
The multi-million pound consultation..
...says they need a multi-million pound upgrade, but don't have the budget.
Every single one of the 200 NHS trusts in the UK so far assessed for cyber security resilience has failed an on-site assessment, MPs on the Public Accounts Committee were told yesterday. There are a total of 236 trusts. There is no timeline on when the remaining 36 will be checked over. In a hearing about the WannaCry …
"exercises little useful control."
True dat.
NHS England have now developed the nhs.net email system - that all the trusts can use.
If they could do something similar for (e.g.) a "Patient Checkin / management / tracking" system they could all use that - instead of them all running off to loads of separate 3rd party companies getting bespoke stuff made that needs to be replaced before they've even got it working properly and paying through the nose for it. x 236 trusts
The NHS has 1.7m employees. Do you really think that an organisation of that size would be manageable without breaking it down into a large number of smaller operating units?
WTF, they split it up because their mates on the boards of other companies don't want one big customer with negotiating power, 230+ is much better ... everybody wins except the tax payer, NHS employees and patients, but who cares about them.... there are many more big businesses that have that many staff. All this is just Thatcherite lies to milk the taxpayers, patients, employees to make the rich richer ...
I know, you might think another commy guardian-reading comment@rd, but if I compare care in Germany, France, and the UK ... I would rather not be treated in the UK ... and I think the staff are equally qualified in all those countries, maybe even more in the NHS ... Thank Feynman the late Admiral's family is there to donate that life-saving piece of equipment, NHS is in a state where it relies on donations ... and the NHS probably has the most motivated staff of any healthcare system in the world ...
Plus 200 or so CCGs, covering the approximately eight thousand independently-operated-but-nhs-contracted GP practices, plus your local authority's public health and social care provision and the innumerable charitable and private providers taking greater and greater shares of the funding.
When a system is so comprehensively fragmented and every component in that system so comprehensively failed, it is wrong to blame the elements of the system. When 200 out of 200 trusts tested fail to meet a standard, you cannot blame the trusts. You must and should blame the Department of Health, and ultimately the minister.
Some of the issues are due to Java versions external companies insist on using, despite being vastly out of date and will not support or the service won't work if updated to the current version.
Add on that upgrading Java involves the usual CAB rigmarole, and the fortnightly release of Java soon becomes an even bigger PITA.
Here's a tip, NW Eng trust that shall remain nameless - Don't make the Smoothwall content management filtering system OPTIONAL!
I'm no network expert, but I'm sure there are ways of directing traffic through the Smoothwall that don't rely on the user not unticking a box in their browser!
Here's another - block executable downloads. I'm struggling to think of any reason any user would need to download a .exe / cmd / ps / vbs.
'course you can't do (2) till you've done (1).
I'm struggling to think of any reason any user would need to download a .exe
Because IT departments are bound by the same network policies and need to. What we do instead is scan everything and restrict non-admins from running them.
Let's be clear, WannaCry did not happen because some Doctor, Nurse, Physiotherapist or whatever decided to run COOLPICTURES.JPG.EXE whilst logged into their Windows XP system.
It happened because undermanned IT departments in underfunded hospitals took too long to test patches and software updates. As others here have said, it wasn't because they were all running XP either. In fact, if the NHS had been all XP, it might have escaped relatively unharmed since many trusts have reported that their XP machines were not infected at all.
Give us the money and personnel to do it and it will be done.
Having been assessed as part of this programme (I work for an NHS Trust) there is no way anyone could ever pass.
Why?
Because national NHS systems rely on things like older versions of Java and Flash Player.
Don't have them installed, stuff doesn't work.
Have latest versions installed, stuff doesn't work.
"The NHS should be such a large buyer of IT services that it can dictate any terms it wants to IT suppliers,"
NHS: We demand that all MRI scanners work with Windows 10 for the next 20 years
Supplier: Which version?
NHS: Windows 10!
Supplier: Which Version?
NHS: The new one!
Supplier: OK for the next 20 years it will be compatible with the latest version of Windows 10 as of today.
@John G Imrie
@Zog_but_not_the_first
Easy to say, not so easy to do.
There are a lot of requirements placed on NHS contractors. If you add yet another one, you run the real risk that there will be *nobody* who is fully qualified to provide some vital product or service. And so you'll always have to make compromises somewhere.
So there's always going to be argument about which requirements are essential, and which are merely desirable. Argument means politics. Welcome to square one.
@John G Imrie
@Zog_but_not_the_first
But this is exactly the problem mentioned upthread, there is no centralised purchasing or logistics anymore, it was got rid of in favour of each individual Trust having responsibility for their own purchasing.
If there was a centralised logistics and purchasing facility, then economies of scale alone would make a massive difference to the amount of money the NHS spends on IT, drugs, estates and everything else.
However, government policy (and not just the present government, but those of all political leanings) seems to be deliberately aimed at fragmenting and removing this ability.
The problem with centralised logistics and purchasing is that big brown envelopes are easier to spot than lots of little brown envelopes.
If it was me doing any of this I would have a centralised IT department that managed the data and budget then individual IT departments with defined processes of what is and what is not to be done. I would then get to work identifying where programs and hardware need upgrading while trying to isolate them where necessary. I would also look at what programs can be brought in house either by coding them from scratch or purchasing the code from a company. This does of course need funding which is where the problem ultimately lies because to fix the problems you need to upgrade and upgrades cost money. That's the way I see it should work though I'm sure some will agree and some will think I'm bonkers.
I think a large part of that is the fact that "the NHS" doesn't really exist, individual trusts purchase for themselves, hence the disparate systems used across trusts. Due to that there is no NHS buying power. In fact, in one trust I have worked with, individual hospitals within the trust controlled their own IT budget.
(IT consisted of one trained member of staff, and one trainee who worked part-time, for a city of approx 462,000 within its metropolitan area)
Where ticking boxes is more important than working systems.
Some of the assessment checks seem largely irrelevant, and most organisations would fail them.
Additional registry keys needing (a matter of opinion rather than a proper risk analysis) to be set after some obscure Microsoft update, for example.