
NHS + IT
Ahhh. A match made in heaven.
The UK's National Health Service will pay white hat hackers up to £20m to protect its IT systems, it announced today. NHS Digital is looking to make a deal with consultants to create a security operations centre, which it says will ensure the safety of staff and patient data nationwide. Speaking to The Telegraph, NHS Digital …
As an infosec already in the NHS: the problem isn't the systems we have IT-wise, it's the clinical ones, which then force reliance on old versions of Java and prevent OS updates etc. from being applied.
You can harp on about "all you need is WSUS" but frankly that's not true, we already have it! We simply can't implement it to any sort of standard, as either you want clinicians to have access to patient data quickly and securely or you want OS updates, because these clinical systems are flippin' ancient and no matter how hard we scream about it there's no money to replace them and no leverage in contracts signed years ago to force developers to keep on current versions for dependencies.
Hiring more Infosec staff won't help in a majority of trusts/CCGs as frankly the problem is sitting within clinical systems and old medical devices. WE KNOW THIS. But we're unable to do anything about it as nobody can afford to replace them.
Yes but you're employed by the NHS in an infosec role so your opinion counts for nothing to the higher management.
If you want to be listened to you need to quit, pay for some fancy certs, then get rehired as a "Transformative cyber-enablement specialist" (or similar snake oil seller), reword your original advice as shiny shiny marketing guff, then job's a good 'un. They'll pony up 5x extra to do the job you would have suggested to them in the first place on your original salary.
Feel free to replace "NHS" with any other public sector body.
3. is most of the problem. Lots of 25+ year old proprietary stuff that either no patches exist for, or the patches that DO exist break other things. Hospital systems are a horrible, horrible mishmash of ancient tech, brand new tech, and duct tape.
It's no different to corporate IT. We recently "upgraded" to a new outsourced HR solution. It doesn't tick any of the boxes that IT "required" of it (federated SSO, 2FA, device independent, no ActiveX), but it's the choice of the HR VP so that overrides any other concern.
Actually we could have had the federated SSO and 2FA, but the beancounter vetoed the extra £3k pa that would have cost us in licence fees. Still wouldn't make it work in ¬(IE > 6, IE < 11).
When your hosted solution requires ActiveX to draw a calendar on a webpage, you know you've made a wrong technical choice...
This, 100%
I asked a friend in one of the big consultancies why NHS managers recruit external consultants at 5x the cost, for things their own staff could do, and his belief is that they're happy to pay just to abdicate responsibility. E.g. if it fails, they're off the hook because they can say they paid top dollar for 'the best'.
Over the years, I've observed this to be correct more often than not. The last port of call for many senior managers is to consult with their own teams (or even try to manage them). The team then has some salesperson forced on them who extracts their knowledge and then gets 5x the pay for it. Then leaves and the team have to fix the shit they caused anyway.
I now view a manager employing a consultant as a public admission that they're scared, out of their depth and couldn't care less about wasting public money.
"I asked a friend in one of the big consultancies why NHS managers recruit external consultants at 5x the cost"
In general because that's competitive with paying a market rate salary and benefits for someone who is actually certified, competent and experienced! And is a lot easier to get approved.
because these clinical systems are flippin ancient and no matter how hard we scream about it there's no money to replace them
You could still use that WSUS that you already have to keep W7 patched up, which would have avoided the little WC accident.
and no leverage in contracts signed years ago to force developers to keep on current versions for dependencies.
This does seem to be a lesson that is never learned - or maybe it was an option offered but whichever Public Trough guzzling IT contract Pirate Cartel said - "What? You want it to work in the future? That's 4 times the price then."
"Hiring more Infosec staff won't help in a majority of trusts/CCGs as frankly the problem is sitting within clinical systems and old medical devices. WE KNOW THIS. but we're unable to do anything about it as nobody can afford to replace them."
So like someone with suspected plague, rather than take them out and burn them, isolate and monitor. Or don't do anything and risk the consequences.
3. is most of the problem. Lots of 25+ year old proprietary stuff that either no patches exist for, or the patches that DO exist break other things. Hospital systems are a horrible, horrible mishmash of ancient tech, brand new tech, and duct tape.
Most of the trusts actually have reasonable endpoint protection on their standard terminals. It's all the non-standard kit (software for a multi-million pound body scanner that has to run in IE6 on a physical device with a parallel/serial port, that just HAS to be networked back to backend database/monitoring server for some bloody stupid reason, etc, etc) that causes problems.
Sure, a dedicated IT team could airgap or DMZ most of this old horrible insecure stuff, but at the moment the NHS is all for the "centralised" approach "because of cost savings". So often the offsite big team of generalists just patch it into the main network so they can dial into it remotely.
It's far easier in the smaller (non hospital) trusts.
I work in one of the Emergency Services trusts. We didn't get hit by any of the recent ransomware attacks - and we haven't actually had a successful malware attack in the past 8 years (the last one that got in was Conficker back in circa 2009). But the main reason for this is because we run our own segment + internet links which are firewalled off from the rest of the NHS network (we have to use some of the central NHS LAN portals, but these are by exception - we don't even talk directly to their DNS servers!). All Internet access goes through a proxy and all non-whitelisted sites are blocked. USB drives are blocked. Removable media is blocked. All emails out and in get scanned, with close to 90% of them going into quarantine if they have any attachments on them at all. Automatic updates get applied automatically one day after Patch Tuesday (apart from the essential 999 servers which get done manually). We do have some systems which we can't regularly patch for a number of bloody stupid supplier-support-contract-related reasons, but these are kept off our domain on separate VLANs from all our other tech.
We have a very small onsite IT presence which couldn't cope if we didn't take the "block EVERYTHING, allow by exception" approach.
I'll echo the previous poster's comments about having to support 7 different versions of Java though (one for online banking for the Finance people, one for the ancient legacy Voice Recorder software, one for the New Voice Recorder, one for the Staff Payroll Portal, one for the CCTV, one for the Staff Passcard printer software, and one for the VOIP Phone system portal) - Bleh!
(Posting anon for obvious reasons...) ;)
"3. Patch your sodding systems"
Then find the latest version of Java has bricked 20% of applications, IE (and no other browser) is no longer compatible with some critical back end system implemented 15 years ago, the driver update has stopped a third of printers working, the TLS 1.0 you've dumped now means you can no longer administer a load of black box equipment..........
Do I go on why you can't "just upgrade"?
We actually already HAVE a department of NHS Digital that is supposed to be doing Cybersecurity called CareCERT - so are these guys outsourcing their own work? We pay them to do this. Why are we paying again? The bidding guidance in the tender specifically excludes companies without a turnover of more than 5 x the contract value from bidding.
So that excludes all but the hugest of the huge. Many of those same few companies have recently performed badly in NHS/Gov contracts (Capita, Atos), or have recently been pwned themselves (Experian).
#omnishambles
The problem is not that
NHS IT cannot be bothered to put patches on.
Does not know how
Prefers older software or even
Can't afford to patch.
We put patches on where allowed
We have the same qualifications as everyone else - BSc, HND, Cisco or even(!) Microsoft for example.
We'd rather have Windows 10 than XP and Linux would be even more fun.
It would be cheaper to patch.
If most IT departments had their way, CSC would have been out of the NHS 15 years ago along with the other wastes of public money that kept us on IE6 until a couple of years ago and now keep us off lots of other modern ideas - such as non-IE browsers and updated versions of Java.
Someone in authority should put down rules that block recurrences of such stupidity. This may not happen. They may be called DXC now but they are still the same CSC who caused the problems and faulty attitudes.
"we (this corner of NHS) currently use Java SE 6 Update 39 from 2013-02-01 for all our browser java needs! hooray!"
So set active content to only run in the Trusted Security Zone in IE and use Group Policy to add only sites you trust to that zone. Job done. That will be £20 million please.
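The zone lockdown the comment above describes, written out as an added example (not code from the thread or from NHS Digital). It writes the same HKLM policy keys that the Group Policy settings "Site to Zone Assignment List", "Internet Zone" and "Trusted Sites Zone" populate, so the effect is identical to pushing it by GPO; the hostnames are constructed placeholders and the URLACTION ids are the documented Microsoft values. Run it in an elevated session.

```powershell
# Added example: restrict ActiveX and Java in Internet Explorer to the
# Trusted Sites zone, and centrally control which sites sit in that zone.
# The site list is a constructed placeholder; replace it with the real
# clinical-system hosts. Policy keys under HKLM\SOFTWARE\Policies override
# per-user settings and grey them out in the IE UI.

$TrustedSites = @(
    'https://pas.trust.example',    # assumed: patient admin system
    'https://pacs.trust.example'    # assumed: imaging front end
)

$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMap      = Join-Path $PolicyRoot 'ZoneMapKey'
$ZoneTrusted  = Join-Path $PolicyRoot 'Zones\2'   # 2 = Trusted sites zone
$ZoneInternet = Join-Path $PolicyRoot 'Zones\3'   # 3 = Internet zone

foreach ($key in $ZoneMap, $ZoneTrusted, $ZoneInternet) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Site-to-zone assignment: value name = URL pattern, REG_SZ data = zone number.
# Once a ZoneMapKey policy exists users can no longer add their own trusted sites.
foreach ($site in $TrustedSites) {
    New-ItemProperty -Path $ZoneMap -Name $site -Value '2' -PropertyType String -Force | Out-Null
}

# URLACTION ids (DWORD) used by the zone settings:
#   1200 = Run ActiveX controls and plug-ins (0 = enable, 1 = prompt, 3 = disable)
#   1C00 = Java permissions (0 = disable Java, 0x30000 = low safety)
# The Oracle Java plug-in loads as an ActiveX control, so 1200 = 3 blocks it too.
$InternetLockdown = @{ '1200' = 3; '1C00' = 0 }          # Internet: nothing active runs
$TrustedAllow     = @{ '1200' = 0; '1C00' = 0x30000 }    # Trusted: legacy apps keep working

foreach ($e in $InternetLockdown.GetEnumerator()) {
    New-ItemProperty -Path $ZoneInternet -Name $e.Key -Value $e.Value -PropertyType DWord -Force | Out-Null
}
foreach ($e in $TrustedAllow.GetEnumerator()) {
    New-ItemProperty -Path $ZoneTrusted -Name $e.Key -Value $e.Value -PropertyType DWord -Force | Out-Null
}

# Read back what was applied so the change can be evidenced.
'Trusted site assignments:'
Get-ItemProperty -Path $ZoneMap | Select-Object -Property $TrustedSites
'Internet zone ActiveX/Java settings:'
Get-ItemProperty -Path $ZoneInternet | Select-Object -Property '1200', '1C00'
```

The caveat a practitioner would add: this only narrows where active content runs, it does not patch the Java runtime behind it, so a malicious page reached through a trusted host still gets the old plug-in. Pair it with the whitelisting proxy and VLAN separation described earlier in the thread rather than treating it as the £20m fix.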
...this would only be the right solution if the NHS's actual, core security problem was a lack of white hat hacking consultants in some data centre somewhere.
Yeh, it might be useful in a way, but as everyone who works here knows, just getting the basics right (patching, stop people clicking on stuff they shouldn't, etc, etc) would go a lot further. A lot of the time, the security people already KNOW where the holes are, and don't need expensive consultants to tell them, but they're not supported by senior management (until there's a data leak or virus outbreak when saving their own arse suddenly becomes a top priority).
And they should wake up and get rid of the ridiculously counterproductive IG Toolkit while they're at it - any NHS organisation can easily pass with flying colours and still be full of holes, so all it does is give senior management an excuse to spend nothing on *actual* security because they scored well on the Toolkit. It's an absolute effing joke and everyone knows it.
Probably the most sensible comment I've read on this thread. Get the basics sorted - could not agree more...but without management support then you really are on a hiding to nothing.
I once did a consultancy gig with an ex-NHS CISO who was about as impressive as Jeremy Corbyn but with less vision.
Yes and no. It can be done honestly - in effect, our IG Team ask something like 'can you give us evidence of your patching and update regime working'. IT, quite honestly, then supply them with the requested evidence. The auditors then check the IG Toolkit submission against the provided real-world activities and Behold! It's a Pass!
However, if IG came to IT and asked, 'can you give us evidence of where your patching and update regime is catastrophic', IT would be able to supply this just as easily.
In short, auditing is not pentesting, they're all just looking where the light is.
I briefly worked for a trust in Scotland, and every single fucking penny had to be spent on patients.
We were four versions behind on MS Office, had nineteen domains with all the associated clusterfuckery that that entails. NTFS permissions were completely screwed. Ransomware occurred three times a week.
The building itself hadn't had a lick of paint since it opened in 1898. The bogs were so bad I used to go across the road to the station to have a shit.
The Storage Team had a geographically dispersed cluster, the nodes of which gradually got more and more out of sync with each other. That in turn caused Windows Server to keep complaining that it needed to run Chkdsk, but they just ignored it and hoped for the best.
I've worked as a certified (fancy certs and all) pen tester within the NHS for many years as part of a small team - we pen test our own and other NHS orgs amongst others. Only one of the 20+ organisations we deal with was hit by Wannacry and we raised SMB issues with them a fair while beforehand. Unfortunately it appears that in-house expertise isn't really valued by some national level NHS orgs and outsourcing (presumably at great cost) is the favored approach. Frustrating to say the least, maybe we should just give in and take the higher pay packages on offer in the private sector!
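Two posts above (the WSUS/W7 reply and this one) mention the SMB exposure that WannaCry exploited. As an added example, not code from either poster, here is the check an in-house team could run across estate hosts to evidence SMBv1 status and turn it off. It assumes an elevated session; the `SmbShare` cmdlets exist on Windows 8/Server 2012 and later, and the registry/`sc.exe` path is the documented method for Windows 7/Server 2008 R2. Which specific SMB findings were raised with the affected trust is not stated in the thread.

```powershell
# Added example: report and remove SMBv1 on a Windows host.
# Server side is controlled by LanmanServer; client side by the mrxsmb10 driver.

function Get-Smb1Status {
    $status = [ordered]@{ ServerSmb1 = $null; ClientSmb1 = $null; Source = $null }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $status.ServerSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $status.Source     = 'Get-SmbServerConfiguration'
    } else {
        # Windows 7 / Server 2008 R2: absent value means SMB1 is on by default
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $v = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $status.ServerSmb1 = ($null -eq $v) -or ($v -ne 0)
        $status.Source     = 'LanmanServer\Parameters\SMB1'
    }

    # Client: mrxsmb10 service Start = 4 means disabled
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue
    $status.ClientSmb1 = if ($null -eq $drv) { $false } else { $drv.Start -ne 4 }

    [pscustomobject]$status
}

function Disable-Smb1 {
    # Server side
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMB1 redirector from the workstation service's
    # dependencies and stop the driver loading. Takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Before/after, suitable for dropping into an evidence pack.
'Before:'; Get-Smb1Status
Disable-Smb1
'After (client change needs a reboot):'; Get-Smb1Status
```

Run `Get-Smb1Status` alone first across the estate (for example via `Invoke-Command -ComputerName`) and keep the output: that is exactly the kind of evidence the IG Toolkit discussion above says auditors accept, and the kind the poster says was raised before the outbreak. Disabling the client side breaks access to any device that only speaks SMBv1, such as old scanners and print servers, so inventory those on their own VLAN first rather than flipping it estate-wide.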