How easy is it to hack a fax machine anyway?
25% of NHS trusts have zilch, zip, zero staff who are versed in security
A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people. On average, trusts employ …
COMMENTS
-
-
Wednesday 12th December 2018 10:08 GMT Andrew Commons
How easy is it to hack a fax machine anyway?
Not that hard apparently. There was a lot of press about it in August of this year. A lot of them come bundled with MultiFunction Devices and you have to tweak a few configuration options to stop them being used as a path into the internal network. This has been the case for quite a few years now.
-
Tuesday 11th December 2018 19:48 GMT WolfFan
Pay?
What’s the pay like? As long as the location isn’t somewhere like Hull or Slough, if the pay is acceptable I’d take the job. I suspect that the pay will be... suspect... unless the powers-that-be get appropriate reminders.
Pirate icon ‘cause, why not? Hoist high the Jolly Roger! Avast ye scurvy NHS swabs, and prepare ye to be boarded!
-
Wednesday 12th December 2018 01:42 GMT Anonymous Coward
Re: Pay?
As long as the location isn’t somewhere like Hull or Slough, if the pay is acceptable I’d take the job
Look what happened at Equifax: A mid level IT staffer was blamed for not patching and got the boot. That person will struggle to find gainful employment in ITSec. Who round here believes that a single IT pro was responsible for Equifax' comprehensive disaster?
Likewise the NHS. You'd have complexity, resistance to change, unsupportive and incompetent senior management, stuff all resources, and plenty of responsibility with zero power to take the necessary decisions.
Would you really take the job?
-
Wednesday 12th December 2018 10:12 GMT Anonymous Coward
Re: Pay?
No, it would be a horrific job. You would try to do anything like say block USB thumb drives with a group policy, then get a massive bollocking from a surgeon who had “always done that” and eventually figure it wasn’t worth even bothering. It will only change when it’s mandated from the very top and people who refuse to comply start getting sacked.
-
-
-
Tuesday 11th December 2018 20:40 GMT The Nazz
Hacking made easier.
Hacker 1 : We should maybe target the NHS, plenty of private details in there.
Hacker 2 : Hell yeah, why don't we send them a FoI request and see which ones may have poor security.
Hacker 1 : Good Idea. Hey there's a few here who don't employ anyone or even bother to spend money on IT security. Let's target them first.
Hacker 2 : Yeah, we'll do it Friday afternoon when no-ones about.
-
Tuesday 11th December 2018 21:02 GMT sanmigueelbeer
Re: Hacking made easier.
Hacker 2 : Yeah, we'll do it Friday afternoon when no-ones about.
Between the dates of 22 to 24 December 2018 (and a follow-up attack from 30 December 2018 to 01 January 2019) is the best time to launch an attack. The effects would be astounding.
NHS may not have enough staff trained in IT Security but what if there is no staff with IT Security knowledge on-shift, on-duty or even rostered during this period and then a hack happened.
WannaCry(pt) and (not) Petya attacks all happened on a late Friday afternoon. Imagine what would happen when a successful attack happened on the dates mentioned above.
-
-
-
Tuesday 11th December 2018 23:13 GMT Anonymous Coward
Re: I wish this was a unique situation
Places I've worked have had security aware IT staff ... however, they were also full of the sort of "I'm a software engineer so I know what I'm doing" sort of employees whose reaction to receiving a phishing email is to see what's inside the attachment and then forward it to everyone in the organisation with a "look how clever I am" message explaining that if anyone sees the same attachment (that's now been sent to everyone) then they shouldn't open it because it contains <list of attacks>.
-
Wednesday 12th December 2018 11:03 GMT CrazyOldCatMan
Re: I wish this was a unique situation
in-house IT security-aware
And let's also say it here - just because someone has a "security qualification" doesn't mean that they are any good at actually doing IT security - it just means they have a qualification.
Much like the much-despised MCSE[1] - all it proves is that someone has regurgitated their crammed training during an exam.
[1] Must Call Someone Experienced..
-
Tuesday 11th December 2018 23:10 GMT Pen-y-gors
Security costs
We all know that security costs, as do so many things.
For an under-funded trust, when the choice is between spending cash on security training and staff to avoid a (future) data breach, and on spending cash on staff who can stop people dying tomorrow, it's an easy choice.
Same as any choice - Universal Credit late? Benefits stopped for no good reason? Limited cash? You buy food to stop starving today, and try to forget the risk of being evicted in a few months for not paying your rent.
Immediate needs outweigh future ones.
Only answer is more real money for the NHS. If we want it, it has to be paid for.
-
Wednesday 12th December 2018 00:11 GMT Anonymous Coward
Re: Security costs
"Only answer is more real money for the NHS."?
I would look to getting rid of the management overhead first, there are still lots of people without medical qualification in the NHS taking home wages that the qualified are unlikely to ever see.
You can't just throw money at the NHS you need to make certain the money goes where it should and that means getting rid of the leeches first.
The whole "running state welfare as a business" was a failed idea in the first place, there has never been any evidence that business practices are cheaper or more effective for state services and until the "business" people are out of the loop then any cash going to the NHS will again be diverted away from what should be the primary goal i.e. healing the public. The best your "lob cash and hope for the best" is going to accomplish is slightly cheaper carparking whilst you wait in a queue that is just as long as it was before the cash injection and will only get longer whilst the money is going everywhere but where it is needed.
-
Wednesday 12th December 2018 07:25 GMT tfewster
Re: Security costs
> "I would look to getting rid of the management overhead first, there are still lots of people without medical qualification in the NHS taking home wages that the qualified are unlikley to ever see."
When I worked for the NHS in the 80s as an IT specialist, my salary (low for IT but high for the NHS) put me into a management grade. As such, I was contracted to "work the hours necessary to perform my duties", i.e. long hours and no paid overtime. I regularly made the comment to medical staff that I was an "administrative overhead"; they were polite or smart enough to recognise that my IT skills were valuable.
I understand what you mean about administrative waste, but most of the administrators are desperately trying to make sure money is spent well. The Government has the same underlying goal, though frequent changes in policy inevitably mean more short-term waste. It's not a simple subject, but it's highly visible.
-
Wednesday 12th December 2018 12:26 GMT Anonymous Coward
Re: Security costs
"I understand what you mean about administrative waste, but most of the administrators are desperately trying to make sure money is spent well."
For many years, I lived around the corner from a senior administrator at a large hospital. We shared a common interest in electronics and tech. He used to go into work 2 - 3 days a week and spent much of his time at home. When they had additional funding from government, he and his colleagues would ensure they each had a pay rise, hired a few more administrative staff in their offices and left relatively little to be passed onto the "front line".
-
Wednesday 12th December 2018 13:19 GMT Doctor Syntax
Re: Security costs
"most of the administrators are desperately trying to make sure money is spent well."
Most but maybe not all. There are occasional reports in the local press of the not-for-profit business (maybe owned by the local trust but I can't remember the details) or the people it employs to do the work, district nurses etc., having pay squeezed. There are also reports of large pay increases for the top management. Not for profit? Oh yes?
-
-
-
Wednesday 12th December 2018 12:33 GMT JohnG
Re: Security costs
"For an under-funded trust, when the choice is between spending cash on security training and staff to avoid a (future) data breach, an on spending cash on staff who can stop people dying tomorrow, it's and easy choice."
The first question they should address is why a bed in an NHS hospital is apparently 4 - 5 times more expensive than for a private patient in a similar German hospital. Similarly, the costs quoted by NHS trusts for various procedures are dramatically more than in Germany. German staff are no less qualified than their British counterparts and earn similar salaries. Equipment costs are the same. Why is there such a large discrepancy?
The second question should be: why the hell don't they send more NHS patients for treatment in Germany, both to save money and to reduce waiting times/strain on resources?
-
-
Tuesday 11th December 2018 23:59 GMT Anonymous Coward
It's okay computer secure themselves
The real question is why companies and agencies are allowed to even use computers if they have no competent IT staff?
Oh, computers are just another tool? Well that doesn't work too well for Health and Safety and it shouldn't for IT.
If company security fails were seen in the same light as H&S fails then you can bet that the insurance companies would push for greater diligence.
Personally I think it should always have been a state requirement of any company storing personal data to insure against IT incompetence along with a fast track court process for claiming in order to get their lives back. Then the offending company can't just go bust and start a new company when they fkup, the next wouldn't get insured as the directors would still be linked to the payouts from the last company.
I am all for limited company protection but since directors are not required to prove competence then this would have dealt with most of the IT security issues over the last 40 years.
-
Wednesday 12th December 2018 13:19 GMT Doctor Syntax
Re: It's okay computer secure themselves
"If company security fails were seen in the same light as H&S fails then you can bet that the insurance companies would push for greater diligence."
You're right, of course, but I'm not sure this applies to the NHS. Back in my Civil Service days the policy was to "self-insure". That meant that when the lab burned down HMG paid for rebuilding. If the NHS works in this way then that pressure is absent. But I'd like to think the insurance companies would push other businesses a bit... a lot harder.
-
Wednesday 12th December 2018 21:01 GMT Fishwife0001
Re: It's okay computer secure themselves
"HMG paid for rebuilding. If the NHS works in this way then that pressure is absent."
Self insure is at the heart of dealing with all the NHS failures that attract litigation. Hence the NHS culture of never accepting blame. I've been retired for a few years but in my experience, hospital management is not afraid to intimidate claimants with statements inferring that their action will impinge negatively on cancer care, children's treatment and anything else they can think of to frighten people. Cyber security is a very low level priority. Computers are a tool, just a tool, nothing untoward is going to happen. Consider the IT department wanting to make serious inroads into their security. The hospital management has just changed the level of cleaning in the A&E from 24/7 to 3 hours daily. IT wants more money. Lol.
-
-
-
Wednesday 12th December 2018 00:47 GMT Nick Kew
It seems to me the question asked doesn't really tell us anything. An organisation might say "none" because it doesn't separate out a specific security role. Maybe it's outsourced, along with other IT functions? And security expertise isn't necessarily associated with box-ticking training and qualifications.
Not that I'm suggesting they're on top of it. That would indeed seem far-fetched.
-
Wednesday 12th December 2018 12:33 GMT phuzz
It's worse than that, they were being asked by a security firm (ie this was a PR exercise) if they had any staff who'd had 'security training'.
So apart from the fact that this is only being reported on because a company's marketing department saw a good way to get attention, it also begs the question, exactly what kind of 'security training' would be useful? All the people I'd trust to secure a system have exactly zero formal training. From my own experience of IT training, although I did learn stuff, the actual certification just showed that you could complete an exam, not that you had any aptitude for the subject.
So, perhaps the NHS has no competent security staff, or perhaps it has lots who've never had the budget to be sent on an overpriced training course just so they can put a line on their CV saying "security trained". This PR piece doesn't really give us the information to decide.
-
-
Wednesday 12th December 2018 10:14 GMT Mike 137
"no staff with security qualifications ..."
If that really means no staff with security expertise, then I'm genuinely worried, but in my experience security qualifications do not necessarily equate to security expertise. Practically all "security qualifications" I have investigated in detail consist of cramming sessions followed by multiple choice tests.
This has become the norm, presumably because it's cheap to deliver, and pitifully low expectations of "expertise" have resulted. As the author of a course that includes a variety of exam questions, I was saddened recently by feedback from a testing centre that candidates struggle with short answer and essay questions despite scoring highly in multiple choice.
In the real world we need rather a different kind of expertise - to be able first to work out what the question is and then to come up with an appropriate solution without prompting, and to do both reliably under pressure in an emergency. The multiple choice "exam" tests the exact opposite - merely the ability to recognise on demand some pre-defined statement you were told no more than a week ago.
This simulacrum of training and expertise is not restricted to infosec - it has infected the whole domain of risk and compliance. You can, for example, become a "certified EU GDPR practitioner" in five days including 2.5 hours of multiple choice testing, thereby, according to at least one training company, becoming equipped to serve as a corporate Data Protection Officer with the authority to render your employer liable to multi-million euro fines.
So let's please have more people with expertise, but let's stop selecting them on the basis of bogus qualifications that signify nothing of value.
-
Wednesday 12th December 2018 11:07 GMT CrazyOldCatMan
Re: "no staff with security qualifications ..."
So let's please have more people with expertise, but let's stop selecting them on the basis of bogus qualifications that signify nothing of value.
[Wild applause].
Sadly, in order to make the case for someone to be employed or promoted, HR departments mostly want to go for the safe option and that's to require them to have qualifications of some sort. It's very rare that an IT-person-with-a-clue is allowed to both write the job spec *and* be part of the interview process.