"A shared digital gateway"
Yet another supply chain attack. Digital supply chains need to be treated as critical infrastructure and held to appropriate standards.
Both National Health Service trusts that oversee the various hospitals hit by separate cyberattacks last week have confirmed they're still in the process of restoring systems. NHS Wirral University Teaching Hospital, which also looks after the nearby Clatterbridge and Arrowe Park hospitals, downgraded its "major incident" to a …
>>If that's the case here the hospitals' suppliers have some tough questions to answer.
Oh sweet innocent child....
No, they won't, in practice, have to answer any questions, tough or otherwise.
They will be paid extra (shovelling yet more taxpayers' money into the pockets of unelected ~~bureaucrats~~ CEOs) to improve security, and their people on mahogany row will get knighthoods (if they haven't got them already).
Not paying is absolutely the right thing to do.
Eventually, the attacks will stop on the NHS (probably not completely, because of script kiddies, but the actual damaging ones should stop). Purely because if you're a "professional", why waste your time hitting them when there is no payout?
The sooner everyone stops paying the better, but that's a dream for another day...
"The sooner everyone stops paying the better, but that's a dream for another day..."
That's fine.
But why aren't health services treated as critical services like the national grid? The sooner the government mandates the same level of security and services to our NHS that it requires from the grid (and others) the better.
Network security workers often only have the experience of working to try and prevent the hacks, that's the normal employment environment, hiring engineers and asking them to try and get something done. In my early days I was trying to prevent my company being hacked but frequently saw potential hacks done in new areas and new ways year after year. So I invested my time (no company approvals at all) to learn how to hack my company, often talking with external hackers and I learned how to hack my company.
The good result was that after I had managed to hack it then I was able to prevent all the hacking and we never saw any more problems - but once I prevented it all then I was moved to another job after being told that hack prevention was no longer needed. Since I'd been hacking everything I kept quiet and moved to a new electronics and software environment - LOL I got a nice new job with no risks.
The vagueness of the language leaves open the possibility that this did stay within the bounds of approved conduct, i.e. learning offensive security from others and applying it on machines where testing had already been approved. However, the vagueness (specifically, things like "after I had managed to hack it then I was able to prevent all the hacking") means there are several other options, including that basically nothing happened at all.
The original point is sometimes valid. People who are employed to work on security often find that either management has an existing plan for what they're supposed to do or restrictions meaning they aren't able to work on certain areas. Properly securing a system that already exists and spans lots of different groups can be a very difficult task in ideal circumstances, and circumstances are often very restrictive and painful.
I only did the hacking to learn to prevent everything, and made complete internal backups on everything that supported external access every time to make sure I never created problems. Basically learning to hack is normally very helpful when you are working to be safe.
So hiring an expert hacker, after a discussion about the functioning job, might be pretty much close to like being vaccinated.
"Not paying is absolutely the right thing to do."
Yes, it is. But it won't stop future attacks because it enables the attacker to obtain sensitive data, which they can then publish. To other victims, they can then say "look, we're sooo mean that we even published sensitive health data. What makes you think we won't do the same to you if you don't pay up?"
They may not get paid for this particular job, but they gain notoriety and a reputation for publishing anything they don't get paid for. Ultimately, that might encourage other victims to stump up more quickly than ever.
Of course, if nobody paid up, ever, that might help. But I suspect the bad guys would simply change their business model - being a thieving asshole isn't just what they do, it's in their nature.