Looking for scrubs? Nah, NHS wants white hats – the infosec techie kind

The UK's National Health Service will pay white hat hackers up to £20m to protect its IT systems, it announced today. NHS Digital is looking to make a deal with consultants to create a security operations centre, which it says will ensure the safety of staff and patient data nationwide. Speaking to The Telegraph, NHS Digital …

  1. Dr_N
    Thumb Up

    NHS + IT

    Ahhh. A match made in heaven.

    1. Anonymous Coward
      Anonymous Coward

      Re: NHS + IT

      "NHS Digital is looking to make a deal with consultants to create a security operations centre"

      Makes sense. Not many people who are competent would work for the normal NHS IT salary ranges.

  2. eJ2095

    Here comes the Crapita

    They will issue staff with tin foil hats and charge the full 20 million

  3. Anonymous Coward
    Anonymous Coward

    Update your PCs and antivirus regularly, the ones you can't isolate on a separate VLAN.

    Can I have my £20m please

  4. Anonymous Coward
    Anonymous Coward

    What do they need this for?

    1. Set up firewalls correctly

    2. WSUS

    3. Patch your sodding systems

    Your welcome

    1. Just Enough
      Headmaster

      Re: What do they need this for?

      "Your welcome"

      My welcome what?

    2. Anonymous Coward
      Anonymous Coward

      Re: What do they need this for?

      As an infosec already in the NHS: the problem isn't the systems we have IT-wise, it's the clinical ones, which then force reliance on old versions of Java and prevent updates of the OS etc. being applied.

      You can harp on about "all you need is WSUS" but frankly that's not true, we already have it! We simply can't implement it to any sort of standard, as either you want clinicians to have access to patient data quickly and securely or you want OS updates. Because these clinical systems are flippin ancient, and no matter how hard we scream about it there's no money to replace them and no leverage in contracts signed years ago to force developers to keep on current versions for dependencies.

      Hiring more infosec staff won't help in a majority of trusts/CCGs, as frankly the problem is sitting within clinical systems and old medical devices. WE KNOW THIS, but we're unable to do anything about it as nobody can afford to replace them.

      1. 0laf
        Facepalm

        Re: What do they need this for?

        Yes but you're employed by the NHS in an infosec role so your opinion counts for nothing to the higher management.

        If you want to be listened to you need to quit, pay for some fancy certs, then get rehired as a "Transformative cyber-enablement specialist" (or similar snake oil seller), reword your original advice as shiny shiny marketing guff, then job's a good 'un. They'll pony up 5x extra to do the job you would have suggested to them in the first place on your original salary.

        Feel free to replace "NHS" with any other public sector body.

        1. Anonymous Coward
          Anonymous Coward

          Re: What do they need this for?

          0laf, you have no idea how true this is. I have a friend who works in one of the NHS Scotland Trusts (boards?) who seems to be listened to far more, but even there the speed of change is slow; at least it is changing, though.

          1. Tom 38

            Re: What do they need this for?

            3. is most of the problem. Lots of 25+ year old proprietary stuff that either no patches exist for, or the patches that DO exist break other things. Hospital systems are a horrible, horrible mishmash of ancient tech, brand new tech, and duct tape.

            It's no different to corporate IT. We recently "upgraded" to a new outsourced HR solution. It doesn't tick any of the boxes that IT "required" of it (federated SSO, 2FA, device independent, no ActiveX), but it's the choice of the HR VP, so that overrides any other concern.

            Actually we could have had the federated SSO and 2FA, but the beancounter vetoed the extra £3k pa that would have cost us in license fees. Still wouldn't make it work in ¬(IE > 6, IE < 11).

            When your hosted solution requires ActiveX to draw a calendar on a webpage, you know you've made a wrong technical choice...

        2. Biff Takethat
          Thumb Up

          Re: What do they need this for?

          This, 100%

          I asked a friend in one of the big consultancies why NHS managers recruit external consultants at 5x the cost, for things their own staff could do, and his belief is that they're happy to pay just to abdicate responsibility. E.g. if it fails, they're off the hook because they can say they paid top dollar for 'the best'.

          Over the years, I've observed this to be correct more often than not. The last port of call for many senior managers is to consult with their own teams (or even try to manage them). The team then has some salesperson forced on them who extracts their knowledge and then gets 5x the pay for it. Then leaves and the team have to fix the shit they caused anyway.

          I now view a manager employing a consultant as a public admission that they're scared, out of their depth and couldn't care less about wasting public money.

          1. Anonymous Coward
            Anonymous Coward

            Re: What do they need this for?

            "I asked a friend in one of the big consultancies why NHS managers recruit external consultants at 5x the cost"

            In general because that's competitive with paying a market rate salary and benefits for someone who is actually certified, competent and experienced! And is a lot easier to get approved.

      2. Prst. V.Jeltz

        Re: What do they need this for?

        because these clinical systems are flippin ancient and no matter how hard we scream about it there's no money to replace them

        You could still use that WSUS that you already have to keep W7 patched up, which would have avoided the little WC accident.

        and no leverage in contracts signed years ago to force developers to keep on current versions for dependencies.

        This does seem to be a lesson that is never learned - or maybe it was an option offered, but whichever Public Trough guzzling IT contract Pirate Cartel said - "What? You want it to work in the future? That's 4 times the price then."

      3. Matt Schofield

        Re: What do they need this for?

        "Hiring more infosec staff won't help in a majority of trusts/CCGs, as frankly the problem is sitting within clinical systems and old medical devices. WE KNOW THIS, but we're unable to do anything about it as nobody can afford to replace them."

        So like someone with suspected plague, rather than take them out and burn them, isolate and monitor. Or don't do anything and risk the consequences.

      4. Adrian Midgley 1

        Re: What do they need this for?

        Closed source and proprietary.

        It was never necessary to buy that.

        (FLOSS does not guarantee anything is updated, it guarantees nobody can prevent you having it updated; interfaced to X etc.)

    3. Anonymous Coward
      Anonymous Coward

      Re: What do they need this for?

      3. is most of the problem. Lots of 25+ year old proprietary stuff that either no patches exist for, or the patches that DO exist break other things. Hospital systems are a horrible, horrible mishmash of ancient tech, brand new tech, and duct tape.

      Most of the trusts actually have reasonable endpoint protection on their standard terminals. It's all the non-standard kit (software for a multi-million pound body scanner that has to run in IE6 on a physical device with a parallel/serial port, that just HAS to be networked back to backend database/monitoring server for some bloody stupid reason, etc, etc) that causes problems.

      Sure, a dedicated IT team could airgap or DMZ most of this old horrible insecure stuff, but at the moment the NHS is all for the "centralised" approach "because of cost savings". So often the offsite big team of generalists just patch it into the main network so they can dial into it remotely.

      It's far easier in the smaller (non hospital) trusts.

      I work in one of the Emergency Services trusts. We didn't get hit by any of the recent ransomware attacks - and we haven't actually had a successful malware attack in the past 8 years (the last one that got in was Conficker back in circa 2009). But the main reason for this is because we run our own segment + internet links which are firewalled off from the rest of the NHS network (we have to use some of the central NHS LAN portals, but these are by exception - we don't even talk directly to their DNS servers!). All internet access goes through a proxy and all non-whitelisted sites are blocked. USB drives are blocked. Removable media is blocked. All emails out and in get scanned, with close to 90% of them going into quarantine if they have any attachments on them at all. Automatic updates get applied automatically one day after Patch Tuesday (apart from the essential 999 servers, which get done manually). We do have some systems which we can't regularly patch for a number of bloody stupid supplier-support-contract-related reasons, but these are kept off our domain on separate VLANs from all our other tech.

      We have a very small onsite IT presence which couldn't cope if we didn't take the "block EVERYTHING, allow by exception" approach.

      I'll echo the previous poster's comments about having to support 7 different versions of Java though (one for online banking for the Finance people, one for the ancient legacy Voice Recorder software, one for the New Voice Recorder, one for the Staff Payroll Portal, one for the CCTV, one for the Staff Passcard printer software, and one for the VOIP Phone system portal) - Bleh!

      (Posting anon for obvious reasons...) ;)

    4. Anonymous Coward
      Anonymous Coward

      Re: What do they need this for?

      "3. Patch your sodding systems"

      Then find the latest version of Java has bricked 20% of applications, IE (and no other browser) is no longer compatible with some critical back end system implemented 15 years ago, the driver update has stopped 1/3 of printers working, the TLS 1.0 you've dumped now means you can no longer administer a load of black box equipment..........

      Do I go on why you can't "just upgrade"?

  5. Just Enough
    Boffin

    How often does this need explained?

    "UK's National Health Service"

    *England's National Health Service

    "the safety of staff and patient data nationwide"

    *England wide.

  6. Anonymous Coward
    Anonymous Coward

    And what will CareCERT be doing?

    We actually already HAVE a department of NHS Digital that is supposed to be doing Cybersecurity called CareCERT - so are these guys outsourcing their own work? We pay them to do this. Why are we paying again? The bidding guidance in the tender specifically excludes companies without a turnover of more than 5 x the contract value from bidding.

    So that excludes all but the hugest of the huge. Many of those same few companies have recently performed badly in NHS/Gov contracts (Capita, Atos), or have recently been pwned themselves (Experian).

    #omnishambles

    1. Biff Takethat

      Re: And what will CareCERT be doing?

      Hmm good point.

      CareCERT actually do seem to contribute to the NHS security effort so presumably they'll be toast at some point. Maybe they'll give G4S a call...

  7. Anonymous Coward
    Anonymous Coward

    Chicken and Egg.

    You can't fix all the security problems till it's all under one roof but to put it under one roof you need to fix the security problems.

    1. Prst. V.Jeltz

      Exactly, currently the many roofs make it look like a shanty town.

  8. Anonymous Coward
    Anonymous Coward

    We need better gatekeepers.

    The problem is not that

    NHS IT cannot be bothered to put patches on.

    Does not know how

    Prefers older software or even

    Can't afford to patch.

    We put patches on where allowed

    We have the same qualifications as everyone else - BSc, HND, Cisco or even(!) Microsoft for example.

    We'd rather have Windows 10 than XP and Linux would be even more fun.

    It would be cheaper to patch.

    If most IT departments had their way, CSC would have been out of the NHS 15 years ago along with the other wastes of public money that kept us on IE6 until a couple of years ago and now keep us off lots of other modern ideas - such as non-IE browsers and updated versions of Java.

    Someone in authority should put down rules that block recurrences of such stupidity. This may not happen. They may be called DXC now but they are still the same CSC who caused the problems and faulty attitudes.

  9. Anonymous Coward
    Anonymous Coward

    "could have been prevented by the NHS following basic IT security best practice".

    As I mentioned in another thread today, where is this "Best Practice" written down?

    the ITIL manual?

  10. Anonymous Coward
    Anonymous Coward

    Java

    We (this corner of NHS) currently use Java SE 6 Update 39 from 2013-02-01 for all our browser Java needs! Hooray!

    1. TheVogon

      Re: Java

      "We (this corner of NHS) currently use Java SE 6 Update 39 from 2013-02-01 for all our browser Java needs! Hooray!"

      So set active content to only run in the Trusted Security Zone in IE and use Group Policy to add only sites you trust to that zone. Job done. That will be £20 million please.

  11. Biff Takethat
    Flame

    Here we go again

    ...this would only be the right solution if the NHS's actual, core security problem was a lack of white hat hacking consultants in some data centre somewhere.

    Yeh, it might be useful in a way, but as everyone who works here knows, just getting the basics right (patching, stop people clicking on stuff they shouldn't, etc, etc) would go a lot further. A lot of the time, the security people already KNOW where the holes are, and don't need expensive consultants to tell them, but they're not supported by senior management (until there's a data leak or virus outbreak when saving their own arse suddenly becomes a top priority).

    And they should wake up and get rid of the ridiculously counterproductive IG Toolkit while they're at it - any NHS organisation can easily pass with flying colours and still be full of holes, so all it does is give senior management an excuse to spend nothing on *actual* security because they scored well on the Toolkit. It's an absolute effing joke and everyone knows it.

    1. hitchslap

      Re: Here we go again

      Probably the most sensible comment I've read on this thread. Get the basics sorted - could not agree more...but without management support then you really are on a hiding to nothing.

      I once did a consultancy gig with an ex-NHS CISO who was about as impressive as Jeremy Corbyn but with less vision.

    2. Anonymous Coward
      Anonymous Coward

      Re: Here we go again

      If your org has level 3 on the toolkit chances are your people are lying about something. It is not easy to reach. Auditors would most likely have a field day with them.

      1. Darth Poundshop
        Facepalm

        Re: Here we go again

        Yes and no. It can be done honestly - in effect, our IG Team ask something like 'can you give us evidence of patching and update regime working'. IT, quite honestly, then supply them with the requested evidence. The auditors then check the IG Toolkit submission against the provided real-world activities and Behold! It's a Pass!

        However, if IG came to IT and asked, 'can you give us evidence of where your patching and update regime is catastrophic', IT would be able to supply this just as easily.

        In short, auditing is not pentesting, they're all just looking where the light is.

  12. Anonymous Coward
    Anonymous Coward

    I briefly worked for a trust in Scotland, and every single fucking penny had to be spent on patients.

    We were four versions behind on MS Office, had nineteen domains with all the associated clusterfuckery that that entails. NTFS permissions were completely screwed. Ransomware occurred three times a week.

    The building itself hadn't had a lick of paint since it opened in 1898. The bogs were so bad I used to go across the road to the station to have a shit.

    The Storage Team had a geographically dispersed cluster, the nodes of which gradually got more and more out of sync with each other. That in turn caused Windows Server to keep complaining that it needed to run Chkdsk, but they just ignored it and hoped for the best.

    1. Adrian Midgley 1

      And imagine how many pennies would be spent for

      Libre Office in its successively current versions...

      1. Anonymous Coward
        Anonymous Coward

        Re: And imagine how many pennies would be spent for

        "And imagine how many pennies would be spent for

        Libre Office in its successively current versions..."

        Well firstly you would need to budget for a VDI infrastructure for when they need a version of Office that actually works!

  13. Anonymous Coward
    Anonymous Coward

    Why not build on what's already in-house?

    I've worked as a certified (fancy certs and all) pen tester within the NHS for many years as part of a small team - we pen test our own and other NHS orgs amongst others. Only one of the 20+ organisations we deal with was hit by WannaCry, and we raised SMB issues with them a fair while beforehand. Unfortunately it appears that in-house expertise isn't really valued by some national level NHS orgs, and outsourcing (presumably at great cost) is the favoured approach. Frustrating to say the least; maybe we should just give in and take the higher pay packages on offer in the private sector!
