IT chiefs of UK's massive health service urge vendors to make public security pledge

Top cybersecurity officials within the UK government and the National Health Service (NHS) are asking CEOs of tech suppliers to pledge their allegiance to sound security by signing a public charter. The letter refers to ransomware being an "endemic" threat to the NHS, with several disasters hitting healthcare facilities and …

  1. wolfetone Silver badge

    Or you could just mandate national services like the NHS use a national provider. Have it headed up by GCHQ/NCSC. Let them control it.

    This fucking nonsense of getting CEOs who exist to make their companies turn a profit to write some meaningless document is just that - nonsense. It won't force them to do anything that requires spending money and time on making it do the job it's meant to do.

    1. UnknownUnknown Silver badge

      Making 8 Pledges on a Charter means nothing.

      Why the 8 items are not already implemented is the problem, along with a plan to tackle them by the end of 2025.

      The squeeze on NHS funding and attacking non-frontline staff isn’t helping either. Frontline staff can only do what they do with firm foundations under them.

      That’s owned by the Health departments of all of the Devolved Nations and the Westminster DoH and Treasury.

      Although there was still much to do… the NHS wasn’t broken @ May 2010.

  2. elsergiovolador Silver badge

    Safe and sound

    So after years of repeated ransomware hits, the solution is… a voluntary charter with no legal weight, no procurement benefit, and a self-assessment form sometime in the autumn.

    Meanwhile, hospitals cancel surgeries, children's wards are breached, and "board-level incident response exercises" are treated as revolutionary thinking.

    It’s comforting to know that while attackers evolve rapidly, our defence strategy is still in the “open letter and LinkedIn post” phase.

    1. UnknownUnknown Silver badge

      Re: Safe and sound

      It’s garbage.

      The 8 Pledges should not even be a thing. They should already either be solved, or be scheduled to complete by say the end of the year.

      If nothing else it’s a slam dunk GDPR concern... and violation for the ones exposed.

      All - not most - clinical systems should be by default protected by staff ID cards that are chipped as the 2FA.

      However, as a Covid vaccinator, some NHS trusts - UHCB (Birmingham) as the example - in violation of their own HR policies and employment contracts, were too stingy to even provide staff ID cards to bank staff, regardless of whether they were chipped or not.

  3. Pen-y-gors

    Yippee

    Massive cash injection into the NHS to pay for increased IT security!

    What do you mean...? Nope?

    Oh, of course, they're putting all the extra cash into paying for more staff. No?

    What do you mean, "all the cash is going in profits for private health providers who make donations to Labour ministers"?

    1. EnviableOne

      S2D2

      The more things change ....

      All politicians are in it for themselves, no matter their allegiance.

      How can someone earning more than 99% of the population seek to accurately represent the interests of those they are supposed to represent?

      The problems in the NHS are more fundamental, and they are acting as designed. The HSCA 2012 was designed to break up the NHS, and it has done so. There is no longer an NHS, just 2600+ franchises with the badge and 2600+ boards with their own agendas and pockets to line, just like their paymasters in parliament.

  4. Pen-y-gors

    Clueless?

    For various reasons, I've recently been doing some work to harden security on a number of pretty non-critical websites that were originally developed 10-20 years ago. They still work fine, they don't hold any sensitive data, but the hackers have got really sneaky over the years. I've been genuinely shocked to see the sort of devious things they're attempting, even before you get to social engineering.

    I suspect those in power really have no idea of what this implies. Some hefty investment, obvs, but a change in thinking. Security is not just about blocking attacks, it's about accepting that successful attacks WILL happen at some stage, and building systems to minimise the impact. Does this mean a rethink of the entire network architecture? Probably. Is there money to pay for that - not just in the NHS? I think not.

    1. Like a badger Silver badge

      Re: Clueless?

      "Does this mean a rethink of the entire network architecture? Probably. Is there money to pay for that - not just in the NHS? I think not."

      Well, you'd hope that plenty of people are now looking at the M&S breach and its huge corporate impact, and thinking "that could be us... what do we need to do to make sure it isn't". Then again, back in the real world, the chickens will stop clucking pretty soon after the fox has carried off today's victim, and go back to pecking at the ground because that's their natural instinct.

      1. Anonymous Coward

        Re: Clueless?

        Huge corporate impact. Really?

        Anything in there about the board losing money personally other than through a temp dip in share price?

        TBH if the board announce a big security spend the shares would drop more and they'd probably be at bigger risk of being pushed out by shareholders than through the incident.

        Internal budgets are cut everywhere and that includes security. Companies like to employ security guys but they don't like to listen to them.

        There is no impact on the people that matter from this.

        If the ICO get involved they won't do anything publicly for 3yr and after that the £1M fine will get quietly reduced to 50p and a packet of nice biscuits from the M&S food court.

        Until the board are personally and directly liable for the impacts and risks on the data subjects resulting from their negligence towards data security nothing will happen.

        You, me and the ol' lady down the road still carry the liability for corporate infosec failings.

        This from the NHS is a rather pathetic pleading for suppliers to do security things properly; it has no teeth, and the NHS carries the liability for suppliers penny pinching. Again, unless the suppliers and their boards have their personal wallets in the fire over failings, nothing will happen.

      2. Citizen Chauvelin

        Re: Clueless?

        Well, they *might* do.

        Or the C Levels probably just think "Well if we go all Cloudy, then it'll all be magically fixed - or be someone else's problem". Anyhow, if they start taking it seriously, then the NHS issues just get worse, because how do they compete to bring in (or keep) IT Sec staff - or technical staff in those key areas - on what they can pay for them as the bidding war starts?

    2. Hysteresis

      Re: Clueless?

      I think that is exactly correct. Yes, systems need to be robust in attempting to defeat attacks, but we need to be able to recover from attacks much more effectively. To be anti-fragile, in the words of Nassim Nicholas Taleb.

  5. Anonymous Coward

    Easy to solve:

    1. STOP using windows. For the love of christ, just stop. Macs don't get half as many viruses not because they are more secure, but because there's less of them. And, my god, Microshaft has made a business out of complexity. So, use easier to manage OSs, which can be patched easier, with less people, that are more secure.

    2. Mandate 2FA for every single user

    3. Hold Applications and OS vendors to account.

    1. Doctor Syntax Silver badge

      Re: Easy to solve:

      If you want security guarantees from vendors they'll just refuse to sell to you.

      Also, it's very likely that there is multi-million £ diagnostic equipment which is far from EoL dependent on Windows, possibly a specific release which is EoL.

      1. 0laf Silver badge

        Re: Easy to solve:

        Likely running on XP embedded.

        Very expensive hardware running very outdated OSs with a requirement to be network connected is not a new situation for the NHS.

        1. Boris the Cockroach Silver badge

          Re: Easy to solve:

          It's not a new situation for us either.

          However, it was solved (at a great expense of screaming and shouting during what were termed 'meetings' but almost turned into fist fights.... praise the lord for the gift of cattle prods).

          We broke our network into 2 networks, with 2 servers.

          1 network serves the factory floor: the shop floor laptops use it, the machinery uses it, the CAD packages use it, with everything stored on the floor server (with backups). The other server (admin) serves the front office, the accounts, the payroll, the email, the customer purchase orders, and QA. Neither are allowed to be linked. CAD files are transported by USB, or we print out the drawings and use the old methods.

          Yeah, I know we could get infected via USB sneakernet, but beyond encrypting our floor server, the data won't be going anywhere and I doubt nation states want to use a Stuxnet worm on us.

          I'm sure there's a secure gateway solution to linking the 2 networks (and this being an IT site, someone will say "Have you tried XXXXX?") but for now, it solves our problem of legacy OS powered machinery.

      2. exovert

        Re: Easy to solve:

        > they'll just refuse to sell to you

        oh no

        In the words of Adama, there are computers all over the ship, but they're not networked. I hope part two of this series goes better for the participants. But also just like it, it's as much the vendors that are actually providing the malware.

        I don't market a simple solution, just stopping pretending it needs to be this way.

    2. EnviableOne

      Re: Easy to solve:

      Your post shows you have never managed macOS in a corporate environment.

      It's not impossible, but it's a lot of work; the devices aren't designed to work that way.

      There is no bulk installation or update mechanism, and there are no centrally controlled permissions.

      There is no easy way to catalogue and protect a network as a whole, just point solutions.

      Windows is EVIL, in a corporate environment, however, it's a necessary one.

      In the NHS even more so.

      Medical devices are a pain, but it took years to tweak Linux so it could effectively authenticate with the NHS smartcard System, and then they killed the project.

      1. Anonymous Crowbar

        Re: Easy to solve:

        That is not _exactly_ true. It is a lot of work, but is doable. We are a software house and many/most have Macs. However, as you said, it is a fair bit of work, but once set up it seems to be fine.

        > There is no bulk installation or update mechanism, there is no centrally controlled permissions.

        Apps called JAMF and PMC Policies manage this. They force centralised policies, password rotation, and OS updates.

  6. Monsterous

    Security responsibility is a two-way thing

    Placing an onus of responsibility on providers only goes partway to solving the problem. NHS users also need to adhere to good security practice. Leaving terminals logged in and unattended is something I see all too frequently. Staff need to be trained in responsible use of the tools they are given. No more post-its with passwords on!

    To be fair there is an argument to be made for making security less onerous for the end-user, but until NHS staff accept their role in securing the NHS estate and have appropriate training, attempts by providers to increase security will be hamstrung.

    1. Phil O'Sophical Silver badge

      Re: Security responsibility is a two-way thing

      Correct, and there needs to be a willingness to discipline the staff who don't follow the rules they're trained on. No more "oh, it was a silly mistake" or "anyone could have done it" excuses which make people think it isn't serious. If the system is compromised because "Doctor X" left a password on a post-it, then "Doctor X" should expect to be demoted or fired.

    2. ChrisElvidge Silver badge

      Re: Security responsibility is a two-way thing

      Re: No more post-its with passwords on

      Ditch passwords completely. Give all staff an electronic token like one of my banks does.

      I need to remember a customer number (not my email address) and then insert a debit card into the token. It spits out a number allowing me to login.

      If a bank can afford the initial outlay, I'm sure the NHS can.

      1. Handlebars

        Re: Security responsibility is a two-way thing

        Quite a bit of this is already implemented: I have a physical card and associated PIN for some systems while others use Outlook on my phone as MFA.
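The token login described above (a customer number plus a one-time number produced by a hardware device) is the shape of a counter-based one-time password. As an added example, not code from any commenter or from The Register, here is RFC 4226 HOTP generation together with the server-side check a defender actually needs: a small look-ahead window for codes the server never saw, and rejection of any counter at or below the last accepted one, so a code read off someone's screen cannot be replayed. The bank's real scheme is not stated on the page; the shared secret below is the RFC 4226 test key, and the `HotpVerifier` class and its `look_ahead` parameter are this example's own names.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 Appendix D test key (ASCII "12345678901234567890").
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared secret and the last counter accepted.

    `look_ahead` (a name chosen for this example) bounds how many counters past the last
    accepted one the server will try, covering button presses that never reached it.
    Counters at or below the last accepted value are never retried, which is what
    makes a captured code useless a second time.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = -1                        # nothing accepted yet; next valid counter is 0

    def verify(self, code: str) -> bool:
        """Accept `code` if it matches a counter in the window; advance past it on success."""
        if len(code) != self.digits or not code.isdigit():
            return False
        for candidate in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, code):
                self.counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = HotpVerifier(RFC4226_TEST_SECRET)
    first = hotp(RFC4226_TEST_SECRET, 0)
    print("token shows", first, "-> accepted:", verifier.verify(first))
    print("same code again (replay) -> accepted:", verifier.verify(first))
    print("two presses skipped, counter 3 -> accepted:", verifier.verify(hotp(RFC4226_TEST_SECRET, 3)))
```

The window is the one knob worth thinking about: too small and a user who pressed the button while walking to the terminal is locked out, too large and an attacker holding one captured code gets more guesses at where the server's counter sits. A production deployment would also persist `counter` per user and rate-limit failed attempts, neither of which this stand-alone example does.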

  7. Phil Kingston

    That should do it then. All sorted.

    Or perhaps we should actually start handing prison time to CxOs that let it happen on their watch. Bet there'd be some improvements then.

  8. LucreLout

    Meanwhile NHS hospitals routinely leave terminals logged in unattended, run software years if not decades out of date, and generally exhibit the same low standards as the rest of the service. Not good and it's nowhere near good enough to try to pin the blame on suppliers.

    1. Anonymous Coward

      Hmm that's a bit harsh but possibly you don't know the working environment.

      If you are running back and forward from a computer, not sitting at a desk, and it constantly locks between visits, the time taken to log in adds up through the days and weeks. Add to that, in a medical environment, returning to a computer to log in might require a change of gloves and additional hand washing each time, and the lost time taken to log in becomes a serious impact.

      Services are already so stretched that your medical staff regularly do not have time to go to the toilet during a shift (true story from a friend who has since quit the NHS).

      In an NHS trust it might not be unusual to have 20000+ different software applications through the hospital, many of which will be old and bespoke. Some might come attached to a machine costing £10M; the trust might need to get 10 or even 20yr use from that machine and it's not going to get software updates for its whole life. There is no money to replace it because the OS has gone EoL, and there may not even be a replacement option with a 'modern' OS, so you run the kit with EoL software.

      IT guys in the NHS are good but they are not magicians; they are underpaid, understaffed, with minimal training and a minuscule budget. Politicians making sweeping gestures about managing supply line threats properly doesn't actually make anything happen.

  9. Citizen Chauvelin

    More noise with a null end result

    Yeah,

    I have a few observations here. The NHS already has a Marking Your Own Homework standards approach, Cyber Essentials Plus. Yet NHS Suppliers, on the whole - certainly from what I see day in day out - take absolutely no notice of many of the provisions on the whole, particularly the IT Sec ones. Another Marking Your Own Homework farce just means more lying on more forms, where's the enforcement, where are the checks. The lack of a question mark isn't a mistake, because it's a rhetorical point, not a question. They don't exist.

    Something else that doesn't exist, at least as far as my CyberSec colleagues and my team have ever been able to identify, is: when we identify Cybersecurity and/or governance issues - who do we inform? Because when these are raised with the suppliers themselves, the response is - 90% of the time - "Well, no-one else has complained". You can point out that you know for a fact that xyz organization has done as well, not a flying one given, "Well, we're not changing it". At this point, we're out of escalation levels.

    In other Government areas, a negative Cyber assessment gets the system closed down, until fixed, and this is raised with the Department to instruct all other users accordingly. Because in THOSE areas, it's taken seriously.

    This proposal is dross, pointless, pretending to do something, while making damn sure that nothing ACTUALLY changes off the back of it.

    No enforcement.

    No effective third party assessment

    No requirement to take part in order to foist your garbage off on NHS Trusts

    No escalation and reporting mechanism

    No central vulnerability database and dissemination path

    No penalty or recovery model for breaches of the Homework You Marked Yourself

    No point whatsoever.

  10. Anonymous Coward

    Personal experience of NHS IT/security

    Posting as AC for reasons. Long term lurker etc etc.

    Currently I'm a security professional for a national organisation that (A) has close operational ties with the NHS and (B) has stringent legal requirements around data security. Our security policies mandate that our personnel are not permitted to use NHS IT facilities in any way whatsoever; no data transfer using NHS systems, no use of onsite services, no automated information sharing. The NHS is deemed grossly insecure. I can also state confidently that the NHS security breaches that the public are aware of are only the tip of the iceberg, that there have been more security incidents than those reported in the mainstream media.

    The problems with the NHS are systemic. Multiple senior IT managers have been appointed without significant IT experience, in one case I know of an appointee was related to another senior manager and had zero IT experience prior to appointment. Another symptom of the problem - one NHS region designed and constructed a brand new 1700 bed flagship super hospital (the UK's largest hospital campus) without making any provision for onsite IT staff and only 'discovered' this when commissioning just prior to the obligatory Royal Cutting The Red Tape.

    All of these examples are just symptoms of the real problem - NHS management, or, if you prefer, manglement. As anyone with security experience will tell you, implementation must start with understanding and buy-in at the highest level. Without that there is little chance of implementing a robust security culture.

    The reality of the NHS is that it is not a large UK-wide organisation wherein change could be effected by pressure applied at a single point. Rather it is a regionalised collection of trusts/quangos/fiefdoms that are not under any legal obligation to enact robust security. About the only obligation is to get things done as cheaply as possible whilst basking in the reflected glow of 'success'. Additionally if there is a security concern in one area there is no formalised method of passing this along to other areas. Supplier contracts are negotiated on the basis of price (another area to which I can speak directly about the fiascos involved) rather than fitness for purpose assessed against metrics that include performance, security et al. Unless the senior management is culled and replaced with those fit for purpose the NHS will be in an eternal Red Queen race.

    tl;dr? It's a sh!tshow that makes BOFH look mundane by comparison.

    Asking suppliers to sign up to charter? This is nothing more than performative security, a form of theatre for the easily deluded. Learned, no doubt, by the example of our so-called political masters in Westminster.
