If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

Silver badge
Thumb Up

Sterile

"Healthcare without [basic] security is like surgery without sterile instruments,"

Don't think I could put that one better myself. 100% truth there. It's so good and appropriate I am going to steal it and use it myself. Change "Healthcare" for industry of choice if required.

39
0
Silver badge

"If it doesn't need to be connected, don't"

A sane attitude, at last! I thought the entire World went crazy about IoShit.

33
0
Silver badge
Thumb Up

Re: "If it doesn't need to be connected, don't"

This. It applies everywhere, not just healthcare.

22
0

Re: "If it doesn't need to be connected, don't"

So she has prescribed a proscription?

9
0
Gold badge
Unhappy

This stuff doesn't need to talk to the net

So why let it?

And it looks like medical grade IoT s**t is no better than any other kind.

I wonder if the same code monkeys sling this s**t as for the rest of this stuff.

15
0
Silver badge

Some people just need repeated booting. With a size 48.

"But unauthorized people never come into this room, why should it have a password?"

"But nobody knows about this being connected to the internet, so why do I need all this security stuff"

Honestly, kicking is too good for them.

21
0
Anonymous Coward

Re: Some people just need repeated booting. With a size 48.

"But unauthorized people never come into this room, why should it have a password?"

This is the default answer where I work!!!! So infuriating.

Also, a conversation with a department head last year when reviewing the 2000-odd XP machines they had running a critical app for the business.

"Well it was installed and signed off by infosec as secure, the USBs are disabled and they are all on their own VLAN, why do we need to worry about patching and viruses?"

4
0

Re: Some people just need repeated booting. With a size 48.

There is IT, but no real security department with more than 1-2 security professionals who will have a chance to explain and make good security ...

We need an independent security department

1
0
Silver badge

This lady is a breath of fresh air; it's particularly good that she is a nurse as it gives her greater insights into 'on the ground' requirements and what is not necessary.

One of the (many) problems with the NHS is since it was decentralised in the '80s there are too many SOPs with regard to everything, not just IT. It really needs a cohesive approach across the whole of the NHS with regard to how IT related work is managed and carried out and overseen by someone who is a professional who appreciates the consequences of getting it wrong. A set of standards that are more than just advice would be useful.

13
0
Silver badge
Flame

Technology isn't magic

This message still gets ignored.

13
0

HTTPS doesn't solve much

"Since the infection, most hospital websites have moved from HTTP to the more secure HTTPS, according to Milosevic – a move that wouldn't have halted the virus's spread but is indicative of IT staff taking security more seriously."

Or, it's indicative of IT staff fixing the easy and most visible stuff, while leaving gaping holes open elsewhere.

9
0

Re: HTTPS doesn't solve much

It is basic

And if they do not care about this, how can we be sure that they will care about more important stuff?

We need to build security from the ground, don't we?

1
0
Silver badge

"Manufacturers tell healthcare pros the equipment should be always connected to some backend, contrary to the advice of security clearing house ICS-CERT and others."

This is where procurement should push back. Make it clear that if equipment has to be connected to a backend without that being a functional requirement then it won't even make it to the long-list. If spurious recommendations that it be connected aren't removed from the bumph it won't make it to the short-list.

8
0

More than NICE to have

NICE (National Institute for Health and Care Excellence) has guidance and standards on infection prevention and control. I believe most hospitals have a person responsible for that.

But I couldn't find guidance for infosec (looking under several relevant terms) on the NICE website. If it's there, it's not obvious. Does it need a disaster first?

3
0
pig

Re: More than NICE to have

"But I couldn't find guidance for infosec (looking under several relevant terms) on the NICE website. If it's there, it's not obvious. Does it need a disaster first?"

Yes.

The NHS is, sadly, anything but proactive.

It requires a Wannacry that doesn't suddenly stop, but instead spreads more and destroys/costs more.

Sense won't get change, only public outcry after a disaster.

It's bloody sad it's like that, but that's how it is.

3
0
Headmaster

"A graph comparing Dutch and American hospital website security in 2017 ... click to enlarge"

I'm disappointed that El Reg misspelled "embiggen", and left off the full stop.

2
0
Silver badge

Manufacturer : "But it needs to be connected to the internet so it can be patched and upgraded".

Client : "But it works fine as it is; and if it isn't connected to the internet or internal network then it doesn't need further updates. Honestly, it does exactly what we want it to do right now."

Manufacturer : "Yeah but... ummm, errrr, what about our support revenues..."

9
0

Client: "If we look at how many times you did update and patch, we didn't even need to be connected to the internet, for sure not 24/7 ;-)"

3
0

This video is restricted, please sign in with a google account... Nice work whoever did that. Nice work.

8
0

The Register - Independent news and views for the tech community. Part of Situation Publishing