Reply to post:

Docs ran a simulation of what would happen if really nasty malware hit a city's hospitals. RIP :(

Anonymous Coward

Not just the UK, I was in a rather nasty vehicle accident just over a year back in a not so foreign hospital, and I ended up in a burns unit in an isolated room with its own aircon etc for two months while bits grew new covering skin and I was attended to by aliens with just their eyes visible, and while I was in there, I saw a few things that made my hair curl a bit. First the machine that went ping that hooked onto me was networked back to a central nurses' station so if anyone popped off, they could rush in to their rescue, which was awkward as I kept pulling the ping sensors off when asleep. This connected to an in-room display with a rubber keyboard (so it could be disinfected daily) in the room itself, also for staff to enter extra data taken or food/drugs administered during regular observations in room into some central database of stuff done to each person. I was given the printouts from my records on discharge; it was pretty impressive to read.

I was quite surprised to see a nurse able to pop onto their facebook account using the obs entry computer one night, especially as the machine was unpatched XP, and the machine that went ping ran windows 98...

Also I was permitted a tablet and a smartphone after I agreed to use brand new devices and that they could be passed through decontamination protocols. I was not allowed to use wifi under any circumstances as use of it would disrupt their local equipment signalling network, but 4G was ok. I bluetooth shared my tablet to the phone after some rooting activity to get out and get some sanity saving connectivity. On one occasion I accidentally switched the wifi on for a few seconds, and it managed to find an open AP and sign onto it before I pulled it down as quick as I could.

Towards the end of my stay I was able to get up out of bed and they brought in people to do various bits and bobs and maintenance to the system to make sure the room was ready for the next unlucky occupant, and one such repair involved someone reflashing the first alert button system, which turned out to be a single board computer with an Ethernet connection behind an LCD panel in the wall connected to the big red button. Chatting to the engineer like y'do, they had reflashed it externally to try and resolve the false alerts before deciding the issue was hardware in the room related; he showed me how to make it cycle the LCD display to show IP info and version and stuff from button combos on the panel itself, great, really interesting, no credentials required. And a very recognizable network topology too :-)

Given the machine that went ping had outbound connectivity, I wouldn't mind betting that system had it too, and not just to the mothership for reflash purposes. All gluing the infrastructure with that central database of very very personal information at its core...

If you're curious, I'm all growed back now, but I have some cool leg, torso and arm scars that I tell children at the swimming pool were from when I was attacked by a man eating great white shark as I poked its eyes out to escape :D

At the end of the day, I was there to be helped, there's no way I would take my curiosity further or try to make any of the excellent staff's jobs harder, and indeed there's no way I'd risk the legal repercussions of taking any of my concerns further without a contract covering engagement to do so.

I think that there's a real dearth of people with the security & testing mindset, not being allowed into the operational areas because of a fear of what they might find in what is an already overstretched and underbudgeted area without the resources to address fixes, and that is leaving vectors open that could be shut for smaller expenses without making anyone's job more difficult, because with patients they already have enough grief to start with. And I have no idea how that network is separated out, but if it's arch'd the way it appeared to be from 3rd party observations, someone with security architectural experience needs involving too.

So I read things like this from DerbyCon and nod my head; life's rich tapestry has yielded a similar experience...

Posting anon, but some people will know me from the above alone.
