WannaCrypt NHS victim Lanarkshire infected by malware again

One of the UK National Health Service boards hit by WannaCrypt earlier this year has again been infected by malware. The Lanarkshire board manages the Hairmyres Hospital, Monklands Hospital, and Wishaw General Hospital in Scotland, and on Friday had to warn patients that it was only handling emergency cases. Lanarkshire was …

          1. robidy

            You don't need cash to call a boycott. Philips is the world's largest and the leader in LED lighting; any one of its competitors would love a foot in the door, so use the company's power against itself...it's commercially unaware people like yourself that allow privatisation to begin.

        1. Anonymous Coward

          NHS may collectively be one of the largest purchasers of this sort of kit in the world ... but each hospital/authority/etc. buys most things independently. I think recently the Department of Health got someone to investigate the effects of this and found different hospitals paying wildly different prices for the same things - the main area of commonality was that the purchasing managers at most hospitals were reluctant to reveal the prices they paid because "the salesman told us we were getting a special deal which we couldn't tell anyone else as they couldn't give everyone the same deal" ... and, of course, these "special deals" were in general anything but special.

    1. robidy

      So a basic firewall in front to proxy connections is not possible?

      Patching all XP desktops is not possible?

      Filtering inbound mail is not possible?

      Mandating scans of USB devices is not possible?

      You highlight a cultural issue....management need a reality check to fix the culture.

      Oh and a national call to boycott Philips for hurting our NHS would soon get some action, that doesn't involve the phrase "you need to buy a new one".

    2. Anonymous Coward

      If they are still under warranty I'd ask Philips to replace them because they are obviously defective. I'd also add a letter stating that any new networked device tender will include security high in the list - especially because of GDPR.

      Then, depending on how they need to be networked, I'd design a way to isolate those XP machines and use a secure "proxy" to transfer the images.

    3. Anonymous Coward

      Not an ideal solution, but have a CD-R burner, burn the images and move them to a machine on the network with autorun disabled. They should be safe disconnected entirely and you're not risking infection with USB sticks.

    4. Doctor Syntax Silver badge

      "But if we patch they lose their warranty and CE marking since we're acting against the manufacturer."

      Put them on the spot and ask them* if their warranty covers not only malware damage to the unpatched systems themselves but also consequent damage to other systems for malware getting in through unpatched XP and consequent harm to patients.

      *Via your legal dept. of course. Potentially being on the hook for large damages is apt to concentrate minds.

      1. Hans 1

        Philips must have a license clause, just like the Windows license reads: The manufacturer or installer, and Microsoft, exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement.

        I accept clauses like that from FFS because I can change the software myself for it to become fit for a particular purpose ;-) ... If Philips do not update the software on their medical equipment, then I think hospitals around the world must contact the press ... and the media must do their part. This is, of course, unacceptable.

        I would also advise hospitals avoid embedded systems, or demand FFS so they can update as they see fit, worst case, hire a bloke to update the driver for the newest kernel.

        1. Anonymous Coward

          Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and that nobody accepts something like that.

          Also, believe me, very few hospitals would update their equipment as they see fit (unless they have a research department capable of doing it, and test it on "guinea pigs"...), or hire the first "bloke" they can find to update a driver, and then maybe kill a patient, which would be a fault of theirs.

          As long as you modify a device and kill yourself, that's fine; when you put other people in danger it is not.

          Any change in such systems requires a deep knowledge of the system and understanding of its effects - and of course, extensive testing. That's what Philips would like to avoid because it has costs, but it can't avoid it any longer.

          I believe something like the aviation authorities is needed, when something dangerous is found they mandate changes, and both manufacturers and users must comply within the allowed timeframe.

          1. Korev Silver badge
            Boffin

            Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and that nobody accepts something like that.

            I work in IT in drug research (and in a cancer lab before that); most systems, reagents, etc. are specifically marked as "For Research only" to get around all of the regulations. Obviously buying ones "For Diagnostic Purposes" is hugely more expensive due to the regulators. I assume that the scanners etc. have to be certified in the same way.

            If they muck up their software in an upgrade to either the controller PCs/servers, the software and/or the scanner firmware then things can go quite badly wrong (https://www.theregister.co.uk/2016/07/03/mri_software_bugs_could_upend_years_of_research/) so the field is very conservative.

    5. Daveytay

      The certification probably doesn't let you modify the OS. This means you can't add software, like the decent exe whitelisting AV suites that are available now. Luckily for me, when I was doing some consulting for a genomics start-up, there were no such rules. I networked some ABI Sequencers that ran NT4, on something like SP5, about 16 years ago. I backed them up, put on NT4 SP6a, the NetWare 5.1 client and pushed the corporate AV NAL, which was Symantec's recent purchase from Intel, their pretty good managed AV at the time. I would back those suckers up fairly often because they were the guts of the entire genomics lab. That was a neat job; working with scientists is cool. I even got to delegate the rebuild of the radio-isotope scintillator that blew a hard drive and whose floppy was super clogged with dust to a junior. I told him to glove up. Good times...

      1. robidy

        So why is a firewall proxy a problem?

  1. jzedward

    For those who don't know him, Calum Campbell did not exactly cover himself in glory as CEO of BGH, and left the IT systems there vulnerable to Wannacry (in line with most Scottish NHS trusts). Once you are in the little CEO circle your competence is no longer an obstacle to advancement.

  2. drewsup

    this, after how much spent on IT upgrade

    oh ya, only 10 Billion....

    https://www.theguardian.com/society/2013/sep/18/nhs-records-system-10bn

    1. Anonymous Coward

      Re: this, after how much spent on IT upgrade

      That was just the cost of consultancy on new letter heads.

    2. Just Enough

      Re: this, after how much spent on IT upgrade

      That was NHS England. This story is about NHS Scotland. Separate entities with separate systems.

    3. robidy

      Re: this, after how much spent on IT upgrade

      Which to be fair was a Labour born and bred disaster that the Conservative private sector chums seem to be dining out on but failing to fix...I'm unsure which is worse.

  3. Anonymous Coward

    Despite all the money the NHS received for new tech in the past 15 years, almost none of it was invested in staff. 8 people out of 10 working in IT in the NHS have very little interest in the industry (if any for that matter). Those that actually know something are rarely promoted to run a team (or God forbid a whole department). Instead of waiting 5-10 years to go higher up they just change employer. Also the IT recruitment processes in most of the NHS are truly bizarre. Someone at some point realised that this whole NHS IT thing is weird and it would be best to outsource it. Outsourcing NHS IT, oh boy, if someone was to write a book about it, it would take longer than finishing Game of Thrones.

  4. Roland6 Silver badge

    New outbreak or reinfection ...

    It will be interesting to see whether they get to the source of this new outbreak.

    Wouldn't surprise me to find that this outbreak was caused by someone opening/forwarding an infected file that for various reasons got missed on the clean up from the last outbreak.

  5. Anonymous Coward

    This will continue as long as the NHS uses Microsoft Windows.

    They are not skilled, resourced or funded enough to protect themselves from the issues of a Swiss cheese OS.

    1. robidy

      And what OS would stop it? Linux? MacOS? The one from the terribly nice chap from North of Samsung land? The OS is not the problem...how it's managed is.

      Management needs to understand it's okay to have outages because of improvements...but not acceptable because of lack of improvement. The former should not be part of SLAs outside core hours if planned and managed...clearly from Wannacrypt departments CAN manage without those systems when pushed.

    2. EnviableOne

      Search NHSbuntu, they are working on it

      1. Anonymous Coward

        Office, email & chat.

        Yup that looks like a complete suite of everything they use.

    3. Anonymous Coward
      FAIL

      You see that multi-million pound bit of kit? You know the one saving peoples lives, day in day out.

      I've looked in GitHub and the Ubuntu "store" for certified software and you know what, I just can't find it.

      Maybe I can get Dave to knock something up, he's good at that sort of thing.

  6. Snorlax Silver badge
    FAIL

    Find The Head Of I.T.

    ...and SACK THE FUCKER.

    No excuse for being hit a second time, is there?

  7. Anonymous Coward
    Unhappy

    FREEDOM!

    NHS Scotland is a fiasco under the SNP, as is education, the polis, ScotRail, in fact everything the SNP touches turns to dust.

  8. TheElder

    It is the users

    Social engineering == stupid users. We need to educate the users. Sometimes that just isn't possible.

    Civil Servant with no brain

  9. Amorous Cowherder
    Facepalm

    “Due to NHS Lanarkshire IT issues, the staff bank system and telephone are offline and currently unavailable”

    Hold on there....

    “Due to general NHS IT underfunding and outsourcing to crap offshore services in the east where no one gives a flying crap about the systems they're supposed to be running, the staff bank system and telephone are offline and currently unavailable.”

  10. adam payne

    At the time, NHS Lanarkshire expected a 72-hour outage, and CEO Calum Campbell attributed the outage to malware, with systems taken offline to contain the outbreak with help from its IT provider.

    Lessons not learnt regarding Malware then.

  11. Anonymous Coward

    I.T. Budget

    It's been a long time since I worked for the NHS but one of the problems I encountered was that I.T. was only notionally in charge of the I.T. budget. Each department could, and did, buy their own kit often without reference to I.T. As for medical equipment, usually the first time the hospital I.T. department would hear about new kit would be when the "computer bit" broke and an irate consultant demanded it be fixed immediately.

    I don't imagine it's changed that much.

  12. Anonymous Coward

    No doubt....

    ...they've probably outsourced their IT despite being warned it wouldn't be cost effective. No one listens to that, and then a few years later they bring IT back in house. You lose the skill of current knowledge and the fact that most on-site IT will, and even needs to, break SLA just to get stuff fixed. Outsourced companies want their money so will be strict with their SLAs.

    To be hit a 2nd time clearly means they never bothered fully fixing it the first time.

  13. Tubz Silver badge

    P45s all round for incompetence and big fat pay-offs for managers!

  14. clintos

    Lacking knowledge...

    People need to be more vigilant with emails. The cyber attackers are preying on the minds of the people who do not know any better. Train them to spot the hacker.
