Computer systems at three London hospitals are almost back to normal two weeks after a computer virus forced staff to shut down its network. Computers at St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green were taken offline on Tuesday 18 November following infection …
What was the cost?
So: are we going to be told how much this cost to clear up? Why do people still use MS s/ware in mission critical situations?
I think that we need to be grateful that no one died through the use of inadequate s/ware.
Windows to infection
What the hell is an important system like that doing with Microsoft-ware on it in the first place? Unimportant sites such as the Job Centres are failing every week. It is expected. It makes us losers that can't get work feel part of the community.
And may we take it as read that had the NHS been specifically targeted, the condition would still be chaotic in several months time?
NRSA (No Reliable Systems Advice) anyone?
"An investigation into how the computer system became infected is ongoing"
They used Windows. Investigation over.
When do they convert to Linux then?
How much time / money / any other relevant resources could NHS save just by switching to Linux?
Of course minus the expected flip-ups during the conversion time...
As I remember clearly I haven't had a problem with virus / trojans / spyware since early 1995 when I changed my desktop to Linux.
On top of it since that time I also spent my money only on the hardware.
Since when do you have to pay for the Operating System? You get a computer in the store without the OS and it is just a piece of expensive junk.
I'll go a bit hardcore... how many people have died because there were not enough specialists / cleaners / hardware or drugs to go around and money was spent on rubbish software?
Is there a double meaning to a BSOD on the life support machine?
MyTob is soo 2005
Did they not deploy MS05-039 then??
An investigation into their patching policy and/or OS imaging/deployment would be on the top of my list!
Forget Linux (well, for the time being) what happened to basic security?
While I am of the opinion that they would be better off using Linux -- I still find it hard to believe that their IT department can't, or aren't allowed to, lock down their IT systems in any way. Group policy should simply not allow executing of Outlook attachments, never mind the fact that any executables should be blocked before they even hit the exchange servers. The other option, of course, is to have an up-to-date anti-malware system in place and keep it patched.
Who the hell is in charge of a system with that many holes? I take it the IT security teams and the like are all in the NHS because they were fired from private sector companies for incompetence.
It's a people problem
I've dealt with NHS staff (but don't work for them), both general users and their computing staff. Some of their computing staff should not be working in the field. The worst of them (a networking expert) didn't know about the basics (routing, NAT, firewalls), they all walk around with Windows laptops, most don't appear to have used anything else. As far as the general staff go the majority of them are computer illiterate, their use of computing equipment is also completely inappropriate, they spend their days surfing the web on machines that should have that capability.
Just my experience, can't speak for the whole of the NHS.
A security colander
I've no doubt they will get hit again, unless they implement some of the advice provided here.
Failing to apply security patches tells me that those responsible are bone idle as it's not exactly rocket science.
But as for actually allowing executable attachments through their mail server, well that's just blatant incompetence & those responsible should be held to account for the clean up.
As for the contractors that implemented such junk, they need a career change, these procedures are just basic common sense which they seem to be lacking in spades.
AV used (if any)?
Inquiring minds want to know which AV product the healthtards were using (if any), so that we can all have a jolly good snigger (what's the odds it's Symantec or McAfee?).
...I guess that should be bartards... :)
You are suggesting a system that is too complex for the NHS to use. No, I'm not one of these saying Linux is too hard for the average users, but it's obvious they can't even admin a Windows environment. It's clear they know nothing about security policies, group policies.
Multiple problems with NHS IT..
Check the staffing level of the places, compared to what would be expected in commerce. I think you'll find that many NHS IT departments are staffed at about 1/4 or less than the commercially expected minimums on the technical staff.
The perception in NHS management is that IT just happens by magic, and it's not difficult, so why get people to do nothing but switch machines off when they don't work and turn them back on again?
RE: A few items from Above
As someone who works in a Canadian Hospital IT department, I can confirm a few comments from above:
1. The staffing levels mentioned by Juillen are correct. For example, we have 7000 desktops + servers spread through 3 major locations and a further 20 minor locations, and we have only 3 full time network staff (covering internal network gear, as well as Firewalls/VPN etc). The only thing worse than our understaffing is the overstaffing of PMO at 2-3 PMO for each technical member.
2. Windows vs. Linux, most medical software is built on a Windows platform. Since most of the software has to undergo stringent testing at the government (or government agency level) the vendors select the most widely adopted option (i.e. Windows). Additionally any critical changes to the platform such as AV/Security patches updates require retesting so most vendors bypass this process. We cannot implement the fixes/updates or we take on the liability of the device. We are starting to undertake architecture that will isolate these devices, but see note 1 above for the related timelines...
Overall, I can sympathize with the issues experienced above, but I am sure that they will learn a fair amount from the error and will hopefully get the funding that is required to make the changes (or at least most of them).
Notwithstanding the above, healthcare is a great place to work, as there are many projects that you get to work on that greatly improve the care provided to patients, and this is just not something you can get at any work place.
The rumour going round the hospital is that someone decided not to renew the maintenance on the antivirus software.
A great saving! I'm sure.
Someone earlier mentioned group policies as a way to improve security...
Group policies are fundamentally flawed in their implementation...
Let's bring up the example of the policy which is supposed to prevent you from opening a command prompt.
So you run cmd.exe, and it pops up a message saying you're not allowed to do that...
Now in any sensible implementation, it would be the OS which is doing that... But that's simply not the case.
The cmd.exe program itself executes, and within the program itself checks for the presence of a registry key forbidding cmd.exe use, if it finds it then it displays the message and exits. So the OS does nothing to stop you executing the program, the program does its own check.
So what if you run a different command interpreter, say command.com? Yes, that still works, since they didn't implement the same check into command.com.
And if you have the ability to introduce your own binaries, which you almost certainly do, then you can simply execute a modified cmd.exe that has the check removed (very simple with a hex editor, just change the registry key it looks for so it won't be found).
Also, cmd.exe will still let you execute batch files regardless...
And then there's regedit/regedt that will exit, but reg.exe from the command line will still work, and you could just supply your own regedit.
Same with restrictions on browsing drives, supply your own apps and they bypass the half assed restrictions.
And when it comes to users supplying their own binaries, on a Unix machine you would mount all the areas a user could potentially write to (including removable media) with the noexec flag, Windows has no equivalent of this and you need to implement third party binary whitelisting...
Now specifically to the Mytob worm, this spreads by exploiting the LSASS vulnerability I believe, and the systems were clearly not patched against it. Surely it would have been more sensible, on workstations at the very least, to disable any listening network services... There really is no need for these services to be available to the network, and if you turn them all off even an un-patched machine won't become infected.
Of course the stupid thing is that such complex bloated services ship enabled by default on a workstation OS.
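Added example, not part of the comment above or of any poster's words: a Python audit of the noexec hardening the comment describes for Unix hosts. It parses /proc/mounts-format text and reports every user-writable location whose governing mount lacks `noexec`. The sample mount table and the `USER_WRITABLE` path list are constructed assumptions to adjust per host.

```python
from pathlib import PurePosixPath

# Assumed user-writable locations, including removable-media mount roots.
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/dev/shm", "/media", "/run/media")

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    rows = (line.split() for line in text.splitlines())
    return [{"mountpoint": unescape(r[1]), "options": set(r[3].split(","))}
            for r in rows if len(r) >= 4]

def under(path, prefix):
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents

def covering_mount(path, mounts):
    # The mount governing a path is the longest mountpoint that contains it.
    hits = [m for m in mounts if under(path, m["mountpoint"])]
    return max(hits, key=lambda m: len(m["mountpoint"]), default=None)

def audit(text, writable=USER_WRITABLE):
    """Return sorted (location, governing mountpoint) pairs that allow exec."""
    mounts = parse_mounts(text)
    findings = set()
    for prefix in writable:  # the writable directory itself
        m = covering_mount(prefix, mounts)
        if m and "noexec" not in m["options"]:
            findings.add((prefix, m["mountpoint"]))
    for m in mounts:  # filesystems mounted beneath it, e.g. USB sticks
        if any(under(m["mountpoint"], w) for w in writable) and "noexec" not in m["options"]:
            findings.add((m["mountpoint"], m["mountpoint"]))
    return sorted(findings)

if __name__ == "__main__":
    for location, mountpoint in audit(SAMPLE_MOUNTS):
        print(f"exec allowed: {location} (governed by mount {mountpoint})")
```

On a live host, pass the contents of `/proc/mounts` to `audit()` in place of the sample.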
Windows ME anyone?
Yep I have seen a computer, recently as well running Windows ME.....
Feel safe now.....
Paris because even she knows better