NHS could have 'fended off' WannaCry by taking 'simple steps' – report

The UK health service could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings about falling victim to a cyber attack a full year before that incident happened. This was among the findings of an investigation by Blighty's National Audit Office, which today …


  1. Anonymous Coward

    Nice to see the bell ends at the NAO including whether the NHS trusts could afford to take those simple steps and that is the issue.

  2. James 51

    Any chance they could include backups and testing a system restore?

    1. Elmer Phud

      but where does the money come from --

      Oh, the numerous failed attempts of doing it all on the cheap but spunking the dosh on 'guaranteed' bonuses - no matter how much of a total fuck-up was made.

      BUT they will STILL blame the 'NHS' and not the ministers who wrap chains around one pot of money while encouraging their mates to have a dip (or two, or three)

      1. Mr Dogshit

        RE: "but where does the money come from"

        What money?

        WSUS = £0

        Configuring a firewall properly = £0

        1. Anonymous Coward

          Re: RE: "but where does the money come from"

          Sure, let's go with £0; they could always get a nurse to do it.

        2. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

          Re: RE: "but where does the money come from"

          > Mr. Dogshit
          >
          > What money?
          >
          > WSUS = £0
          >
          > Configuring a firewall properly = £0

          Awesome, hey everyone, he's offering to do it for free! Across the entire NHS!

          Well, you know what they say: you get what you pay for. Shit, in this case. Literally, in fact, judging by the commentard's name.

          1. Martin Gregorie

            Re: RE: "but where does the money come from"

            That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.

            1. James 51

              Re: RE: "but where does the money come from"

              @Martin, sometimes it's the equipment that the stuff is hooked up to, e.g. MRIs, PET scanners, digital X-rays etc., and if they can only talk to other out-of-date stuff, you need to keep that out-of-date stuff at least as middleware.

              1. Martin Gregorie

                Re: RE: "but where does the money come from"

                So, if the makers of MRIs, PET scanners etc. can't or won't upgrade them, put an airgap round said devices and the out-of-date stuff they talk to as an interim measure.

                I know that purveyors of various medical devices have traditionally been, ahem, lax about system security. Others might prefer to call it "wilfully negligent" but I couldn't possibly comment. That said, more general publicity on this topic outside the medical and IT communities together with the odd sueball and much more attention to security on the part of purchasers should get their attention.

                1. wallaby

                  Re: RE: "but where does the money come from"

                  "I know that purveyors of various medical devices have traditionally been, ahem, lax about system security"

                  It's got nothing to do with being lax or otherwise. Sometimes these systems won't work with more modern operating systems, full stop. I have an SEM that has 2 PCs attached to it; one is XP SP2 - if you try and put SP3 on it, it breaks the software. These things are so finicky that even putting both PCs on a strip plug so that they share the same earth will cause them to not function properly.

                  The manuf doesn't make software on a newer platform for the SEM, so my options are to spend in excess of £300k on a new instrument or keep the XP SP2 machine running. As I have an out-of-date OS on the network, it's my responsibility to make sure it doesn't cause issues - I isolate it from the internet and VLAN it so it can't see any other parts of my network, nor they it. I spend a few quid on software to prevent USB sticks working in it (or baulk them myself by killing the drivers or tweaking the registry) and I'm as safe as I can be.

                  If I let it face the outside world and let users loose on it to read emails or Facebook or websites in general, then I deserve everything I get.

            2. RW

              Re: RE: "but where does the money come from"

              "That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision."

              Won't happen. Surely you know that once elevated to the ranks of management, one is untouchable.

              1. Terry 6 Silver badge
                Joke

                Re: RE: "but where does the money come from"

                Deputy-heads will roll. (As they say when the BBC screws up).

            3. Mark Dempster

              Re: RE: "but where does the money come from"

              >That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.<

              I'm afraid that just shows that you don't really understand the issues here.

          2. This post has been deleted by its author

            1. EnviableOne

              Re: RE: "but where does the money come from"

              Every sysadmin in the NHS would love to have the time to do this.

              They are too busy trying to get all the outdated systems to talk to each other, or monolithic integrated systems to retain the delicate balance that keeps them on while still just about working for the user, while at the same time trying to deal with the all-important users, changing regulations and unexpected new systems some department has decided to adopt without any change control.

              All of this on stick thin budgets and about 1/10th the staff of an equivalent sized private organisation.

      2. Dan 55 Silver badge

        It was done this morning.

        The NAO report named the Department of Health and the NHS, but since the security minister went on Toady Programme it's all been about the NHS and how lazy they are. Oh, and it was probably Norks, as usual.

        1. Chris King

          There seem to be lots of reports coming out at the moment damning the NHS.

          It's as if someone's trying to say "look, the NHS is failing, but ignore the man behind the curtain screaming that we're starving it of funding - everything will be SO much better when we sell it off to our private sector chums for a fraction of what it's really worth !"

        2. Anonymous Coward

          "The NHS" isn't even a real thing. Services are delivered by an unholy mess of CCGs, local authorities, "Vanguards" (yes, really), GP practices and hospital trusts, with little to no geographical or organisational sanity in place.

          Thanks for that by the way Lansley.

          The only body with any kind of claim to being "The NHS" is NHS England, which is a relatively small policy-and-coordination shop sitting directly under...

          The Department of Health.

          Blame the DoH. Blame the minister. Blame his and his predecessor's relentless drive to cut every penny out of the NHS they could.

          1. Anonymous Coward

            >Blame the DoH. Blame the minister.

            This. This a thousand million times. DoH is (in my opinion) institutionally corrupt and essentially run as a profit centre by the big providers.

          2. Anonymous Coward

            > "The NHS" isn't even a real thing. Services are delivered by an unholy mess ... Thanks for that by the way Lansley.

            Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012, including the creation of trusts, CCGs, "Agenda for Change" and all the rest. The same bunch of dung-heads who committed to the large and humiliatingly failed NHS IT programs, and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.

            So, feel free to blame the Tories, but unfortunately the current structure, performance, IT, and funding arrangements were directly and indirectly the work of the Labour party.

            1. Anonymous Coward

              > and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.

              And this very day, Labour MP Meg Hillier, who chairs the Parliamentary Public Accounts Committee, has announced how shocked she is that most of the current PFI "asset owners" are tax dodging international finance houses. Apparently, although the international tax treatment hasn't materially changed from the last Labour government's time in office, "these companies are clearly profiting and paying no UK tax. I don't think that was ever envisaged when PFI was established."

              So stitch that, Guardian-reading knobs. Your preferred government created this stinking mess, and now in opposition it wrings its feckless, limp wrists and condemns the very practice that it followed.

            2. JamesPond
              Thumb Down

              "the current structure of the NHS is almost entirely the work of one Tony Blair"

              Let's get this correct:

              NHS Trusts started in 1990

              PFI contracts started in 1992

              CCGs were created in 2012.

              Labour were not in power in any of these years.

              NPfIT / CfH was a Labour initiative and whilst it produced some good systems (for example national PACS, ePrescribing), it was not overall good value for money, too top-heavy, the contracts were rushed and there was no accountability.

            3. JulieM Silver badge

              Tony Blair

              Would that be the same Tony Blair who was no longer Prime Minister in 2008, and whose party was not even in Government from 2010?

              1. Danny 14

                Re: Tony Blair

                I find it cute he thinks the NHS is one homogeneous network with a clear chain of management.

            4. Mark Dempster

              >Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012,<

              You do realise that the Tories took over in 2010? And one of the first things they did (after promising not to) was to start a top-down reorganisation of the entire setup?

              I used to work in the NHS, and I still do bits of consultancy for them.

      3. Primus Secundus Tertius

        @Elmer

        The money won't come from anywhere until the beancounters' own machines are hacked. Why should they listen to what they regard as unfounded claims designed to grab more of the budget?

    2. Anonymous Coward
      Linux

      Backups and testing a system restore ..

      @James 51: "Any chance they could include backups and testing a system restore?"

      It would be simpler for the NHS to maintain its own distro and roll out patches and upgrades itself, something like NHSbuntu.

  3. Anonymous Coward

    They will not learn

    The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions. This needs to change...

    1. Steve Davies 3 Silver badge

      Re: They will not learn

      The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions without a hefty price tag and 6-9 months of thumb twiddling, spec writing and procrastination (we can't get the staff, you know) per patch. This MUST change.

      There, fixed it for you.

      Sometimes, I'm sure that some of us oldies wish for the days of IBM green screens/3270 and the rest. Life was a lot simpler in those days. I'd guess that even today z/OS is inherently more secure and robust than any Windows system could ever be. Sigh.

      Now where's my zimmer frame :) :) :wink:

      1. m0rt

        Re: They will not learn

        In terms of information retrieval and input regarding text, that is still a far better solution. That or an iSeries or whatever they call the AS/400 these days. i5?

        Even if it is a terminal emulator on <insert your OS here>, it would still mean core records are fairly safely stored, accessible and not at the same risk levels. "Shit, WannasobII is here, break out the 3270s guys"

    2. JamesPond
      WTF?

      Re: They will not learn

      "The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions"

      That is easy to say, but what is the alternative? Upgrade the servers and workstations to the latest patch without validation? OK if you are dealing with a desktop running a spreadsheet or word processor. More risky if you are dealing with a workstation that has software manipulating patient data that, if it breaks down, or worse, manipulates or displays data in an incorrect manner, could lead to patient safety being compromised.

      Would you be prepared to certify Microsoft's zero-day patch will not affect your clinical software without first going through validation testing?

      I worked on NHS clinical messaging systems for BT that used Microsoft Exchange 5.5 with X.400 messaging as the underlying routing platform. Microsoft released a patch and I found in our test lab that MS had introduced a bug so that in certain circumstances messages could enter an infinite loop and cause the server to crash (in X.400 a message should only loop 255 times before being non-delivered, but Exchange was incorrectly re-writing the message ID in the e-mail header so the server couldn't recognise that the message had been received previously). We reported this to MS and stopped NHS sites installing the patch. Without this testing, many NHS end-sites could have been down for days whilst they restored their systems from scratch.

    3. EnviableOne

      Re: They will not learn

      Despite the government's assertions, there is no such thing as the NHS.

      There are 241 separate NHS trusts that try to get the best deal they can with no backing from the centre,

      and any economies of scale or central contracts have been killed (to get the headline off the DoH budget).

      Any one of these trusts can try "fix it or we go elsewhere", but GE, Siemens, Philips, Agfa are too big for one trust to affect them, and the smaller companies you haven't heard of quite often have nigh on monopolies in their specific area, so if you need this tech you have to use them.

  4. Anonymous Coward

    Easy to mitigate

    - Patch your o/s monthly

    - Regularly patch your apps that open files (Word/PDF etc.)

    - Don't run an o/s or app that is no longer in patching support

    - Don't let apps connect to the internet to pull down their own updates in an enterprise environment - test updates in a sandbox first, then use your software deployment tools to push out tested updates

    - Run anti-virus, update it hourly, and AV scan all files on demand

    - Scan incoming email using AV and block .exe attachments

    - Scan and block sites when web browsing using a web proxy and AV scanner

    - Set web browsers to block adverts and Flash

    - Use a local hosts file to sinkhole malware and advert sites to 127.0.0.1

    1. Elmer Phud

      Re: Easy to mitigate

      Spend some dosh on competent IT staff rather than guaranteed bonuses and rises for the 1%?

      1. JulieM Silver badge

        Re: Easy to mitigate

        The NHS is big enough, and its use cases are special enough, to have its own dedicated IT team maintaining its own preferred (read: iron-fistedly enforced) software distribution. In times when the NHS's own computers are running smoothly, they could probably even take on outside work to keep themselves busy.

        Even Sun Microsystems acquired their own office suite and database server so they did not have to pay money to, and rely on the co-operation of, Microsoft.

    2. techdead

      Re: Easy to mitigate

      Easy to say, much more difficult to implement in a huge organisation like the NHS, with public money, lack of resource, i.e. IT slaves to do the donkey work, get downtime scheduled, manage staff, pay overtime etc., etc. - hard enough in the private sector ("can you do this overnight instead of at the weekend? we don't want to pay your team overtime but they can go without sleep instead"), never mind in a huge public entity.

    3. Gra4662

      Re: Easy to mitigate

      "Patch your o/s monthly"... oh, the system supplier won't allow you to, citing that their system is a medical device, not a computer system.

      1. Doctor Syntax Silver badge

        Re: Easy to mitigate

        "oh, the system supplier won't allow you to, citing that their system is a medical device, not a computer system"

        Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state. It's time that whole arrangement was looked at again. Should certification lapse after some interval unless equipment has up-to-date patches?

        1. Anonymous Coward

          Re: Easy to mitigate

          > Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state.

          OK. We are where we are, water under the bridge and all that.

          But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years? I'm not suggesting that it be maintained free of charge in perpetuity, simply that when they sign the contract for some long life hardware, they give some serious thought to how it will work when the OS is out of support.

          1. Anonymous Coward

            Re: Easy to mitigate

            You won’t be buying anything anytime soon. Software companies are completely inept. Inept to the point where some very big players won’t certify minor point updates of OSs for security applications even though there are known vulnerabilities in them.

            The software industry is an utter shambles.

          2. Anonymous Coward

            Re: Easy to mitigate

            But the contract will probably have been signed by procurement specialists working on the advice of clinicians. No-one actually speaks to IT until the thing is about to be implemented, by which time it’s too late!

          3. Doctor Syntax Silver badge

            Re: Easy to mitigate

            "But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years?"

            It's not a matter of buying S/W alone. It's the complete package of H/W, the custom S/W that works with it (not only the user applications but also drivers) and the underlying O/S.

            The driver bit is a particular problem if you're relying on the manufacturer to update it. After all, they're relying on the underlying O/S driver model not to change in 5 years. Is any OS vendor going to guarantee that? If, for instance, the OS implements vendor signing of the driver that might sound fine now if they've signed the existing driver. But in 5 years time they may simply refuse to sign all 3rd party drivers.

            You also rely on all the parties in what might be a long chain of specialised bits & bobs that went into the device's BoM to play along or even to exist years into the future.

            TL;DR It really isn't that simple.

    4. 97browng

      Re: Easy to mitigate

      How simple it is; I don't know why it has not been done.

      Apart from, you have a piece of software that has not been updated for years because it is vitally important, yet nobody has the money to upgrade it.

      You cannot put the latest patches for other software/OS on because it will break this very important piece of software. You tell the relevant people you need to update the software and OS to stop a potential security breach but this will break the software. The answer you always get back is 'if it stops working a child might die'.

      And that is where the argument ends, a potential security breach VS a child dying. Yes we all know that the potential security breach could in turn mean all systems are down and more risk to people but it never works.

      Testing in a sandbox is so easy. Ohh wait we support 700+ applications, who is going to test them all, with all possible iterations. It is not possible.

      Add to this that a lot of the software used is very niche and only ever made by one company, and you are caught by the short and curlies. You know it is not 'secure' yet it is the only thing that can do what you need.

      Why not make your own software then? Ok we will just hire some more staff to do it (with the imaginary money tree) and then find out that it cannot integrate with what everyone else is using so it is no use.

      I don't work for the NHS (or in the security team) but local government and we get it all the time. People working for either small companies or those that use a very limited amount of applications and need little integration with anyone else have no idea. Try working for the government or NHS where ICT has very little power or budget and has to support hundreds of critical applications that are made by a plethora of suppliers.

    5. Phil Endecott

      Re: Easy to mitigate

      "152 Simple Steps to Stay Safe Online"

      https://www.theregister.co.uk/2017/10/24/googles_security_advice_we_dunno/

      1. Danny 14

        Re: Easy to mitigate

        Then you find oncology devices that cost millions and only work on XP. Or BMS systems that only work on Win2k (yep! Preston hospital, I'm looking at you); granted, the BMS was VLAN'd and not routed. The best you can do is VLAN or partition off on a private physical network.

        In an ideal world everything will be patched and upgraded. In the NHS the funds aren't there, or worse still it's contracted out so you aren't allowed to touch it.

        1. herman

          Re: Easy to mitigate

          Use VLANs and create Data Diodes allowing movement of data one way only between VLANs. This is not rocket surgery.
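The segmentation approach described in the replies above (an isolated XP VLAN that can only push results out, a BMS that is VLAN'd but not routed, one-way "data diodes" between VLANs), as an added Python example that is not from the thread: it checks an inter-VLAN allow-list against that policy and reports where a compromised legacy box could still pivot. All VLAN names and flow rules are constructed for illustration.

```python
"""Policy check for an isolated legacy-device VLAN (added example, not from the thread).

Models the approach in the comments: the unpatchable instrument PC sits on its
own VLAN, may push results one way to a designated sink, and nothing else may
initiate a connection to it. Every VLAN name and flow rule is constructed.
"""
from collections import deque

# Constructed inter-VLAN allow-list: (source_vlan, destination_vlan).
# Any pair not listed is dropped by the firewall between VLANs.
ALLOWED_FLOWS = frozenset({
    ("clinical_workstations", "internet"),
    ("clinical_workstations", "pacs_archive"),
    ("pacs_archive", "clinical_workstations"),
    ("legacy_sem_xp", "pacs_archive"),   # the one-way "data diode": results out only
    ("mgmt", "clinical_workstations"),
    ("mgmt", "pacs_archive"),
})


def reachable_from(src, flows):
    """VLANs reachable from src by chaining allowed flows (breadth-first search)."""
    seen = set()
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for a, b in flows:
            if a == cur and b != src and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def check_isolation(legacy, sink, flows):
    """Return a sorted list of policy violations for the legacy VLAN (empty means OK).

    Rules: no flow may have the legacy VLAN as destination (nothing reaches in),
    and the legacy VLAN may be the source of flows to its designated sink only,
    which also forbids any direct internet egress.
    """
    violations = []
    for a, b in flows:
        if b == legacy:
            violations.append(f"inbound flow allowed: {a} -> {legacy}")
        if a == legacy and b != sink:
            violations.append(f"unexpected outbound flow: {legacy} -> {b}")
    return sorted(violations)


def pivot_exposure(legacy, flows):
    """Segments an attacker who owns the legacy box could reach by pivoting.

    The diode stops inbound traffic, but the sink still accepts data from the
    legacy host, so the sink and everything it can in turn reach is the blast
    radius that needs hardening next (the diode is not a substitute for that).
    """
    return reachable_from(legacy, flows)


if __name__ == "__main__":
    print("violations:", check_isolation("legacy_sem_xp", "pacs_archive", ALLOWED_FLOWS))
    print("pivot exposure:", sorted(pivot_exposure("legacy_sem_xp", ALLOWED_FLOWS)))
    # A well-meaning change "for remote support" that quietly breaks the policy:
    broken = ALLOWED_FLOWS | {("mgmt", "legacy_sem_xp"), ("legacy_sem_xp", "internet")}
    print("after change:", check_isolation("legacy_sem_xp", "pacs_archive", broken))
```

Running the check on every firewall change (rather than once at commissioning) is what catches the later "just open it for the vendor" rule that undoes the isolation.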

    6. anthonyhegedus Silver badge

      Re: Easy to mitigate

      Are you trolling?

      1. Anonymous Coward

        Re: Easy to mitigate

        It's a pity the Reg doesn't have threaded comments.

        I'm with the OP up there who said WSUS and patching were free and got ridiculed.

        What he meant was that it is already in place and paid for, and has staff to operate it, also paid for.

        They just didn't push the right buttons, through laziness or inertia.

        This entire thing was down to specific patches, released 3 months earlier, that plugged the SMB vulnerability not being installed. Nothing more. Except they could also have used a decent firewall instead.

        What I want to know is what the annual pen tests said, over the years, and how many of the issues raised were acted on.

  5. Anonymous Coward

    Governments everywhere are the same. The Pols and Burs in charge like to use massive companies as buying from them can guarantee an easy, post last career, income with a company that supplies some service to said software giants.

    Hire a number of OpenBSD developers/system admins, or other Open Source systems people, and get some real expertise in place to secure the networks. (I reference OBSD as I follow its news, others would do.)

    Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required.

    There is the above issue and, in Canada, the Phoenix Payroll System.

    http://www.cbc.ca/news/canada/ottawa/senate-replacing-phoenix-new-payroll-system-rfp-1.4371269

    1. Doctor Syntax Silver badge

      "Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required."

      Medical equipment has to be certified as safe and effective in the markets in which it sells. The NHS is probably not going to be counted as a big enough market to make manufacturers see some UK-only spec. as being worth spending time and money on pandering to; at least not unless they charge a great deal extra for it.

      A better bet would be to pressure the certification authorities to ensure that in order to remain certified equipment has to be maintained reasonably up-to-date. Of course that would be easier if we were part of a larger market such as the EU but in order to make an extra £350m a week available for the NHS (as Boris still seems to insist on) we won't be.

      The likelihood is that imposing a draconian regime of that (or any other) nature would simply result in a good deal of existing equipment being orphaned by the manufacturer declaring it EoL or simply closing down altogether.
