London hospitals left in critical condition after ransomware attack

Hospitals in London are struggling to deliver pathology services after a ransomware attack at a service partner downed some key systems. NHS England's London region confirmed in a statement to The Register that a provider of pathology lab services, Synnovis, was the target. A spokesperson for the region said: "This is having …

  1. Anonymous Coward

    all the eggs in one very torn basket

    Would seem particularly silly to rely on one single provider who had already been targeted and succumbed to ransomware at least once already.

    1. Plest Silver badge

      Re: all the eggs in one very torn basket

      Given all the nepotism that's often so rampant in UK gov selected services we can only assume the old adage, "It's not what you know, it's who you know.".

      1. steviebuk Silver badge

        Re: all the eggs in one very torn basket

        Having worked in the NHS, I agree.

  2. Anonymous Coward

    Let me guess ..

    .. I think I can predict which OS they are using.

    :(

    1. Anonymous Coward

      Re: Let me guess ..

      The one that runs the almighty pile of shit called systemd?

      1. Anonymous Coward

        Re: Let me guess ..

        That would still be safer, even with systemd..

    2. Casca Silver badge

      Re: Let me guess ..

      Yea, let's blame the OS. Not that you can make it safe if you are willing to try...

      1. druck Silver badge

        Re: Let me guess ..

        Why not blame the OS? If you didn't have a steaming pile of excrement as the base of your system, you wouldn't need so many security tools to try to work out what it is doing, which is almost indistinguishable from malware right out of the box with the latest version.

      2. ChoHag Silver badge

        Re: Let me guess ..

        But you can't just apt-get install security and be done with it if you're in Windows...

  3. Anonymous Coward

    Attack Revealed On June 4 2024

    It's been a while, but the Equifax hack has a few lessons:

    (1) The hack was eventually revealed in July 2017

    (2) ....but the hackers had been exfiltrating data for months

    (3) ....but the duration of the exfiltration was actually unknown

    (4) ....and the scope of the data stolen was never fully defined

    This report in El Reg is pretty clear about item #1 at Synnovis............

    ......and pretty unclear about items #2, #3 and #4.

    I think we should be told!

  4. VicMortimer Silver badge

    This isn't going to stop until countries make paying ransom a crime.

    1. cyberdemon Silver badge
      Unhappy

      > This isn't going to stop until countries make paying ransom a crime.

      That would help, but sadly I don't think these attacks would stop even if nobody paid. A lot of these gangs seem to be part of a hybrid warfare strategy from the "crinks" (China, Russia, Iran and North Korea).

      These mafia states redirect domestic organised crime to their war efforts, allowing them to make money through both ransomware and scams provided they only hit Western targets.. Even if nobody pays a ransom, they will sell the data to other gangs who will use it for industrial scale automated scamming and other secondary attacks.

      A big part of the problem is reliance on 3rd party cloud IT contractors in the first place. But fixing that would require a decade of public sector investment in training and retaining in-house IT professionals, which successive governments have cut to the bone..

      1. t245t Silver badge
        Facepalm

        Re: > This isn't going to stop until countries make paying ransom a crime.

        > .. A lot of these gangs seem to be part of a hybrid warfare strategy from the "crinks" (China, Russia, Iran and North Korea) ..

        Best to deflect attention from the manufacturers of the crapware /s

        1. Casca Silver badge

          Re: > This isn't going to stop until countries make paying ransom a crime.

          Oh, you think there would be a difference if they would have used another OS. Sorry but no.

      2. I ain't Spartacus Gold badge

        Re: > This isn't going to stop until countries make paying ransom a crime.

        cyberdemon,

        I can't speak for the state of hacking in China - but in Russia it's an absolute jungle out there. The security services definitely do use criminal gangs to target foreign states - and use them in hybrid war. But it's not in exchange for protecting the home market from their attacks. I rather suspect that they are given a choice of going to prison for their crimes in Russia or set on certain targets - and probably end up paying a cut of their profits to FSB officers in exchange for not going to prison.

        If you look at the Bellingcat (or other) investigations of Russian FSB and GRU agents, it's truly amazing how much data is out there. They were able to get hold of large portions of the Russian passport, voting and car registration databases - plus phone and credit card transactions. It was one of the ways they were able to track down the two GRU officers who carried out the Salisbury Novichok attack. They had sequential passport numbers and they were then able to cross-reference their (and some of the passport holders in the same number sequence) phone and credit card details to, for example, find a GRU office in Moscow where various of these people had all had pizzas delivered to. There's a whole network of security journalists and researchers mining this data for interesting stuff - and I'm sure Western intelligence agencies are also having a go. While there's lots of this kind of data about the UK / US / European population online, it doesn't seem to be quite as extensive yet - though I'm sure Intelligence services with access to hackers will be trying to hoover up lots of lovely data while they're about it.

      3. Like a badger

        Re: > This isn't going to stop until countries make paying ransom a crime.

        "A big part of the problem is reliance on 3rd party cloud IT contractors in the first place. But fixing that would require a decade of public sector investment in training and retaining in-house IT professionals, which successive governments have cut to the bone.."

        Before that, it requires government to rethink what activities and services it should provide for itself, and what are better provided by commercial providers. At the moment the default position in the UK is that the public sector should outsource anything that it can, and that won't be changing regardless of the current general election.

      4. steviebuk Silver badge

        Re: > This isn't going to stop until countries make paying ransom a crime.

        True. Looking around for another job and all I'm seeing is sweat shop MSPs.

  5. FrogsAndChips Silver badge
    FAIL

    3rd attack in a year on Synlab

    After Italy and France, now Britain. You'd think "lessons would have been learned" after the first attack, but of course no! Time for everyone involved with this provider to cut ties before they're one more victim on the list.

    1. Doctor Syntax Silver badge

      Re: 3rd attack in a year on Synlab

      You'd think lessons would be learned by Synlab, yes..

      Just switching to a different supplier for a complex laboratory service? Really?

      1. FrogsAndChips Silver badge

        Re: 3rd attack in a year on Synlab

        From the article: "Some activity has already been cancelled or redirected to other providers at short notice". Looks like it's feasible.

        1. Doctor Syntax Silver badge

          Re: 3rd attack in a year on Synlab

          Some activity isn't all of it. It's very likely involving a lot of phoning round for capacity and a lot of couriers taking samples around. It's going to involve time spent doing that which would normally have been better used elsewhere. If you're in London why not give one of the hospitals a call to see if they're looking for volunteers to help out with that. At the same time you can do a real feasibility study.

          1. FrogsAndChips Silver badge

            Re: 3rd attack in a year on Synlab

            Thanks for the offer, but I'm currently staying at home to attend to my wife who's just had a surgery, and I'm glad it's not her hospital that's been attacked by these scumbags.

            Now I know it's never an easy task to change suppliers, but if you're tied to one supplier for a critical activity, then you already have a problem. If this supplier is a security liability, you have an even bigger one.

            1. Prst. V.Jeltz Silver badge

              Re: 3rd attack in a year on Synlab

              tied to one supplier for a critical activity

              Surely this is the case 95% of the time?

              It's just not practical / feasible / logical to have two suppliers for these systems.

              It's not like having a failover server.

        2. Sir Sham Cad

          Re: 3rd attack in a year on Synlab

          " redirected to other providers at short notice. Looks like it's feasible."

          They mean other local NHS Trusts (Healthcare Providers), not other IT Providers.

          1. FrogsAndChips Silver badge

            Re: 3rd attack in a year on Synlab

            That was a statement from Synnovis, so it's likely they were referring to other pathology labs taking care of their own activities, rather than healthcare providers.

        3. pig

          Re: 3rd attack in a year on Synlab

          Everything is feasible at a cost.

          You can have any two of price, quality and time.

          What, you want it now, and want it to be good?

          Hope you have deep pockets.

    2. hoola Silver badge

      Re: 3rd attack in a year on Synlab

      It is easy to say "Lessons would have been learned" however that actually assumes you can do something about the underlying cause, ingress point or vulnerability.

      If the attack is exactly the same as an earlier one that is unforgivable.

      They can cut ties with the provider but cannot do that overnight. They are stuck at the moment where the priority is to get things working again. Dumping the current provider now is unlikely to expedite that and they will have all sorts of contractual and insurance issues.

    3. ChoHag Silver badge

      Re: 3rd attack in a year on Synlab

      Lesson: if we give a convincing enough sob story on camera, nothing happens.

  6. Tron Silver badge

    Plan B. Have one.

    If your services touch the public internet they are vulnerable. So you should have a back-up plan that offers a rapid and smooth fallback to a resilient analogue/manual service for when it happens. As essential as a fire drill. No audit sign off and no bonuses until you can operate without vulnerable software. Given that this is going to last some time (and even longer if the NCSC are involved), the fallback for hospitals should cover all services on site. Time to rediscover paper forms and have them ready. Digital is a luxury, not a default.

    1. Doctor Syntax Silver badge

      Re: Plan B. Have one.

      This is a path lab service. It's not clear whether they're being run on the hospitals' sites or whether they have a centralised lab. In the latter case having a fully equipped set of labs on site really would be a luxury. In either case falling back to services on site is meaningless - either they are on site or there's nothing to fall back to.

      A lot of the instruments will be controlled by PCs. "Digital" isn't a luxury, it's how it works.

      1. Atomic Duetto

        Re: Plan B. Have one.

        I’m old enough to remember when scientific instruments used either for research or process control (XRD, XRF, particle size, CNC, etc.) were controlled by PC but NOT connected to the LAN, WAN, Cloud.. because it simply didn’t exist yet. Most all services are now beholden to the enshittification of the IT world because profit driven companies decided the OS needed to phone home for a license key, patches, additional storage, or even the actual processing… whatever, to maintain and control revenues.

        Connectivity, the internet is not what it once was (or thought it could be). Switch it all off, define the actual business requirement and start again. Paper and people to shuffle it are cheap and plentiful.

        My mother (85 last week) was once one of a few people (5) that could manage the staff payroll of a four figure govt. dept. without waiting for the cloud or being held hostage by an external actor. Some of these “IT services” are not better, they’re just “data driven” honey pots for profiteering (by large software co., ext. consultants, criminal orgs, state actors).

        1. doublelayer Silver badge

          Re: Plan B. Have one.

          "Paper and people to shuffle it are cheap and plentiful."

          We live in different worlds. In mine, paper is cheap, and everything else is expensive. People to move forms manually when a computer can move thousands per second are a lot more expensive than that computer. Finding the people who want to do that work is not easy either. Dealing with errors caused by, for instance, someone misreading handwriting is not fast. Space to store all that paper is not free.

        2. I ain't Spartacus Gold badge

          Re: Plan B. Have one.

          Atomic Duetto,

          You can't not have lab equipment connected to the internet when it has to pass on its testing results via the internet to the hospital departments that need the information.

          Obviously you could have dedicated networks or use something like fax transmissions for some of this - but then that would mean having specialist kit to do the job, and would create other problems of keeping it working.

          Each hospital doctor is probably ordering tens to hundreds of lab tests per day (depending on their speciality) - and that data has got to be moved around.

          1. Atomic Duetto

            Re: Plan B. Have one.

            Yes.

            My comment was simply that ubiquitous 24/7 connectivity to everything (prod/dev/data) is the issue.

            Where needed (is it needed), is it secure?

            I appear to have introduced my own simpleton straw/paper man by mentioning historical business practices.

            I was not passing comment on the lab services required by the NHS.

            FFS

        3. ChoHag Silver badge

          Re: Plan B. Have one.

          Computer says no.

      2. Fatwelshbuddha

        Re: Plan B. Have one.

        It’s a centralised lab. A very big one. It’s an industry I used to work in so know the pathology biz pretty well.

        https://www.pathologyinpractice.com/story/44387/new-synnovis-hub-laboratory-processes-first-samples

    2. Caver_Dave Silver badge

      Re: Plan B. Have one.

      I do know of one trust that had two suppliers for a number of their services, just for this type of redundancy.

      Bean counters saw this as waste and cut the most expensive in each case, despite IT and Medical managers arguments regarding resilience.

  7. Conundrum1885

    This question should be put to Starmer and Sunak tonight

    "What is your official position if critical infrastructure such as the power grid or utilities is attacked by cyber terrorists?"

    Personally I'd be finding out who attacked and readying a retaliatory strike if they don't hand over the key(s) but that's just me.

    Some call me an extremist for daring to even suggest such a thing but when lives are at risk you don't simply stand by and do nothing.

    The UK absolutely needs an offensive cyber-warfare division of the Army (call it Net Force or something) which can use any assets at its disposal to achieve the aim of keeping the UK safe on the Internet.

    1. Headley_Grange Silver badge

      Re: This question should be put to Starmer and Sunak tonight

      And the answer they'd both give in private would be along the lines of "We know what needs doing but it will cost a lot of money to fix and if we tell the voters we're going to put taxes up they won't vote for us. Easier to just let it happen and blame Russia, China, etc."

      We get what we pay for.

    2. Sandtitz Silver badge

      Re: This question should be put to Starmer and Sunak tonight

      "The UK absolutely needs an offensive cyber-warfare division"

      The UK (and other countries) needs a defensive cyber division which has audit privileges over every public sector + public company for their cyber security and offer recommendations ranging from compulsory - with penalties if not implemented later on - to optional.

      1. Conundrum1885

        Re: This question should be put to Starmer and Sunak tonight

        Like this??

        https://en.wikipedia.org/wiki/United_States_Cyber_Command

      2. ScottishYorkshireMan

        Re: This question should be put to Starmer and Sunak tonight

        Aye right, and the Government then sells the data this organization holds to the likes of their favourite lobbying org and we are back to square one.

        These problems exist because there is a politician making a buck out of the situation. Red Tory or Blue Tory, it's just going to be different hands in the till.

    3. doublelayer Silver badge

      Re: This question should be put to Starmer and Sunak tonight

      You might get them to say that, but they're not going to do it.

      Prime Minister: Who attacked our power grid with ransomware?

      Security consultant: We're pretty sure it's a ransomware group called TheoreticalName.

      PM: And who runs that?

      SC: We don't know yet.

      PM: How can we find out?

      SC: They attacked a Brazilian water company, an American school, and a factory in France recently. Does that suggest anything?

      SC: Well, you can usually assume that there are at least some people in Russia for any of these big things. We do know that Russia is blocked in the software as a victim country.

      PM: So bomb Russia then?

      You can suggest anything you want, and if you ask enough times they'll realize that you want a military response and they'll promise you one, but they will have reasons not to do it when it happens. Those reasons are logical. There's a reason why we don't solve every diplomatic incident with bombs.

      1. Anonymous Coward

        Re: This question should be put to Starmer and Sunak tonight

        And their response would be;

        "We take cybersecurity very seriously and will be investing heavily in ensuring our IT arrangements are as safe as they possibly can be."

        They would then go back to their offices and try and figure out why the budgets are so broken that front line hospital staff are being made redundant and services are being cut in order to “save money”

    4. Anonymous Coward

      Re: This question should be put to Starmer and Sunak tonight

      offensive cyber force..

      We have one… its new building is under construction within the BAE perimeter at Samlesbury near Preston. It is expected to employ 8500 people from across military and govt agencies.

      This public information doesn’t mean to say that the people already exist, are doing the job but working somewhere else right now.

      1. Anonymous Coward

        Re: This question should be put to Starmer and Sunak tonight

        "offensive cyber force..We have one… its new building is under construction within the BAE perimeter at Samlesbury near Preston. it is expected to employ 8500 people from across military and govt agencies."

        Right, so they're going to recruit top IT talent from Blackburn, Preston and Blackpool? This is going to be as effective and useful as our Border Force (or the other dullard's "Border Security Command").

        1. tiggity Silver badge

          Re: This question should be put to Starmer and Sunak tonight

          @AC

          Maybe people could move there from elsewhere? (makes a change from people having to move to London)

          Locals with aptitude could be trained (skills need to be learned, e.g. I have worked in IT for a long time but that does not mean I will have automagically absorbed cyber offense skills)

          A lot cheaper area to live than London (property prices such that younger people might actually be able to afford a mortgage!)

          The economy of this country is horrendously skewed by London, and it creates a vicious circle as companies move to London / surrounds as they know "talent" is there, which tends to give a bit of a "brain drain" elsewhere in UK as some "talent" inevitably moves to London as not many jobs in their local area.

          So govt / big companies employing significant numbers of people in areas outside of London is a good thing for UK as a whole as less centralization of "talent"

          .. Lives in forlorn hope of much of the rest of country getting anything like the (relatively) cheap & frequent public transport of London, or the stunning amount (& quality) of museums, galleries, theatres etc. which are obviously another attractive feature of London

  8. t245t Silver badge
    Terminator

    “Cyber” systems are not fit for “cyber” purpose.

    Given the ongoing malware infestation. It is patently obvious these “cyber” systems are not fit for purpose.

    Catholic faith-driven Ascension healthcare group

    Wha' do the doctors prescribe two “Hail Marys” and an “Our Father” with the medication /s

    1. Uncle Slacky Silver badge
      Devil

      Re: “Cyber” systems are not fit for “cyber” purpose.

      Hopefully they're not modelling themselves on Mother Teresa...

  9. Bendacious Bronze badge
    Unhappy

    No one ever thinks they are the bad guy

    I can understand how most ransomware spreaders can find excuses for what they do. Even though it's all crap, you can convince yourself that life gave you no legal opportunities, or you are just too special for a 'normal' job. Maybe your ransomware is a weapon against another country that has wronged your country and you've successfully dehumanised all of the citizens of that country. You are only taking money from evil companies that basically stole it in the first place. However they have managed to make themselves the hero in their mind, or decided that they had no choice, attacking critical medical facilities must be very tricky to excuse when you are unable to sleep at 3am. Ransomware gangs aren't just one psychopath, it's a group of people who must talk to each other and choose targets. I'm hoping that their bad consciences take all the pleasure out of their lives.

    1. StewartWhite
      Devil

      Re: No one ever thinks they are the bad guy

      You're rashly assuming that criminals think of anything other than themselves. They may well not even have bothered targeting as "hit and hope" is a viable strategy for ransomware given how dim most people are when it comes to clicking on random links in emails etc. If criminals are anything they're Social Darwinists but mostly they're just lazy, greedy and stupid (hence why they're caught as PC Plod tends not to be too assiduous or bright themself).

    2. t245t Silver badge

      Re: No one ever thinks they are the bad guy

      > .. I'm hoping that their bad consciences take all the pleasure out of their lives.

      If they grew up outside the Judaeo-Christian cultural heritage then the concept of a personal conscience would be alien to them.

      Busting Scam Call Centres in India

      1. CowHorseFrog Silver badge

        Re: No one ever thinks they are the bad guy

        That's a bit rich, there are arseholes everywhere including jews and christians.

        Close to half of all office workers are themselves frauds, they do little if anything but bullshit. You might some of them as managers. We all know examples of people who could be gone for a month and nobody would notice and yet they still take their pay home.

  10. CowHorseFrog Silver badge

    They need to put the person who recommended adding internet connectivity in jail for a long time, then people will stop making irresponsible decisions that caused this vulnerability to happen.

    1. abend0c4 Silver badge

      The problem is that health service providers are under great pressure to deliver services online, partly in the name of efficient use of staff. Some of the London hospitals provide appointment bookings and access to test results and consultation notes over the Internet. They're also under great pressure to exchange information with each other electronically so that the era of letters passing from one clinician to another via the postal service - and lost - and paper notes being distributed between them and available in complete detail nowhere.

      Given the number of independent organisations involved, any private network you devised for that purpose would be just about as vulnerable as the Internet. As soon as you link a bunch of vulnerable systems together you amplify the risk of exploitation and you only need access to one of them to begin an attack.

      Despite the evidence we have gathered over a couple of decades at least on the vulnerability of traditional computer systems we've done almost nothing serious to rethink them. We cannot depend on IT that requires expensive frequent replacement and constant human vigilance simply to operate as intended. It's time to threaten the suppliers with substantial penalties and to stop blaming the hapless users.

      1. CowHorseFrog Silver badge

        abend: The problem is that health service providers are under great pressure to deliver services online, partly in the name of efficient use of staff

        cow: This is a bullshit claim.

        Staff can talk to the customers on a separate computer, they don't need to use their "intranet" computer to talk to external customers.

      2. CowHorseFrog Silver badge

        abend: They're also under great pressure to exchange information with each other electronically so that the era of letters passing from one clinician to another via the postal service - and lost - and paper notes being distributed between them and available in complete detail nowhere.

        cow:

        Wow this is why these bad things happen...

        Idiots like yourself don't have the imagination that you can still have computerised healthcare on an intranet without connecting to THOSE computers to the internet.

        Simple answer two computers. There, problem solved.

        In answer to your next dumb response that this costs money, yes it does, but it costs far less than damage like this new problem where vandals attack hospital systems because of internet connectivity.

        1. ChoHag Silver badge
          Thumb Down

          > > Idiots like yourself don't have the imagination that you can still have computerised healthcare on an intranet without connecting to THOSE computers to the internet.

          > Given the number of independent organisations involved, any private network you devised for that purpose would be just about as vulnerable as the Internet.

          Two replies in a row and you didn't read what you're responding to before sending either of them? Although I'd lose the "about as vulnerable as" bit.

          > Simple answer two computers. There problem solved.

          Simple questions: Who makes the second computer? Who installs it? Who uses it? What does it communicate and with whom? How? Who out of the small number of mostly clinical staff does a local healthcare provider designate to maintain this pile of electronic crap?

          Two computers? You now have an order of magnitude more than two problems.

          1. CowHorseFrog Silver badge

            ChoHag: Simple questions: Who makes the second computer? Who installs it? Who uses it? What does it communicate and with whom? How? Who out of the small number of mostly clinical staff does a local healthcare provider designate to maintain this pile of electronic crap?

            cow: WOW

            The second computer or an iPad would be part of the solution suggested, provided and supported by the original consultant. It would be locked down to one of the popular video chats, the doctor would use their other computer to view personal records and all that.

        2. abend0c4 Silver badge

          Idiots like yourself

          Charming.

          In my experience, people mostly make rational decisions based on the constraints of their situation. Telling them to do something else without changing the constraints isn't going to help. Pretending the constraints don't exist is merely sophistry.

          1. CowHorseFrog Silver badge

            The constraints only exist because money has been wasted on management and consultants who take lots of money and don't give proper money saving advice.

    2. hoola Silver badge

      Yet the general public are screaming for everything to be online, they cannot do anything if it is not online, on an app and uses Social Media as the contact tool of choice.

      Most will read this think "incompetent overpaid hospital consultants and it is all the government's fault". The exception will be those who are directly impacted will have a similar view whilst ranting on Social Media that their appointment was cancelled and it is all the fault of the NHS.

      1. CowHorseFrog Silver badge

        Another stupid comment. They can't grasp the concept that you can have both, ...

        No wonder those consultants are idiots, just look at the responses to my original post, none of them show a slight amount of intelligence, like using different computers for public zoom chats and the intranet computer system w/ actual customer data.

      2. tiggity Silver badge

        @hoola

        I would argue that "the general public are screaming for everything to be online" is not wholly correct.

        Lots of companies / govt agencies essentially forcing activities to be online.

        Partner's mother is a pensioner, not online & does not want to be, so we have to deal with many facets of her life that she is unable to do as they are online only (e.g. the bank she is with has closed many branches so no nearby branch, dealing with utilities companies etc. is pretty much impossible without doing it online (she tried the joys of massive phone line queues* and just when getting near the head of the queue, the call getting disconnected) - she would love to be able to do things "offline" ).

        She is lucky we can do "online" stuff for her, many people without internet and lacking family / friends to deal with that aspect of life for them have a very difficult time, playing the roulette of phone queues or just having to do most things via letter.

        * IMHO deliberately understaffed to make the phone queue experience a nightmare, effectively forcing people online. The phone line queues that depress me most are where they are so big they do not even give a "you are position 'n' in the queue" as 'n' would just be absolutely massive.

  11. Yorick Hunt Silver badge
    Facepalm

    Ermagerd!

    Not only have miscreants pooped on their data, they also desecrated their signage!

    Seriously, does nobody know how to use an apostrophe these days?

  12. cantankerous swineherd

    the nhs is busily training people to click on links in txt msgs and emails and seem to be doing a fair bit of that themselves.

    personally I report txts purporting to come from the nhs wanting me to click on a link as spam. But I'm pretty sure it's the idiot surgery sending some really quite odd links, well away from nhs.uk

    1. Plest Silver badge

      The NHS appears to be busy these days wasting time and money handing out forms that require you to select your gender from the 47 they came up with that week.

  13. StewartWhite
    FAIL

    "our IT arrangements are as safe as they possibly can be"

    "We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be." they say. I call BS - they are definitely NOT as safe as they possibly can be otherwise the attack wouldn't have succeeded (+ their total IT security budget will be way less than their CEO's bonus).

    1. Phil O'Sophical Silver badge

      Re: "our IT arrangements are as safe as they possibly can be"

      Indeed. If you run a bank you don't keep the keys to the vaults in a cupboard on the wall and send memos to the staff reminding them to be careful. The keys are securely stored, with precise rules about who can access them, and a process in place to enforce those rules. Anyone breaking the rules gets fired.

      Until IT companies realise that data is as valuable, and needs the same protection, these stories will continue. There's nothing new or unusual about doing this, the security services have such processes and the IT equipment to implement them is already widely available.

      1. This post has been deleted by its author

      2. Dr Who

        Re: "our IT arrangements are as safe as they possibly can be"

        Good analogy. Especially because vaults still get robbed.

        Whatever you do and whatever you spend, there will be a sufficiently skilled, well resourced and determined adversary who could defeat you (if you have something that's worth nicking). There is always some limit to the countermeasures you can afford to put in place, so you must always make your plans on the basis of when, not if, you will be compromised. Excellent preparation for a breach is the sign of a well managed business.

        Also, not all data has/have equal value. As such, different databases should be secured to different levels.

  14. BadRobotics

    Is there no-one doing the same for CRINKS companies? I know NK doesn't have international internet access, but the rest?

  15. Anonymous Coward
    Anonymous Coward

    Money Talks

    Remember, NHS services and contracts are won by the lowest bidder. Corners have to be cut to meet financial constraints...

    1. wolfetone Silver badge

      Re: Money Talks

      This. Exactly this.

      They're private, they're turning a profit. You do that by putting the prices up or cutting costs. And so more often than not IT and security are seen as a cost that isn't needed.

      And none of them, Tories, Labour, or the Milkshake are going to change this.

      Democracy in action, my fragrant hole it is.

    2. CowHorseFrog Silver badge

      Re: Money Talks

      This has nothing to do with lowest price winners and everything to do with those winners not being responsible for their recommendations. Responsible here means they recommended a solution and they need to suffer the monetary consequences when their recommendation fails like it has here.

  16. Kev99 Silver badge

    Oy! Let's put all of our business critical, confidential, and proprietary kit out on the net and cloud. Even my little nippers know that both are but a bunch of holes held together with bits of twine and water.

  17. Phil995511

    People who attack hospital IT structures and thereby put lives at risk deserve a life sentence...

    1. CowHorseFrog Silver badge

      And the people who allow it to happen because they are clueless management who hire and accept advice from the wrong people should also go to jail for exactly the same reason.

      The real cause of the problem are the frauds who call themselves management, make them liable and considerable amounts of money would be saved and the public wouldn't be put at risk because of their poor choices.
