"...after being infected by Locky"
Sorry, couldn't help myself
A third (30 per cent) of NHS trusts have been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months. According to results of a Freedom of Information-based study, none of the trusts reported paying a ransom or informed law enforcement. All preferred to deal with …
It doesn't seem likely that these criminals are cretins; I doubt they'd spend their time with ransomware if it wasn't turning a profit. Some people must be paying up. Even if none of the NHS trusts are paying up, this just means that the evil ones could improve their targeting, assuming they have any, but it doesn't make them cretins.
"Imperial College Healthcare in London – suffering 19 attacks in just 12 months."
I always liked the saying that experience is a dear teacher but there are those who will learn by no other. If "suffering" means successful attacks it looks as if there are some who won't even learn by experience.
Isn't it time that the hospitals regard allowing this kind of behaviour by staff as a disciplinary and not an IT issue? If $HOSPITAL_EMPLOYEE did something like leave a bag of leaking clinical waste out in a corridor or gossip about patients' illnesses then HR would get involved; I don't see why a negligent act* on a computer should be any different.
*I'm assuming the staff member is opening dodgy attachments and not some kind of "drive by" attack
The majority of NHS staff are not IT literate. I've worked at NHS Trusts where even 20-something consultants, who you might think would be tech-savvy using social media etc., didn't know how to use a tablet.
A lot of the problem is government cuts and decentralisation of IT functions, making each Trust pay for their own IT and security systems so as to show central DoH reduction in costs (e.g. NHSmail which used to be centrally funded but is no longer).
I would ask why the Trust's email systems are allowing the phishing attacks through rather than blaming the users, who are on the most part non-techies trying to care for patients, now wondering whether an email is a phishing attack or not.
"who you might think would be tech-savvy using social media etc. didn't know how to use a tablet."
Oh the unmitigated horror of these unspeakable cretins!!
(So that's what being tech-savvy equates to now.) Still, they seem to have managed to get to be a consultant whilst still in their 20s. Very little chance of that BTW.
"The majority of NHS staff are not IT literate."
Unfortunately this is no longer a sustainable approach.
The previous comment mentioned that all staff will be aware that they shouldn't leave leaking clinical waste lying about. That doesn't require them to have microbiological knowledge, it just requires them to know what the appropriate procedures for handling it are. The same applies to IT procedures.
"The majority of NHS staff are not IT literate."
That's a bit like saying "It's OK, the driver who mowed down the bus queue of nuns was only a chit of a girl, she didn't know any better."
IT is a tool of the job, if the staff aren't up to using it warn them, train them, then sack them if necessary. Same as a surgeon and a scalpel.
"IT is a tool of the job, if the staff aren't up to using it warn them, train them, then sack them if necessary. Same as a surgeon and a scalpel."
Exactly. It's no longer the 1980s; computers are a fundamental part of most people's (in the West at least, and increasingly so worldwide) lives. It's no longer acceptable to just joke about how hard it is to program a VCR, being unable to use computers means being unable to communicate effectively in the modern world, unable to carry out even the most basic of office jobs, and so on. And, as articles like this show, it's not simply a matter of mildly inconveniencing yourself, the inability to use a computer can, and frequently does, lead to severe consequences. If you screw up with your personal computers, it can lead to all kinds of financial loss and identity theft. If you screw up your employer's computers it can be quite literally a matter of life and death. A doctor who screws up and kills people is fired and possibly jailed. A driver who keeps running people over will be fired and possibly jailed. An office worker who screws up their computer and shuts down a hospital for half a day... giggles about how they don't understand computers and need their teenage son to set their phone for them.
The only way to block all phishing attacks is to block all incoming email.
Over-zealous spam filters can block legitimate emails which, in the NHS context, could have life & death consequences.
So there are two competing criteria, both of which cannot be complied with at the same time:
1: Don't block any legitimate emails
2: Block all spam
Or the flip side, give the IT department a disciplinary for not securing the systems adequately to prevent this happening.
Where was the threat protection software / firewalls to prevent them going to dodgy websites?
Where are the policies preventing the files / links getting in?
Where are the policies to prevent them running these files?
Where are the policies to monitor outbound traffic and lock the network port if suspicious activity is detected?
It's a collective effort, which requires everyone to do their jobs. After all, you drive a car every day without doing even the most basic checks.
From my own experience within the NHS it's almost always personal e-mail or an infected file brought in via USB. Many places now have control over USB drives, but that doesn't stop them being used at home and brought in, and if there's weak AV/malware protection on endpoints (hello McAfee) then it typically doesn't catch it in time, if at all.
@ Lost all faith
The answer to all of those questions is this: $$$
These things take resources and money. In our environment (healthcare) we are understaffed and overloaded with projects. Sustained engineering is not a priority, and neither is updating our equipment or software.
So the vastly large and complicated NHS network is vulnerable, not really a surprise.
Now, what do the following NHS arms have in common: Ambulance trusts and the NHS Business Services people? Yes, they can all access data under the new IP Act.
Our data is safe in their hands.
The vast network is basically thousands of silos with decent firewalls etc. between them; it's not as if it's a LAN party where they're all trying to play Counter-Strike together. From my experience they all default to lock down and open access when given a countersigned form to do so - but I can only speak for my own experiences, I've no doubt there are plenty of plonkers in charge of IT kit out there.
Still it's not JANET..
When I see Freedom of Information requests like this, what's the argument for those that don't respond? Is it just by 'the time of going to press' only x from y replied, or is it down to interpretation of some rule or other?
My place is terrified and responds to everything, even when I think we could argue based on commercial sensitivity.
"A third (30 per cent) of NHS trusts have been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months."
19 times in a year.
Surely people should be learning after the first few times.
What I would like to know is, was the healthcare of any patients compromised because of the ransomware?
Maybe somebody should tell the NHS there are other platforms besides Windows, ones that don't get targeted as much, and some, like iOS on an iPad, that sandbox things so the silly end users cannot do as much damage when they do stupid things like open infected zip attachments. Getting the apps they use rewritten for, say, iOS might be expensive, but long term it must be better, and at least they will get the apps updated and not be dependent on IE6. Maybe find the cash by sacking one of the many IT consultants on stupid wages who do nothing but make more mess. Then they also won't be stuck in this expensive gravy-train trap of upgrading Windows at great cost.
... riiiiight,... you've never worked in a large scale environment supporting people who have a job to do that isn't IT, have you? I also don't think you have much of an idea how large the NHS is, or that tablets aren't particularly productive tools for businesses, which for the most part still rely on desktops, and they rely on devolved security and administration models, which means Active Directory. Apple devices are nice and all, but they need separate management, like an MDM solution, which increases costs.
Ransomware no - but Dridex etc? Yes. And don't forget the instant these variants start UPLOADING information after encryption the ICO will be hammered with trusts/CCGs/boards putting their hands up as they're one of the few public or private sectors which reliably reports itself to the ICO for knuckle slapping.
At my own workplace I've had to recover from 2 ransomware attacks over the last few months. Both arrived as an email apparently from a trusted source that the users dealt with regularly, so had no reason to be suspicious of. I scanned the attachment later with 3 different AV packages, and none found a problem.
Very glad that my backups were working well at the time...