Another 'major cyber incident' at a UK hospital, outpatients asked to stay away

And the consultant for the eye hospital over from our support site that smashed up an expensive touchscreen computer because it was getting on his nerves.

The trust being large that it had TWO IT teams doing things seperately as that's what the Trust wanted. Giving us little access when rolling out new kit so having to sit at a nurses station for 20mins waiting for 3rd line to get out of their fucking meeting so I could install the blood printer (prints the labels that go round your wrist).

Then, which still pisses me off to this day, the IT managers daughter got a job because of who her dad was. Asked us to sort out some xray type machine (can't remember what it was. Was a PC but something to do with xrays) because "All the other engineers have gone home and you guys are the only ones left" (it was a Friday, we were contractors and all of IT had left early). We asked for the ticket which we kept being told we MUST GET A TICKET but she had none and cause of her dad, didn't need one.

So we go over the road, none of our cards let us in that fucking building. She's eventually made to come over to let us in, oh look her card doesn't work either. Jesus christ. We get in, find the nurses who tell us "IT was here earlier but they only took the keyboard and mouse". So essentially IT were being fucking lazy so made us move the bulky kit. Stuck it on a trolley and had to push it up the steep hill to the main building. We get to where we were told it was going, the guy has no idea what its about. Eventually someone arrives that knows about it and we then have to carry it up some windy stairs.

IT at the NHS is normally a shit show. I was first there in 2007. Left and back again in 2017. The IT culture hadn't changed! They were still quite cuntish. Having said that, still, if desperate, is a good place to start and get experience instead of working for the MSP sweatshops.

Back in the 90s, I worked in our local hospitall. It was a 600 bed hospital spread over several buildings in a site that occupied a huge area. I don't know how many staff they had, but it was a lot, and most staff had at least one computer in their dept. As it was the early 90s, computers were nowhere near as rife as they are now, but they still had a lot of computers, potentially hundreds.

Although my job was invoice processing rather than anything specifically IT related, I ended up doing support on a voluntary basis because our IT staff consisted of 3 people...

Re: Whether or not ...

Bit of both probably

Re: Whether or not ...

We know that Healthcare is being targeted by Nation States. The main issues in critical infrastructure/services is that you don't get downtime to patch the huge IT infrastructure estate (even though NHS England require resolution in 14 days or SIRO risk signoff) so can remain vulnerable for months.

Anything InfoSec: they need to get lucky once, we need to get lucky all the time.

Re: Mouse take

they still use paper.

My old man is in a hospice and the the staff there were doing double entry, once on paper and once in the system.

Re: paper records

Aside from anything else, there are IT systems required for tracking paper records. Yep. I know.

Almost 20 years ago I remember seeing paper records strewn all over the place as a building that was sold off to be turned into flats was just abandoned. I was just there to pull out the network kit. I hope to FSM that those records had been digitised first but I have my doubts.

Re: Who 'Owns' IT?

Equally awful is when Estates and Facilities try and do it.

At least an accountant knows what a PC is!

Re: Who 'Owns' IT?

The "About us" does not list a Director or IT. Nor does it make clear which of the Execs is responsible. Many summaries skirt around the edges of systems.

In my local NHS trust there is a board level director of IT, who is not the director of finance, nor estates.

Re: Who 'Owns' IT?

Ours had a specific IT CEO, the the IT director who was bent as fuck. Told everyone who was on a band 5 (2nd/3rd) engineers at the time they can be replaced with "box monkeys".

To be blunt he was a cunt.

Not forgetting the bribe they took from HP to sign up to the HP contract for laptops.

Re: Advised out-patient procedure

As long as these "type writers" of which you speak can bluetooth to a phone, otherwise people won't know what to do with them....

Re: Seems a bit contradictory

No contradiction. The business continues by not seeing patients, who only clutter up the place anyway.

The issue is that the public (the younger ones) are obsessed with everything being online, app based blah blah. This immediately opens up the attack vectors to the outside world.

This scenario is pushed by the numpties that are in their 40s & 50s that are also bought into this shite. Yes, it can be more convenient but does it save money?

The answer is highly unlikely but hey, I have an App where I can login from a crap mobile device and do "Stuff",

Now add in the next wave of idiocy, making all patient records available to the patient online. If that is not a fat target with a big arrow in the middle I don't know what is.

Currently if you put in a FOIA ( or more correctly DSAR) for you patient records you will get it on a CD, merged into a PDF that is protected.

All that will become available behind whatever crappy security people have with passwords and possible MFA, on the same device.

I also question the value of this data to most. The crucial part in this is that the data is available to all NHS trusts internally so that if you rock up at A&E outside of your area, history is available.

I requested this information because I had a consultant radiologist friend and we wanted to review a CT scan. It came on it's own CD with an application to replay the scan protected by a password.

To most people 99% of the information is useless. To me this just appears to be an an obsession with stuff being online with no concept of the actual use cases.

"Biden and Starmer's recent escalation" as you put was no such thing. It was a response to the major escalation by Russia of widening the scope of the war by deploying the soldiers of a previously uninvolved country within the war zone. Even as an action to level-up the playing field, it still leaves Ukraine on a lower level than Russia.

Whilst I risk censure for going off-topic, you cannot be allowed to get away with making such misleading sweeping statements.

Re: IT incompetence in NHS

The usual Public sector response...

I think you'll actually find that in hospitals, the usual response is to carry on work with whatever is available to allow that work to happen, not to down tools and go for a cuppa.

Re: IT incompetence in NHS

You've clearly never worked in NHS IT

Re: IT incompetence in NHS

> Who (people) administers the Routers and Firewalls?

I do, actually.

At least in one of the Ambulance Trusts that has a few rooms full of people handling 999 calls from members of the public and dispatching vehicles to assist them, etc

As other posters have mentioned, unfortunately the NHS is massive and varied.

MY OWN little section of it has multiple effective layers of security (physical clustered firewalls, software firewalls, internal segmentation between the control room systems and corporate, isolated VLANs, immutable backups replicated off-site, various endpoint protection + anti ransomware + vulnerability scanners, sandboxed remote desktop with MFA for remote access instead of VPNs, etc etc etc) and a pretty knowledgeable (if horrendously understaffed and underpaid) internal IT team to support it all.

But even with all that we're constantly fighting an uphill battle against the powers that be whenever it comes to the latest shiny (what do you mean I can't access DropBox or ChatGPT on my work computer?) and whilst we do run regular phishing exercises there is very little actual effort put into regular staff training and awareness (the less said about the proportion of staff who actually complete their supposedly mandatory annual cybersec e-learning the better).

We're also getting absolutely crippled by red tape and audits. It's a rare week when I don't have to spend at least half of my time putting a fresh set of evidence together, rewording a process/policy document or writing a business case instead of actually investigating and fixing faults or making the existing technical setup more bulletproof.

However we're still in a very good place compared to most of the various smaller sub organisations who just offload their IT on the central hubs. And plenty of hospital medical tech is ancient and will still only talk to old embedded XP kit etc. Supplier supply chain issues are also rife (in last 6 months alone we'd two key suppliers that couldn't connect in to support their on prem systems because some aspect of their cloudy internet guff had been compromised, and our immediate response is to blanket block the entire supplier + if the system REALLY needs support then one of our own techs can setup a supervised screen sharing session).

The central NHS email system is constantly seeing account compromises (shocker, MS 365 with no enforced MFA?) and all the mainland UK NHS organisations are interconnected via the NHS "N3" WAN (with pipes to offshore and Northern Ireland too), so there's an argument to be made that we're really only as safe as the worst trust. Thankfully a lot of trusts (ours included) treat intertrust traffic as potentially suspect and block/screen most of it. Even long before Wannacry we'd cordoned ourselves off from the regional network as much as possible.

It's not all gloom though, I've been in post for over 15 years at this point and things have definitely improved - more knowledge sharing, more investment in preventative tech, more holding suppliers to account for security in their contracts, etc. There is also currently a big push to get contingency arrangements in place for supplier chain attacks - (eg. if your new payroll or staff rostering system is cloud hosted then you must be prepared to lose connectivity to it for months at a time in case the supplier gets hacked and we knee jerk reaction block them). But unfortunately staffing levels and pay are simply in the toilet. My own team is at a quarter capacity and yet we simply cannot hire qualified or even smart+keen people (outside of students and apprenticeship programs) because they know they can work elsewhere for double the pay and less hassle.

Re: Business as usual.

In a good health care system, you'd stay away from hospitals because first line care (GP, pharmacist, carers) catch things before they become debilitating nightmares.

But for reasons I've yet to discover most healthcare systems across nations that used to have great ones, seem to be in decline, with some offering more resistance than others.

It is not just the UK.

Why is it when technology supposedly improves, when education and science improve, that the health care system goes in reverse?

Re: Business as usual.

"Just get painkillers and get on with life."

For those, you must go through a very thorough process to see if you shall be able to have them. Anticipate a 6 week lead time for anything more potent than aspirin.

To get my blood pressure medication, I have to go hat in hand to the doctor for a renewal of my prescription. The cost of the visit is more money than the meds and it's not the sort of thing that gets abused. The first dose was too high and made me feel like shit, but that's not the sort of thing that gets meds abused. I don't get migranes like I used to, but the cost of going to a specialist who looks at my file and asks two or three questions before giving me another prescription for the really expensive stuff that works (and isn't covered) made the whole escapade a financial burden. It's another drug that isn't something you'd take for fun. It's faster and cheaper to get pain killers more informally except you may not get what you ordered which can be problematic.

also, I 'thought' there was a moratorium on attacking health infrastructures ?

Some groups do, can't imagine certain state actors care though. They aren't exactly people known for their morals.