A worm attack that forced three London hospitals to shut down their computer networks late last year was entirely avoidable and represented a major failing by the organizations' IT staff, according to an independent review of the incident. In mid-November, the Mytob worm wiggled its way into 4,700 PCs used by St Bartholomew's ( …
Buncefield data knackery
A while ago I was trying to get details out of a hospital over the phone I was told to call back later because all their systems were down, this being down to their prime data storage centre being very near buncefield. When that popped the data centre had to be shut down for a while.
If they were telling the truth then they had no failover site, for that hospital and, I was led to understand, a number of others.
And that thing about disabling updates & win rebooting during surgery. Someone needs to be shot.
Why haven't those upon whose desks the buck stops been fired for cause?
[I know the reason: in modern life, once you are a management drone, you are golden, you are untouchable, and you will never be held to account for failing to do your job. It would be convenient to blame NuLabour, but this malaise extends far beyond Britain.]
How to avoid malware
Talk about a complicated and roundabout way of doing something essentially simple.
Throw away all those 11 recommendations.
Simply install Linux as your operating system.
Ubuntu is free and very easy to install and get going.
If you can burn a CD, you can install Ubuntu.
By its design Ubuntu is safe and uninfectable. The last Linux malware of significance was in 1995.
Firstly, for the most part your Linux machine is invisible to the net, for all ports are closed by default.
Secondly, the Linux model cannot be infected, because no malware can gain administrator privileges.
Ubuntu systems are patched regularly with updates (not just security patches) and that happens in the background.
You very rarely have to reboot your machine.
I am utterly surprised that the medical industry is unaware of the advantages of Linux, and wastes money on buying licences for bad and buggy Windows software.
I'd willing come and demonstarte (for free) ubuntu software at any of your infected hospitals in London. Contact me at CBNorrie AT hotmail DOT com
"Simply install Linux as your operating system."
You forgot step 2:
"Then, simply get all of the specialist software you use re-written for the new OS."
What makes you think the idiots that left the gaping holes would be competent at deploying and securing any OS?
Are you looking for work as you sound desperate?
Reboot during surgery....
"The mass infiltration was allowed to take hold after administrators disabled Windows security updates, which were blamed for causing computers to reboot during surgery."
Oh I love it! I've been tormented by this so many times. My Windows systems can't go more than a few days without a reboot. I've turned automatic updates off so at least I can control when it happens. Not during surgery, for sure.
Always look at the bright side...
For once, a hospital-incubated infection to which patients and staff are immune.
Ubuntu and what?
Ubuntu is an operating system, with a few general purpose programs thrown in. It isn't a suite of bespoke medical record management software. Installing it in all hospital computers will result in them becoming unusable, because they won't be able to run the packages the hospital is using.
That's the same problem I have with the various Linux offerings. They won't run my online poker client. I don't know any poker site that offers a Linux client, and if they did, would it work on Ubuntu, Red Hat, AND Suze? I have dozens of programs that I can't run on Ubuntu. I have a machine set up with it, but I seldom turn it on.
You might as well say that hospitals should run on Macs. Probably dodge the malware just as well, but they still couldn't use their computers for the programs they want to run.
Opensolaris and zfs
Actually an even better option is Opensolaris with the zfs filesystem. This comes with encryption built in along with data integrity checking with every single read and write and automatic repair from multiple parallel data pools if there is a problem. All the user notices is that it keeps working. Isn't that what we should be using in the NHS? But I think the Windows platform was chosen because Mr Blair thought that Mr Gates was the Ultimate in the technology stakes and the NHS now operates in a parallel Universe where Open source software doesn't exist.
Don't forget the current policy has made several organisations very wealthy.
@How to Avoid malware
CBNorrie AT hotmail DOT com
--> hotmail <--
WOW, just WOW...
Well just shows that the civil service has a no termination policy with unsuitable/incompetent staff... which means that your stuck with all the chaff and the system will never ever get better!!!
Cue pouring more money into a system full of wasters (at all levels) which brings down all the good work done by the competent people!!!
General and @Eirronbc
"Additional training to specific staff groups
Command and control arrangements
Administration and documentation within the control room
Categorized identification of Trust priority areas
Register of staff skills that can aid Trust response "
WTF? Surely you fire the people in charge of managing the AV and patching (unless management told them too do it!) and put safe guards in place to prevent it from happening again...?
I know from the fact that you call Ubuntu "uninfectable" that you cannot possibly work in any sort of senior or responsible IT security position, but I'll try to explain anyway:
Not the people, but managing 1000's of machines on a daily basis. Last time I tried Ubuntu I discovered that there were more updates pending than on my Vista boxes...!!!
Ubuntu is expensive. Look into training, testing, support, management etc.
All ports are closed by default. On Vista no malware can gain admin rights either. Updates happen in the background. You rarely need to reboot a Windows server or XP/Vista desktop.
Listen penguin fans - Linux rocks. It's a great platform and I actually enjoy playing with it more than my Windows boxes. However the reason the vast majority of enterprises run Windows as their core platform is simple.... it's easy to manage and there's a shit load of support and applications for it.
It's that simple.
Since XP SP2 it hasn't been insecure out of the box. It automatically updates, it has a firewall and you shouldn't need any vists to the desktop for support. Yeah, it costs. But it's also easy to work with and the admins are cheap. Management is a piece of cake and you KNOW there's an application - with support 24/7 - for nearly any application you need.
Now please CBNorrie@hotmail.com (using a MS account?! [gasps]), get a grip a try to live a little in the grown up business world for a few minutes.
NHS - the real problem
'Computer viruses' will give them another excellent thing to count in the NHS and the joyful challenge of counting them differently year on year to give the impression of progress.
Nu Labour have the previous Tory [mal]administrations beaten hands down on this (see also any other Public Service).
Your houses are made of matchwood and on fire. Do you
1. Put the fires out?
2. Build houses out of something other than matchwood?
3. Set a target to reduce their internal temperatures to 500 degrees C within the next ten years and install air conditioning whose cost excedes the combined value of options 1 and 2?
Paris - because unlike every Health Minister for the last 30 years - she wouldn't pick 3.
Trust me I'm a doctor :-)
to the Linux Zelots
This was not cause by buggy software but by an idiots in management . Look at it this ways. If an Idiot keeps on crashing his car and getting hurt do to him watching TV, the solution is not make the car safer , or design it sop he can watch TV and drive. The solution is you take the idiot out of the drivers seat..
Not computer viruses ;)
No two ways about it.
A static system, doing the exact same job day-in, day-out, should never need security settings changed or patches applied. Windows is clearly not the right OS for the job and if their software won't run on it, what do you want to bet that someone would jump at the chance to write the software needed to keep a frikkin hospital running?
It was not caused by any management or IT person there through their actions or inactions, there should be no need to babysit the OS, except of course they picked the wrong one.
IT starts with a solid foundation, not with a bunch of guys holding tools trying to prop up something that keeps falling down regardless of whether we'd like to blame malware authors as they aren't anything new in this world.
The London Chest Hospital
I'll bet they really feel like boobs now!
Please enlighten us as to which 'perfect' OS you run that never needs bug fixes or security flaws patching. I'm sure we'd all be installing it by the end of the day.
My Linux boxes need updating at least as many times a month as my Windows boxes and often need rebooting because of it, so *please* don't say Linux or you'll lose any shred of credibility you have left.
Back in real life, where people actually need to be able to access resources across networks, send and receive email and generally use the computer on their desk, computer programs have nasty little things that we in the trade like to refer to as 'bugs' which, you may be shocked to learn, need 'patching' or bug fixing when they are discovered.
The worm problem was caused by idiotic management of the resources at hand, if the prats learned how to use the available update services properly then it wouldn't have happened.
Paris, because she lives in lala land with JC.
Replies (mostly anonyymous)to my suggestion of using Linux
I am sure that any decent records keeping software will have been ported to Linux OSes. After all many countries insist their standard Health Ministry software runs on Linux - like the French
If there's a problem you could always run it under Wine
I use hotmail because I have been using it before Gates got his hands on it! I don't see why I should change, if it suits me!
There is any amount of free software 17000 packages that you can use. If you are perverse enough to have a system you claim only works with Windows, you have suffered from Vendor lock-in, and you have only yourself to blame.
Charles Norrie CBNorrie At hotmail DOT com
I hope the gent who wants to play poker on his machine wasn't playing it at work.
If you notice there may be a lot of Ubuntu updates, but Linux systems are updated automatically. In other words when there are improvements to be made they fixed. Unlike Windows when we have to hang around until Gates can be bothered to sent out at SP2, which will take hours to install.
Repairing standard OSes is no work for a main.
And I've been using Computers for 40 years. It took over 20 steps to boot a Ferranti Argus 400!
Not about windows or linux
Its about a lack of understanding somewhere in IT about what can happen if you don't follow AV and patching procedures.
When a hardware firewall failed on one of my contracts, the client demanded that we expose a windows server to the web directly. Ok this was some time ago and i left the company in refusal to do it, but i was reliably informed it was infected / compromised within minutes.
Windows can be made fairly secure and with some effort Linux can be made fairly insecure, but us IT folk have a responsibility to know what the risks are and how to avoid them. We can't expect management monkeys to know if we dont tell 'em.
What on earth?
"Mytob, which also goes under the name MyDoom, was introduced "accidentally" into the network with "no malicious intent," the report concluded without providing details."
Paris Whitney Hilton as even she knows not to bring a virus anywhere near a production ICT system let alone something like a hospitals network.
RE: @ Eirronbc
AC wrote: "Then, simply get all of the specialist software you use re-written for the new OS."
Or, um, just get the database front end rewritten in something other than Visual Studio. That's not hard to arrange. Re-write it in something portable (like Java, say) and you're sorted.
The real problem with the NHS is just general stupidity in certain levels of management, especially when it comes to technology.
My dad used to work for the NHS and he told me a lot of hilarious tales (or not so hilarious, depending on your point of view).
When my dad retired, they still had a DOS machine in his office so that he could run Wordstar. That's all it was used for. No-one had yet approved the purchase of Word or Office for his department (and this was in 2002/2003).
I've clocked the machine my local GP uses and it seems to be running Win3.1.
I'm betting that any software they have that currently only works on PCs will work fine in DOS or Win3.1 'cos that's what it will have been written to run on...
IT in the NHS..
Is not a "high profile" thing. It is underfunded, understaffed, and driven by a "who shouts the loudest" culture. If it's a toss up between doing vital infrastructure work, and making sure that an icon appears on a consultant doctor's desktop, it'll be the icon as the consultant will yell at the directorate that (s)he can't work without it being in exactly the right place. Directorate yell at IT management and threaten until it gets done.
It's not a good place to be if you value your sanity/a comfortable life.
Until you get the support (especially financial) and the head count of staff sufficient to do a task, then the task can't be done.
Try a team of 5 technical people running a site of 4000 PCs, approximately 100 servers (running Windows, Linux, Solaris, Novell, with a mix of vendor apps from a couple of hundred different vendors, and a variety of DB engines). That includes PC desktop support, logistics, security, server admin, network admin, remote access, mail, database, file, hardware, software, management and so on.
To everyone that says "Oh, just run Linux, it'll solve everything".. It can't. Most vendor software won't run on it, so it can't be used. And that needs to be maintained too..
Perhaps this is the same sysadmin as the one we had when configuring a "wiki" for part of the NHS. Initially we had to drive into london every time we made a config change. We asked for remote access and gave him software and ports and originating IP addresses.
His solution - move the machine physically outside the firewall! Yes - infected within minutes. A complete re-install required - and another week or so of our time lost.
IMHO NHS sysadmins are *very* good politicians - we did not specify we did not want the machine moved outside the firewall and that was the most cost effictive solution so NHS policy dictated that this is what he should do - and his head of IT backed his decision.
Sack the Infection Control manager ...
'nuff said ...
heh, two words.
I don't play poker at work. I don't do ANYTHING at work.
"Since XP SP2 it hasn't been insecure out of the box. It automatically updates, it has a firewall and you shouldn't need any vists to the desktop for support. Yeah, it costs. But it's also easy to work with and the admins are cheap. Management is a piece of cake and you KNOW there's an application - with support 24/7 - for nearly any application you need."
Two words: Ha ha.
Not that I'm advocating Linux on all NHS machines, or Windows on all NHS machines. I'm just laughing at the statement you made.
Paper based system
You might as well have a paper based system if you have LINUX. Most of the applications used in the hospitals do not run natively on LINUX and need windows.
I was surprised that their machines were running XP. Not far from there a local Primary Care Trust still uses Win NT/2000.
If the rumours circulating the hospital were true there's not much technology defence from administrators who decide not to pay the maintenance fees for the Anti-Virus. However if that was true I'm sure it would have been made public in the report.