NHS could have 'fended off' WannaCry by taking 'simple steps' – report

The UK health service could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings about falling victim to a cyber attack a full year before that incident happened. This was among the findings of an investigation by Blighty's National Audit Office, which today …

  1. Anonymous Coward

    Nice to see the bell ends at the NAO including whether the NHS trusts could afford to take those simple steps and that is the issue.

  2. James 51

    Any chance they could include backups and testing a system restore?

    1. Elmer Phud

      but where does the money come from --

      Oh, the numerous failed attempts of doing it all on the cheap but spunking the dosh on 'guaranteed' bonuses - no matter how much of a total fuck-up was made.

      BUT they will STILL blame the 'NHS' and not the ministers who wrap chains around one pot of money while encouraging their mates to have a dip (or two, or three)

      1. Mr Dogshit

        RE: "but where does the money come from"

        What money?

        WSUS = £0

        Configuring a firewall properly = £0

        1. Anonymous Coward

          Re: RE: "but where does the money come from"

          Sure, let's go with £0, they could always get a Nurse to do it.

        2. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

          Re: RE: "but where does the money come from"

          <quote>Mr. Dogshit

          What money?

          WSUS = £0

          Configuring a firewall properly = £0</quote>

          Awesome, hey everyone, he's offering to do it for free! Across the entire NHS!

          Well, you know what they say, you get what you pay for. Shit, in this case. Literally in fact, judging by the commentard's name.

          1. Martin Gregorie

            Re: RE: "but where does the money come from"

            That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.

            1. James 51

              Re: RE: "but where does the money come from"

              @Martin, sometimes it's the equipment that the stuff is hooked up to e.g. MRIs, PET scanners, digital x-rays etc etc and if they can only talk to other out of date stuff, you need to keep that out of date stuff at least as middleware.

              1. Martin Gregorie

                Re: RE: "but where does the money come from"

                So, if the makers of MRIs, PET scanners etc can't or won't upgrade them, put an airgap round said devices and the out of date stuff they talk to as an interim measure.

                I know that purveyors of various medical devices have traditionally been, ahem, lax about system security. Others might prefer to call it "wilfully negligent" but I couldn't possibly comment. That said, more general publicity on this topic outside the medical and IT communities together with the odd sueball and much more attention to security on the part of purchasers should get their attention.

                1. wallaby

                  Re: RE: "but where does the money come from"

                  "I know that purveyors of various medical devices have traditionally been, ahem, lax about system security"

                  It's got nothing to do with being lax or otherwise. Sometimes these systems won't work with more modern operating systems full stop. I have an SEM that has 2 PCs attached to it, one is XP SP2 - if you try and put SP3 on it breaks the software - these things are so finicky that even putting both PCs on a strip plus so that they share the same earth will cause them to not function properly.

                  The manuf doesn't make software on a newer platform for the SEM, so my options are to spend in excess of £300k on a new instrument or keep the XP SP2 machine running. As I have an out of date OS on the networks it's my responsibility to make sure it doesn't cause issues - I isolate it from the internet and VLAN it so it can't see any other parts of my network nor they it. I spend a few quid on software to prevent USB sticks working in it (or baulk them myself by killing the drivers or tweaking the registry) and I'm as safe as I can be.

                  If I let it face the outside world and let users loose on it to read emails or Facebook or websites in gen'l then I deserve everything I get.

            2. RW

              Re: RE: "but where does the money come from"

              "That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision."

              Won't happen. Surely you know that once elevated to the ranks of management, one is untouchable.

              1. Terry 6 Silver badge
                Joke

                Re: RE: "but where does the money come from"

                Deputy-heads will roll. (As they say when the BBC screws up).

            3. Mark Dempster

              Re: RE: "but where does the money come from"

              >That's easy: instant dismissal for all managers who should have sorted out security but didn't. And their bosses for slack supervision. The NHS is top-heavy with useless management anyway, so the savings made by sacking them will more than pay for replacing outdated PCs.<

              I'm afraid that just shows that you don't really understand the issues here.

          2. This post has been deleted by its author

            1. EnviableOne

              Re: RE: "but where does the money come from"

              Every sysadmin in the NHS would love to have the time to do this.

              They are too busy trying to get all the outdated systems to talk to each other or monolithic integrated systems to retain their delicate balance that keeps them on while still working just about for the user, while at the same time trying to deal with the all important users, changing regulations and unexpected new systems some department has decided to adopt without any change control.

              All of this on stick thin budgets and about 1/10th the staff of an equivalent sized private organisation.

      2. Dan 55 Silver badge

        It was done this morning.

        The NAO report named the Department of Health and the NHS, but since the security minister went on Toady Programme it's all been about the NHS and how lazy they are. Oh, and it was probably Norks, as usual.

        1. Chris King

          There seem to be lots of reports coming out at the moment damning the NHS.

          It's as if someone's trying to say "look, the NHS is failing, but ignore the man behind the curtain screaming that we're starving it of funding - everything will be SO much better when we sell it off to our private sector chums for a fraction of what it's really worth !"

        2. Anonymous Coward

          "The NHS" isn't even a real thing. Services are delivered by an unholy mess of CCGs, local authorities, "Vanguards" (yes, really), GP practices and hospital trusts, with little to no geographical or organisational sanity in place.

          Thanks for that by the way Lansley.

          The only body with any kind of claim to being "The NHS" is NHS England, which is a relatively small policy-and-coordination shop sitting directly under..

          The Department of Health.

          Blame the DoH. Blame the minister. Blame his and his predecessor's relentless drive to cut every penny out of the NHS they could.

          1. Anonymous Coward

            >Blame the DoH. Blame the minister.

            This. This a thousand million times. DoH is (in my opinion) institutionally corrupt and essentially run as a profit centre by the big providers

          2. Anonymous Coward

            "The NHS" isn't even a real thing. Services are delivered by an unholy mess .....Thanks for that by the way Lansley.

            Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012, including the creation of trusts, CCGs, "Agenda for Change" and all the rest. The same bunch of dung-heads who committed to the large and humiliatingly failed NHS IT programs, and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.

            So, feel free to blame the Tories, but unfortunately the current structure, performance, IT, and funding arrangements were directly and indirectly the work of the Labour party.

            1. Anonymous Coward

              and the same bunch of dung-heads who committed about £70bn of health service money to poor value PFI contracts.

              And this very day, Labour MP Meg Hillier, who chairs the Parliamentary Public Accounts Committee, has announced how shocked she is that most of the current PFI "asset owners" are tax dodging international finance houses. Apparently, although the international tax treatment hasn't materially changed from the last Labour government's time in office, "these companies are clearly profiting and paying no UK tax. I don't think that was ever envisaged when PFI was established."

              So stitch that, Guardian reading knobs. Your preferred government created this stinking mess, and now in opposition it wrings its feckless, limp wrists and condemns the very practice that it followed

            2. JamesPond
              Thumb Down

              "the current structure of the NHS is almost entirely the work of one Tony Blair"

              Let's get this correct,

              NHS Trusts started in 1990

              PFI contracts started in 1992

              CCGs were created in 2012.

              Labour were not in power in any of these years.

              NPfIT / CfH was a Labour initiative and whilst it produced some good systems (for example national PACS, ePrescribing), it was not overall good value for money, too top-heavy, the contracts were rushed and there was no accountability.

            3. JulieM Silver badge

              Tony Blair

              Would that be the same Tony Blair who was no longer Prime Minister in 2008, and whose party was not even in Government from 2010?

              1. Danny 14

                Re: Tony Blair

                I find it cute he thinks the NHS is one homogeneous network with a clear chain of management.

            4. Mark Dempster

              >Let me correct you. My other half has been in the thick of the unholy mess for some years now, and the current structure of the NHS is almost entirely the work of one Tony Blair and his ministerial sycophants, in a series of changes from 2008 through 2012,<

              You do realise that the Tories took over in 2010? And one of the first things they did (after promising not to) was to start a top-down reorganisation of the entire setup?

              I used to work in the NHS, and I still do bits of consultancy for them.

      3. Primus Secundus Tertius

        @Elmer

        The money won't come from anywhere until the beancounters' own machines are hacked. Why should they listen to what they regard as unfounded claims designed to grab more of the budget?

    2. Anonymous Coward
      Linux

      Backups and testing a system restore ..

      @James 51: "Any chance they could include backups and testing a system restore?"

      It would be simpler for the NHS to maintain its own distro and roll out patches and upgrades itself, something like NHSbuntu.

  3. Anonymous Coward

    They will not learn

    The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions. This needs to change...

    1. Steve Davies 3 Silver badge

      Re: They will not learn

      The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions without a hefty price tag and 6-9 months of thumb twiddling, spec writing and procrastination (we can't get the staff you know) per patch. This MUST change.

      There, fixed it for you.

      Sometimes, I'm sure that some of us oldies wish for the days of IBM green Screens/3270 and the rest. Life was a lot simpler in those days. I'd guess that even today Z/OS is inherently more secure and robust than any Windows system could ever be. Sigh.

      Now where's my zimmer frame :) :) :wink:

      1. m0rt

        Re: They will not learn

        In terms of information retrieval and input regarding text, that is still a far better solution. That or an ISeries or whatever they calls the AS/400 these days. I5?

        Even if it is a terminal emulator on <insert your OS here>, it would still mean core records are fairly safely stored, accessible and not at the same risk levels. "Shit, WannasobII is here, break out the 3270s guys"

    2. JamesPond
      WTF?

      Re: They will not learn

      "The NHS will continue to do business with software suppliers who will not allow you to add the latest Microsoft security patches to their supported versions"

      That is easy to say but what is the alternative? Upgrade the servers and workstations to the latest patch without validation? Ok if you are dealing with a desktop running a spreadsheet or wordprocessor. More risky if you are dealing with a workstation that has software manipulating patient data that if it breaks down, or worse, manipulates or displays data in an incorrect manner, could lead to patient safety being compromised.

      Would you be prepared to certify Microsoft's zero-day patch will not affect your clinical software without first going through validation testing?

      I worked on NHS clinical messaging systems for BT that used Microsoft Exchange 5.5 with x.400 messaging as the underlying routing platform. Microsoft released a patch and I found in our test lab that MS had introduced a bug so that in certain circumstances messages could enter an infinite loop and cause the server to crash (in x.400 a message should only loop 255 times before being non-delivered but Exchange was incorrectly re-writing the message ID in the e-mail header so the server couldn't recognise that the message had been received previously). We reported this to MS and stopped NHS sites installing the patch. Without this testing, many NHS end-sites could have been down for days whilst they restored their systems from scratch.

    3. EnviableOne

      Re: They will not learn

      Despite the government's assertions, there is no such thing as the NHS.

      There are 241 separate NHS trusts that try to get the best deal they can with no backing from the centre

      and any economies of scale or central contracts have been killed (to get the headline off the DoH budget)

      any one of these trusts can try fix it or we go elsewhere, but GE, Siemens, Philips, Agfa are too big for one trust to affect them and the smaller companies you haven't heard of, quite often have nigh on monopolies in their specific area, so if you need this tech you have to use them.

  4. Anonymous Coward

    Easy to mitigate

    -Patch your o/s monthly

    -Regularly patch your Apps that open files (word/pdf etc) regularly

    -Don't run an o/s or app that is no longer in patching support

    -Don't let Apps connect to the internet to pull down their own updates in an Enterprise environment - test updates in a sandbox first then use your software deployment tools to push out tested updates

    -Run anti-virus & update hourly and AV scan on demand all files

    -Scan incoming email using AV and block .exe attachments

    -Scan and block sites when web browsing using a web proxy and AV scanner

    -Set web browsers to block adverts and flash

    -Use a localhosts file to sinkhole malware and advert sites to 127.0.0.1

    1. Elmer Phud

      Re: Easy to mitigate

      Spend some dosh on competent IT staff rather than guaranteed bonuses and rises for the 1%?

      1. JulieM Silver badge

        Re: Easy to mitigate

        The NHS is big enough, and its use cases are special enough, to have its own dedicated IT team maintaining its own preferred (read: iron-fistedly enforced) software distribution. In times when the NHS's own computers are running smoothly, they could probably even take on outside work to keep themselves busy.

        Even Sun Microsystems acquired their own office suite and database server so they did not have to pay money to, and rely on the co-operation of, Microsoft.

    2. techdead

      Re: Easy to mitigate

      easy to say, much more difficult to implement in a huge organisation like the NHS, with public money, lack of resource, i.e. IT slaves to do the donkey work, get down time scheduled, manage staff, pay overtime etc., etc. - hard enough in the private sector ("can you do this overnight instead of at the weekend? we don't want to pay your team overtime but they can go without sleep instead"), never mind in a huge public entity

    3. Gra4662

      Re: Easy to mitigate

      "Patch your o/s monthly".... oh, the system supplier won't allow you to, citing that their system is a medical device, not a computer system

      1. Doctor Syntax Silver badge

        Re: Easy to mitigate

        "oh, the system supplier won't allow you to, citing that their system is a medical device, not a computer system"

        Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state. It's time that whole arrangement was looked at again. Should certification lapse after some interval unless equipment has up-to-date patches?

        1. Anonymous Coward

          Re: Easy to mitigate

          Which makes a big difference because it carries certifications against it in its original state and it costs time and money to recertify it in its patched state.

          OK. We are where we are, water under the bridge and all that.

          But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years? I'm not suggesting that it be maintained free of charge in perpetuity, simply that when they sign the contract for some long life hardware, they give some serious thought to how it will work when the OS is out of support.

          1. Anonymous Coward

            Re: Easy to mitigate

            You won’t be buying anything anytime soon. Software companies are completely inept. Inept to the point where some very big players won’t certify minor point updates of OSs for security applications even though there are known vulnerabilities in them.

            The software industry is an utter shambles.

          2. Anonymous Coward

            Re: Easy to mitigate

            But the contract will probably have been signed by procurement specialists working on the advice of clinicians. No-one actually speaks to IT until the thing is about to be implemented, by which time it’s too late!

          3. Doctor Syntax Silver badge

            Re: Easy to mitigate

            "But looking to the future, can I assume that the NHS will be refusing to buy software tied to current versions of an OS likely to be obsolete in something like five years?"

            It's not a matter of buying S/W alone. It's the complete package of H/W, the custom S/W that works with it (not only the user applications but also drivers) and the underlying O/S.

            The driver bit is a particular problem if you're relying on the manufacturer to update it. After all, they're relying on the underlying O/S driver model not to change in 5 years. Is any OS vendor going to guarantee that? If, for instance, the OS implements vendor signing of the driver that might sound fine now if they've signed the existing driver. But in 5 years time they may simply refuse to sign all 3rd party drivers.

            You also rely on all the parties in what might be a long chain of specialised bits & bobs that went into the device's BoM to play along or even to exist years into the future.

            TL;DR It really isn't that simple.

    4. 97browng

      Re: Easy to mitigate

      How simple it is, I don't know why it has not been done.

      Apart from you have a piece of software that has not been updated for years because it is vitally important yet nobody has the money to upgrade it.

      You cannot put the latest patches for other software/OS on because it will break this very important piece of software. You tell the relevant people you need to update the software and OS to stop a potential security breach but this will break the software. The answer you always get back is 'if it stops working a child might die'.

      And that is where the argument ends, a potential security breach VS a child dying. Yes we all know that the potential security breach could in turn mean all systems are down and more risk to people but it never works.

      Testing in a sandbox is so easy. Ohh wait we support 700+ applications, who is going to test them all, with all possible iterations. It is not possible.

      Add to this that a lot of the software used is very niche and only ever made by one company and you are caught by the short and curlies. You know it is not 'secure' yet it is the only thing that can do what you need.

      Why not make your own software then? Ok we will just hire some more staff to do it (with the imaginary money tree) and then find out that it cannot integrate with what everyone else is using so it is no use.

      I don't work for the NHS (or in the security team) but local government and we get it all the time. People working for either small companies or those that use a very limited amount of applications and need little integration with anyone else have no idea. Try working for the government or NHS where ICT has very little power or budget and has to support hundreds of critical applications that are made by a plethora of suppliers.

    5. Phil Endecott

      Re: Easy to mitigate

      "152 Simple Steps to Stay Safe Online"

      https://www.theregister.co.uk/2017/10/24/googles_security_advice_we_dunno/

      1. Danny 14

        Re: Easy to mitigate

        Then you find oncology devices that cost millions and only work on XP, or BMS systems that only work on Win2k (yep! Preston hospital, I'm looking at you). Granted, the BMS was VLAN'd and not routed. The best you can do is VLAN or partition off on a private physical network.

        In an ideal world everything will be patched and upgraded. In the NHS the funds aren't there, or worse still, contracted out so you aren't allowed to touch it.

        1. herman

          Re: Easy to mitigate

          Use VLANs and create Data Diodes allowing movement of data one way only between VLANs. This is not rocket surgery.

    6. anthonyhegedus Silver badge

      Re: Easy to mitigate

      Are you trolling?

      1. Anonymous Coward

        Re: Easy to mitigate

        It's a pity the Reg doesn't have threaded comments.

        I'm with the OP up there who said WSUS and patching were free and got ridiculed.

        What he meant was that it is already in place and paid for and has staff to operate it, also paid for.

        They just didn't push the right buttons, through laziness or inertia.

        This entire thing was down to specific patches released 3 months earlier that plugged the SMB vulnerability not being installed. Nothing more, except they could also have used a decent firewall instead.

        What I want to know is what the annual pen tests said, over the years, and how many of the issues raised were acted on.

  5. Anonymous Coward

    Governments everywhere are the same. The Pols and Burs in charge like to use massive companies as buying from them can guarantee an easy, post last career, income with a company that supplies some service to said software giants.

    Hire a number of OpenBSD developers/system admins, or other Open Source systems people, and get some real expertise in place to secure the networks. (I reference OBSD as I follow its news, others would do.)

    Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required.

    There is the above issue and, in Canada, the Phoenix Payroll System.

    http://www.cbc.ca/news/canada/ottawa/senate-replacing-phoenix-new-payroll-system-rfp-1.4371269

    1. Doctor Syntax Silver badge

      "Surely, Government Departments have the buying power to have hardware manufacturers give up hardware details so that proper drivers can be written when required."

      Medical equipment has to be certified as safe and effective in the markets in which it sells. The NHS is probably not going to be counted as a big enough market to make manufacturers see some UK-only spec. as being worth spending time and money on pandering to; at least not unless they charge a great deal extra for it.

      A better bet would be to pressure the certification authorities to ensure that in order to remain certified equipment has to be maintained reasonably up-to-date. Of course that would be easier if we were part of a larger market such as the EU but in order to make an extra £350m a week available for the NHS (as Boris still seems to insist on) we won't be.

      The likelihood is that imposing a draconian regime of that (or any other) nature would simply result in a good deal of existing equipment being orphaned by the manufacturer declaring it EoL or simply closing down altogether.

  6. Headley_Grange Silver badge

    Easy Isn't It

    In a similar vein, the NHS could improve the lives of thousands of people by doing their operation tomorrow instead of making them wait. All they have to do is operate on them.

    Wow, who knew that making things better could be so easy.

    1. Anonymous Coward

      Re: Easy Isn't It

      Wow, who knew that making things better could be so easy.

      If you think about that from a workflow perspective, it is actually much easier than the NHS make out.

      From time to time queues build up, that's life. But if you can't clear them, then by definition they build towards infinite length, until they are limited by patients dying before treatment. We have a bit of that, but not much, so on average the NHS is treating people at the rate that new cases arise. With a bit of better resource planning, getting the queues down isn't that hard, it's just some basic maths.

      I'm sure the doomsters will object violently to this post, whining endlessly about how the Tories are to blame for everything but that's the reality. Either you have ever increasing queues, or you at some point have to match the treatment volumes to the new case origination rate. And if you can do the latter, then the simple trick is to do that sooner, before you build up this huge backlog. Everyday production companies address and resolve this problem, the NHS could do a whole lot better - as one example, if they are importing international locums, make them into a mobile task force, instead of doing it at the individual trust level.

      1. Charlie Clark Silver badge

        Re: Easy Isn't It

        If you think about that from a workflow perspective, it is actually much easier than the NHS make out.

        Yeah, just get out your stop watch and do a time and motion study… Funding for the NHS has been cut in real terms since 2010 and due to cuts elsewhere in social care some hospitals have seen significant increases in their workload without a commensurate increase in resources. And there's them Europeans who're leaving the service after everything Blighty has done for them.

      2. Headley_Grange Silver badge

        Re: getting the queues down isn just some basic maths

        "With a bit of better resource planning, getting the queues down isn't that hard, it's just some basic maths."

        The maths is easy, but the numbers that go into the maths are a tad more difficult to come by. It takes 7 to 15 years to train doctors and surgeons. It takes 3 to 10 years to train a nurse. How many hip operations will be needed in ten years' time? How many critical care beds and nurses will be needed? How many social care beds, etc., etc.? We need those numbers, and all the other ones, together with the way we distribute them around the country, and some definitions for standard work. Then the maths is easy and we can start working today to feed the right number of trainees into Uni and building the hospitals to have the right capacity in the NHS in about 10 years' time. As long as the spec. doesn't change.

        Sure, you could manage the NHS like a production line or a project and I'm sure that a Friday night pubstorm could come up with the treatment equivalents of MRP, pull, flow, kanbans, buffers, scrums, sprints, EV, etc. (pick your buzz space). Maybe the hospital could hold a stock of healthy grans so that when they haven't got the capacity to treat yours they could just send you home with a healthy gran from the buffer stock :-)

        Anyone really interested in this subject should try to get hold of "Transforming Health Care" by Charles Kenney.

        1. Doctor Syntax Silver badge

          Re: getting the queues down isn just some basic maths

          "The maths is easy, but the numbers that go into the maths are a tad more difficult to come by."

          The easiest thing of all, once you get into lead times of 5 years and over, is to kick it all down the road into the next government's territory.

  7. Martin an gof Silver badge

    What went right elsewhere?

    This attack seems to have hit England hard, but not the other devolved areas - my wife works in the NHS in Wales and although they did endure some "lock down" (emails in particular were blocked for a while) they didn't have the major disruption seen in England. Wales is just as cash-strapped as England, so what did they do differently?

    Also slightly annoyed to hear an "expert" on Today this morning basically blaming XP, when in this instance it appears as if it was W7 that suffered the most.

    M.

    1. iron Silver badge

      Re: What went right elsewhere?

      It would be nice if the article used correct and consistent terminology. It starts off talking about NHS England but then lazily falls into talking about the UK. As you say Wales did not seem to be as badly hit and they are part of the same NHS as England. Then you have Scotland which has its own NHS with different policies and practices.

      El Reg journos - THERE IS NO NHS UK!

      1. Martin an gof Silver badge

        Re: What went right elsewhere?

        Wales did not seem to be as badly hit and they are part of the same NHS as England

        No they are not. Health is one of the devolved areas and NHS Wales is completely separate (as far as I'm aware) from NHS England. From what I see, the structure is a lot "flatter" than in England, with seven Local Health Boards, rather than innumerable tiny bodies.

        Funding, however, is subject to the whims of the UK government which effectively means the English government. Health is one of those areas where it sounds as if Welsh (and Scottish etc.) MPs should not have a say on English policy (the so-called West Lothian question), but as I understand it the Welsh government grant as calculated by the somewhat out-of-kilter Barnett Formula is directly related to spending in England, thus if English MPs decide to reduce NHS funding in England, a proportional amount is removed from the Welsh Government grant, even if the policy in Wales is to maintain or increase funding for the NHS. Money then has to be transferred from other budgets.

        Education is another devolved area where the structure is different in Wales to England.

        M.

        1. Anonymous Coward
          Anonymous Coward

          Re: What went right elsewhere?

          somewhat out-of-kilter Barnett Formula is directly related to spending in England, thus if English MPs decide to reduce NHS funding in England, a proportional amount is removed from the Welsh Government grant,

          England has the lowest per capita health spending in the UK, and the lowest per capita public spending in general. Personally I'd be more than happy to give the Scots the independence some of them crave, and to FORCE independence on Wales. Be interesting to see how the Scots and the Welsh would cope with that.

          1. Danny 14

            Re: What went right elsewhere?

            probably quite well without the huge pork barrel defence budget.

          2. Anonymous Coward
            Anonymous Coward

            Re: What went right elsewhere?

            Scots would likely be OK (and I'm a Scot against independence), if they get in bother just give Russia a shout, they'd love to station some boats in the deep waters up north no doubt.

      2. Doctor Syntax Silver badge

        Re: What went right elsewhere?

        "As you say Wales did not seem to be as badly hit and they are part of the same NHS as England."

        No. They even keep separate records of the GPs working in Wales. I discovered a whole bundle of fun around that when I was trying to keep a unified database for a service provider. A GP moving from one English practice to another or one Welsh practice to another wasn't too bad. But when they were going to move across the border..

  8. ThePhantomBovine

    It's all so simple..

    GPs could take the simple step of seeing their patients. Surgeons could take the simple step of operating on all the patients on their list. Consultants could take the simple step of seeing and treating all the patients on their list. Domestics could eliminate hospital outbreaks by taking the simple step of cleaning the hospital. You could go on indefinitely with gross oversimplifications of 'what was needed', but as always the prerequisites to achieving the 'simple' steps are usually not as straightforward. All departments within hospitals are plate spinning, and when one of those plates falls, it's all too common to see scapegoating of those with no control over the number of spinning plates because it all comes down to money and power over how it is spent.

    1. tfewster
      Facepalm

      Re: It's all so simple..

      Sure, but if you're spending money on triaging, queue management systems, backlog reporting etc. you're addressing the wrong problem - put that money into healthcare instead!

      Oh, and using the cases of specialised clinical systems and scheduling server patching as excuses for not patching desktops doesn't wash. ("NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems.")

  9. Amos1

    None of the comments directly touched on the initial infection vector so here it is: STOP PUTTING YOUR SERVERS DIRECTLY ON THE INTERNET.

    Shodan showed that both NHS and Telefonica had servers with every default port open to the Internet, including SMB. Perhaps some well-meaning obsolete not-competent-for-this-position manager overrode the techies with a "But the file share requires a username and password so just do it!"

    1. sebbb

      The big thing on the spreading of malware is not really servers facing internet, but the N3.

      You see, N3 is a giant private WAN with 10/8 addressing with a whole bunch of ports wide open between NHS bodies (including SMB 139). Private companies (like the one I'm working for) connecting to N3 must have separate firewalling in place. In fact, we were not affected at all and were still able to access data on the ERS just fine.

    2. Anonymous Coward
      Anonymous Coward

      "None of the comments directly touched on the initial infection vector so here it is: STOP PUTTING YOUR SERVERS DIRECTLY ON THE INTERNET."

      Couldn't have said it better. If you want your systems hacked then stick them on the interwebs.
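
The firewalling point raised in the comments above (SMB reachable from the Internet, and SMB port 139 open across a shared 10/8 WAN) can be checked mechanically against an inbound rule set. This is an added example, not code from the article or from any commenter; the rule format, the site range 10.20.0.0/16 and the function name `smb_exposure` are assumptions made up for illustration.

```python
import ipaddress

SMB_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP
SHARED_WAN = ipaddress.ip_network("10.0.0.0/8")  # WAN range named in the thread

# Constructed first-match-wins inbound rules: (action, source CIDR, low port, high port)
RULES = [
    ("allow", "10.20.0.0/16", 445, 445),  # file sharing inside our own site (assumed range)
    ("allow", "10.0.0.0/8", 135, 139),    # rule opened for a partner body
    ("deny", "0.0.0.0/0", 445, 445),
    ("allow", "0.0.0.0/0", 445, 445),     # dead rule, shadowed by the deny above
    ("allow", "0.0.0.0/0", 137, 139),     # legacy NetBIOS rule open to any source
    ("deny", "0.0.0.0/0", 1, 65535),
]

def smb_exposure(rules, own_site):
    """Return (rule index, source, SMB ports, scope) for inbound allow rules
    that admit SMB from outside own_site and are not fully shadowed."""
    own = ipaddress.ip_network(own_site)
    parsed = [(a, ipaddress.ip_network(s), lo, hi) for a, s, lo, hi in rules]
    findings = []
    for idx, (action, src, lo, hi) in enumerate(parsed):
        if action != "allow" or src.subnet_of(own):
            continue
        open_ports = []
        for port in SMB_PORTS:
            if not lo <= port <= hi:
                continue
            # An earlier deny only neutralises this rule if it covers the whole source.
            shadowed = any(
                a == "deny" and s.supernet_of(src) and l <= port <= h
                for a, s, l, h in parsed[:idx]
            )
            if not shadowed:
                open_ports.append(port)
        if open_ports:
            scope = "shared-wan" if src.subnet_of(SHARED_WAN) else "beyond-wan"
            findings.append((idx, str(src), open_ports, scope))
    return findings

if __name__ == "__main__":
    for finding in smb_exposure(RULES, "10.20.0.0/16"):
        print(finding)
```

A finding scoped `shared-wan` means SMB is reachable from other bodies on the 10/8 network; `beyond-wan` means the source is not even confined to that range.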

  10. Anonymous Coward
    Anonymous Coward

    I work in the NHS

    We'd not have been hit if our CRAP ITY supplier hadn't told us certain ACLs were in place when they clearly weren't, then ending up with some of our sites having NONE following that same CRAPI-TYA company making changes which resulted in them being wiped.

    We'd literally have not been affected at all.

    1. MrRimmerSIR!

      Re: I work in the NHS

      Good to hear from someone on the inside. The key here is that it is not possible to lock down the apps or OS on an individual machine, so the best that can be done is to have firewalls and other access control mechanisms in place.

      And when a supplier fails to do what they claim to have done, there should be penalty clauses invoked to make sure they don't fail again. I wonder if said crap company has had moneys withheld? (yes, that was a rhetorical question, I think we know the answer).

      It's all very well blaming "the NHS" or "the DOH", but both organisations are made up of people. Again, accountability should mean the pen-pushers responsible for the failures should be personally liable.

      1. JamesPond

        Re: I work in the NHS

        Having worked for both hospitals and for IT suppliers to the NHS across a lot of different NHS England hospitals, there is a huge variation in how IT services are delivered and their professionalism.

        The best I've seen are in-house staff who were reasonably well looked after and had down-to-earth managers with reasonable IT and management skills (many originally trained in the armed forces). The worst I've seen are where

        a) IT services are outsourced to a very big blue company who won't react until they have a purchase order

        b) outsourced to tiny local companies with insufficient resources to handle anything but the normal day-to-day 'my pc won't boot' fault and find it difficult to retain skilled staff.

        c) in-house staff are badly managed by maniacal leadership who are only concerned in advancing up the ladder and think that staff motivation has a 1:1 link with how loud they can shout.

        Unfortunately in my experience, there are a lot of very competent and dedicated indians (small i) being led by incompetent chiefs. I have seen first hand that once you are in the NHS, it is a job for life unless you actually kill someone and where the only way to 'get rid' of someone useless is to promote them.

        1. Angry IT Monkey

          Re: I work in the NHS

          Outsourcing usually comes down to a complicated lowest bidder / jobs for the boys formula that doesn't include quality. Over the years I've come across so many clangers from these bargain-basement companies that I'm sure they just drag random people in from the street to implement critical projects dealing with people's lives/health/money/future.

          Sadly I can't post any without being identified at work and I'm not quite ready to retire...

          @JamesPond - it's not just tiny local companies, I've dealt with huge national and global IT companies that struggle beyond "My password needs resetting" including a very big blue one.

          1. ecofeco Silver badge

            Re: I work in the NHS

            I'm sure they just drag random people in from the street to implement critical projects dealing with people's lives/health/money/future.

            Oh they do. I've been that random person off the street working on those projects. Yes, more than one.

        2. Anonymous Coward
          Anonymous Coward

          Re: I work in the NHS

          Oh god 3 is so accurate to where I work.

      2. Headley_Grange Silver badge

        Penalty Clauses

        "And when a supplier fails to do what they claim to have done, there should be penalty clauses invoked to make sure they don't fail again"

        Penalty clauses are unenforceable in English law.

        Liquidated damages are allowed, provided that the damages are a true reflection of the losses incurred. Liquidated damages are limited to the amount set out in the contract.

        I think the NHS would struggle to contract for services if they tried to reflect the potential true costs of a major cock up in the liquidated damages. Some of the companies I have worked with simply add the liquidated damages to the contract price to ensure that they are covered, meaning that if the supplier performs well the customer, effectively, incurs the cost of their performing badly!

      3. Doctor Syntax Silver badge

        Re: I work in the NHS

        "I wonder if said crap company has had moneys withheld?"

        Or prosecuted for fraud if they've claimed and received payment for something they haven't done?

  11. Just Enough
    Facepalm

    Which is it??

    "WannaCry cyber attack and the NHS in England, focused on the impact on Britain's health service"

    Did no-one spot the obvious mistake in this statement? Which was it, England or Britain?

    1. katrinab Silver badge

      Re: Which is it??

      Both, as people from other parts of the UK do get sent to England for some things that aren’t provided locally, and people in England sometimes get sent to Scotland when there is no capacity in England. Also, people who live near the borders sometimes cross them to get to the nearest facility.

    2. Bernard M. Orwell

      Re: Which is it??

      "Which was it, England or Britain?"

      You have to bear in mind that, according to most media, England IS Britain. That's certainly part of the problem, but it's also worth remembering that to Parliament, England is London, and everything else is "The Northern Powerhouse" (Pardon me whilst I vomit from the patronization) or "bloody Europe".

  12. Anonymous Coward
    Anonymous Coward

    Not to worry....

    Brave Dido will save us!

  13. Anonymous Coward
    Anonymous Coward

    "These include developing a response plan setting out what the NHS should do in the event of a cyber attack; ensuring organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action); and ensuring that organisations are taking the cyber threat seriously. "

    So, not quite frontline operations, not quite senior leadership..

    Sounds like middle management to me! Can't be having any of that in the NHS. No sir. Doctors and nurses only please, and the less of those the better!

  14. Aodhhan

    Welcome to gov't run health care

    Wait time to:

    - See your family physician 14-30 days

    - Consult to a specialist 4-7 months

    - Have a CAT Scan: 2-6 months

    - Get a MRI Scan 5-10 months

    - Patch server systems 18-32 months... maybe.

    1. JulieM Silver badge

      Re: Welcome to gov't run health care

      But at least you don't have to pay for the privilege.

    2. ecofeco Silver badge

      Re: Welcome to gov't run health care

      Which is STILL a damn sight better than the U.S. medical industry.

  15. This post has been deleted by its author

    1. Fatman
      Joke

      "motivations"

      "One word: Lazy

      or

      Two words: Lazy and complacent incompetent."

      There!!!

      FTFY

  16. steviebuk Silver badge

    Blame Jeremy *unt

    He's ruining the NHS and am sure he's been sent in to privatise it from within.

    1. ecofeco Silver badge

      Re: Blame Jeremy *unt

      That is indeed the mission of most conservative politicians. Destroy government from within then blame government so that they can privatize it.

      For their friends of course.

  17. JulieM Silver badge

    It's a mess

    There are mission-critical apps in use right now which will only run on an obsolete OS, because they use the same insecurities exploited by malware for their legitimate business logic; and cannot be rewritten to work in a more secure environment because the Source Code is lost, due to the original supplier having gone out of business.

    The only way to weed them all out is going to be to replace every piece of software with something for which the Source Code is available. Unfortunately, that is unlikely to happen, as it will lead to a blame game -- and too many people are getting fat on caging up Source Code anyway.

    1. Doctor Syntax Silver badge

      Re: It's a mess

      "and too many people are getting fat on caging up Source Code anyway."

      That can be stopped by insisting on escrowed source code.

  18. h4rm0ny

    It's always "simple steps".

    That's what most computer security is - "simple steps". But you have to complete a hundred of them and the attacker only has to find the single one you missed. With hindsight you can almost always point back at something and say "this wasn't done". Yes, but how many people were doing how many things?

  19. david 12 Silver badge

    Repeated repeated repeated warnings

    So they had warned people about patching, but their warnings were hidden/disguised by the noise about getting rid of XP.

    Ironic that it happened in the NHS, given that the medical system is well aware that warning overload leads to people ignoring warnings. Most drug-interaction AI systems are turned off because they generate so many drug-interaction warnings. More obvious to the lay-person, walk through any hospital and count the beeping patient monitoring systems.

  20. ecofeco Silver badge

    Many breaches could have been prevented

    Many network breaches could have been prevented but this would mean that people who are not from the right schools, families and backgrounds might actually be smarter than the ones with the "right connections."

    And that just will not do.

  21. Doctor Syntax Silver badge

    Having touched on certifying equipment in previous comments, here's a suggestion answering some points made about businesses providing support services.

    Require services to be certified. If, as in a previous comment, ACLs weren't in place, the service provider loses its certification and must pass its contracts over to another provider.

    And I don't mean simple ISO 9000 box ticking. The service actually being provided gets unannounced spot checks to see what the reality is.

  22. GruntyMcPugh Silver badge

    "Department of Health and Cabinet Office wrote to trusts saying it was essential they had "robust plans" to migrate from old software, such as Windows XP, by April 2015."

    Interesting, because I had an interview for an IT role at an NHS Trust Hospital in November 2015, and they were still talking about moving to Windows 7, and hadn't started.

    I now work in local govt, and we're well into our Windows 10 rollout, and are migrating patching from WSUS to SCCM.
