Thousands of NHS staff details nicked amid IT contractor server hack The personal information of thousands of medical staff in Wales, UK, were stolen after an IT contractor's server was hacked. Details including names, dates of birth, national insurance numbers and radiation doses of radiography staff were stolen by hackers accessing the UK-based systems of global dosimetry company Landauer. It …
@fruitoftheloon
its up to the trust to ensure their service supplier adheres to all data security standards as if the trust where directly managing the service themselves. They failed to ensure their data was in safe hands. the buck stops at the trust, they can blame whom they want but it was their decision to entrust data in their control with a third party, its up to them to ensure their third party is doing the job properly.
the likely hood is the trust have no clue as to whats involved in securing their data and hoped paying our money to a third party that made the right noises is all that was required. They will likely just pay that same third party more money and hope the problem fades away, still with no idea of what is required to secure our data.
"They will likely just pay that same third party more money and hope the problem fades away, still with no idea of what is required to secure our data."
Just like outsourcing in general then. You can outsource the work and pay the money to some other organisation, but you can't outsource the responsibility, and usually you can't outsource the risk either (that's not what outsourcers do, is it).
News flash even the least-private NHS trusts/boards/CCGs have to work with a lot of private companies and in this case it was the sub contractor of one of those companies (IT supplier to the datacentre) which was responsible for the breach, which was more than likely an automated malware attack using a well known attack vector which WOULD have been blocked if the contractor hadn't disabled malware protection on the server.
The only viable solution would be to have a nationally run monitoring service, which may in the end cost more. From what I gather the cost per trust is fairly small for these dose monitoring badges etc but it's also likely not only to affect NHS but also private companies - who won't tell the ICO.
Think about it, private hospitals and potentially nuclear facilities..
AC,
yup, wifey is a medical physicist, she and her colleagues have these whizzy doo-dah badges that keep track of radioation [wot with all those linear accelerators, and isotopes to hand that are used for cancer treatment]
As to the NHS having a f'ing clue about running it themselves, every trust would do it a different way, with a different supplier, AT MUCH HIGHER COST.
They still insist that all PCs in the trust are kept on 24/7 as there could be a an update that needs dropping on them urgently, I wonder what the marginal cost of 'leccy is for that?
/rant over
"They still insist that all PCs in the trust are kept on 24/7 as there could be a an update that needs dropping on them urgently,"
That's run slightly contrary to their change control management which takes weeks to approve even a simple change.
There's a very good chance the left and right hand aren't aware of each others existence of course.
But why does the monitoring service need names and addresses? Surely a unique ID which links to the staff details held centrally (and the badge ID) is all that's required?
^^ It doesn't but seeing as the unique ID would have to be agreed across NHS Wales, England and Scotland that's a problem, a lot of trusts a lot of boards and a lot of CCGs willing to share data. I agree it's logical but so is the supplier having better IT and information security procedures in place.
They need to track where people work as the radiation dose information has to move with them if they move employer, dangerous stuff radiation.
The unique identify is not agreed nationally, it is agreed by whoever is in control of the hospital's personal dosimetry provision, some of us made certain that the unique identifier was their payroll number, which identifies the individual in the that particular trust but not useable if stolen. For the vast majority of employees there is no need for radiation dose information to be tracked as this is only required by staff who received a high enough dose to be a 'classified worker'. The reason the breach occurred was an employee of the company that provided Landauer with their UK server service did not follow the companies security procedures. The service provided by landauer is actually very good and they are simply a supplier.
It is a requirement that your lifetime dose records are taken. Yes, theoretically you could do it by assigning a separate unique lifetime number that all employers and providers of dosimetry service agree on. In practice, the NI number is it: http://www.hse.gov.uk/pubns/irp2.pdf
Yes, mine too. Also innumerable henchmen who work in secret underground bases in a volcano will also doubtless have had their name and address disclosed.
Meaning, a company that has the means and resources to ensure that something like this does not happen.
Which, subsequently, makes the breach absolutely inexcusable.
Then, of course, comes the laundry list of technical questions, including the most important : was the data encrypted and, if not, why not ?
Given the number of people affected, it would be proper to see the board resign in its entirety regardless of whether there is a proper explanation or not. That, of course, will never happen.
"see the board resign in its entirety regardless"
If resignation doesn't suit them, perhaps they'd like a dose of their own:
https://www.youtube.com/watch?v=A4UxyFuhc9A&t=109
Still, with BannonTrump and MayFarr in charge we don't need to worry about that kind of thing do we.
"The personal information of thousands of medical staff in Wales, UK, were stolen after an IT contractor's server was hacked."
Do you mean the servers were hacked and the records were illegally copied by some unknown entity to an unknown location. What exactly was the nature of the breech and what steps did Landauer take to secure its servers?
Malware installed after anti-malware protection and an "unauthorised firewall change" was made. It seems the firewall change took place some time prior to the attack itself and the malware was your generic get in/copy/try to self-replicate sort so we've no idea if the data has been used or will be.
In truth NHS Wales probably got the same generic BS letter that Scotland and England got, which gave sweet FA detail and then had to chase up the company - only to find out they'd outsourced the handling of the incident to a group of lawyers (Yay america!) who were completely useless when it came to providing information. It took them nearly 2 months to reply to my 5 single questions e.g. Why has it taken you 3 months to tell us our data has been lost?
Anonymous for obvious reasons.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
