Too little, too late.
The NHS was already promised £350 million a day, and that never materialised. That was also painted on the side of a bus no less, not a paltry e-mail. Don't think many will fall for a poultry £2 mill.
A phishing operation compromised over one hundred UK National Health Service (NHS) employees' Microsoft Exchange email accounts for credential harvesting purposes, according to email security shop Inky. During the phishing campaign, which began in October 2021 and spiked in March 2022, the email security firm detected 1,157 …
The problem isn't the amount of resources, it's the lack of joined up thinking, little empires and the divisions in the health services. NHS England is essentially hundreds of different little companies of various sizes. You won't get the savings or standards at scale as often as we should as so much of it is up to who wants to adopt, many things are not mandatory.
That's a very good point, so many fingers in the pie from large IT consultants trying to ensure joined up approach doesn't happen so they can keep selling at higher margins.
Outside IT there are so many localised policies that the number of hours wasted in maintaining those each year must be enormous per trust when they could be a national policy adopted by all and maintained by a governance group of trusts and regions.
The NHS also has an enormous bureaucratisation issue due to the mixture of internal markets and over-management. For example, clinicians already working ridiculously hard have to waste a significant amount of time recording their activities, to prove they aren't, er, wasting time. Something that decent local team management could accomplish with considerably more efficiency.
The serious problem is, right at the very top, it's run by Civil Servants.
Who, by their very nature, care more about bureaucracy, form-filling, targets, getting backhanders from suppliers, ensuring they have a highly paid sinecure to retire to and enlarging their department than they do about health, patients, etc...
The NHS is a money pit. Its staff are >80% "administrative" with ~15% actually doing the clinical work of making ill people well again! I cannot fathom how they can spend £145000 pa on a "Diversity Manager".....
If they got rid of 90% of their useless, expensive "Administrators", and the remainder worked on actually doing what the Health Service was set up to do, the UK would be a happier, healthier, wealthier place!
If we include Covid NHS funding, the change from 2019 to 2020 (Jan 2020 being when "Brexit" happened) was an increase from £149 billion to £191 billion, so around an £800 million a week increase (https://www.kingsfund.org.uk/projects/nhs-in-a-nutshell/nhs-budget), so the promised £350 million (a week - it was a week on the bus - https://jonworth.eu/the-two-versions-of-the-350-million-for-the-nhs-slogan/) was more than given.
The 350m was supposed to be financed by Brexit savings, so it emphatically was not given *from the source described*. Having our taxes increased to fund increases instead was not on the side of the bus. Also, "if we include Covid funding"? Pull the other one. Covid was a national emergency; in the same way that actually fighting a war isn't in the defence budget (it's funded by contingency funding from the Treasury) neither is a pandemic in the budget for the day to day running of the NHS. That's leaving aside that billions of that funding was trousered by Tory donors through unlawful contracts - and that was so blatant that the government doesn't dare appeal the verdict.
There was no source defined in the original comment. Whilst it was a national emergency the figures supplied to the NHS far exceeded the additional number on the side of the bus - and if the funding is continued as listed in the link I provided it will still exceed the £350M per week. Would they have done it without the emergency - well that's highly debatable.
As it is, I'm not pulling anything, merely providing links to the relevant figures. There are many, many things to hit the current bunch of muppetised incumbents with, but an outdated and superseded (circa 2016) political advert on the side of a bus isn't one of them.
Last year, the NHS migrated its email service from an on-premises system to Microsoft Exchange Online, which "could have been a factor in the attack," Kay noted.
That's factually incorrect.
Apart from anything else, in UK terms there is no such thing as "The NHS", so to say that "The NHS" does anything as a monolithic unit is wrong straight out of the trap.
Each NHS trust (or territorial/special health board in NHS Scotland) is responsible for its own email provision.
For more than a decade many NHS organisations UK-wide chose to join consortia whereby email provision is done externally by companies such as Accenture (i.e. NHSMail2, which runs on Exchange). This practice has not been universal, but is very widespread and, as a system, NHSMail has been in place in some form or another for well over a decade.
In truth, very few NHS orgs have been purely on-prem for their email for many years now. Even those which maintain on-prem provision also made use of externally provided systems such as NHSMail.
NHS Scotland organizations have, since around autumn 2020, been migrating to M365/EXO from whatever they were using before (mostly NHSMail2). This is part of an overarching contract the Scottish Government has with Microsoft, which also covers other national public sector orgs in Scotland beyond NHSS. I'm not sure if something similar is happening in England & Wales, but if it is then it'd perhaps explain the first part of the statement above.
Be grateful she's not john.smith238@nhs.net or jonhsmith165, which both exist.
They have the ability for organisation-specific sub-domains, but it's a "receive only" alias,
e.g. john.smith@<mytrust>.nhs.net
The misdirected email thing is a huge issue.
But getting back to the story, it may be 136 NHSMail accounts, but it's a wider O365 issue that all orgs have to face, and NHSMail is too monolithic to handle.
NHSMail (nhs.net) is in very widespread use even by those Trusts that do not use it as their primary email, which often run hybrid Exchange. Phishing mail to nhs.net and nhs.uk mailboxes has been at elevated levels since October, but dealing with it is BAU.
I remind you that NHS staff are tired, busy folk. With phishing email becoming increasingly sophisticated, credentials will get shared. They always have been and they always will be. That said, detection is, in very large part, immediate and easily remedied.
Where possible measures are being taken by Trusts and NHS Digital to prevent email containing suspicious links from arriving in mailboxes.
The wider phishing problem is obvious to anyone with an email account or a device that can receive texts. The NHS is no different than you, or a bank, or any other service provider.
So the article is a bit of a non-story, there is nothing new in it. Assuming the data is not already published, an FOI to NHS Digital will show that, as well as the historical peaks and troughs.
We saw a few of these emails, not on @nhs.net emails, so it might be that they had found their way out of that system and into 3rd parties that work close to the NHS; hardly surprising really.
One that I investigated was a link to an 'encrypted' PDF document; if you clicked the link it took you to a "Microsoft" login page, which looked fairly good apart from the URL, and the fact that the PDF had become an .xls.
Unfortunately in this instance, the user had already tried to access the file before reporting it to us, so, cue a lot of mail tracking, and contacting all the people that had then been spammed by this account, saying "for the love of Bob, don't open that link", and also a stern talk with the user in question and lots of password resets.
If your security response is 'don't open that link' you have fundamentally failed.
Suppose the pharmacy distributed Smallpox to every member of staff and then sent a memo saying, don't open suspicious vials from the pharmacy.
I bet you also regularly distribute security notices as attachments and .ly shortened links to online training where you need to login with your credentials to access.
Ah yes, my company decided to use a 3rd party for security training a couple of years back.
The training was hosted on the 3rd party's URL, and they'd integrated the login to their site with our company IDs. Thus requiring us to log into this 3rd party site with our company credentials!
None of this was communicated internally.
Out of the blue, we all got emails direct from this 3rd party, asking us to click a link in the email, and log in using our company logins, in order to access the security training!
The security team were apparently inundated by people reporting it as a Phishing attempt (I also reported it).
They ended up sending out an internal email to clarify this wasn't a Phish, was actually real, and please stop reporting it!
12 months later, still using the same 3rd party, they actually sent out an internal email first to warn people to expect the external email.
Someone really should have got the sack, as this was just incompetence by design!
I've no real issue with them using a 3rd party for the training, but they could have managed the notification email internally, and done something like pass-through authentication from an internal company URL, then redirected to the 3rd party URL, instead of asking people to log in directly to the 3rd party web site!
That's where I am.
I have never ever shared my work email address with anyone outside of work.
My employer gives it away to random third parties like sweeties. Microsoft, linkedin, slack, amazon, the list appears to be endless.
And then, and this is the kicker, they get another third party to "test" us by sending "simulated" phishing emails. So that's another third party that they shared my PII with. In case anyone asks, I have never ever received a single phishing email other than those "tests".
Given that I'm in France, I rather think that this PII sharing is illegal. We'll see.
-A.
Security notices and .ly links in emails. No. Somewhere between generally not and never at all.
Maybe our response was too little, too late, sure, but if I had a vial from the pharmacy that I wasn't expecting and hadn't opened, then got a letter telling me not to, then I wouldn't.
I'm genuinely interested though as to what you would have done differently.
Scenario...
Internal user receives dodgy email, clicks link, user is sent to dodgy page, enters credentials.
That day, said user's account is used to forward the same dodgy email to 100+ external users.
Our action:
Disable user account while investigating further.
Contact those 100+ people to warn them that they will have received an email from this user.
Contact sender of original incoming email.
Would you have preferred us NOT to warn these external companies?
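As an added illustration (not code from any commenter or from NHS Digital), here is one way the burst in that scenario can be spotted from a message-tracking log, so that the account is disabled and the list of external recipients to warn comes out of the tooling rather than from manual mail tracking. The log format, the domains and every address are constructed for this example; the internal-domain suffixes are an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed domains treated as "inside the NHS mail estate"; everything else counts as external.
INTERNAL_SUFFIXES = ("nhs.net", "nhs.uk")

# Constructed sample message-tracking log (not real data): "<ISO timestamp> <sender> -> <recipient>".
SAMPLE_LOG = "\n".join(
    ["2022-03-14T08:02:11 jane.doe@example-trust.nhs.uk -> colleague@example-trust.nhs.uk",
     "2022-03-14T08:05:40 jane.doe@example-trust.nhs.uk -> supplier@external-one.example",
     "2022-03-14T12:30:00 jane.doe@example-trust.nhs.uk -> supplier@external-one.example"]
    + [f"2022-03-14T09:10:{i:02d} compromised.user@nhs.net -> contact{i}@partner-{i % 4}.example"
       for i in range(12)]  # one account mailing 12 external addresses within seconds
)

def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient) tuples, lower-casing addresses."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, _arrow, recipient = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), recipient.lower()))
    return events

def is_external(addr):
    """True unless the address's domain is, or is a subdomain of, an internal suffix."""
    domain = addr.rsplit("@", 1)[-1]
    return not any(domain == s or domain.endswith("." + s) for s in INTERNAL_SUFFIXES)

def flag_bursts(events, threshold=10, window_hours=1.0):
    """Return {sender: sorted list of every external recipient they mailed} for each sender that
    reached `threshold` distinct external recipients inside any `window_hours` span."""
    window = timedelta(hours=window_hours)
    external_sends = defaultdict(list)
    for ts, sender, rcpt in sorted(events):
        if is_external(rcpt):
            external_sends[sender].append((ts, rcpt))
    flagged = {}
    for sender, sends in external_sends.items():
        start = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:  # slide the window forward
                start += 1
            if len({r for _, r in sends[start:end + 1]}) >= threshold:
                flagged[sender] = sorted({r for _, r in sends})  # who needs the warning
                break
    return flagged

if __name__ == "__main__":
    for sender, recipients in flag_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: disable account, warn {len(recipients)} external recipients")
```

The recipient list returned for a flagged sender is exactly the "contact those 100+ people" step, and the threshold and window are the knobs to tune against a trust's normal outbound volume.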
"All of the fake emails were sent from two IP addresses used by the NHS, and the health agency confirmed that both were relays within the mail system used for a large number of accounts."
Hang on, this sounds as though, once the spammers had acquired luser email account credentials, they were able to send mail using the NHS's own mail relays, which implies that the mail relays are accessible from outside the NHS network without requiring a (separately authenticated) VPN connection to actually be able to connect to, and (mis)use, the relays if working remotely (i.e., from a location outwith the NHS network). Because you can always trust that someone presenting user credentials from outside your network is definitely who they say they are… Oh dear, that's not very clever. Defence in depth, people! (Or, that they were able to, uhh, worm their way onto a user's computer and send the emails from there, which is even more worrying…)
Yes. Looks like someone sent some bad emails from inside the network.
I somehow doubt that this requires any kind of hacking skills. Just wait for a public-facing staff member to disappear for a few minutes on a comfort break and use their PC for a bit.
-A.