Umm...
1. Machines were vulnerable. Due to no investment.
2. Human error. Because everyone is overworked.
3. Upgrades needed. Because the kit is ancient.
Done.
AC for PM?
UK Parliamentary spending watchdogs at the National Audit Office have launched an inquiry into the impact of the recent WannaCrypt ransomware attack on the NHS. Although not aimed specifically at the NHS, the ransomware nonetheless spread across hospital networks, leaving medical staff unable to access patient data, forcing …
Wrong!
1. Machines were vulnerable. Due to no investment - Actually that's down to the previous government (or if the previous government was the same brand, the last government that was nothing to do with us).
2. Human error. Because everyone is overworked. - Something about Brexit and Immigrants and record something or other
3. Upgrades needed. Because the kit is ancient. - IT is our primary focus and we have thrown loads of cash at the usual bunch and achieved loads; look we have a new WordPress site and everything.
4. Vendor lock-in. Look, we're moving from XP to Windows 8, Oracle and a custom DB! No more being tied to IE6 for us!
"Umm...
1. Machines were vulnerable. Due to no investment.
2. Human error. Because everyone is overworked.
3. Upgrades needed. Because the kit is ancient.
Done.
AC for PM?"
Out of my way AC,
1 - apply patches, at no extra cost
2 - get off your arse and apply patches, at no extra cost
3 - The kit's fine. No extra cost.
AC2 for PM?
This post has been deleted by its author
"1. Machines were vulnerable. Due to no investment."
One of the largest and longest booms, where the public sector expanded at an incredible rate and the money thrown at it was at an unsustainable level. Although failed IT systems to replace the previous failed IT system have been a recurring theme for a while now.
"2. Human error. Because everyone is overworked."
Yup. Supporting failed IT projects and terrible systems in a monolithic bureaucracy. I am so glad I don't work in the NHS; their systems do seem to be recurring versions, each worse than the last one.
"3. Upgrades needed. Because the kit is ancient."
See the answer to 1. Interestingly, Tim is running some interesting articles on Forbes at the moment concerning public sector spending. He also does a few concerning underinvestment by government because it isn't flashy to maintain something and the money is promised to other 'gifts' to the electorate.
"This investigation will set out the facts about the cyber-attack’s impact on the NHS and its patients; why some parts of the NHS were affected and others were not; and the roles and responsibilities of key stakeholders and how they responded to the attack."
The investigation will cost millions, be delayed for years, determine nothing and hold no one responsible for anything.
The NHS is incredibly interlinked.
Indeed. And I was fairly shocked to discover (in a previous life, far, far away) that N3 links were very often not firewalled.
Being a paranoid sort, and despite having a 3rd-party N3 link (so quite restricted in access), I nevertheless made sure we had a firewall (even if it was a Cisco PIX box - that was all I had) to manage traffic.
Chatting to some of the BT engineers was fairly instructive - quite a few installs they had done had the N3 router feeding directly into the LAN on-site. The N3 WAN was seen as "Trusted".
That was 10 years ago, so things might have changed.
shirley the NHS email system could run sanitisation software so that all incoming emails are stripped of attachments and in-body links, and the body converted to text.
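One way to build the inbound sanitiser the comment above describes, as an added example that is not part of this thread and not any NHS or NHSmail code: it parses a message with the Python standard library, keeps only the text body (flattening HTML to plain text, which also discards every href), replaces any bare URLs left in the text with a marker, drops every attachment, and records what was dropped in a header so the recipient at least knows something was removed. The sample message, the `X-Sanitised` header name and the `[link removed]` marker are constructed for the example.

```python
"""Inbound e-mail sanitiser: drop attachments, strip links, flatten body to text.

Added example for the thread above, not code from the original page. Uses only
the standard library; the sample message below is constructed for the example.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Bare URLs that survive in plain text (hrefs are already gone after flattening).
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://\S+|\bwww\.\S+")
LINK_MARKER = "[link removed]"  # assumption: marker text is our choice


class _TextExtractor(HTMLParser):
    """Collects visible text from HTML; ignores markup, script and style."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "li", "tr"):
            self._chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag in ("p", "div", "li", "tr"):
            self._chunks.append("\n")

    def handle_data(self, data):
        if not self._skip:
            self._chunks.append(data)

    def text(self):
        return "".join(self._chunks)


def html_to_text(html):
    """Flatten an HTML body to its visible text (all links and scripts dropped)."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def strip_links(text):
    """Replace any bare URL in plain text with LINK_MARKER."""
    return URL_RE.sub(LINK_MARKER, text)


def sanitise(raw_bytes, preferencelist=("html", "plain")):
    """Return (sanitised text/plain EmailMessage, list of dropped parts).

    Only one rendering of the body is kept; every other leaf part that is not a
    text alternative of the body (attachments, inline images, etc.) is dropped.
    """
    msg = email.message_from_bytes(raw_bytes, policy=default)
    body_part = msg.get_body(preferencelist=preferencelist)
    dropped = []
    for part in msg.walk():
        if part.is_multipart() or part is body_part:
            continue
        ctype = part.get_content_type()
        if (part.get_content_disposition() != "attachment"
                and ctype in ("text/plain", "text/html")):
            continue  # alternative rendering of the body, superseded by body_part
        dropped.append(f"{ctype} {part.get_filename() or '(no name)'}")

    body = ""
    if body_part is not None:
        body = body_part.get_content()
        if body_part.get_content_type() == "text/html":
            body = html_to_text(body)
        body = strip_links(body)
    body = re.sub(r"\n{3,}", "\n\n", body).strip() + "\n"

    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            out[header] = msg[header]
    out["X-Sanitised"] = f"attachments-dropped={len(dropped)}"  # assumed header name
    out.set_content(body)
    return out, dropped


def build_sample():
    """Constructed sample: text + HTML alternative with a link and script, plus an .exe."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "clinician@example.org"
    m["Subject"] = "Invoice attached"
    m.set_content("Plain fallback. See http://example.com/pay for details.")
    m.add_alternative(
        "<html><body><p>Please <a href='http://evil.example/pay'>click here</a>"
        " to pay.</p><script>alert(1)</script></body></html>",
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00fake", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    clean, removed = sanitise(build_sample())
    print(clean.as_string())
    print("dropped:", removed)
```

The reply below about the CAT scan that never arrives is the real operational cost of this design: the filter is content-blind, so the X-Sanitised header (or a quarantine keyed on it) is the only thing telling the recipient that a legitimate attachment existed. A deployment would route dropped parts to a quarantine rather than discarding them.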
I'm sorry, Mr Woodnag, but the X-Ray Department is having problems sending me your CAT scan. They've tried a dozen times now, but the attachment doesn't show up.
Perhaps you could come back tomorrow.
Well, an inquiry will be a complete waste of time and tax-payer funding.
We already know everything that an inquiry is going to tell us. We know that Windows XP is out of date, we know that patch management was insufficient, we know that appropriate control measures weren't in place, we know that management of NHS IT is inadequate and so is the money allocated to it. More to the point, we already know what steps need to be taken to resolve these issues.
What the NHS really needs is for someone to go out there and actually pull out their cheque book and invest properly.
"someone to go out there and actually pull out their cheque book"
That someone is the taxpayer, i.e. me. I am also asked to restore student grants, double the size of the armed forces, spend billions on roads, spend billions on guards for driver-only trains, and pay for everybody's grandma to live in a hotel.
Which should I do first?
"Which should I do first?"
Unfortunately some people think all and more and yesterday. Often as long as someone else pays. Everything is of absolute importance until the bill needs to be paid then suddenly the silence kicks in. I do wonder how people have forgotten the lessons of socialism over the many attempts and total failures.
But there seems to be another wave of entitled who want to spend spend spend so I am very sorry friend but people like me and you are going to have to either hide our wallets or have them robbed in the name of the latest fashionable term (e.g. fairness, community, morality, communism, maoism, stupidity).
Sorry, but I logged into two geographically separate NHS sites via N3 on Monday and both were infected (one in North Wales & one in East Anglia).
I advised the relevant IT contact and was told that the issue was fixed!
So I logged out and asked for the VMs to be sanitised and updated
(The servers are running clinical imaging databases)
I was asked to 'not tell my boss' (which BTW is ME)! so I didn't tell myself
When I logged back in today, both servers are still infected, and the databases have crashed
Based on the DB size and local storage, both servers are completely screwed, so obviously any clinician doing any image storage was off work.
Anon just in case
> I advised the relevant IT contact and was told that the issue was fixed!
You work in/with NHS IT and this surprises you? I'm guessing the systems in question were one of the following:
1. Not known about by IT
2. Known about by IT, but the "business owner" was someone else (i.e. Somebody Else's Problem - we've done everything we can at our end guv)
3. "Fixed" by following some script, but no-one bothered to validate, monitor, or close the security hole afterwards.
Let's wait for the inquiry to find out if it was the end-of-life OSes that were affected...
The NHS had a massive task to update old applications and systems to move off WinXP and they have made progress (I'll leave it as an exercise for the reader to decide if the progress is good/bad/sufficient). If the older systems had been effectively isolated and weren't hit, that leads to a very different conclusion to the Windows XP
While I don't doubt the NSA is the cause, patches were already available for the issue. Why weren't they applied and how can the NHS address these deficiencies in a way that avoids the impact that we saw with WannaCry.
Finally, MS having Windows XP/Windows 2003 patches that weren't released prior to WannaCry is also dubious in my opinion - while they didn't have to patch these, the severity of the bug, the public disclosure of the bug and the length of time that the compromise was present suggest the patches should have been publicly released as soon as they were tested.
After years of deliberation, paper shuffling, and jolly damn good dinners, the inquiry will
1) Avoid any blame whatsoever falling on the persistent and deliberate under-funding of the NHS in pursuit of the Tory privatisation agenda
2) Ignore the good practice of all those NHS Trusts that *weren't* affected by WannaCrypt (most of which is just standard industry good practice anyway)
3) Pay billions to the usual suspects (Fujitsu, Siemens, Capita, etc) for an inadequate 'solution' that will create a single point of attack and/or add another standard on top of all the other standards (https://xkcd.com/927/).
AC as, obviously unlike most commentards, actually working in the sector
"Avoid any blame whatsoever falling on the persistent and deliberate under-funding of the NHS in pursuit of the Tory privatisation agenda"
sorry AC but my local health trust is in financial difficulties almost entirely due to Mr Brown's PFI initiative, which nearly bankrupted it.
Not that you'd know, from the Socialist Worker posters up on the noticeboards talking about evil Tories (including one particularly memorable one last time I was there - that had a large bandage stuck on top of one word just so you'd pay extra attention to the word that rhymes with Hunt). Disgraceful patient noticeboards used for political propaganda - even worse when it's inaccurate political propaganda! Not saying Tory policy even remotely ideal, but the Labour govt responsible for way more than half of that trust's problems, with effects felt daily, ten years after they did it.
to the Head of the Enquiry, pointing out or asking the following.
If you don't have source code to an OS you will have to upgrade on their support schedule, unless you are prepared to spend a lot more money. This will happen regardless of OS supplier.
Why are applications not just written to run on a particular OS (when their main UI is web based, which should be supportable by any browser) but on a particular version of that OS and its browser?
Why don't NHS contracts for specialist software, or computer controlled machinery, include clauses to require suppliers to plan in for migration to newer versions of an OS, or to encourage a server/browser model? Windows 7 is already 2 versions behind Microsoft and that will only get worse.
Software migration is inevitable. Why does there appear to be no planning for it within the NHS, either centrally or at Trust level? If it is going on, why do so few trusts seem to be doing it?
Is it possible to say how many PCs the NHS actually has? How many of them need to be able to run MS Office directly, rather than on a central server? How many of them have to be able to generate Office documents?
It is easy to write a Requirement spec that says the software shall be compatible with future upgrades to the OS and the toolchain.
It is easy for the supplier to assert in a "design document" that the software will be compatible ...
When the upgrade comes you find that actually no thought was put into the design of the product and how it might be updated. Too many "design documents" are nothing more than a restatement of the requirements.
Years ago, when I tried to get authors of design documents to explain how rather than to state what, I was told by management to stop obstructing the project plan.
I did not explicitly state but assumed that such contracts would have "penalty" clauses for failing to plan this in and acceptance tests based on the next version of the relevant OS.
My apologies for not being explicit.
None of them NEED to generate MS Office documents.
As a large quasi government body, ALL documents should be produced using open standards that will survive death of the software provider - which means OpenDocument format - the well defined ISO standard.
There should be a systematic campaign to sack anyone specifying closed document formats for anything remotely relating to the general public, or for documents intended to last more than 12 months.
You are aware that MS gamed the ISO standards process so they could claim a version of MS Office documents is "ISO compliant" ?
No it's BS but they have actually done that.
The question of course is whether MS Office reads such documents, because that's the other side of this seesaw.