25% of NHS trusts have zilch, zip, zero staff who are versed in security

A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people. On average, trusts employ …

  1. MooseMonkey

    How easy is it to hack a fax machine anyway?

    1. WolfFan Silver badge

      You don’t hack a fax, you perform a DDOS attack. Send it lots and lots and lots of spam faxes, run them out of paper and ink/toner/whatever.

    2. Andrew Commons

      How easy is it to hack a fax machine anyway?

      Not that hard apparently. There was a lot of press about it in August of this year. A lot of them come bundled with MultiFunction Devices and you have to tweak a few configuration options to stop them being used as a path into the internal network. This has been the case for quite a few years now.

    3. Anonymous Coward
      Anonymous Coward

      "How easy is it to hack a fax machine anyway?"

      Spoofing sender or receiver identity is trivial. Getting a fax to send to the wrong destination requires a bit more effort and some knowledge of the PSTN but overall, it is not that difficult.

  2. WolfFan Silver badge
    Pirate

    Pay?

    What’s the pay like? As long as the location isn’t somewhere like Hull or Slough, if the pay is acceptable I’d take the job. I suspect that the pay will be... suspect... unless the powers-that-be get appropriate reminders.

    Pirate icon ‘cause, why not? Hoist high the Jolly Roger! Avast ye scurvy NHS swabs, and prepare ye to be boarded!

    1. Anonymous Coward
      Anonymous Coward

      Re: Pay?

      As long as the location isn’t somewhere like Hull or Slough, if the pay is acceptable I’d take the job

      Look what happened at Equifax: a mid-level IT staffer was blamed for not patching and got the boot. That person will struggle to find gainful employment in ITSec. Who round here believes that a single IT pro was responsible for Equifax's comprehensive disaster?

      Likewise the NHS. You'd have complexity, resistance to change, unsupportive and incompetent senior management, stuff all resources, and plenty of responsibility with zero power to take the necessary decisions.

      Would you really take the job?

    2. Anonymous Coward
      Anonymous Coward

      Re: Pay?

      No, it would be a horrific job. You would try to do anything like say block USB thumb drives with a group policy, then get a massive bollocking from a surgeon who had “always done that” and eventually figure it wasn’t worth even bothering. It will only change when it’s mandated from the very top and people who refuse to comply start getting sacked.

      1. herman

        Re: Pay?

        Systems should not be vulnerable to USB attacks. Blocking the use of USB media is a case of blaming the user for your own failures. Fix the system so that USB media works and is safe to use.

        1. Anonymous Coward
          Anonymous Coward

          Re: Pay?

          I guess you don’t know much about USB. Any device can claim to be a keyboard and insert keystrokes for example. It’s not just about boobytrapped files anymore. There is no safe way to allow arbitrary USB devices to connect.
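
The "any device can claim to be a keyboard" point above is why blocking removable storage alone is not enough. As an added illustration (not from the thread, and not anything the NHS runs), this is what a device allow-list looks like in USBGuard's rules.conf on Linux: rules are matched top to bottom, a device is permitted only if it presents exactly the interfaces you expect, and a composite device that bundles a hidden HID keyboard with a storage function is rejected. The vendor:product IDs and serial below are stand-ins, not real inventory.

```text
# /etc/usbguard/rules.conf  (added example; IDs and serial are made up)
# First matching rule wins; anything that matches nothing falls through to "block".

# The known keyboard and mouse, as captured by `usbguard generate-policy`
# while they were attached. Class 03 = HID; 03:01:01 is a boot-protocol keyboard.
allow id 046d:c31c with-interface equals { 03:01:01 03:00:00 }
allow id 046d:c077 with-interface equals { 03:01:02 }

# One specific approved flash drive: vendor:product, serial, and it must expose
# a Mass Storage (class 08) interface and nothing else.
allow id 0781:5583 serial "4C530001234567890123" with-interface equals { 08:06:50 }

# Any other stick is fine only if storage is the ONLY thing it presents.
allow with-interface equals { 08:*:* }

# A "storage" device that also enumerates a HID interface is a BadUSB-style
# composite device: reject it outright rather than merely blocking it.
reject with-interface all-of { 03:*:* 08:*:* }

# Everything else (new keyboards, network adapters, serial dongles...) stays
# blocked until someone adds an explicit allow rule.
block
```

The usual bootstrap is `usbguard generate-policy > /etc/usbguard/rules.conf` with the legitimate peripherals plugged in, then `systemctl enable --now usbguard`; `PresentDevicePolicy` in usbguard-daemon.conf controls what happens to devices already attached when the daemon starts. Two caveats a practitioner should keep in mind: an allow-list keyed on vendor:product and serial does not help if a trusted device's firmware is reflashed in place, and on Windows the closest equivalent is not the removable-storage Group Policy the commenter mentioned but the Device Installation Restrictions policies, which can deny whole device setup classes including HID.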

  3. Anonymous Coward
    Terminator

    Gosh, another bit of government-related IT waiting for disaster to hit it

    If I was a betting person I'd be laying bets that there will be a really big breach within the next five years in some govt-related area ('really big' meaning hundreds to thousands of deaths).

    1. WolfFan Silver badge

      Re: Gosh, another bit of government-related IT waiting for disaster to hit it

      You’re an optimist. I give ‘em a year.

  4. Anonymous Coward
    Anonymous Coward

    The pay's shit and you're a "middle manager", eternally demonised by the tabloid press, so you're at eternal risk of being sacked.

    Are we surprised?

    1. Insert sadsack pun here

      Daily Mail: "NHS hires more 'MANAGERS' while waiting times INCREASE - and YOU'RE paying for it!"

      Also the Daily Mail: "why did RUSSIAN HACKERS have copies of my CANCER DIAGNOSIS?"

  5. The Nazz

    Hacking made easier.

    Hacker 1 : We should maybe target the NHS, plenty of private details in there.

    Hacker 2 : Hell yeah, why don't we send them a FoI request and see which ones may have poor security.

    Hacker 1 : Good Idea. Hey there's a few here who don't employ anyone or even bother to spend money on IT security. Let's target them first.

    Hacker 2 : Yeah, we'll do it Friday afternoon when no-ones about.

    1. sanmigueelbeer
      Happy

      Re: Hacking made easier.

      Hacker 2 : Yeah, we'll do it Friday afternoon when no-ones about.

      Between the dates of 22 to 24 December 2018 (and a follow-up attack from 30 December 2018 to 01 January 2019) is the best time to launch an attack. The effects would be astounding.

      NHS may not have enough staff trained in IT Security, but what if there are no staff with IT Security knowledge on-shift, on-duty or even rostered during this period and then a hack happened?

      WannaCry(pt) and (not)Petya attacks all happened on a late Friday afternoon. Imagine what would happen if a successful attack happened on the dates mentioned above.

  6. Will Godfrey Silver badge
    Unhappy

    I wish this was a unique situation

    Sadly, at the moment I can't think of a single organisation that has anything like in-house IT security-aware staff.

    1. sanmigueelbeer
      Trollface

      Re: I wish this was a unique situation

      Sadly, at the moment I can't think of a single organisation that has anything like in-house IT security-aware staff.

      Don't worry. That is why they have this role/job outsourced to the likes of Capita or IBM.

      Where is me coat again?

    2. Anonymous Coward
      Anonymous Coward

      Re: I wish this was a unique situation

      Places I've worked have had security-aware IT staff ... however, they were also full of the sort of "I'm a software engineer so I know what I'm doing" sort of employees whose reaction to receiving a phishing email is to see what's inside the attachment and then forward it to everyone in the organisation with a "look how clever I am" message explaining that if anyone sees the same attachment (that's now been sent to everyone) then they shouldn't open it because it contains <list of attacks>.

    3. Anonymous Coward
      Anonymous Coward

      Re: I wish this was a unique situation

      Some banks are at least trying. The terror is that IT infrastructure which has 'national security' written all over it is far, far less well protected than banks. We're just fucked in so many ways.

      1. Doctor Syntax Silver badge

        Re: I wish this was a unique situation

        "Some banks are at least trying."

        Most banks are very trying.

    4. CrazyOldCatMan Silver badge

      Re: I wish this was a unique situation

      in-house IT security-aware

      And let's also say it here - just because someone has a "security qualification" doesn't mean that they are any good at actually doing IT security - it just means they have a qualification..

      Much like the much-despised MCSE[1] - all it proves is that someone has regurgitated their crammed training during an exam.

      [1] Must Call Someone Experienced..

  7. Pen-y-gors

    Security costs

    We all know that security costs, as do so many things.

    For an under-funded trust, when the choice is between spending cash on security training and staff to avoid a (future) data breach, and spending cash on staff who can stop people dying tomorrow, it's an easy choice.

    Same as any choice - Universal Credit late? Benefits stopped for no good reason? Limited cash? You buy food to stop starving today, and try to forget the risk of being evicted in a few months for not paying your rent.

    Immediate needs outweigh future ones.

    Only answer is more real money for the NHS. If we want it, it has to be paid for.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security costs

      "Only answer is more real money for the NHS."?

      I would look to getting rid of the management overhead first; there are still lots of people without medical qualification in the NHS taking home wages that the qualified are unlikely to ever see.

      You can't just throw money at the NHS you need to make certain the money goes where it should and that means getting rid of the leeches first.

      The whole "running state welfare as a business" was a failed idea in the first place. There has never been any evidence that business practices are cheaper or more effective for state services, and until the "business" people are out of the loop then any cash going to the NHS will again be diverted away from what should be the primary goal, i.e. healing the public. The best your "lob cash and hope for the best" is going to accomplish is slightly cheaper car parking whilst you wait in a queue that is just as long as it was before the cash injection and will only get longer whilst the money is going everywhere but where it is needed.

      1. tfewster
        Facepalm

        Re: Security costs

        > "I would look to getting rid of the management overhead first, there are still lots of people without medical qualification in the NHS taking home wages that the qualified are unlikely to ever see."

        When I worked for the NHS in the 80s as an IT specialist, my salary (low for IT but high for the NHS) put me into a management grade. As such, I was contracted to "work the hours necessary to perform my duties", i.e. long hours and no paid overtime. I regularly made the comment to medical staff that I was an "administrative overhead"; They were polite or smart enough to recognise that my IT skills were valuable.

        I understand what you mean about administrative waste, but most of the administrators are desperately trying to make sure money is spent well. The Government has the same underlying goal, though frequent changes in policy inevitably mean more short-term waste. It's not a simple subject, but it's highly visible.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security costs

          "I understand what you mean about administrative waste, but most of the administrators are desperately trying to make sure money is spent well."

          For many years, I lived around the corner from a senior administrator at a large hospital. We shared a common interest in electronics and tech. He used to go into work 2 - 3 days a week and spent much of his time at home. When they had additional funding from government, he and his colleagues would ensure they each had a pay rise, hired a few more administrative staff in their offices and left relatively little to be passed onto the "front line".

        2. Doctor Syntax Silver badge

          Re: Security costs

          "most of the administrators are desperately trying to make sure money is spent well."

          Most but maybe not all. There are occasional reports in the local press of the not-for-profit business (maybe owned by the local trust but I can't remember the details) or the people it employs to do the work, district nurses etc., having pay squeezed. There are also reports of large pay increases for the top management. Not for profit? Oh yes?

    2. Anonymous Coward
      Anonymous Coward

      Re: Security costs

      But that clearly isn’t true. The NHS is happy to drop a billion here and a billion there with companies like Accidenture and Crapita and get nothing for it, then do it again next year and the next. They have the money.

    3. JohnG

      Re: Security costs

      "For an under-funded trust, when the choice is between spending cash on security training and staff to avoid a (future) data breach, an on spending cash on staff who can stop people dying tomorrow, it's and easy choice."

      The first question they should address is why a bed in an NHS hospital is apparently 4 - 5 times more expensive than for a private patient in a similar German hospital. Similarly, the costs quoted by NHS trusts for various procedures are dramatically more than in Germany. German staff are no less qualified than their British counterparts and earn similar salaries. Equipment costs are the same. Why is there such a large discrepancy?

      The second question should be: why the hell don't they send more NHS patients for treatment in Germany, both to save money and to reduce waiting times/strain on resources?

  8. Anonymous Coward
    Anonymous Coward

    It's okay computer secure themselves

    The real question is why companies and agencies are allowed to even use computers if they have no competent IT staff?

    Oh, computers are just another tool? Well, that doesn't work too well for Health and Safety and it shouldn't for IT.

    If company security fails were seen in the same light as H&S fails then you can bet that the insurance companies would push for greater diligence.

    Personally I think it should always have been a state requirement of any company storing personal data to insure against IT incompetence, along with a fast-track court process for claiming in order to get their lives back. Then the offending company can't just go bust and start a new company when they fkup; the next wouldn't get insured as the directors would still be linked to the payouts from the last company.

    I am all for limited company protection but since directors are not required to prove competence then this would have dealt with most of the IT security issues over the last 40 years.

    1. Doctor Syntax Silver badge

      Re: It's okay computer secure themselves

      "If company security fails were seen in the same light as H&S fails then you can bet that the insurance companies would push for greater diligence."

      You're right, of course, but I'm not sure this applies to the NHS. Back in my Civil Service days the policy was to "self-insure". That meant that when the lab burned down HMG paid for rebuilding. If the NHS works in this way then that pressure is absent. But I'd like to think the insurance companies would push other businesses a lot harder.

      1. Fishwife0001
        FAIL

        Re: It's okay computer secure themselves

        "HMG paid for rebuilding. If the NHS works in this way then that pressure is absent."

        Self-insure is at the heart of dealing with all the NHS failures that attract litigation. Hence the NHS culture of never accepting blame. I've been retired for a few years but in my experience, hospital management is not afraid to intimidate claimants with statements inferring that their action will impinge negatively on cancer care, children's treatment and anything else they can think of to frighten people. Cyber security is a very low level priority. Computers are a tool, just a tool, nothing untoward is going to happen. Consider the IT department wanting to make serious inroads into their security. The hospital management has just changed the level of cleaning in the A&E from 24/7 to 3 hours daily. IT wants more money. Lol.

  9. Nick Kew

    It seems to me the question asked doesn't really tell us anything. An organisation might say "none" because it doesn't separate out a specific security role. Maybe it's outsourced, along with other IT functions? And security expertise isn't necessarily associated with box-ticking training and qualifications.

    Not that I'm suggesting they're on top of it. That would indeed seem far-fetched.

    1. phuzz Silver badge
      Stop

      It's worse than that: they were being asked by a security firm (i.e. this was a PR exercise) if they had any staff who'd had 'security training'.

      So apart from the fact that this is only being reported on because a company's marketing department saw a good way to get attention, it also begs the question, exactly what kind of 'security training' would be useful? All the people I'd trust to secure a system have exactly zero formal training. From my own experience of IT training, although I did learn stuff, the actual certification just showed that you could complete an exam, not that you had any aptitude for the subject.

      So, perhaps the NHS has no competent security staff, or perhaps it has lots who've never had the budget to be sent on an overpriced training course just so they can put a line on their CV saying "security trained". This PR piece doesn't really give us the information to decide.

  10. Destroy All Monsters Silver badge
    Black Helicopters

    But we know the whereabouts of RT staff and all expat RUSSIANS

    So there is no need for alarm about any potential security incidents.

    That cat is in the bag and stays there.

  11. Mike 137 Silver badge

    "no staff with security qualifications ..."

    If that really means no staff with security expertise, then I'm genuinely worried, but in my experience security qualifications do not necessarily equate to security expertise. Practically all "security qualifications" I have investigated in detail consist of cramming sessions followed by multiple choice tests.

    This has become the norm, presumably because it's cheap to deliver, and pitifully low expectations of "expertise" have resulted. As the author of a course that includes a variety of exam questions, I was saddened recently by feedback from a testing centre that candidates struggle with short answer and essay questions despite scoring highly in multiple choice.

    In the real world we need rather a different kind of expertise - to be able first to work out what the question is and then to come up with an appropriate solution without prompting, and to do both reliably under pressure in emergency. The multiple choice "exam" tests the exact opposite - merely the ability to recognise on demand some pre-defined statement you were told no more than a week ago.

    This simulacrum of training and expertise is not restricted to infosec - it has infected the whole domain of risk and compliance. You can, for example, become a "certified EU GDPR practitioner" in five days including 2.5 hours of multiple choice testing, thereby, according to at least one training company, becoming equipped to serve as a corporate Data Protection Officer with the authority to render your employer liable to multi-million euro fines.

    So let's please have more people with expertise, but let's stop selecting them on the basis of bogus qualifications that signify nothing of value.

    1. NeilPost Silver badge

      Re: "no staff with security qualifications ..."

      No qualifications does not mean no-one is doing anything. There will be lots going on from chaotic, to unstructured, to waste of time to great.

      Anyone on here a ‘qualified’ parent???

      ... best call social services in if not :-)

    2. CrazyOldCatMan Silver badge

      Re: "no staff with security qualifications ..."

      So let's please have more people with expertise, but let's stop selecting them on the basis of bogus qualifications that signify nothing of value.

      [Wild applause].

      Sadly, in order to make the case for someone to be employed or promoted, HR departments mostly want to go for the safe option and that's to require them to have qualifications of some sort. It's very rare that an IT-person-with-a-clue is allowed to both write the job spec *and* be part of the interview process.

  12. Doctor Syntax Silver badge

    It would be interesting to see how these results divide between those who were hit with WannaCry and those who dodged the bullet.

  13. Anonymous Coward
    Anonymous Coward

    So why is the situation still so bad 18 months on?

    There is always the good reason and the real reason.

    Maybe the latter is to start a false flag.
