NHS WannaCrypt postmortem: Outbreak blamed on lack of accountability

A lack of accountability and investment in cyber-security has been blamed for the recent WannaCrypt virus that hobbled multiple NHS hospital IT systems in England last month, a report by The Chartered Institute for IT concludes. The report, published today, comes following a similar, but more limited attack against UK-based …

  1. Naselus

    "Just over half (53 per cent) of local authorities across the UK are prepared to deal with a cyber-attack, according to a separate survey of over 100 council leaders by management consultancy PwC."

    Which actually means "Just over half of technically illiterate council politicians are too incompetent to understand how vulnerable they are to cyber attack". I honestly doubt there's a single local authority in the whole UK that could actually cope with a serious hacking effort.

    1. Ben1892

      "I honestly doubt there's a single business in the whole UK who could actually cope with a serious hacking effort." FTFY

      Plus businesses aren't inclined to tell us when they've "been hacked" - it tends to make their share prices dive.

      1. 2460 Something
        Coat

        There are a good number of businesses that are fully protected against all these recent hacks ... they just don't use computers....

  2. Dave Pickles

    Chartered Institute For IT?

    That'll be the BCS, then.

    1. Anonymous Coward

      Re: Chartered Institute For IT?

      And registered professionals means ones who are our members.

      1. Doctor Syntax Silver badge

        Re: Chartered Institute For IT?

        "And registered professionals means ones who are our members."

        Quite. The whole tenor of it - e.g. "assure hospital Boards that computer systems were fit for purpose" - suggests a dedication to the paperwork rather than the reality. Wouldn't "ensure that computer systems were fit for purpose" have been a better statement?

      2. staggers

        Re: Chartered Institute For IT?

        I have a true propeller head friend at a top computer research lab who says that neither he nor any of his colleagues would touch the BCS with a barge pole. I know he thinks they're something that begins with 't' and rhymes with bats.

        I have no personal knowledge one way or t' other. What's the general opinion here?

        1. wyatt

          Re: Chartered Institute For IT?

          I joined thinking that it may help me out but haven't found a golden egg yet. Having said that, I'm probably expecting something to be handed to me rather than me having to work for it.

        2. Adam 52 Silver badge

          Re: Chartered Institute For IT?

          Join the ACM. They attract the best minds in the industry. The BCS attracts the sort of person who writes a report like this.

          1. wyatt

            Re: Chartered Institute For IT?

            Thanks, I'll take a look, not heard of them before.

          2. Naselus

            Re: Chartered Institute For IT?

            The BCS is useful for advocating stuff like this, tbh. Attacking it for having the temerity to say that people should patch their systems and hire qualified professionals to avoid being hacked is a bit ludicrous, especially since we've all been saying exactly the same thing for the last two months.

            Organizations will tend to listen to a chartered professional body in a way that they won't listen to unchartered ones. It doesn't mean much for the standards of the actual members, though; you can stick some extra letters after your name and wow clueless PHBs, but no-one's going to regard BCS membership as a replacement for actual experience and qualifications, or see it as a vital component of offering you a job. Can help in a tie-breaker, though, and there's access to discount training through it.

            Plus, having a single professional body to belong to seems to have worked out pretty nicely for the lawyers, accountants, architects, doctors, engineers et al. You know, all the professions who aren't currently watching their jobs get shipped off to India while we're competing with each other in a race to the bottom.

    2. macjules

      Re: Chartered Institute For IT?

      Of course there is also the Worshipful Company of Information Technologists (motto "tibi sileo eam", or "have you tried to restart it?"), noted for its lack of IT people, but a very good dining hall.

    3. Huey

      Re: Chartered Institute For IT?

      I just get reminded of NYOOPI & ESOOPI.

      So you're a member, are you? Can you actually fix anything that requires more than a power button? Here's two system.ini's from two supposedly identical Windows 3.11 machines; suppose you go and highlight all the differences between them and see if you can work out why one crashes several times a day and one does not, before telling the customer to try turning it off and on again for the nth time.

  3. Anonymous Coward

    You can have a million Cyber (euughh) security professionals...

    ..but if the software is out of date, unpatched, unsupported and the users happily click everything you send them, it will make fuck all difference.

    1. Captain Scarlet Silver badge

      Re: You can have a million Cyber (euughh) security professionals...

      Yes, but it's the perfect time for managers to try and increase budgets and empire build.

    2. Tom 38

      Re: You can have a million Cyber (euughh) security professionals...

      All these trusts had CTOs at the time. You don't need a million, but if the one you get to lead your technological efforts doesn't ensure simple things...

    3. Anonymous Coward

      Re: Chartered Institute For IT?

      I'm surprised the NHS didn't use our own made-up buzzword departments.

      We have many and layered standards, charters and whatnot.

      The ISDnetwork is one of them, whatever that is.

      They have put posters up talking about their "Charter for Informatics staff in the NHS".

      1. FlamingDeath Silver badge

        Re: Chartered Institute For IT?

        "ISDN"

        It Still Does Nothing?

      2. another alepot
        Thumb Down

        Re: Chartered Institute For IT?

        "they have put posters up talking about their 'Charter for Informatics staff in the NHS'"

        I have a German friend who studied "Informatics". Are they taking over the language too? They already own our Railway, it seems...

    4. pleb

      Re: You can have a million Cyber (euughh) security professionals...

      "..but if ... the users happily click everything you send them, it will make fuck all difference."

      It beggars belief, knowing as we do and for as long as we have, that there is a hole in the bucket where water leaks out, we continue to blame the water. Yes, people will click on stuff, and we know - we know - that despite any amount of training it is a statistical certainty that it will continue to happen. There has to be a better solution than blaming the person whose mouse-click brings down the house of cards.

    5. tfewster
      Facepalm

      Re: You can have a million Cyber (euughh) security professionals...

      ...if the software is out of date, unpatched, unsupported...

      You don't need a cybersecurity professional, consultant or industry body to tell you that's bad.

      On the other hand, the Board tends to listen to and fund InfoSec teams, so InfoSec _could_ direct and fund remediation efforts - as long as they don't fall into the trap of just listing the problems without contributing to solutions.

  4. Rob D.
    Meh

    Report?

    Colour me cynical but is there a link to the actual report?

    When the Self-Proclaimed Institute for Fudge confirms that existing fudge-makers are over-stretched and advocates more funding for the making of fudge along with the hiring of more fully-trained fudge professionals, it's wise to at least read a little in to the background.

    (Icon: reserving judgement.)

    1. Anonymous Coward

      Re: Report?

      Quite, the time for begging for money has gone, now's the time for recriminations, judgements and sacking a few people to let me move up the food chain a bit.

  5. Voland's right hand Silver badge

    Wrong Pic

    Should have used Green Wing. Specifically, some of the scenes with the HR department and the computer guy come to mind.

  6. Anonymous Coward

    NHS WannaCrypt postmortem: Outbreak blamed on lack of accountability

    Windows.

    1. Anonymous Coward

      Outbreak blamed on...

      The NSA.

    2. Anonymous Coward

      So you are telling me a 13-year-old version of Linux that was rarely patched would not have been an issue? Any OS that old and without patching would be just as bad.

      1. truetalk

        You have no idea, we still run Unix systems that are decades old and require next to no maintenance or virus updates. They cause zero headaches, whereas Windows is a pain in the butt. Why anybody thinks it's a good idea to use Windows on a CT scanner is beyond me.

    3. Anonymous Coward

      I'm not a windows fan but even I wouldn't blame windows for this.

      If you want someone to blame then it's Dave. Dave was born in Russia with Chinese and North Korean parents, he went to university in Iran and likes to learn all about the exploits that are leaked by the NSA and then use them to try and earn a few bob.

      Everyone knows someone called Dave so he has the perfect cover and will never be found.

    4. Anonymous Coward

      Outbreak blamed on ....Windows.

      We have 3000 Windows PCs.

      Not a single one affected.

      One of our Linux servers went flat on its arse the other day.....because Marketing didn't bother to patch Wordpress (they insist on using it, so they deal with it)

      So your point is?

      1. Doctor Syntax Silver badge

        Re: Outbreak blamed on ....Windows.

        "One of our Linux servers went flat on its arse the other day.....because Marketing didn't bother to patch Wordpress (they insist on using it, so they deal with it)"

        Marketing insist on a particular application. It's had a reputation of having security holes for some time. So IT didn't insist on ensuring it was patched. What's the IT department's role there if it isn't to maintain the IT facilities that users need for their work*?

        *Given that it's Marketing, "work" is used in its loosest possible sense. OTOH, because it's Marketing they probably need a closer eye kept on them than most.

        1. Anonymous Coward

          Re: Outbreak blamed on ....Windows.

          "What's the IT department's role there if it isn't to maintain the IT facilities that users need for their work*?"

          We advised they should follow our processes for raising the requests, wait for resources and adhere to the correct regime, including change requests, patch management and business ownership.

          They wanted it now! So went off with a 3rd party, with the blessing of a senior director (let's not even go there) and set it up out of our control.

          Therefore IT refused to take any responsibility for a system we had nothing to do with.

          They still have the option to bring it in house, but that would stop them being able to do what they want, when they want.

          1. TRT Silver badge

            Re: Outbreak blamed on ....Windows.

            "They still have the option to bring it in house, but that would stop them being able to do what they want, when they want."

            Whilst there may be arguments for that being a good thing, if the IT department are stymied from doing what they want, when they want by... say... the beancounters or estates and facilities, then there are naturally frustrations in that. So try to walk a mile in their shoes.

          2. Anonymous Coward

            Re: Outbreak blamed on ....Windows.

            Apologies, I thought from your first post it was hosted in house.

      2. Anonymous Coward Silver badge
        Paris Hilton

        Re: Outbreak blamed on ....Windows.

        One of our Linux servers went flat on its arse the other day.....because Marketing didn't bother to patch Wordpress

        Why does your web server daemon have enough credentials to kill the whole server? I never let WordPress run as even the www user - each WordPress site runs as its own user because it is such a holey PoS that I want some containment.

      3. Anonymous Coward

        Re: Outbreak blamed on ....Windows.

        Wordpress can run on Windows fine?

        Why are you letting unpatched internet-connected items stay on your equipment (I take it you have CCTV that's part of any number of botnets as well)?

        As much as I hate Wordpress, it's normally just a theme with a load of add-ons which normally cause the issues (So backup and hit update; any issues then throw it back at Marketing's web designers, don't leave them to manage anything. Their websites always have "NEW WEBSITE" posts up for several years until they replace it with a new one! Only one website where I work can I truly say is regularly updated, because a Marketing agency does it for our Marketing team.)

  7. Anonymous Coward

    Best thing that's happened in years

    I'm actually being listened to by board execs now and I'm seeing money being added to budgets to help.

    1. SkippyBing

      Re: Best thing that's happened in years

      There's a saying in flight safety* 'Action to prevent the next accident will be taken as soon as it's happened'. Generally it's very hard to convince someone they need to expend funds preventing something they haven't seen happen unless they're well versed in the field. In which case they probably aren't allowed to allocate funding.

      *I mean it may be used more generally in safety but there are so many examples in flight safety it seems apt.

      1. Doctor Syntax Silver badge

        Re: Best thing that's happened in years

        "it's very hard to convince someone they need to expend funds preventing something they haven't seen happen"

        Unless it were established as a general principle in law that those withholding the funds would be held personally responsible when it happens.

        Hint for PowerPointers making a pitch for such funds. Put a picture of a hook in the corner of the template. During the pitch make the occasional reference along the lines of "..and there's the hook". Inevitably someone will ask "What's the hook?" "That's the hook your balls will be hanging from if ${predicted disaster} happens".

  8. sanmigueelbeer

    Let me just say that a few days ago someone (or "some group of people") attempted to hack the email system of the British Parliament by doing a dictionary attack ... and they managed to snare a few accounts. Which highlights the lack of industry-standard two-factor-authentication.

    Can I make an assumption, adding the NHS fiasco, that British public networks are woefully inadequate at protecting themselves?

    And can I also safely assume that it doesn't take professional hackers to bring the British IT network to its knees?

    I bet a bored kid armed with LOIC/HOIC can, most likely, cripple some big organization and all the while logged into the public internet.

    I mean, seriously, there are very good IT specialists in the UK right now. With HPE and IBM shedding staff, there's going to be a lot of very good people out there. When is the British government going to get their act together and get their $hit together? Is this going to be another Battle of Singapore incident?

    Or maybe the IT Board isn't "fit for purpose" and should be replaced? The report is out. And yet, no one has been held accountable. Yes, there was a lack of funding and investment in IT. And whose fault is that? The authors of WannaCrypt?

  9. adam payne

    "A lack of accountability and investment in cyber-security has been blamed for the recent WannaCrypt virus that hobbled multiple hospital NHS IT systems last month, a report by The Chartered Institute for IT concludes."

    Stop giving trust board members six figure salaries and golden handshakes when they mess up and walk away. That should free up some money for some investment.

    "Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the WannaCrypt ransomware virus was an inevitability, but with the roadmap we are releasing today, will make it less likely that such an attack will have the same impact in the future,"

    So you need proper training to install Windows updates.

    1. Putters

      "So you need proper training to install Windows updates."

      When a Windows update can bork things like ActiveX controls in Excel like it managed to last year (and for that matter, about a year before that), what it could do to mission critical legacy systems is anybody's guess - so in answer to your question, yes, you do!

      Quote from my manager to his director:

      "We are resilient to the same issue with the buttons happening again…

      We’re not resilient to another untested emergency IM release which breaks something else…"

      1. Julian 8 Silver badge

        That's why you have testing phases and an ability to ensure that if you are asked to stop patch KB1234 as it breaks Product A, you can still push KB1234 to all other devices except those that match the criteria.

        Also ensure you have an ability to do an emergency push - AKA patch KB1234 to everything NOW, even if it means a percentage of devices crash. What is the best case scenario you are prepared to accept?

        Just needs a little planning and agreement

        To be honest, I am also surprised with some of these companies that they are hit, as certainly in the past I had to prove the patching to internal / external auditors and for SOX compliance.

        They would accept small levels of devices not being patched fully or even missing from the relevant systems - especially if at a global / regional level you could prove you were doing all you could and chasing local IT to resolve the issues
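        The hold-and-push practice described in this comment, as an added worked example in Python (not code from the thread): hold KB1234 on devices matching a criterion, push it to everything else, and gate an emergency "push to everything NOW" on an agreed breakage limit, with a coverage figure of the kind auditors ask for. KB1234, "Product A", the hold rule and the device inventory are constructed for illustration.

```python
"""Hold-and-push patch planning with an emergency override.

Added example (not from the thread). Withhold KB1234 from devices matching
a hold rule (here, having "Product A" installed) while pushing it to
everything else; in emergency mode push to every device, but approve the
plan only when the share of devices expected to break stays within an
agreed limit. All identifiers and the inventory are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    installed: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class HoldRule:
    """Withhold patch `kb` from any device with `conflicting_app` installed."""
    kb: str
    conflicting_app: str
    reason: str


@dataclass
class RolloutPlan:
    kb: str
    push: list                  # device names that receive the patch
    held: dict                  # device name -> reason it was skipped
    expected_break_ratio: float # share of the estate expected to break
    approved: bool


def held_by_rule(device: Device, kb: str, rules: Iterable[HoldRule]) -> Optional[HoldRule]:
    """Return the first hold rule for `kb` that matches `device`, or None."""
    for rule in rules:
        if rule.kb == kb and rule.conflicting_app in device.installed:
            return rule
    return None


def plan_rollout(devices, kb, rules, emergency=False, max_break_ratio=0.0) -> RolloutPlan:
    """Build a RolloutPlan for `kb`.

    Normal mode: devices matching a hold rule are held, with the rule's
    reason recorded; everything else is pushed and the plan is approved.
    Emergency mode: nothing is held, devices a rule would have held count
    as expected breakage, and the plan is approved only if that share is
    at or below `max_break_ratio`.
    """
    devices = list(devices)
    at_risk = {}
    for d in devices:
        rule = held_by_rule(d, kb, rules)
        if rule is not None:
            at_risk[d.name] = rule.reason
    if not emergency:
        push = [d.name for d in devices if d.name not in at_risk]
        return RolloutPlan(kb, push, at_risk, 0.0, True)
    ratio = len(at_risk) / len(devices) if devices else 0.0
    return RolloutPlan(kb, [d.name for d in devices], {}, ratio, ratio <= max_break_ratio)


def coverage(plan: RolloutPlan, devices) -> float:
    """Fraction of the estate the plan patches; the held dict carries the
    per-device reasons that go alongside this figure for an auditor."""
    total = len(list(devices))
    return len(plan.push) / total if total else 0.0


# Constructed inventory and hold rule.
SAMPLE_DEVICES = [
    Device("ward-pc-01", "Windows 7", frozenset({"Office"})),
    Device("ward-pc-02", "Windows 7", frozenset({"Office", "Product A"})),
    Device("radiology-ws-01", "Windows XP", frozenset({"Product A"})),
    Device("admin-pc-03", "Windows 10"),
    Device("admin-pc-04", "Windows 10", frozenset({"Office"})),
]
SAMPLE_RULES = [
    HoldRule("KB1234", "Product A", "breaks Product A after install"),
]

if __name__ == "__main__":
    normal = plan_rollout(SAMPLE_DEVICES, "KB1234", SAMPLE_RULES)
    print("push:", normal.push)
    print("held:", normal.held)
    print(f"coverage: {coverage(normal, SAMPLE_DEVICES):.0%}")
    urgent = plan_rollout(SAMPLE_DEVICES, "KB1234", SAMPLE_RULES,
                          emergency=True, max_break_ratio=0.25)
    print("emergency approved:", urgent.approved,
          f"(expected breakage {urgent.expected_break_ratio:.0%})")
```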

        1. Doctor Syntax Silver badge

          "Just needs a little planning and agreement"

          The latter is the more problematic. It's just IT getting in the way again right up until it's IT failing to protect us against this.

  10. sitta_europea Silver badge

    Does nobody test anything any more?

    We used to have staging servers. Come to think of it, we still do.

    1. Anonymous Coward

      Catch 22... when the estate gets so sprawling, the software so diverse, it becomes almost impossible* to have a staging server for everything.

      *impossible with reasonable costs.

    2. Duncan Macdonald
      Flame

      Staging servers - Equipment control

      The NHS has a lot of computer controlled equipment that is mission critical (eg CAT scanners). Until (and unless) the supplier of the equipment has confirmed that a particular Windows update is safe, the NHS would be risking the continued use of the vital equipment if it performed an update. (If the supplier has gone out of business or no longer supports the equipment then there is a real problem.) I do not blame the NHS for use of old software for such equipment.

      However the NHS also has a LOT of CRAP OBSOLETE software that relies on things like IE6 and ActiveX because no one ever was prepared to pay for it to be upgraded. This is the fault of the NHS and its paymasters who have left it with insufficient money to handle day to day activities let alone needed software upgrades.

  11. Christian Berger

    But they had Sophos

    And Sophos advertised with "The NHS is totally protected with Sophos".

    I mean they claimed to be able to do something against malware, yet they failed badly. They funneled away money that could have been used for actual security. Shouldn't they get, at least, part of the blame?

    And no, other companies in that field aren't any better. Calling their products snake oil would give snake oil a bad name.

    1. Anonymous Coward

      Re: But they had Sophos

      I remember having an argument with my old boss (hence AC) about Sophos, which he insisted on renewing even though it was crap.

      By default it would write the file to disk and then scan it. By which time it was on the sodding disk, so if Sophos couldn't clean it (as usual) you were left with an infected file on a server (usually).

      The only thing worse I have experienced was a home user with (I think it was) McAfee that became infected and then offered to clean the PC for about £70... surely the £50 they spent on your POS software was meant to do that!

      1. Anonymous Coward

        Re: But they had Sophos

        And then you uninstall McAfee and deal with blue screens from hell.

      2. jrd

        Re: But they had Sophos

        If an infected file couldn't be cleaned, it would be quarantined (made inaccessible) instead, wouldn't it? Then the sysadmin can sort it out. That's how Sophos Anti Virus works on my PC, anyway...

  12. Clive Galway
    Stop

    "Windows XP used on 4.7% of systems"

    Yes, but I am betting that that figure would rise DRAMATICALLY if you were to only include servers.

    A large part of the problem is not keeping workstations up-to-date, it is keeping the servers up-to-date.

    1. Tom 38
      FAIL

      Re: "Windows XP used on 4.7% of systems"

      Really? XP on a server? Win2003 on a server, sure - fuck, even Win2k on a server.

      XP? --->

      1. Clive Galway

        Re: "Windows XP used on 4.7% of systems"

        I worked in NHS IT for a number of years. You would be amazed.

        1. Anonymous Coward

          Re: "Windows XP used on 4.7% of systems"

          Putting XP on a powerful PC does not make it a server.

          1. Cpt Blue Bear

            Re: "Windows XP used on 4.7% of systems"

            It does in the eyes of a whole bunch of muppets.

            The vendor charges extra for servers so they must be special and not at all just a $25 Promise RAID card and an extra drive (HP or might have been Dell) or just extra RAM (Apple). It's magic server dust. It must be true 'cause the salesman told me...

  13. Shaha Alam

    What, the gajillions spent on internal rebranding exercises didn't help?

  14. Shameless Oracle Flack
    FAIL

    Local IT professionals can never keep up, cloud automation is the key.

    This post-mortem report on NHS vulnerability to Wannacry gets it half right.

    The half-wrong part is the suggestion that more cybersecurity professionals will solve the problem. This is incorrect. Individual government or corporate departments cannot in general cope with attacks from the private armies of cyber criminals, much less state-sponsored attacks from e.g. Russian or Chinese governments.

    Localized civil defense is not going to work. Instead, these groups must partner with an ally with the scale and automation firepower to contend with skilled cybercriminals: the ally they're looking for is the cloud vendors like AWS, Google, Microsoft, and of course, Oracle.

    The other half of the report was correct, more investment is needed, and that investment should be focused on converting local IT to cloud-managed IT run by global teams of world-class professionals with the right tools and architectures to enable proper security.

    1. tapemonkey

      Re: Local IT professionals can never keep up, cloud automation is the key.

      And there's the rub. In the UK, certainly with Government departments, there is an ongoing debate as to the legality of Cloud based systems. The fact that most cloud providers are off shore and managed by third parties (the physical boxes containing the data) would put us at odds with the Data Protection Act.

      I work in an IT department in a Government Agency; the IT is subcontracted to a large multi (bluish) company who have their own cloud based solutions and this has been mooted and booted numerous times.

  15. Anonymous Coward

    Can someone explain...

    What the fuck is a registered cyber security specialist?

    I've been a cyber security specialist for years...*takes a mouthful of tinned dog food because he's poor*...I had no idea such registers existed.

    *Flushes toilet with a bucket of rain water*

    I wonder if the problem is as simple as going out there and actually recruiting people like me?

    Sure could use the work and money.

    *takes saucepan off camping stove and makes cuppa*

    Fuck the excuses...just fucking pay us to do our job and allow us to do it independently.

    The main problem, if experience has taught me anything, is C level execs are frightened shitless of independent reports. Especially if the outcome is advising them to spend some money.

    1. Wayland

      Re: Can someone explain...

      ... a registered cyber security specialist. Being registered means you're put on a register.

  16. Mikel

    Blame anybody. Anybody at all.

    Except of course the purveyor of reliably vulnerable software.

    Twice as many people use Android as Windows. Do you get alerts: "For Ned's sake, turn off your phone! They're all being ransomwared!" No.

  17. DoctorNine

    Why so mad?

    We've known, literally for years, that if the NSA et al. mandated backdoors and tools for convenient governmental hacking, that these nasty species would eventually migrate out of their walled gardens, and into the wild. I am genuinely flabbergasted that anyone with more cognitive capacity than the average house pet would even COMPLAIN that the inevitable result of these poorly thought out policies has actually manifested, and damaged things we hold dear.

    Yes of course it did. Now perhaps we can rethink such troglodyte behaviour? Hmmm?

  18. ps2os2

    Easy fix

    Just get rid of all your Windows machines and convert to LINUX. And before the flames get too high, there are plenty of applications that will run on Linux.

    1. David Woodhead

      Re: Easy fix

      "Just get rid of all your Windows machines and convert to LINUX. And before the flames get too high, there are plenty of applications that will run on Linux."

      And plenty that won't. That's the problem.

  19. SnakeyJ

    Don't throw NHS money away on worthless consultancy and reports where boards have neither time to digest nor resources to implement doubtful and costly recommendations. Instead fund staff to keep systems updated and ensure known vulnerabilities are not left available for exploit.

    Where's the report that identifies the primary infection vector? At our affected GPs this appears to be PCTI Docman EDT systems - someone should be working this backwards to find case zero.

    1. Wayland

      "Where's the report that identifies primary infection vector? "

      Yes, blaming poor cyber hygiene for the infection does not tell us what actually happened.

      We know at some point files were lost and screens showed ransomware, but by what mechanism?

      By them ignoring this point they are trying to hide it. It's normal to blame the Russians or Chinese for hacking so I've gotta assume that this is an inside job. If the Russians had to defend themselves against the accusation they may do so by showing who was responsible. If the UK gov did it themselves then saying so would cause a diplomatic incident.

      Think about what happened. On one day hundreds of thousands of NHS computers displayed the WannaCry screen but pretty much no other computers. How many people here had to disinfect a computer of WannaCry that was not to do with the NHS?

      I expect no one. In the past when these things happened we always have one or two customers affected. How can a worm be crafted that does not affect all computers? How does it know it's on an NHS computer? This would not be that hard to do but it would mean it's targeted. Why target the NHS?

  20. Anonymous Coward

    Inside info -Doctors and Nurses jokes

    No Joke. I have inside info on this. A nurse customer of mine talked about when the WannaCry hit her High Dependency Unit. Each patient is assigned a nurse who sits at a desk at the foot of the bed. The computer is hooked up to all the monitoring gear and software records and assists with reports the nurse makes. Everything such as heart rate, blood pressure, blood sugar, breathing, intravenous etc. Hand given medications are also entered into the computer.

    One day the computers started displaying dirty jokes about doctors and nurses. This would happen randomly on different computers in the ward. The staff accused each other of the prank and the computers continued to work. It was only later that the WannaCry ransom screen started appearing.

    It was obvious that this was targeted at the NHS. What is interesting is that this detail has not come out in the media but I expect anyone with inside knowledge could confirm it. A/C because I expect my customer was not supposed to tell me this.

    Clearly the Institute of Chartered Nerds are doing a cover up with their report. Protecting a computer from attack from the inside is very difficult if the attacker is one of the IT staff.

    If it was an inside job then where to seed the worm so it can get the whole NHS?

    1. FlamingDeath Silver badge

      Re: Inside info -Doctors and Nurses jokes

      Not quite sure what to make of your comment, but I also have suspicions about the timing of this wannacry outbreak. The media response is usually a giveaway if it's an inside job, because they ignore glaring uncomfortable facts and sweep them under the carpet (like building 7).

      Let's not forget that this exploit originated from the NSA.

      1. Create problem

      2. Offer already planned solution

      3. Profit

      Welcome to 1984, which was never meant to be an instruction manual

  21. Elmer Phud
    Unhappy

    Rules is rules

    While the frontline staff have to account for every single item used and often have nowhere to put new cases, accountability elsewhere up the food chain seems lacking.

    Homeopathic Health Minister leads to homeopathic management - all eyes on the minutest detail but ignore the wider picture

  22. tapemonkey

    Don't shoot the messenger

    There also needs to be more personal responsibility. Having worked in IT departments in the public sector for some years, I see it far too many times. Passwords written on post-it notes stuck to screens, even in full view of street-level windows. Passwords so easy that a child could guess them. Companies, even UK Government Agencies, using 128-bit WEP for WiFi that is so easy to crack a teenager with a smartphone could do it in 10 minutes without even entering the building. Middle management flouting IT security policies, and when they are told that it is a breach, IT being told to shut up; and god forbid you escalate it to senior management, because IT will always lose. This will have initially been down to someone opening an email attachment from a dubious sender despite being warned by their relevant IT department not to do so. It will have been in the terms and conditions of their employment that they had to adhere to all IT security policies, but they failed to do so. If a user is found to have flagrantly ignored IT security protocols, no more pussy-footing: there need to be harsher penalties and even jail time when appropriate.

    Don't get me wrong, the systems should have been patched and up to date, and the fact they were not is unforgivable; the inquests will lay the blame where they see fit for that one. But how many times do you have to tell people not to open email attachments?

    One thing I will say I have noticed IT departments do fall down on, and MS too, is the default setting in Windows, which needs changing. By default known file extensions are hidden, so if you have an attachment come in that is, for example, invoice.pdf.bat it will only show as invoice.pdf and the user will not be suspicious. Now most email filters block .bat and .exe, but I have seen them slip through; in fact my own boss was caught just like that with the cryptolocker last year. This should be changed as a matter of urgency by all IT admins, because even a USB drive with a dodgy file can slip through this way.
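    A gateway-side check for the hidden-extension trick described above (invoice.pdf.bat displayed as invoice.pdf), added here as an example and not part of the post: it reconstructs the name Explorer would display with known extensions hidden and flags attachments whose visible part looks like a document while the real, final extension is one Windows executes. The extension lists and the sample attachment names are constructed for illustration.

```python
"""Flag attachment names that rely on Windows hiding the last extension.

Added example, not from the forum thread. With "Hide extensions for known
file types" enabled, Explorer shows "invoice.pdf.bat" as "invoice.pdf",
so the user sees a document and runs a script. This mail-gateway style
check reproduces that display and flags names whose visible part ends in
a document-like extension while the real (last) extension is executable.
Extension lists and sample filenames are constructed, not exhaustive.
"""
from __future__ import annotations

# Extensions Windows will run directly when double-clicked (constructed list).
EXECUTABLE_EXTENSIONS = {
    "bat", "cmd", "exe", "com", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "lnk",
}

# Extensions a user expects to open harmlessly in a viewer (constructed list).
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg",
    "jpeg", "png", "gif", "csv", "rtf",
}


def real_extension(filename: str) -> str:
    """The extension the OS actually acts on: text after the last dot."""
    stem, sep, ext = filename.rpartition(".")
    return ext.lower() if sep and stem else ""


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with extension hiding on: the final
    extension is dropped, everything before it stays. (Real Explorer only
    hides *registered* extensions; this treats every extension as known.)"""
    stem, sep, _ext = filename.rpartition(".")
    if not sep or not stem:          # no extension, or a dotfile like ".bashrc"
        return filename
    return stem


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real extension is executable and the name the user
    would see ends in a document-like extension."""
    if real_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False
    _stem, sep, apparent = displayed_name(filename).rpartition(".")
    return bool(sep) and apparent.lower() in DOCUMENT_EXTENSIONS


def triage_attachments(filenames):
    """Return (filename, shown_as, verdict) per attachment, where verdict is
    "deceptive" (document-looking executable), "executable" or "ok"."""
    rows = []
    for name in filenames:
        if is_deceptive_double_extension(name):
            verdict = "deceptive"
        elif real_extension(name) in EXECUTABLE_EXTENSIONS:
            verdict = "executable"
        else:
            verdict = "ok"
        rows.append((name, displayed_name(name), verdict))
    return rows


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.bat",
    "scan_2017-06.jpg.exe",
    "report.docx",
    "setup.exe",
    "archive.tar.gz",
    "notes",
]

if __name__ == "__main__":
    for name, shown, verdict in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:24} shown as {shown:18} -> {verdict}")
```

    The Windows default the post refers to is Explorer's "Hide extensions for known file types" option, stored as the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (0 shows extensions).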

  23. Hans 1
    WTF?

    The Chartered Institute of IT has joined forces with the Patient’s Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber-attack.

    Microsoft? Dump the losers! With the money NHS spends on MS licensing alone, they could fund an NHS distro, including kernel hackers. I would go for a support team, a bunch of kernel hackers, and a few devs working for the chosen distro ... s/b roughly 10 times cheaper.

    I imagine the discussion:

    NHS: So Mr Slurp, what can we do to avoid this?

    Slurp: Well, Windows 10, Office 365, OneDrive, no more problems.

    NHS: Oh, Ok, and how much would that be?

    Slurp: Ohh, it's cheaper, much cheaper, because we get access to all your data and sell it on, as much as possible.

    NHS: Even patient records?

    Slurp: Yeah, we are already selling the details of every French secondary/college student, but that time, we paid them 30 million ... you see, we have the private personal details of every single kid in secondary school/college in France (including French overseas).

    NHS: Ohh, ok, well, our patient data is surely worth more than that, right?

    Slurp: Oh, no, here, we are talking kids who will be adults, we get a whole generation ... you have mostly ill people, about to die ... not that interesting ... besides, Ripoff Britain, heard of that?

    NHS: Well, Ok then ...

  24. Mike 137 Silver badge
    FAIL

    Where's the link to the report

    We're still waiting for a link to the report so we can find out what it really says. Leyden seems to habitually fail to link to the reports he quotes, which is not very helpful. I emailed the Register requesting this at 07:01 today but not a squeak out of them so far.

  25. Anonymous Coward

    With all the cost pressures the NHS is under it isn't all that surprising to find that IT security is underfunded or not funded at all.

    All the IT experts in the world won't necessarily be able to persuade a semi IT literate Trust board that money is better spent on cyber security than on maintaining ever-ageing hospital buildings, or a desperately needed new operating theatre.

    I'm sure at many places cyber security wasn't as important, until it suddenly was.

    I have a lot of sympathy for those IT departments that diligently put together business cases to improve the security of their systems only to have them repeatedly declined (I've been there) - I hope they are all still gainfully employed and now getting the investment they need.
