On the NHS tech team? Weep at ugly WannaCry post-mortem, smile as Health dept outlines plan

The WannaCry outbreak has forced the UK's national health service to overhaul its crisis planning to put new measures in place to avoid further crippling cyber attacks. A UK Department of Health and Social Care postmortem on the May 2017 WannaCry outbreak, published on Thursday, repeats the findings of previous UK government …

  1. CAPS LOCK

    Suits having meetings and producing reports is not going to help...

    .... (except to keep them looking busy, obv.) The solution is not more management, it's less.

    1. Anonymous Coward

      Re: Suits having meetings and producing reports is not going to help...

      In this case it is rather the opposite. Most NHS entities treat their technology as an afterthought. Most NHS entities have had their non-"frontline" functions gutted year after year after year. Most NHS entities have no money to spend on anything other than doctors, nurses and drugs.

      And for added fun, there are more NHS entities than you can possibly count. We've got CCGs, hospital trusts, local authorities, "vanguards", private providers and an assorted grab bag of other nonsensical, fractured bodies.

      To properly fix this problem needs central governance. It needs proper funding, co-ordination and long-term delivery. That is impossible without increasing the dreaded "middle management", without spending more money and without reversing some of the last decade's dismantling of our NHS.

      1. Lysenko

        Re: Suits having meetings and producing reports is not going to help...

        Most NHS entities treat their technology as an afterthought

        Really? MRI machines, Electroencephalographs, ultrasound scanners etc. are afterthoughts? I doubt it.

        The problem (I suspect) is that non-IT staff fail to grasp that their new CAT scanner is essentially the same thing as a new laser printer. It is a peripheral and consequently useless junk if the computer it is plugged in to becomes unreliable or non-functional. Ergo, you invest in the computer first and then spend whatever you have left on the best quality peripherals you can afford.

        1. Anonymous Coward

          Re: Suits having meetings and producing reports is not going to help...

          Yes, the MRI machine as a piece of enterprise technology is definitively an afterthought.

          Thoughts like "How do I ensure this is securely networked", "How do we securely share and archive the records that come out of the machine", "How do I integrate this into our device management platform?" and "Wait, do we even have a device management platform?" all come long, long after someone goes "We need an MRI machine for diagnosis".

          Which is not a bad thing. It is a good thing that our NHS is principally driven by clinical need, rather than buzzwords and political expediency and profit. It is a bad thing that almost all other concerns have been forced out of the organisation's culture.

        2. Doctor Syntax

          Re: Suits having meetings and producing reports is not going to help...

          " Ergo, you invest in the computer first and then spend whatever you have left on the best quality peripherals you can afford."

          No. You invest in a system, or maybe an appliance. Choose either term or any other that emphasises the fact that it's the whole that matters. But remember that it's the specialised kit that's the sharp end of the specification. Putting the computer element first is arse about face because these days it's a commodity item, the cheap bit, probably built down to a price and hence the most likely to fail and be replaced, maybe several times during the life of the system.

      2. CAPS LOCK

        "To properly fix this problem needs central governance"

        A. Please don't use the word governance, it means management, use management, unless you want to sound like an NHS manager.

        B. Central management leads to more meetings and more reports, not more action. It actually wastes resources needlessly. If the resources wasted on 'managers' having meetings and driving around in their company cars was redirected to where it's needed the problem would be eliminated.

        1. Anonymous Coward

          Re: "To properly fix this problem needs central governance"

          "A. please don't use the word governance, it means management"

          No it doesn't. Effective management is just one component of governance, other elements including but not limited to strategy, finance, standardisation, planning and oversight. Almost all of which are lacking from NHS IT, as the report in the article makes plain.

          1. Doctor Syntax

            Re: "To properly fix this problem needs central governance"

            "other elements including but not limited to strategy, finance, standardisation, planning and oversight"

            Throw accountability and transparency into the mix as well.

          2. CAPS LOCK

            Effective management is just one component

            Management doesn't include strategy etc now?

            1. ds6

              Re: Effective management is just one component

              Governing is more regulatory, setting standards and acting on them; while managing is sitting in one's office playing Solitaire and reading emails before your next meeting in a long line of endless meetings.

    2. theOtherJT

      Re: Suits having meetings and producing reports is not going to help...

      I think suits having meetings might just in this one case actually be exactly what we need. The problem is the occupants of said suits being the right people.

      I would be the first to agree that overspending on managers and underspending on front line services is a genuine problem, but in this case it would seem that the problem is stupid contradictory policies tying the hands of the people who already knew how to fix this.

      If the management took the time to understand what the implications of having important medical devices connected to the Internet are, and what a rigorous patching regime actually involves, then maybe - just maybe - this could have been avoided.

      Better management, not just more of it, you know?

      1. Mark 65

        Re: Suits having meetings and producing reports is not going to help...

        As previously reported by El Reg and noted in previous national reports, unpatched Windows 7 systems, in particular, rather than residual reliance on long obsolete Windows XP boxes (which crashed rather than further spreading the worm) laid the groundwork for the WannaCry outbreak.

        I'm not sure what more management will get you when the principal problem was "it doesn't matter how well supported your PC OS is if you don't fucking patch it". Additionally the likelihood of having SMB exposed to the wider internet such that it is the suspected initial attack vector shows you don't really know what you're doing.

        If we are talking about managers "taking the time to understand..." we are wasting our time. Anything you try to teach them will always be overruled by an accountant's whimsy or "vendor said X". What you need is a chief architect who has the power to overrule stupid-arsed management decisions. In any business you will always get a shouty twat that gets their own way with a really stupid idea - squeaky wheel and all that.

  2. }{amis}{

    The NHS

    My mother is a nurse. I visited her unit to give her a lift one day and found her and her colleagues frowning at their brand new dialysis machine, looking at an XP Embedded blue screen of death!

    The whole NHS network is riddled with embedded systems like this that cannot have their OSes updated to something that works.

    This problem comes not only from upper management not having a clue but is massively endemic in the suppliers.

    It's the same problem that plagues the Android ecosystem but a hundred times worse and more expensive to fix because of the long lifespan of the kit involved.

    1. Anonymous Coward

      Re: The NHS

      From the other side of the medical devices showroom.

      It's not our fault it's the regulators.

      Any software upgrade requires us to prove that it is safe. According to our regulator we aren't allowed to let Microsoft roll out updates to our machines until we have checked them. However cybersecurity updates have to be installed immediately. MSFT don't distinguish between them. The machines were air gapped but now we have to network them to meet the cybersecurity update mandate!

      I spent yesterday in a "safety audit" meeting where we had to agree to replace all the video cables on screens in surgeons' offices because we didn't have paperwork from the maker showing that the locking screws were RoHS compliant. These screens, used in the office, have to be "medical grade" - at twice the price - but still come with a warning label saying that they aren't to be used for clinical evaluation.

      1. Lysenko

        Re: The NHS

        Any software upgrade requires us to prove that it is safe. According to our regulator we aren't allowed to let Microsoft roll out updates to our machines until we have checked them. However cybersecurity updates have to be installed immediately.

        Presumably, this means that you discontinued new product development using embedded Windows a decade or so ago and this is a legacy tail problem that will diminish as your newer Linux/OpenBSD/FreeRTOS replacements progressively come online?

        1. }{amis}{

          Re: The NHS

          Much as a geek I like the idea of using Linux over embedded Windows, it does nothing to solve the issue of boxes stuck in corners of the network and not being patched for a decade.

          Even if you started with some super secure locked down Linux / BSD with a decade of no maintenance it will still end up a security nightmare at the end.

          1. Lysenko

            Re: The NHS

            it does nothing to solve the issue of boxes stuck in corners of the network and not being patched for a decade.

            It resolves the problem of not being able to disentangle security patches from other updates and puts you (the device vendor) in complete control of the patch deployment process. You can also test/verify anything coming from upstream down to source code level and debug your own device drivers down to hardware (as opposed to kernel API) level.

            None of that helps if you have a bunch of chancers trying to run the kit indefinitely with no maintenance contracts of course, but that isn't down to the vendor.

            1. Doctor Syntax

              Re: The NHS

              "It resolves the problem of not being able to disentangle security patches from other updates and puts you (the device vendor) in complete control of the patch deployment process."

              It doesn't help if the security patches affect system stability. We've had a recent demonstration with Intel's firmware patches being rolled out over both Windows and Linux and then rolled back again.

              There's no silver bullet.

          2. Mark 65

            Re: The NHS

            Much as a geek I like the idea of using Linux over embedded Windows, it does nothing to solve the issue of boxes stuck in corners of the network and not being patched for a decade.

            and I see little reason for important kit to be widely exposed. Segregated secure networks and all that. My guess is that much of the NHS networks (within and perhaps between hospitals and trusts) are just wide open once you're authenticated on them. Let's be honest here, the *nix/BSD variants are generally more secure by design than Windows. That is just the way it is. Not easily being able to classify your updates is just shitty and unnecessary and it is about time we moved away from vendors that don't give a fuck.

            The NHSbuntu (or whatever it was called) was a sound idea and I think, if anything, this whole debacle highlights that the NHS is easily big enough to support a centralised area of IT expertise to ensure some kind of order, security, compatibility, and efficient purchasing. Leaving things to individual trusts becomes an in-built divide and conquer for vendors and has led to a disparate and dysfunctional landscape in the health sector. Who gives a shit whether doctors and hospitals have little whines and bleats about giving up certain aspects of their control or little budget corners of their empires - the whole thing is funded by the tax payer and it is about time it was done properly.

          3. rh587

            Re: The NHS

            Much as a geek I like the idea of using Linux over embedded Windows, it does nothing to solve the issue of boxes stuck in corners of the network and not being patched for a decade.

            To play devil's advocate, in the case of a Windows worm doing the rounds it would be fine because the worm would not execute!

            I don't know in the case of WannaCry how much infection happened host-to-host and how much was host-server-host. I imagine there was potential for it to hop VLANs by getting onto file servers and jumping back out. Were those file-servers running something non-windows then any attempt at replication would have been stopped dead.

            None of which excuses them from not having patched the damn things or performing good hygiene like disabling SMBv1 on boxes that did not require it (and indeed any other superfluous services that were unneeded). But diversity like that can be good for network resilience as an additional layer of defence-in-depth.

            I can't think of any reason why you would pay for a Windows Server license to run something as trivial as a filestore in a Windows desktop environment when any *nix/BSD distro will be inherently more resistant to users introducing a Windows nasty (which we're assuming has bypassed normal controls, locked down user permissions, group policy, etc) onto the network.

        2. Anonymous Coward

          Re: The NHS

          Presumably, this means that you discontinued new product development using embedded Windows a decade ..newer Linux/OpenBSD/FreeRTOS

          Windows Embedded is no longer available, there is a Windows LTS but we are waiting to find out if it is approved. You can buy medical grade RTOS but ours is a software product for doctors' offices. We could insist that each doctor buys a VME crate running VxWorks but there might be some market pushback.

          We started an earlier product on Linux and that is fine with the FDA - but they treat open source as if it were your product, so you are responsible for all testing / security / updates of the entire OS. Plus all the production documentation tracking every source file used to build it all.

          The problem is that the regulators (especially the FDA) have a drug mindset. Every chemical in the drug has to be traceable and any change in the formula requires new tests. So change an element of the GUI and you need to repeat user trials where you have to have 20 Consultant Radiologists test it to show that the safety and effectiveness wasn't changed.

        3. Doctor Syntax

          Re: The NHS

          "Presumably, this means that you discontinued new product development using embedded Windows a decade or so ago and this is a legacy tail problem that will diminish as your newer Linux/OpenBSD/FreeRTOS replacements progressively come online?"

          In this context the OS doesn't alter things. If the regulatory framework ties knots in operation the knots will strangle any OS or other S/W component.

          The regulatory framework needs to be fit for purpose.

      2. Anonymous Coward

        Re: The NHS

        Many moons ago (in the days where there was D in the OS) I had a call from someone who wanted to swap my ancient, heavy, Toshiba laptop, then about 6 years old for a shiny new one. 'Scam' was my first thought - but no. Turns out the old clunker was certified as an integral part of some medical kit, and it was cheaper to round up second hand machines than re-certify them with new kit.

        1. Daniel 18

          Re: The NHS

          Anyone remember NASA hunting 286s on eBay, because that was the chip that was flight certified for the shuttle? Apparently they turned to eBay as salvaged chips from obsolete medical gear started to dry up.

          And despite the extensive certification, they weren't sure the shuttle's systems would survive rolling over to a new year (never specifically certified for that), so they avoided flying a mission spanning December to January.

          Similar issues arise with all sorts of highly certified critical use systems - warship and nuclear power plant controllers, air traffic control systems, nuclear missile launch systems, aircraft, industrial plant controllers, and so on. In many cases, certifying new gear would be impossibly expensive and difficult, particularly where the people who created the original systems and actually understand the details are retired or dead.

        2. Doctor Syntax

          Re: The NHS

          "Turns out the old clunker was certified as an integral part of some medical kit, and it was cheaper to round up second hand machines than re-certify them with new kit."

          OTOH while it might have been certified when new, after 6 years it might have been heading for FCS (Fat Capacitor Syndrome) or some other ailment of ageing IT kit. Maybe an H/W certification should be time limited to a reasonable life after which it should be replaced. It would build the recertification with a new model and replacement of the installed units into the financial planning of the system.

          In fact, although I was thinking only in terms of hardware reliability when I wrote that, building recertification of the computer element into the life of a system would also make provision for updating the OS as well as the H/W.

      3. Anonymous Coward

        Medical grade screens

        "These screens, used in the office, have to be 'medical grade'" - Yes, you need to make sure that the x-ray or histology slide presents EXACTLY the same to the consultant at the hospital and the referring GP. You do not want a critical clinical feature in the image to be hidden by a subtle colour gamut error.

        1. Anonymous Coward

          Re: Medical grade screens

          Yes, you need to make sure that the x-ray or histology slide presents EXACTLY the same

          To quote from the monitor spec sheet:

          Dependable image quality: Count on accurate DICOM-ready* images for precise clinical review.

          *Not designed or intended for use in primary medical image interpretation.

          So you need to use a certified monitor to view digital x-rays (DICOM is the image standard) but you can't use it for medical interpretation! The FDA have yet to explain to us what you CAN use to view digital x-rays. AFAIK the FDA still don't allow viewing histology slides except through an old fashioned microscope and Mk1 eyeball.

      4. tfewster

        Re: The NHS

        @ Anonymous Coward

        >From the other side of the medical devices showroom. It's not our fault it's the regulators.

        The margin on clinical equipment is high enough for you to absorb the cost of recertifying them against new updates. Especially as the cost is spread across many customers.

        And anyway, that's clinical equipment. There's no excuse for patching the non-clinical computers, and taking "special measures" such as air-gapping clinical systems or pointing them at a "special" WSUS server that only allows approved patches. God forbid that anyone should have to read Microsoft patch notes or divide clients into Test, Live and Clinical for rolling out patches.

    2. Anonymous Coward

      Re: The NHS

      Unfortunately as far as management is concerned, the risk is not there, it's their supplier's problem that it has an embedded system. Doesn't help the adult or child who's slowly being poisoned and needs to use the dialysis machine when it fails. As long as managers have excuses then all is fine with the world. Of course the nurse who ends up frustrated and eventually quits because 2/3rds of the equipment is broken, her managers don't care and they have to pay to use the car park, which makes their take home pay less than the cleaners (not dissing cleaners, but it's a less stressful job normally).

    3. Anonymous Coward

      Re: The NHS

      You obviously don't understand embedded. It's not Windows XP, just because it looks like it.

      Did it have the write filter component enabled (making it a read-only OS)? What components did it use? Did it even have SMB????

  3. Anonymous Coward

    Practical Whitewash

    Plenty of stick applied to the Trusts, but where's the criticism for the utter lack of preparedness on the part of the Department of Health and NHS England?

  4. Alister

    The initial infection was likely through an exposed vulnerable internet-facing Server Message Block (SMB) port 30,

    Hmm, this must be an implementation of SMB that I was previously unaware of.

    The only SMB I know runs on TCP 445 or old-school TCP 139.

    1. monty75

      Some bright spark's idea of security through obscurity?

    2. Anonymous Coward

      SMB

      Yes, Eternal Blue was a weakness in SMBv1... on port 445.

      Are you saying why was 445 open to the internet?

      I remember on the day this started, the first report I saw was Telefonica in Spain. We ran a Shodan report on their network range and lo and behold TCP445 open to hundreds of internal systems. Also a lot of European ISPs will expose 445 to the internet. Shocking but...

      However, the infection vector could have been just as simple as a previously infected machine from wherever being brought onto the NHS network. It only takes one... and then it spreads very rapidly. You get an avalanche effect.

      1. Mark 65

        Re: SMB

        Also a lot of European ISPs will expose 445 to the internet.

        At the end of the day you're responsible for your own perimeter defences. Operate a blacklist rather than a whitelist or whitelist something without adequate thought and it's your issue not your carrier's.

        I suspect there may be an element of bullying/overriding within the NHS - senior X says this has to work so just get it done geek - and whilst it would not be operationally viable to necessarily go to the other extreme it is clear there needs to be a change. The article mentioned "cultural change" and that is the nail on the head for an incident such as this.

        1. Anonymous Coward

          Re: SMB

          I've not worked on the NHS, but I suspect the problem was amplified by it being a whole load of sub organisations each with their own IT support (and maybe security officer) and a requirement to use TCP 445 between the various parts for file sharing...either that or a poor understanding of the ports required to be open to make stuff work (wouldn't be the first time).

          What should have been a compartmentalised national network wasn't... in some places at least.
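The two hygiene points made in this sub-thread and in rh587's post above (disable SMBv1 where nothing needs it; don't leave TCP 445/139 reachable from outside your own estate) can be audited per host with the following added example. It is not code from the thread or from any NHS project; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer, and treats a remote address of 'Any' or a rule active on the Public profile as exposure.

```powershell
# Added example (not from the thread). Read-only audit of one Windows host:
#   1. is the SMBv1 server protocol (the one EternalBlue abused) still enabled?
#   2. does any enabled inbound Allow rule permit TCP 445/139 from 'Any' remote
#      address, or apply on the Public profile?
# Remediation commands are left commented out so nothing changes unless you opt in.
# Assumption: the SmbShare and NetSecurity modules are present (Win8/2012+).

$findings = @()

# --- 1. SMBv1 server protocol -------------------------------------------------
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
    # Remediation (server-side setting, no reboot required):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 10 / Server 2016+ the feature can also be removed entirely:
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# --- 2. Inbound firewall rules that could expose SMB --------------------------
$smbPorts = @('445', '139')
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }

    # LocalPort may be 'Any', a single port, a range such as '137-139', or an array.
    $ports = @($portFilter.LocalPort)
    $matchesSmb = $false
    foreach ($p in $ports) {
        if ($p -eq 'Any' -or $smbPorts -contains $p) { $matchesSmb = $true; break }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            foreach ($s in $smbPorts) {
                if ([int]$s -ge $lo -and [int]$s -le $hi) { $matchesSmb = $true }
            }
        }
    }
    if (-not $matchesSmb) { continue }

    $remote      = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $ruleProfile = $rule.Profile.ToString()   # e.g. 'Domain, Private' or 'Any'

    # Assumption for this audit: 'LocalSubnet' and explicit internal ranges are
    # acceptable; 'Any' remote address, or presence on the Public profile, is not.
    $openToAll = $remote -contains 'Any'
    $onPublic  = $ruleProfile -match 'Public|Any'
    if ($openToAll -or $onPublic) {
        $findings += ("Rule '{0}' allows inbound TCP {1} from [{2}] on profile(s) {3}" -f
            $rule.DisplayName, ($ports -join ','), ($remote -join ','), $ruleProfile)
        # Remediation: scope the rule to internal ranges and non-public profiles, e.g.
        # Set-NetFirewallRule -Name $rule.Name -Profile Domain,Private `
        #     -RemoteAddress '10.0.0.0/8','172.16.0.0/12','192.168.0.0/16'
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No SMBv1 or inbound SMB exposure findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so a scheduled task or config-management run flags the host
}
```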

  5. Anonymous Coward

    Piss poor written software

    While I don't have experience of specific medical software, I DO have experience of the software required for the laboratory equipment.

    A bigger bunch of ham-fisted kak-handed shitty software I have not seen.

    They (99% of them) all require admin rights to run, they do not use any form of authentication.

    Their libraries are so old that they will not run on anything under 5 years old, and they have never been re-written \ patched in their lives.

    Some of them look like they were written in the original VB!!

    This on equipment that costs 10's if not 100's of thousands of pounds.

    The only way to keep these remotely safe is to keep them on a separate VLAN without access to the wild internet... "Oh but we need remote access and it needs to communicate with our licence server"

    License server??? it only runs THAT HARDWARE THAT WAS BOUGHT WITH WTF do you need a LICENCE SERVER!!

    1. Ken Hagan

      Re: Piss poor written software

      "This on equipment that costs 10's if not 100's of thousands of pounds."

      This is a contract failure. Any product that includes software running on COTS Windows boxes or networked machines must come with a guaranteed maintenance period and a line in the contract that says it must run on the patched OS (or in a fully patched LAN) as updated in accordance with Microsoft's schedule until the end of the contract, *because it isn't safe not to*.

      If vendors try to wriggle out by limiting the term of the contract, let them, and then tell your bean counters that they must amortise the full purchase cost over the reduced contract period, *because it isn't safe to use the equipment beyond then*.

      Then sit back and watch as the crap vendors get priced out of the market.

      tl;dr:- Oi! NHS! Grow a pair!

      1. Mark 65

        Re: Piss poor written software

        I think the problem Ken is likely that vendors across the board have some shit that was written eons ago that they are milking the dear life out of. The original authors have most likely departed and nobody wants to have a crack at a re-write due to the huge cost in terms of testing and certification. Thus we arrive at the point where you are in the market for million pound device X or thousands of pounds portable device Y and all of them come with Windows embedded and a shitty VB front end. Your choice is then take it or leave it. I hope this is not the case but from what I have witnessed in terms of dysfunctional front ends I suspect it may be so. The certification part is never going to help modernisation but is a necessary evil.

    2. Tom Paine

      Re: Piss poor written software

      License server??? it only runs THAT HARDWARE THAT WAS BOUGHT WITH WTF do you need a LICENCE SERVER!!

      So it can stop working when the license expires, of course.

  6. Gordon Pryra

    new measures in place to avoid further crippling cyber attacks.

    Would this be actually spending the money on upgrading from XP on ...... upgrading from XP?

    or blaming North Korea for them not spending the money they said they have (multiple times) on upgrading from XP?

    I cry foul, there have been measures in place to avoid crippling cyber attacks for donkey's years. And the NHS has already (on paper anyway) implemented these measures.

    This is just more lies to cover incompetence and outright embezzlement (contracts to your mates for 5 times the market value type of thing)

  7. TVU

    The WannaCry outbreak has forced the NHS to overhaul its crisis planning...

    "The WannaCry outbreak has forced the NHS to overhaul its crisis planning to put new measures in place to avoid further crippling cyber attacks".

    In which case, why not adopt NHSBuntu instead of trying to attack it?

    #numpties

    1. kain preacher

      Re: The WannaCry outbreak has forced the NHS to overhaul its crisis planning...

      Yes and switching from MS to FLOSS will fix everything cause the issue is the software not mind set. I mean cause if they can't find funds to hire proper MS admins everything will be fixed by running NHSbuntu, because the same folks that volunteered to make NHSbuntu will give their time to maintain and operate NHSbuntu.. An idiot with a gun that has a safety on it is still an idiot. It will just take them a few seconds longer to shoot themselves.

      1. Mark 65

        Re: The WannaCry outbreak has forced the NHS to overhaul its crisis planning...

        To be honest if I had the choice between two unpatched OSes being exposed to the internet (by intent or incompetence) I'd rather it were a linux variant than Windows.

        With regards "Because the same folks that volunteered to make NHSbuntu will give their time to maintain and operate NHSbuntu" I'd imagine that the NHS would willingly pay for support and if not you at least have a system used by one of the world's largest health providers that you could no doubt punt to others.

        1. kain preacher

          Re: The WannaCry outbreak has forced the NHS to overhaul its crisis planning...

          From what I'm told it's 4 people. I'm not sure that's enough people.

  8. jms222

    Proxy ?

    I feel a little pragmatism is called for.

    Sometimes it just isn't realistically possible to get rid of the likes of WinXP or earlier but as long as something goes between it'll be ok. For example if the current system has WinXP with shares then rig up a proxy possibly involving Samba that can intercept things.

    And no DON'T build the proxy on a system loaded with every tool an attacker could possibly want. Use a minimal container.

    1. Ken Hagan

      Re: Proxy ?

      A fine suggestion, and one that I suspect is well within the capabilities of the people behind the NHSbuntu project, significantly easier to sell to NHS managers, and sufficiently easy to support that the handful of people concerned might actually be sufficient.

      In fact, perhaps they should create it as a product and start a company to sell it.

      1. Mark 65

        Re: Proxy ?

        If only the Department of Health would stop sending the legal letters...

  9. Doctor Syntax

    I think there's a problem here which isn't unique to the NHS. In fact it's endemic through just about every business and government body that uses IT.

    It's "we're a medical/banking/insurance/manufacturing/..... organisation, not IT".

    And yet IT is central to whatever they try to do but, because "we're not an IT organisation", they try to outsource everything to the lowest bidder. The essential awareness of risks and opportunities alike is lost. At least it's lost at the top of the organisation, it might not be lost at the coal face but, because those coal face people are on low pay grades and their opinions are worth what they're paid, and because any large organisation has a built-in reality distortion field to ensure cries of distress from below arrive at the top as messages that all's well, that awareness stays at the bottom.

    A Wannacry, a DC outage for a few days or whatever has no effect. It's not perceived as a consequence of top-level decisions or of the corporate culture. It's an external problem, a cleverly contrived attack or a one-off failure of a piece of kit that "we can't plan for". No, you can't plan for it because you've lost the ability to do so. You need to get that ability back because, whether you like it or not, it's one of those things you need to do and do well.

    1. sanmigueelbeer

      we're not an IT organisation

      The Australian Tax Office suffered a series of very high-profile outages in 2016 and 2017. The CIO reasoned to Australians that the organization was a tax office and not an IT organization. This is why they sub-contracted to HPE.

      The problem with this reasoning was that HPE itself didn't know what it was doing nor did it know what it was selling and supporting. Take the case of the last fiasco involving the failure of the SAN. This is an HPE product and sold to the ATO by HPE. It was a "one of a kind". The problem with this "one of a kind" product was the limited number of people who know how to manage the system.

      The amount of bureaucracy HPE (within HPE) had to pull in order to get someone (anyone!) who knew how to read the manual was sensational. HPE Australia had to plead with HPE America to find someone, put him on a plane and fly him to Sydney.

      Same goes with the Australian Bureau of Statistics and the 2017 Census fiasco. They reasoned that they weren't an IT organization and had given all the decision-making to IBM to come up with a system for the census. And failed. Drastically.

      Organizations can't use this excuse. If they can't manage their IT then the decision makers, CIO/CTO, need to move aside and find someone who can.

      1. Anonymous Coward

        I suspect the CEO should also take a hit as ultimate adjudicator as I suspect they had a say in what happened.

  10. Dante Alighieri

    Medical Grade Monitors

    I use these. Professionally.

    They are pointless unless in a controlled environment (<10 lux) for diagnosis.

    Medical monitors outside this are pointless. Accurate DICOM reproduction is nice. If they are <2MP they are not diagnostic; if they are in an uncontrolled environment they are not diagnostic.

    Outside of proper diagnostic offices they are an entirely avoidable and unnecessary expense.

    DOI: I have stopped unnecessary over-specced monitors being deployed across an organisation, and also made sure diagnostic screens are available in the appropriate departments with explicit "your environment is non-diagnostic" warnings.

    Many think that the CT and MR scans are the most detailed - they aren't: 512x512, 10-bit pixel depth. Most bog-standard monitors far exceed anything necessary.

    "plain film" x-rays - much more challenging!

  11. sanmigueelbeer

    Although not named in the report, cybersecurity researcher Marcus Hutchins, currently awaiting US trial on unrelated allegations of having a past as a criminal hacker, is credited with finding the “kill switch” that limited the spread of WannaCry.

    The US government would like to "thank" Marcus by filing criminal charges for something that is trivial. Had WannaCrypt (that's what I'd like to call this worm) spread to the US of A, I'm sure the reaction would've been a lot different.

    concluded the failure to apply available patches on Windows systems combined with poor isolation of vulnerable services from the open internet was to blame for a malware outbreak

    These machines can't be patched. Period. Either the vendor has to supply them with updated systems (more money) or these machines need to be behind some kind of IPS/IDS/FW. And this bit alone will make it more complicated because of the inherent risk that these machines require "full access" to the internet "or else".

    Does the report actually detail what NHS will do to fix machines that can't be patched?

    In the end, I guess this report is needed so the governing body can get their act together and appropriate the right resources (more, more money) to the right area.

    Where did the NHS "discover" or "identify" all this money?
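The isolation the comment above argues for (unpatchable devices behind a default-deny boundary rather than given "full access" to the internet) is only useful if someone checks that the boundary holds. The following is an added example, not code from the report or from any NHS trust: it classifies constructed connection-log lines for a hypothetical legacy-device segment, flagging any SMB flow (the protocol WannaCry spread over) touching that segment, any egress to non-internal addresses, and any internal destination not on the allowlist. The segment, allowlist and log format are all assumptions.

```python
"""Added example: audit new connections involving a segment of unpatchable devices."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: legacy clinical devices that cannot be patched live here.
LEGACY_SEGMENT = ip_network("10.20.0.0/24")
# Constructed: everything the trust treats as internal; anything else is "the internet".
INTERNAL = [ip_network("10.0.0.0/8")]
# Constructed allowlist of (dst, dport, proto) the legacy devices may open.
ALLOWED = {
    ("10.30.0.5", 104, "tcp"),   # hypothetical DICOM/PACS server
    ("10.30.0.9", 443, "tcp"),   # hypothetical vendor update proxy
}
SMB_PORTS = {139, 445}           # ports WannaCry abused; never acceptable here


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed line: 'src=10.20.0.7 dst=10.30.0.5 dport=104 proto=tcp'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])


def classify(flow: Flow) -> str:
    """Return 'ok', 'smb-exposure', 'internet-egress' or 'violation' for one new connection."""
    src_in = ip_address(flow.src) in LEGACY_SEGMENT
    dst_in = ip_address(flow.dst) in LEGACY_SEGMENT
    if not (src_in or dst_in):
        return "ok"                       # other segments are out of scope for this policy
    if flow.dport in SMB_PORTS:
        return "smb-exposure"             # SMB in, out or between legacy devices
    if src_in and (flow.dst, flow.dport, flow.proto) in ALLOWED:
        return "ok"
    if src_in and not any(ip_address(flow.dst) in net for net in INTERNAL):
        return "internet-egress"          # the "full access to the internet" case
    return "violation"                    # default deny: anything else, including inbound


def audit(lines):
    """Group every non-'ok' log line by verdict."""
    findings = {}
    for line in lines:
        verdict = classify(parse_flow(line))
        if verdict != "ok":
            findings.setdefault(verdict, []).append(line)
    return findings


SAMPLE_LOG = [  # constructed connection records, not from any real system
    "src=10.20.0.7 dst=10.30.0.5 dport=104 proto=tcp",      # allowed PACS
    "src=10.20.0.7 dst=10.30.0.9 dport=443 proto=tcp",      # allowed update proxy
    "src=10.20.0.12 dst=203.0.113.10 dport=445 proto=tcp",  # SMB out to the internet
    "src=198.51.100.4 dst=10.20.0.12 dport=445 proto=tcp",  # SMB in from the internet
    "src=10.20.0.3 dst=10.20.0.4 dport=445 proto=tcp",      # lateral SMB inside the segment
    "src=10.20.0.7 dst=203.0.113.80 dport=80 proto=tcp",    # plain web egress, not allowed
    "src=10.20.0.7 dst=10.30.0.5 dport=22 proto=tcp",       # internal but not on allowlist
    "src=10.40.0.1 dst=10.40.0.2 dport=445 proto=tcp",      # other segment, out of scope
]
```

Feed it the boundary firewall's new-connection log instead of `SAMPLE_LOG`; stateful reply traffic is assumed to be excluded before it reaches `audit`.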

  12. Doctor Syntax

    I've spent more time than I'd have liked hanging about NHS outpatient waiting rooms over the last few days. Having nothing better to do (I wasn't the one being treated, just to lay your concerns at rest) I wandered up to look at some of the large message boards scattered lavishly around the hospitals of this particular trust. The applications being run are: a digital clock in the top left hand corner, the trust's name and NHS logo in the top right, a rolling display about booking in and waiting for your turn to be announced across the bottom, a list of who's been called recently in the centre overlaid as required by a large pop-up making a new announcement. It's not exactly a taxing job.

    Out of the five I had the opportunity to observe, three had small alerts announcing that they couldn't find their network drives, click here to fix that. Of these three, two were displaying the top of a menu bar at the bottom of the screen, identifiable as some sort of Windows by the top of an IE logo being visible. A fourth display for some reason had the mouse pointer visible in the middle of the screen. The fifth had problems all of its own. The digital clock took a second or two to refresh the figures each minute, the refresh was a variable number of seconds later than its neighbour and the alerts were also a bit later. It looked as if it had something chewing up CPU cycles. Bitcoin mining?

    So the trust, which is, BTW, in dire financial straits having been sunk by a large PFIed new build some years ago, has spent the price of a Windows licence on these and the many other similar displays across multiple outpatient clinics across two hospitals. And running Windows means that they also have some sort of Intel or AMD board bolted on behind them. Even a Mk 1 Pi would scarcely be stretched to do this task at a fair saving on both H/W and S/W.

    1. Mark 65

      Goddammit stop being pragmatic, it is the entire antithesis of health/tax funded purchasing.

      To be fair, if the NHS isn't on a sweet volume licensing deal then someone should be taken out and shot. In aggregate they have massive purchasing power, more so if tagged onto the rest of the Government (education etc).
