techies with a "But the file share requires a username and password so just do it!"
-
Friday 27th October 2017 11:19 GMT sebbb
The big thing on the spreading of malware is not really servers facing internet, but the N3.
You see, N3 is a giant private WAN with 10/8 addressing with a whole bunch of ports wide open between NHS bodies (including SMB 139). Private companies (like the one I'm working for) connecting to N3 must have separate firewalling in place. In fact, we were not affected at all and were still able to access data on the ERS just fine.
-
-
Friday 27th October 2017 11:22 GMT Anonymous Coward
I work in the NHS
We'd not have been hit if our CRAP ITY supplier hadn't told us certain ACLs were in place when they clearly weren't, then ending up with some of our sites having NONE following that same CRAPI-TYA company making changes which resulted in them being wiped.
We'd literally have not been affected at all.
-
Friday 27th October 2017 11:39 GMT MrRimmerSIR!
Re: I work in the NHS
Good to hear from someone on the inside. The key here is that it is not possible to lock down the apps or OS on an individual machine, so the best that can be done is to have firewalls and other access control mechanisms in place.
And when a supplier fails to do what they claim to have done, there should be penalty clauses invoked to make sure they don't fail again. I wonder if said crap company has had moneys withheld? (yes, that was a rhetorical question, I think we know the answer).
It's all very well blaming "the NHS" or "the DOH", but both organisations are made up of people. Again, accountability should mean the pen-pushers responsible for the failures should be personally liable.
-
Friday 27th October 2017 20:43 GMT JamesPond
Re: I work in the NHS
Having worked for both hospitals and for IT suppliers to the NHS across a lot of different NHS England hospitals, there is a huge variation in how IT services are delivered and their professionalism.
The best I've seen are in-house staff who were reasonably well looked after and had down-to-earth managers with reasonable IT and management skills (many originally trained in the armed forces). The worst I've seen are where
a) IT services are outsourced to a very big blue company who won't react until they have a purchase order
b) outsourced to tiny local companies with insufficient resources to handle anything but the normal day-to-day 'my pc won't boot' fault and find it difficult to retain skilled staff.
c) in-house staff are badly managed by maniacal leadership who are only concerned with advancing up the ladder and think that staff motivation has a 1:1 link with how loud they can shout.
Unfortunately in my experience, there are a lot of very competent and dedicated indians (small i) being led by incompetent chiefs. I have seen first hand that once you are in the NHS, it is a job for life unless you actually kill someone and where the only way to 'get rid' of someone useless is to promote them.
-
Saturday 28th October 2017 12:24 GMT Angry IT Monkey
Re: I work in the NHS
Outsourcing usually comes down to a complicated lowest bidder / jobs for the boys formula that doesn't include quality. Over the years I've come across so many clangers from these bargain-basement companies that I'm sure they just drag random people in from the street to implement critical projects dealing with people's lives/health/money/future.
Sadly I can't post any without being identified at work and I'm not quite ready to retire...
@JamesPond - it's not just tiny local companies, I've dealt with huge national and global IT companies that struggle beyond "My password needs resetting" including a very big blue one.
-
-
Friday 27th October 2017 20:53 GMT Headley_Grange
Penalty Clauses
"And when a supplier fails to do what they claim to have done, there should be penalty clauses invoked to make sure they don't fail again"
Penalty clauses are unenforceable in English law.
Liquidated damages are allowed, provided that the damages are a true reflection of the losses incurred. Liquidated damages are limited to the amount set out in the contract.
I think the NHS would struggle to contract for services if they tried to reflect the potential true costs of a major cock up in the liquidated damages. Some of the companies I have worked with simply add the liquidated damages to the contract price to ensure that they are covered, meaning that if the supplier performs well the customer, effectively, incurs the cost of their performing badly!
-
-
-
-
Saturday 28th October 2017 00:47 GMT katrinab
Re: Which is it??
Both, as people from other parts of the UK do get sent to England for some things that aren’t provided locally, and people in England sometimes get sent to Scotland when there is no capacity in England. Also, people who live near the borders sometimes cross them to get to the nearest facility.
-
Monday 30th October 2017 10:17 GMT Bernard M. Orwell
Re: Which is it??
"Which was it, England or Britain?"
You have to bear in mind that, according to most media, England IS Britain. That's certainly part of the problem, but it's also worth remembering that to Parliament, England is London, and everything else is "The Northern Powerhouse" (pardon me whilst I vomit from the patronisation) or "bloody Europe".
-
-
Friday 27th October 2017 11:46 GMT Anonymous Coward
"These include developing a response plan setting out what the NHS should do in the event of a cyber attack; ensuring organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action); and ensuring that organisations are taking the cyber threat seriously. "
So, not quite frontline operations, not quite senior leadership...
Sounds like middle management to me! Can't be having any of that in the NHS. No sir. Doctors and nurses only please, and the less of those the better!
-
-
Saturday 28th October 2017 10:42 GMT JulieM
It's a mess
There are mission-critical apps in use right now which will only run on an obsolete OS, because they use the same insecurities exploited by malware for their legitimate business logic; and cannot be rewritten to work in a more secure environment because the Source Code is lost, due to the original supplier having gone out of business.
The only way to weed them all out is going to be to replace every piece of software with something for which the Source Code is available. Unfortunately, that is unlikely to happen, as it will lead to a blame game -- and too many people are getting fat on caging up Source Code anyway.
-
Saturday 28th October 2017 15:49 GMT h4rm0ny
It's always "simple steps".
That's what most computer security is: "simple steps". But you have to complete a hundred of them and the attacker only has to find the single one you missed. With hindsight you can almost always point back at something and say "this wasn't done". Yes, but how many people were doing how many things?
-
Sunday 29th October 2017 01:05 GMT david 12
Repeated repeated repeated warnings
So they had warned people about patching, but their warnings were hidden/disguised by the noise about getting rid of XP.
Ironic that it happened in the NHS, given that the medical system is well aware that warning overload leads to people ignoring warnings. Most drug-interaction AI systems are turned off because they generate so many drug-interaction warnings. More obvious to the lay-person, walk through any hospital and count the beeping patient monitoring systems.
-
Sunday 29th October 2017 11:47 GMT Doctor Syntax
Having touched on certifying equipment in previous comments, here's a suggestion answering some points made about businesses providing support services.
Require services to be certified. If, as in a previous comment, ACLs weren't in place, the service provider loses its certification and must pass its contracts over to another provider.
And I don't mean simple ISO 9000 box ticking. The service actually being provided gets unannounced spot checks to see what the reality is.
-
Monday 30th October 2017 09:01 GMT GruntyMcPugh
"Department of Health and Cabinet Office wrote to trusts saying it was essential they had "robust plans" to migrate from old software, such as Windows XP, by April 2015."
Interesting, because I had an interview for an IT role at an NHS Trust Hospital in November 2015, and they were still talking about moving to Windows 7, and hadn't started.
I now work in local govt, and we're well into our Windows 10 rollout, and are migrating patching from WSUS to SCCM.