back to article British hospitals hit by cyberattacks still battling to get systems back online

Both National Health Service trusts that oversee the various hospitals hit by separate cyberattacks last week have confirmed they're still in the process of restoring systems. NHS Wirral University Teaching Hospital, which also looks after the nearby Clatterbridge and Arrowe Park hospitals, downgraded its "major incident" to a …

  1. Doctor Syntax Silver badge

    "A shared digital gateway"

    Yet another supply chain attack. Digital supply chains need to be treated as critical infrastructure and held to appropriate standards.

    1. Tom Chiverton 1 Silver badge

      Thought was more likely to be poorly secured VPN or remote desktop tbh

    2. Martin Summers

      It will be their remote desktop infrastructure for providing access to clinical systems. Likely someone's credentials were nabbed and there was no 2FA on it.

      1. Doctor Syntax Silver badge

        Apparently this scum favours the CitrixBleed exploit which bypasses 2FA. Patches were available in October last year. If that's the case here the hospitals' suppliers have some tough questions to answer.

        1. 42656e4d203239 Silver badge

          >>If that's the case here the hospitals' suppliers have some tough questions to answer.

          Oh sweet innocent child....

          No, they won't, in practice, have to answer any questions, tough or otherwise.

          They will be paid extra (shovelling yet more tax payers money into the pockets of unelected bureaucratsCEOs) to improve security and their people on mahogany row will get knighthoods (if they haven't got them already)

          1. Will Godfrey Silver badge
            Unhappy

            You forgot a bit

            The security money will be spent on and extra posh dinner event for the management.

  2. lglethal Silver badge
    Go

    Not paying is absolutely the right thing to do.

    Eventually, the attacks will stop on the NHS (probably not completely because of script kiddies, but the actual damaging ones should stop). Purely, because if your a "professional" why waste your time hitting them, when there is no payout.

    The sooner everyone stops paying the better, but that's a dream for another day...

    1. wolfetone Silver badge

      "The sooner everyone stops paying the better, but that's a dream for another day..."

      That's fine.

      But why aren't health services treated as critical services like the national grid? The sooner the government mandates the same level of security and services to our NHS that it requires from the grid (and others) the better.

      1. Doctor Syntax Silver badge

        Because it would cost money?

      2. Anonymous Coward
        Anonymous Coward

        Healthcare services are an essential service in the UK under the Network and Information Systems Regulations 2018. A Competent Authority will have been appointed to oversee their security.

        1. wolfetone Silver badge

          "A Competent Authority will have been appointed to oversee their security."

          Quite clearly not.

          1. Version 1.0 Silver badge
            Boffin

            Network security workers often only have the experience of working to try and prevent the hacks, that's the normal employment environment, hiring engineers and asking them to try and get something done. In my early days I was trying to prevent my company being hacked but frequently saw potential hacks done in new areas and new ways year after year. So I invested my time (no company approvals at all) to learn how to hack my company, often talking with external hackers and I learned how to hack my company.

            The good result was that after I had managed to hack it then I was able to prevent all the hacking and we never saw any more problems - but once I prevented it all then I was moved to another job after being told that hack prevention was no longer needed. Since I'd been hacking everything I kept quiet and moved to a new electronics and software environment - LOL I got a nice new job with no risks.

            1. Tom Chiverton 1 Silver badge

              You might want to go anonymous the next time you admit to breaching the CMA :)

              1. doublelayer Silver badge

                The vagueness of the language leaves open the possibility that this did stay within the bounds of approved conduct, I.E. learning offensive security from others and applying it on machines where testing had already been approved. However, the vagueness (specifically, things like "after I had managed to hack it then I was able to prevent all the hacking") mean there are several other options, including that basically nothing happened at all.

                The original point is sometimes valid. People who are employed to work on security often find that either management has an existing plan for what they're supposed to do or restrictions meaning they aren't able to work on certain areas. Properly securing a system that already exists and spans lots of different groups can be a very difficult task in ideal circumstances, and circumstances are often very restrictive and painful.

              2. Version 1.0 Silver badge
                Happy

                I only did the hacking to learn to prevent everything, and made complete internal backups on everything that supported external access every time to make sure I never created problems. Basically learning to hack is normally very helpful when you are working to be safe.

                So hiring a expert hacker, after a discussion about the functioning job, might be pretty much close to like being vaccinated.

                1. Anonymous Coward
                  Anonymous Coward

                  followed by "Yes, Your Honour."

    2. TheMaskedMan Silver badge

      "Not paying is absolutely the right thing to do."

      Yes, it is. But it won't stop future attacks because it enables the attacker to obtain sensitive data, which they can then publish. To other victims, they can then say "look, we're sooo mean that we even published sensitive health data. What makes you think we won't do the same to you if you don't pay up?"

      They may not get paid for this particular job, but they gain notoriety and a reputation for publishing anything they don't get paid for. Ultimately, that might encourage other victims to stump up more quickly than ever.

      Of course, if nobody paid up, ever, that might help. But I suspect the bad guys would simply change their business model - being a thieving asshole isn't just what they do, it's in their nature.

      1. Anonymous Coward
        Anonymous Coward

        You are assuming that money is the only motivation in these attacks. Certainly there is evidence that the ransom demand in some attacks is a just a cover for the actual objective which is disruption and disinformation. Russian playbook.

  3. Anonymous Coward
    Anonymous Coward

    Chaos Brothers

    Putin isn’t so interested in the cash, he just wants disruption and angst.

    His orange mate is quite different, he wants both.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chaos Brothers

      His Orangeness just wants cash and uses the chaos to get it.

  4. Anonymous Coward
    Anonymous Coward

    Gamekeepers and poachers

    Gamekeepers and poachers have a lot of skills in common. If no one is employing gamekeepers, is it so surprising that there is an increase in the number of poachers?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like