Re: Some people just need repeated booting. With a size 48.
"But unauthorized people never come into this room, why should it have a password?"
This is the default answer where I work!!!! So infuriating.
Also conversation with a department head last year when reviewing the 2000 odd XP machines they had running a critical app for the business.
"Well it was installed and signed off by infosec as secure, the USBs are disabled and they are all on their own VLAN, why do we need to worry about patching and viruses?"
This lady is a breath of fresh air; it's particularly good that she is a nurse, as it gives her greater insight into 'on the ground' requirements and what is not necessary.
One of the (many) problems with the NHS is that since it was decentralised in the '80s there are too many SOPs with regard to everything, not just IT. It really needs a cohesive approach across the whole of the NHS with regard to how IT-related work is managed, carried out and overseen by someone who is a professional who appreciates the consequences of getting it wrong. A set of standards that are more than just advice would be useful.
HTTPS doesn't solve much
"Since the infection, most hospital websites have moved from HTTP to the more secure HTTPS, according to Milosevic – a move that wouldn't have halted the virus's spread but is indicative of IT staff taking security more seriously."
Or, it's indicative of IT staff fixing the easy and most visible stuff, while leaving gaping holes open elsewhere.
"Manufacturers tell healthcare pros the equipment should be always connected to some backend, contrary to the advice of security clearing house ICS-CERT and others."
This is where procurement should push back. Make it clear that if equipment has to be connected to a backend without that being a functional requirement then it won't even make it to the long-list. If spurious recommendations that it be connected aren't removed from the bumph it won't make it to the short-list.
More than NICE to have
NICE (National Institute for Health and Care Excellence) has guidance and standards on infection prevention and control. I believe most hospitals have a person responsible for that.
But I couldn't find guidance for infosec (looking under several relevant terms) on the NICE website. If it's there, it's not obvious. Does it need a disaster first?
Re: More than NICE to have
"But I couldn't find guidance for infosec (looking under several relevant terms) on the NICE website. If it's there, it's not obvious. Does it need a disaster first?"
The NHS is, sadly, anything but proactive.
It requires a Wannacry that doesn't suddenly stop, but instead spreads more and destroys/costs more.
Sense won't get change, only public outcry after a disaster.
It's bloody sad it's like that, but that's how it is.
Manufacturer: "But it needs to be connected to the internet so it can be patched and upgraded."
Client: "But it works fine as it is; and if it isn't connected to the internet or internal network then it doesn't need further updates. Honestly, it does exactly what we want it to do right now."
Manufacturer: "Yeah but... ummm, errrr, what about our support revenues..."