You don't need cash to call a boycott. Philips is the world's largest and the leader in LED lighting; any one of its competitors would love a foot in the door, so use the company's power against itself... it's commercially unaware people like yourself that allow privatisation to begin.
WannaCrypt NHS victim Lanarkshire infected by malware again
One of the UK National Health Service boards hit by WannaCrypt earlier this year has again been infected by malware. The Lanarkshire board manages the Hairmyres Hospital, Monklands Hospital, and Wishaw General Hospital in Scotland, and on Friday had to warn patients that it was only handling emergency cases. Lanarkshire was …
COMMENTS
Monday 28th August 2017 16:27 GMT Anonymous Coward
NHS may collectively be one of the largest purchasers of this sort of kit in the world ... but each hospital/authority/etc. buys most things independently. I think recently the Department of Health got someone to investigate the effects of this and found different hospitals paying wildly different prices for the same things; the main area of commonality was that the purchasing managers at most hospitals were reluctant to reveal the prices they paid because "the salesman told us we were getting a special deal which we couldn't tell anyone else about, as they couldn't give everyone the same deal" ... and, of course, these "special deals" were in general anything but special.
Monday 28th August 2017 08:54 GMT robidy
So a basic firewall in front to proxy connections is not possible?
Patching all XP desktops is not possible?
Filtering inbound mail is not possible?
Mandating scans of USB devices is not possible?
You highlight a cultural issue... management need a reality check to fix the culture.
Oh, and a national call to boycott Philips for hurting our NHS would soon get some action that doesn't involve the phrase "you need to buy a new one".
Monday 28th August 2017 09:57 GMT Anonymous Coward
If they are still under warranty I'd ask Philips to replace them because they are obviously defective. I'd also add a letter stating that any new networked device tender will include security high in the list - especially because of GDPR.
Then, depending on how they need to be networked, I'd design a way to isolate those XP machines and use a secure "proxy" to transfer the images.
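As an added example (not code from the thread or from any poster), here is what robidy's checklist above and this comment's "isolate the XP machines behind a secure proxy" idea look like once written down as a policy rather than a wish list. The inventory, the addresses and the image-transfer proxy are constructed for the example; the two facts it leans on are that WannaCrypt spread over SMB (ports 139/445) through the flaw fixed by MS17-010, and that DICOM image transfer conventionally uses TCP port 104.

```python
"""Segmentation plan for endpoints that cannot be patched.

Added example, not code from the thread or from any poster. The inventory,
addresses and the image-transfer proxy are constructed for illustration.
"""
from dataclasses import dataclass, field

# MS17-010 is the Microsoft fix for the SMBv1 flaw WannaCrypt spread through;
# 139/445 are the SMB ports it used for lateral movement.
SMB_PORTS = (139, 445)
DICOM_PORT = 104            # standard DICOM port; assumption: the proxy speaks DICOM
PROXY_IP = "10.20.0.5"      # assumed address of the image-transfer proxy
ANY = "*"


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    os: str
    vendor_locked: bool      # patching voids warranty/CE marking per the vendor
    ms17_010_applied: bool


@dataclass
class Plan:
    patch_now: list = field(default_factory=list)   # unpatched, but nothing stops us
    isolate: list = field(default_factory=list)     # unpatched and untouchable


def classify(hosts):
    """Split unpatched hosts into 'patch it' and 'wall it off'."""
    plan = Plan()
    for h in hosts:
        if h.ms17_010_applied:
            continue
        (plan.isolate if h.vendor_locked else plan.patch_now).append(h)
    return plan


def build_policy(isolated, proxy_ip=PROXY_IP):
    """Ordered first-match rules (action, src, dst, dport) for the isolated segment.

    Each walled-off host may exchange DICOM with the proxy and nothing else;
    everything else to or from it is dropped, SMB included.
    """
    rules = []
    for h in isolated:
        rules.append(("allow", h.ip, proxy_ip, DICOM_PORT))
        rules.append(("allow", proxy_ip, h.ip, DICOM_PORT))
        rules.append(("deny", ANY, h.ip, ANY))
        rules.append(("deny", h.ip, ANY, ANY))
    return rules


def is_allowed(rules, src, dst, dport):
    """First matching rule wins; flows the segment rules do not mention fall
    through to the general policy (modelled here as allow)."""
    for action, r_src, r_dst, r_port in rules:
        if r_src in (ANY, src) and r_dst in (ANY, dst) and r_port in (ANY, dport):
            return action == "allow"
    return True


# Constructed inventory for the example.
INVENTORY = [
    Host("mri-console-1", "10.30.1.10", "Windows XP", True, False),
    Host("ct-console-2", "10.30.1.11", "Windows XP", True, False),
    Host("ward-pc-7", "10.10.0.7", "Windows XP", False, False),
    Host("ward-pc-8", "10.10.0.8", "Windows 7", False, True),
]

if __name__ == "__main__":
    plan = classify(INVENTORY)
    rules = build_policy(plan.isolate)
    print("patch now:", [h.name for h in plan.patch_now])
    print("isolate:  ", [h.name for h in plan.isolate])
    # A compromised ward PC probing an isolated console over SMB is dropped,
    # but the console can still send studies to the proxy.
    print(is_allowed(rules, "10.10.0.7", "10.30.1.10", 445))      # False
    print(is_allowed(rules, "10.30.1.10", PROXY_IP, DICOM_PORT))  # True
```

The point of the first-match order is that the two allow rules sit above the catch-all denies, so the console keeps working for the one thing it is for and loses everything else; in particular, an isolated console cannot reach a sibling console over SMB either, which is exactly the path a worm would take between two unpatched scanners.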
Monday 28th August 2017 10:38 GMT Doctor Syntax
"But if we patch they lose their warranty and CE marking since we're acting against the manufacturer."
Put them on the spot and ask them* if their warranty covers not only malware damage to the unpatched systems themselves but also consequent damage to other systems for malware getting in through unpatched XP and consequent harm to patients.
*Via your legal dept. of course. Potentially being on the hook for large damages is apt to concentrate minds.
Tuesday 29th August 2017 07:05 GMT Hans 1
Philips must have a license clause, just like the Windows license reads: The manufacturer or installer, and Microsoft, exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement.
I accept clauses like that from FFS because I can change the software myself for it to become fit for a particular purpose ;-) ... If Philips do not update the software on their medical equipment, then I think hospitals around the world must contact the press ... and the media must do their part. This is, of course, unacceptable.
I would also advise hospitals avoid embedded systems, or demand FFS so they can update as they see fit, worst case, hire a bloke to update the driver for the newest kernel.
Tuesday 29th August 2017 07:36 GMT Anonymous Coward
Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and nobody accept something like that.
Also, believe me, very few hospitals would update their equipment as they see fit (unless they have a research department capable of doing it, and test it on "guinea pigs"...), or hire the first "bloke" they can find to update a driver, and then maybe kill a patient, which would then be a fault of theirs.
As long as you modify a device and kill yourself that's fine; when you put other people in danger it is not.
Any change in such systems requires a deep knowledge of the system and an understanding of its effects, and of course extensive testing. That's what Philips would like to avoid because it has costs, but it can't avoid it any longer.
I believe something like the aviation authorities is needed, when something dangerous is found they mandate changes, and both manufacturers and users must comply within the allowed timeframe.
Tuesday 29th August 2017 11:33 GMT Korev
Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and nobody accept something like that.
I work in IT in drug research (and in a cancer lab before that), most systems, reagents, etc are specifically marked as "For Research only" to get around all of the regulations. Obviously buying ones "For Diagnostic Purposes" is hugely more expensive due to the regulators. I assume that the scanners etc. have to be certified in the same way.
If they muck up their software in an upgrade to either the controller PCs/servers, the software and/or the scanner firmware then things can go quite badly wrong (https://www.theregister.co.uk/2016/07/03/mri_software_bugs_could_upend_years_of_research/), so the field is very conservative.
Monday 28th August 2017 10:45 GMT Daveytay
The certification probably doesn't let you modify the OS. This means you can't add software, like the decent exe-whitelisting AV suites that are available now. Luckily for me, when I was doing some consulting for a genomics start-up, there were no such rules. I networked some ABI sequencers that ran NT4, on something like SP5, about 16 years ago. I backed them up, put on NT4 SP6a and the NetWare 5.1 client, and pushed the corporate AV NAL, which was Symantec's recent purchase from Intel, their pretty good managed AV at the time. I would back those suckers up fairly often because they were the guts of the entire genomics lab. That was a neat job; working with scientists is cool. I even got to delegate the rebuild of the radio-isotope scintillator that blew a hard drive, and whose floppy was super clogged with dust, to a junior. I told him to glove up. Good times...
Monday 28th August 2017 09:30 GMT Anonymous Coward
Despite all the money the NHS received for new tech in the past 15 years, almost none of it was invested in staff. 8 people out of 10 working in IT in the NHS have very little interest in the industry (if any, for that matter). Those that actually know something are rarely promoted to run a team (or, God forbid, a whole department). Instead of waiting 5-10 years to go higher up they just change employer. Also, the IT recruitment processes in most of the NHS are truly bizarre. Someone at some point realised that this whole NHS IT thing is weird and it would be best to outsource it. Outsourcing NHS IT, oh boy; if someone were to write a book about it, it would take longer than finishing Game of Thrones.
Monday 28th August 2017 10:19 GMT Roland6
New outbreak or reinfection ...
It will be interesting to see whether they get to the source of this new outbreak.
Wouldn't surprise me to find that this outbreak was caused by someone opening/forwarding an infected file that for various reasons got missed on the clean up from the last outbreak.
Monday 28th August 2017 16:47 GMT robidy
And what OS would stop it? Linux? MacOS? The one from the terribly nice chap from north of Samsung land? The OS is not the problem... how it's managed is.
Management needs to understand it's okay to have outages because of improvements... but not acceptable because of lack of improvement. The former should not be part of SLAs outside core hours if planned and managed... clearly, from WannaCrypt, departments CAN manage without those systems when pushed.
Monday 28th August 2017 21:14 GMT TheElder
It is the users
Social engineering == stupid users. We need to educate the users. Sometimes that just isn't possible.
Tuesday 29th August 2017 09:56 GMT Amorous Cowherder
“Due to NHS Lanarkshire IT issues, the staff bank system and telephone are offline and currently unavailable”
Hold on there...
“Due to general NHS IT underfunding and outsourcing to crap offshore services in the east where no one gives a flying crap about the systems they're supposed to be running, the staff bank system and telephone are offline and currently unavailable.”
Tuesday 29th August 2017 12:28 GMT Anonymous Coward
I.T. Budget
It's been a long time since I worked for the NHS but one of the problems I encountered was that I.T. was only notionally in charge of the I.T. budget. Each department could, and did, buy their own kit often without reference to I.T. As for medical equipment, usually the first time the hospital I.T. department would hear about new kit would be when the "computer bit" broke and an irate consultant demanded it be fixed immediately.
I don't imagine it's changed that much.
Tuesday 29th August 2017 12:35 GMT Anonymous Coward
No doubt....
...they've probably outsourced their IT despite being warned it wouldn't be cost effective. No one listens to that, and then a few years later they bring IT back in house. You lose the skill of current knowledge, and the fact that most IT on site will, and even needs to, break SLA just to get stuff fixed. Outsourced companies want their money, so they will be strict with their SLAs.
To be hit a second time clearly means they never bothered fully fixing it the first time.