back to article UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked its networks. Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, …

Page:

  1. InNY

    There's a f**k load of ignorance on this thread

    Really, there is.

    Why Windows? Thirty years ago Linux was not available... and what did every organization use in the rush to computerize in the mid to late 90's? Oh, that's right it was MS Windows!

    Computerized records, why not use pen and paper? Are you willing to pay for the storage? Are you willing to pay for your records to be mailed/faxed each time you visit another department, let alone another county/country? Or do you like the convenience of phoning in for your prescription (no need to visit the doctor, no need to explain to the receptionist why you need that tablet, no need to fetch your prescription and then take it and wait at the pharmacy) and then fetching it with no other interaction from you?

    Do you like your life saving care to come from people who have access to your medical records and can see you are allergic to anti-histamines or whatever - because it says so on the screen?

    Do you want you medical care provider to provide you with care for the best possible cost and not to be spending your hard-earned tax money on paper, creating forms that don't get completed or filed properly (mainly because the doctor/nurse/filing clerk is so totally over-worked it's mind boggling how and why they actually keep going), just so that you can drop dead because the bit of paper listing your allergy to common-sense was at the back of file, folded up and not at the front open for all to see (as and when they find your records in the huge warehouse; then someone carefully takes each page out and places it in the fax machine; then once they have faxed your records to correct place - "oh dear very famous person, I really didn't mean for your records to go to the local gossip blogger - the numbers are so similar. Never mind dear, I'll try again")

    I know which I prefer. The question you have to ask yourself, do I prefer cost-effective health care or the shambles and inefficiencies of the 1970's?

    Do I want my health care to work?

    Do I want my health care to ensure I live?

    If the answer is yes, then stop banging on about Linux is better than Windows, because they are both the sodding same. Really they are.

    Windows is an OS; Linux is the kernel of a system that makes up an OS. Both do what they do very efficiently and effectively. Do you really think the pure evil hackers of the world would stick to Windows if Linux or Mac or Uncle Bob's OS was more popular?

  2. Rob D.
    Coat

    Mrs Wilkinson, welcome to your new job

    > April 2017, NHS Digital Chair Noel Gordon said: "I am delighted that Sarah is joining NHS Digital at such a pivotal time for health and care as we work hard to empower the system through digital transformation."

    I bet she wasn't expecting this kind of digital transformation.

  3. A_Melbourne

    Well done Microsoft. Cooperating with US intelligence services comes at a price. The Russians, Chinese and so on are moving away from American operating systems and software.

    When is the last time you saw a new Detroit-made car in Europe?

    That is what happens to people who make shoddy products - let alone products designed with integrated faults.

    1. GrumpyOldBloke

      But where is GCHQ? An attack on the realm and the spooks are nowhere to be seen. Where is the government rushing in with a key generation service? How bad does it have to get before this turkey sold as keeping us safe actually starts to fly.

      It is easy to blame the Yanks but the glorious British empire is culpable as well. Now if only we had that magic encryption that is secure but with backdoors.

      1. Anonymous Coward
        Anonymous Coward

        GCHQ will be churning out forest after forest of impenetrable procedures for hapless civil servants to follow regarding the storage of crypto material or somesuch...

        They're short on practical advice or action and usually several years behind the curve e.g. witness numerous Govt Depts that until fairly recently were still lumbered with obsolete Blackberries disabled to virtual uselessness whilst everyone had a personal iPhone/Android devices.

    2. MJI Silver badge

      Cars

      Why would we want to?

      Without leaving the contintent we can have plenty of brilliant cars.

      Why buy a US generic big saloon when you can drive a BMW, Mercedes or Jaguar?

      Why buy a US 4x4 when the best are made in Solihull?

      Sports cars, hello Italy

      Then there are the grand tourers, hatches, estate cars, so many decent ones available.

      No need to go to Yankland

  4. Anonymous Coward
    Anonymous Coward

    May says "no indication" patient records compromised

    Nice 'plausible deniability' excuse... From a kingpin politician who might as well live in the 1800's as regards getting to grips with the current clusterfuck that is net-security / patient-records-privacy (DeepMind etc)...

  5. Anonymous Coward
    Anonymous Coward

    "NHS-CIO: Remove all external access to the HSE's Network to protect the integrity of clinical IT"

    * For how long? Just "over the weekend"... WTF??? Isn't anyone getting the message that the net is toxic... We need to start over with new net security models. What we have isn't working. Its turning semi-apocalyptic...

    * Governments in particular need to stop connecting internal systems to the net in the hope of saving pennies but actually becoming net facing 'marks'... Everyone else needs to seriously consider unplugging too, especially organizations / scada industry etc etc...

    * The Data Wars are already lost to scammers, cybercrims, hackers... But nothing will change while aging politicians pretend to run the show... And since no one even bothered to buy the Shadow Brokers/NSA tools to keep them off the market, expect nothing but more chaos!

    1. Bilious

      Remove all external access?

      Some actually do need to access web mail during working hours, and some do need to extract or enter files on removable media. Research and teaching does not always take place on the same network as the patient records, but both are legitimate and necessary - so data needs to be moved between networks. Material has to be made somewhere, whether at work, during travel or at home. Restrictions tend to making research and teaching overly cumbersome, so there needs to be a compromise between usability and security. This is complex and requires people from different professions working together. My experience is that both IT decision makers and institution leaders ignore it.

      1. Danny 2

        Re: Remove all external access?

        Some actually do need to access web mail during working hours, and some do need to extract or enter files on removable media
        Fair enough, then your employer should provide you with an insulated console for you to browse porn. Or, and this is just a suggestion, why not get internet access in your own home and update your kitty porn videos on your own time.

        This is NHS medical testing systems that have been compromised, I totally expect deaths to come from this hack. There is no debate on the rights of the NHS worker to browse the internet at work.

    2. Anonymous Coward
      Anonymous Coward

      "Remove all external access?"

      What's so wrong with a lock-down of medical / hospital machines regardless of M$ Swiss cheese holes. In the age of cloud why can't a medical pc or app poll / send changes from / to the Cloud on port 80? Everything else remains dead and off-limits! Plus why can't this lock-down be proprietary too, so it isn't on some NSA zero-day hit-list that hackers acquire? Its a reasonable question to ask...

      1. Wayland

        Re: "Remove all external access?"

        I believe this was a co-ordinated attack from the inside, an inside job. Look at who was not attacked as well as who was. I don't believe this worm tunneled in through the firewall, it was already on the LAN. If the LAN was segmented then the worm would need seeding on each segment. It would need seeding at each hospital.

        If this worm came from the Internet then members of the public would have been hit. Although I have seen this sort of worm before, we're not seeing this one on home computers and small businesses.

  6. Jason Hindle

    Oh dear. XP

    So I Googled "Does the NHS still use Windows XP," and quickly found an El Reg atticle from last December. Sounds like the people who think we have too many experts have been ignoring expert advice, again.

    1. Duffaboy
      FAIL

      Re: Oh dear. XP

      There are still big corporate companies running XP it's not just NHS.

      1. Jason Hindle

        Re: Oh dear. XP

        Indeed. Along with IE6 and ActiveX controls. As I've commented elsewhere, there are still cowboys getting away providing browser dependent applications....

      2. the Jim bloke

        Re: Oh dear. XP

        Also many Oz government offices, local councils whatever..

        Not the sexy, high prestige, celebrity government offices, but the nuts and bolts departments that actually have work to do, and a budget that has to be split between maintaining their garbage truck, providing PPE and shovels to lean on for their workers, and stationery and office equipment - which is probably what they use instead of an IT budget.

    2. Wzrd1 Silver badge

      Re: Oh dear. XP

      Oddly, Microsoft sent out a patch for XP.

      Good idea, as this rubish code belongs in a rubbish tip, not a fucking operating system. And to be honest, this shit code likely has existed since the US DoD bought the NT4 source code.

      Blaming the NSA for doing what defense organizations do is idiotic, as they didn't write the shit code, Microsoft did and gave all six major vulnerabilities a free pass, for decades!

      Do research how long the SMB1 stack has existed.

      Hint: SMB1 is nearly as old as our children, who are in their mid-30's. It's nearly 30 years old.

      We have one thing that's over 30, other than our children, our wedding bands. Everything else was either lost, destroyed in a move or damaged beyond repair in moving or normal life.

      Or do we also need to get netbui fixed as well?

      Yeah, I'm *that* old and a bit older.

      Hint, the Queen of England sat 9 years on her throne before I was born, but my earliest memory, beyond a diaper pin jab, when I wriggled and understood what mom was warning me of, was JFK being shot to death.

      This is a case of one complaining of a Model T Ford not running worth a damn on modern gasoline and worse, the valves hammering themselves to death.

      1. Asylum_visitor

        Re: Oh dear. XP

        Funnily enough the last time I used NetBEUI, I was working for the NHS!

        Have an Upvote :)

  7. Anonymous Coward
    Anonymous Coward

    Govt depts and system patching

    During my decade of experience in a Govt dept they were terrible at patching. I've heard that things have improved but during my time there it was normal for systems to be never patched at all or every few years if that. It wasn't lack of finances (they spunked money on all sorts of unnecessary sh1t) just senior management incompetence. I was hoping that the NHS would be better.

    I'm still public sector now but in my current employment it's "patch or die", thank goodness. This generates work but a lot less than not patching for years or until the latest Heartbleed/Shellshock or whathaveyou comes out.

    1. Wzrd1 Silver badge

      Re: Govt depts and system patching

      Not only government. I work for a major corporation, derived from a Fortune 200 corporation.

      This weekend, Saturday being my "Monday", I found major patching for this frigging vulnerability going on.

      Back when I was IASO for a major US military installation, patches of the OS were delayed, at most, by 30 days.

      Net result, due to equally anal retentive antivirus states, the 2008 cyberattack on the US DoD, which was centered on our area, failed.

      Following best business practices also helped. A lot.

      A tad of commonsense also helped.

  8. Anonymous Coward
    Anonymous Coward

    Missing the Obvious

    Has no-one thought that we could just reboot the patients!?

    1. Wzrd1 Silver badge

      Re: Missing the Obvious

      I invite you to lead by example, so that others will follow.

      Let us all know how that works out for you.

  9. Dwarf

    Budgets

    I guess that if the NHS was better funded then they would have the budget to spend on keeping the IT that keeps their business working up-to-date.

    Its a bit rich that Amber Rudd is quoted on the BBC as saying that "the NHS must learn from Friday's cyber-attack and upgrade its IT systems". Surely the fault lays at the door of the of government funding (or the lack of it). Critical public services must be correctly funded - irrespective of which government that happens to be on any given day as they are all as bad as each other in this regard.

    I also believe that key supplier such as Microsoft should be forced to support applications for a longer period of time that reflects the complexity of making significant changes in large enterprises. This is a cost of doing business with such customers.

    1. SloppyJesse

      Re: Budgets

      "Its a bit rich that Amber Rudd is quoted on the BBC as saying that "the NHS must learn from Friday's cyber-attack and upgrade its IT systems". Surely the fault lays at the door of the of government funding (or the lack of it). "

      Not just funding, but also policy when it comes to IT. They DID spend lots of money (12 billion plus?) but it was on white elephant national programme for IT rather than upgrading/securing out dated systems within hospitals.

    2. Wzrd1 Silver badge

      Re: Budgets

      First, there's that entire WSUS thingie that's free.

      Creating a test group, trivial.

      Been there, done that, created the damned program.

      Add in SCCM and assorted other package management software, well, seriously. This is a management complacency issue.

      Now, long fangs are hooked upon many, many, many management asses, not only UK, but throughout the EU.

  10. Anonymous Coward
    Anonymous Coward

    The first rule of business?

    Protect the business ! I think that is attributable to the mafia.

    Good luck to those tasked with having to fix this, you have my sympathies.

  11. Anonymous Coward
    Anonymous Coward

    Ransomware..

    (Let's say what should be said regards Microsoft..)

    Not sure what's worse regards the NHS,

    Annual Microsoft Patch 'Ransomware' v Regular ransomware.

    So much of the money spent on MS licencing could be used to build a proper secure Linux distro/solution for the NHS.

    1. Wzrd1 Silver badge

      Re: Ransomware..

      We have precisely one Windows system in the house.

      The POS from work. An HP EliteBook, with it's cracked NIC port, which isn't considered part of warranty and *why* HP won't be next year's vendor.

      As for Microsoft, the only MS system in the house is the one from work. Although, I do keep one bootable under an obsolete version of Windows to patch assorted other systems that I'd rather throw into the trashcan.

  12. conscience

    Let's hope that if/when the NHS does upgrade their IT systems then it's not with any MS operating system, primarily because there's nothing in Win10 to stop all this from happening again when some future forced update breaks key functionality and/or associated medical equipment needed to run hospitals. Not that the data slurping would allow many/most organisations and businesses to adopt Win10 in any case.

    Neither should the NHS or other government departments/vital services consider purchasing any future vital equipment (e.g. NHS scanners) that relies on MS software in order to prevent a repeat of this dangerous situation.

    Perhaps in future the NHS could set up a new hardware/software platform that is not subject to commercial pressures of forced obsolescence for profit. Their own Linux distro perhaps? Adding any new custom code they require needn't be expensive when shared out between all the NHS and potentially all UK government departments. All built atop some chip/architecture with multiple vendors to avoid any future problems that may arise. All vendors wanting to participate must agree to support whatever they contribute for a very long period of time e.g. several decades minimum. I don't think we can afford not to take control of our important IT, the likes of MS have proved they are not up to the task.

    1. Dwarf

      They don't need their own Linux distro, there are plenty that will already do what they need.

      1. Wayland

        They do need their own Linux distro if only to put in the mechanism for supporting it should the original distro die. The NHS distro could be Debian with some NHS specific tuning. It might even contain WindowsXP virtual machines just to smooth over the transition for things that need rewriting for Linux.

      2. Wayland

        PS most big organisations brew their own Windows distro.

  13. MarkSitkowski

    Seems that Bitcoin only exists to enrich criminals and fund terrorists. Isn't it time to make it illegal to trade bitcoin for real money? Or, better still, shut down any organisation trading in it?

    1. Mister Fluffy

      Not when there is money to be made from 'trading' in Bitcoin.

  14. Archie1954

    Do you remember just who it was that started this whole cyber warfare? Think back several years to the joint US/Israeli stux worm attack against Iran. Yes the same nation whose NSA worm was negligently allowed to proliferate into the Worldwide Net started the whole cyberwar evil. The British healthcare system and all others harmed by these cyber attacks should sue the NSA for gross negligence or willful misfeasance.

  15. Wzrd1 Silver badge

    Irritating

    For one, the NSA didn't write the garbage code that was SMB1. Microsoft did.

    Said code repeatedly passed the excuse for code validation that Microsoft has.

    That the NSA found six vulnerabilities and likely utilized them, well, they're military defense. Do you honestly expect any military organization to give away an advantage?

    This is odd for me, as I have rarely defended the NSA!

    I'll close with, *anyone* who permitted SMB1 protocol to exist on their network needs to be given the sack. Inefficient, network hogging worse that YouTube cat videos and pure rubbish coding has long turned that code to be a top list of first to disable on a baseline configuration. Right next to autorun, which even Microsoft figured out to disable by default. The only damned thing it's not vulnerable to is ping of death!

  16. Mister Fluffy

    2001

    On a side-note, I was told, during an interview without coffee in 2001, that computers were the only way forward in General Practice.

    Personally, I can maintain eye contact with a patient, and make far more detailed hand-written notes than is possible when sitting with a screen in front of me; I wear my watch on my right wrist in order to be able to note the time whilst writing, rather than on my left which demonstrates the time-keeping.

    My concerns regarding the not infrequent network failures were pushed aside, back-up was something that might be occurring, and password sharing was common amongst staff.

    Consultations recorded on computers, generally (and I've reviewed tens of thousands), cut corners, lack detail, and offer little protection to medico-legal challenge.

    The grey suited spectre from the Department of Health was singularly unimpressed when I enquired about long-term work force planning given the numbers of ageing general practitioners, and the increasing number of part-time and female partners.

    I left general practice shortly afterwards and undertook another, expensive, four year training programme.

    Work was far more satisfying, but I still had 'managers' who were far less qualified than I was who insisted on telling me how to run my service to the point of bullying, harassment and false reporting.

    The conflict within the NHS is a workforce that, typically, knows what they are doing (in a grossly underfunded service), and a management that is self-promoting, and does not listen to the concerns of their own staff.

    Add in the duplicity of the government, and the conspicuous absence of the Secretary of State for Health, and you have a system teetering on the verge of collapse.

    I might suggest private health insurance but you're going to get fleeced by the companies concerned.

  17. Anonymous South African Coward Bronze badge

    Windows = virus/worm/trojan petri dish

  18. Anonymous Coward
    Anonymous Coward

    Four systems (two server2003 and two legacy XP systems) patched.

    *touch wood*

  19. Jobacon

    Don't use WINDOZE!

    The answer is: don't use Windows for vital services such as hospitals! Most IT departments hire people who know nothing else. The main problem is that the government always hires the wrong IT companies for its large projects, companies run by megarich businessmen who know nothing about IT rather than smaller companies run by mavens. That is why the NHS computer services have more holes in them than a Gruyère cheese. Remember the millions wasted by the NHS trying to computerise its entire system, only to discover that they were incapable of doing it? The NHS needs its own proprietary operating system that cannot be penetrated by cyberterrorists.

  20. ancient-strider

    TELL ME AGAIN - HOW DO I BACK UP?

    NHS data losses can be expected. They are not willing to pay a decent rate for a decent Tech-team.

    The skilled guys are tech consultants but not for the NHS. And how do two guys keep up with a whole hospital's needs with computing, electronic records, bar-code-only to locate patients hard copy records on miles of shelves....... etc.

    As an ex-admin in the NHS, my wife has first hand experience of the constant fails and crashes, and panics if an operation was about to be cancelled because notes could not be located.

    This crisis is nothing new - just different!

  21. Potemkine Silver badge
    Trollface

    Bloody European Union!

    It's all because of the EU!

    With the £350 millions the EU steals to the NHS each week, the latter could have afford to change its antiquated Windows XP! Luckily in less than 2 years NHS will buy up-to-date configurations, right? ^^

  22. Anonymous Coward
    Anonymous Coward

    This is what you get

    When you still think Windoze is the best.

    It's my personal opinion that if you aren't looking at Linux to replace systems, you're a fucking moron that should be taken outback and shot in the back of the head.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like