back to article NHS hospitals struggle to hold back the malware tide

Malware infection problems at NHS hospitals are a more serious problem than isolated reports of infestation might suggest, according to an investigation by More4 News. Last November an infection by the MyTob worm created huge administrative headaches at three London hospitals - Barts, the Royal London and the London Chest …

COMMENTS

This topic is closed for new posts.
  1. dave lawless
    Boffin

    makes me so mad

    > A subsequent inquiry blamed a failure to follow basic information security procedures for the infection.

    Blame the poor sods who have to use the shitstorm because their higher-ups chose Windows.

    Imagine a world where the IT consultants blame each other instead of their hapless customers!

  2. Anonymous Coward
    Anonymous Coward

    dictaphone virus?

    ... really?

    ..was it like a virus on a tape like an old commodore 64 program?

  3. Pete 2 Silver badge

    Fifth column

    During the spanish civil war, an invading general had 4 columns of troops ready to take Madrid. He made a radio broadcast (designed to demoralise the inhabitants of that city) to say that he also had a fifth column inside the city, working to sabotage their defences and undermine their efforts.

    It seems to me that this is exactly what a large number of NHS employees are doing. This malware doesn't just magically appear on hospital computers - it gets put there, either through the stupidity and/or laziness of the computer users or by people circumventing security measures.

    Now, I know that the NHS is a big organisation, staffed mainly by low-level administrators and that very few of its employees ever do anything as mundane as looking after ill people, but isn't it about time they all had their internet connections cut off - permanently?

    Until someone can come up with a way to stop employees from working against their companies, just so they can spend their working days goofing around on Facebook and Twitter, I can't see many other alternatives. You never know, if they all got on with their work instead of playing on the internet all day we could probably sack half of them and still end up with a better service than we have now. So maybe wasting their days on pointless surfing is actually a job-preservation scheme. I blame t'management.

  4. john loader

    Malware infecting a dictaphone?

    Wow these bug writers are getting clever - must check my toaster is virus free

  5. Nomen Publicus
    IT Angle

    Simple Fix?

    Stop using x86 CPU based systems.

    While such a policy would not eliminate targetted attacks it would be 100% effective against the general noise on the internet and silly people trying to install random software.

    It would only cost a few billion to implement, hardly noticeable in the waterfall of money being wasted in current NHS IT projects...

  6. Ian Bradshaw
    IT Angle

    But ...

    what to do?

    It's not feasible to test every AV update that is sent out and not get out of date ... and prone to infection ... or leave auto-update on and have all your pcs felled when some vendor screws up.

    Damned if you do and damned if you dont.

  7. Fred 24

    Why are they still using Windoze?

    Yet another example of a failure of common sense!

    The NHS clearly need to source their advise from another vector, and since they cant defend windows, they need to move up to Linux, or any other non-microsoft OS!

    End of!

  8. Jacqui

    Pay peanuts get monkeys

    The NHS used to have some great IT staff. They worked directly for the NHS for quite low pay but loved the job. Then they were seconded to one of the outsourcers took even greater pay cuts, and had to cope with more paperwork and insane PHB.s Many quit for better paid jobs - such as street cleaning or even took jobs as porters in the same hospital!

    Only the PFY "monkeys" are left trying to manage computer systems they officially have no control over but have responsibility for. If they try and fix the problems they get fired, so infections are inevitable and the IT staff get the blame.

  9. Anonymous Coward
    FAIL

    Hidden cost of using Windows

    In all the speeches, fluff and stuff Ballmer and co makes about winders, do they also include the need for antivirus tools, downtime due to virus removal/reformatting/reinstalling and the such?

    And, in contrast to this, what is the figures for Linux?

    Fail - because Winders is.

  10. Anonymous Coward
    Anonymous Coward

    (title)

    And how many of these infections could of been avoided if IE6 had been replaced with IE8?

    Lowest bidder always wins as hidden costs like this surface later... and then they can charge extra for fixing.

  11. Anonymous Coward
    Grenade

    Prepare for the onslaught of the Linux crowd

    Grow up all of you! Stop whining and saing "oh its what they get for using windoze" or whatever. There are multiple reasons for them using Windows that i really cannot be assed to go into right now. I work for a company that works very closely with the NHS most of them are reasonably good and the trusts are all responsible for their own IT systems so anything that happens in these IT related is nothing to do with the NHS. As for Malware. 1 infected USB drive will cause untld havoc. It doesnt even have to be someone who works there either. A patient faking illness just pops it in lets the malware off and leaves! Simple! i'm not removing the burden from anyone here but it seems as always people are quick to flame!

  12. Peter 39

    havoc, eh?

    > As for Malware. 1 infected USB drive will cause untld havoc.

    As long as the PC is running Windows.

    It's about time NHS was honest about TCO rather than just looking at lowball initial-cost numbers.

  13. Julian 16

    And it's set to continue

    " The NHS used to have some great IT staff. They worked directly for the NHS for quite low pay but loved the job. Then they were seconded to one of the outsourcers took even greater pay cuts, and had to cope with more paperwork and insane PHB.s Many quit for better paid jobs - such as street cleaning or even took jobs as porters in the same hospital!

    Only the PFY "monkeys" are left trying to manage computer systems they officially have no control over but have responsibility for. If they try and fix the problems they get fired, so infections are inevitable and the IT staff get the blame.

    "

    Schools are next. Building schools for the future will bring the same standards to IT in schools and all because the country's run by gullible idiots who beleive everything their consultants tell them.

  14. frank ly

    @john loader re. Malware infecting a dictaphone

    "...- must check my toaster is virus free."

    My toaster refused to let me check it and insisted that I have a slice of toast, or alternative toasted bread product.

  15. Gav
    Linux

    Enough of the fanbois

    Do we have to get the delusional witterings of Linux fanbois on every story like this?

    If Linux was the dominant desktop OS do you honestly think that viruses would never, ever happen? In this parallel Linux universe there would still be millions of badly configured and badly maintained computers, controlled by generally clueless users, with similar coding errors being exploited. And fanbois would be still be online claiming that the solution is some other OS.

  16. Doug
    Jobs Horns

    insert bogus personal anecdote

    "Until someone can come up with a way to stop employees from working against their companies, just so they can spend their working days goofing around on Facebook and Twitter"

    You're kidding, since when were people allowed to twitter on NHS patent record systems. Any evidence to the contrary?

    " I work for a company that works very closely with the NHS .. A patient faking illness just pops it in lets the malware off " SNORT !!!

  17. Anonymous Coward
    Anonymous Coward

    The cause of the problem...

    ...I happen to know is (as ever - I seem to type this every two days) that some IT departments let users run as admins. Often this is because of brain dead software which only works this way; this can always be got round, but "Oh just make him a local administrator" is easier. Unfortunately some particularly security dense helpdesk people do this by adding the user to the Domain Admins group.

    I manage the AV for 3500 PCs. The ones for related organisations I don't have full control over are frequently infected by rogue software (seldom worse than adware, fortunately); the ones I took the admin rights off - never gets past the USB stick or the IE cache. I'm willing to bet every one of those trusts infected by Conficker has users run as admin, and that's also the only way a rogue USB stick can cause havoc beyond a single user account.

  18. Lan ser
    FAIL

    @AC 15:34

    Just kinda proved the Linux boys point, if it wasn't windows the a single USB drive still wouldnt infect the whole system.

    As for saying well we need this or that and it only runs on windows then pull your fingers out and port them to a real OS

  19. Anonymous Coward
    Linux

    Title.

    There are a huge amount of twits commenting on this with absolutely no knowledge of the NHS setup. The NHS does not mandate the use of IE6, the choice for its use is down to each trust (ie, county or major hospital.)

    Also, please quit using every single virus outbreak as justification to use linux. Yes, the security of a defualt windows install is rubbish. No, installing Linux is not the solution everywhere simply because the software doesn't exist to be able to do it. The NHS is a point in case, there is no possible way to use linux for the entire of the NHS simply because none of the required apps actually run on it.

    I've run linux myself, I don't really like Microsoft that much and I might use it in a business environment if it was a viable alternative. However, its not. By constantly blanket parroting "use linux" your doing real harm to the chance of linux ever getting ANYWHERE because when someone does suggest using it where it might work, we never manage to find out because people in IT have gotten so used to ignoring idiots sprouting "use linux!" that suggesting it is pointless because you get mentally lumped in the same boat as the idiots and ignored.

    If you would actually start only proposing it only where it can actually be used then you MIGHT just find that linux gets used a bit more. Until then, what your doing just makes professionals that have well reasoned arguments for using it looks like quacks and your helping microsoft far more than they could ever manage with SCO or patent lawsuits in a hundred years.

  20. Mr Blonde
    Happy

    Botnet === Windows

    Most of will solved by Chrome.

  21. Anonymous Coward
    Anonymous Coward

    Its not just the os

    Its also the system themselves, i am not sure of other hospitals but in my local one it has every peice of info, the IP, the login name along with the firewall ip just to name a few, all on the backroun, anyone who gets left alone for a few moments can make a note of this very quickly, using a camera phone or something similar, it seems the hospital is begging for trouble

  22. mark adrian bell
    FAIL

    @fifth_column

    I'm afraid that when you need information on your patient, and your antiquated computers are all busy churning through their daily virus scan with their obviously outdated AV program, you cancel the virus scan. If the scan was scheduled for 0300 instead of 1730, it wouldn't get canceled quite so often. It astonishes me that most employees don't know how to send an email attachment, but they all know how to use ebay of facebook. I'm terrified that anyone can plug a usb drive into any computer in any department and upload or download anything they want. It revolts me that anyone who knows my name can search my medical admission history, blood results, etc from any computer in the system. We have an application that delivers blood test results that is obviously unix based. Lightning fast and it never crashes. We have a new system for tracking patients across hospitals in the local area based on.... wait for it... microsoft access. (I don't work for the NHS, I work in Australia.)

  23. proto-robbie
    Pirate

    Lock-down required

    I work in a large organisation where the default Windows XT PC has no internet access, no user access to the C: drive, no ability to use USB drives and no ability to run unsanctioned executables. It works a treat, although the users moan, and there are work-arounds: ie several different versions of notepad.exe!

    So, why does the average NHS employee with a PC need to access the Internet or USB devices? Recent events have shown just how inadvisable it is to move sensitive data off-site or off a secure network, and I'd be surprised if even the doctors need much work access to the WWW.

  24. Anonymous Coward
    Paris Hilton

    It is sad

    Very,very sad.

  25. Gilbert Wham

    NHS IT

    I've worked in a few hospitals, most of which were primarily still running win2k. As for the rogue usb stick, you'd be lucky to find a usb *port*...

  26. Anonymous Coward
    Anonymous Coward

    So why do they have USB sticks?

    I'm tempted to ask why the computers even have USB ports!

    Every BIOS has the ability to turn the USB hubs off completely - PS/2 keyboards and mice work fine.

    Even assuming that they actually need USB for touchscreens or other hardware, it's very easy to disable USB portable drives.

    There's also no need whatsoever to have access to the Internet.

    And why do they have admin access? The NHS runs almost entirely bespoke software, yes? So make it part of the spec that it must not require admin rights.

    So where are these virii coming from? Ah yes, Idiot management.

  27. Anonymous Coward
    Anonymous Coward

    NHS IT is crazy

    In my experience sites either have good internal admin staff or they contract it out to people like Siemens and the contractors do the bare minimum possible.

    At one site they weren't even backing up their databases due to some disagreement over who's job it was!!!

  28. Anonymous Coward
    Boffin

    @proto-robbie

    A huge and increasing number of applications require internet access. For example, if the ambulance brings you in with poisoning, A&E will use a national system to look it up. As with everything, there are fax and telephone backups to it but clicking on a weblink and typing in a few words is fastest and the result is better than a hard to read fax and more accurate than someone reading to you over a crackly phone line.

    This has to be usable by whoever comes up to treat you. Or do you suggest we all log in with the same name/password?

    There will always be room for improvement but, although money is available for some things, past decisions and cost cuts mean that we are stuck with Windows, IE6 and software used by entire clinical departments that will only work if the user has local admin access.

  29. Anonymous Coward
    WTF?

    So who is to blame...

    Lets blame the users, no lets blame the IT personnel, no lets blame the management for choosing Windows, no lets .... ohh thats all that can be mustered on el reg these days...

    Why don't we have words with the authors of both software items, the OS and a little knee-capping for the virus authors?

  30. Alfazed
    Grenade

    smoke screens up

    Hi Linux users, I mean you too.

    Heads in sand the lot of you.

    It doesn't matter what the OS is if the bean counters won't pay for proper training or staffing levels.

    Now stop wailing and start the hangings !

    ALF

  31. Anonymous Coward
    Thumb Up

    Waiting time is now:

    [....ALL YOUR HEALTH ARE BELONG TO US........ALL YOUR H]

  32. Anonymous Coward
    Anonymous Coward

    @Lan Ser

    A USB stick can only affect the whole system *if the user is an administrator*, just as it could affect a whole linux system if the user had root. The problem is not Windows, it's crappy insecure implementations of it. The main difference is the amount of shitty software which assumes the user is an administrator. This is the vendors' fault, not Windows.

    Do not give users root. Do not make users administrators. Same in both.

  33. kain preacher

    @Lan ser

    As for saying well we need this or that and it only runs on windows then pull your fingers out and port them to a real OS

    Do you think that they write these programs them self ? How do you suggest they port a commercial app? Do think the companies are going to give them the source code?

  34. Mikel
    Stop

    Windows malware

    If only there were a way we could avoid Windows Malware, we could prevent it from causing these failures of these system critical to the protection of life and health.

    >Also, please quit using every single virus outbreak as justification to use linux.

    Why? Does that not neatly solve the problem of avoiding Windows Malware? The Windows environment does not provide some magical health industry benefit to be found nowhere else. It's a window into data and nothing more. There is nothing special about Windows that makes it better for this task. In fact, the existence of a thriving Windows Malware ecosystem as illustrated by the fine article prove it is unsuitable for the task. For all of that, a web front end is all you need for this class of applications. There's no excuse for making it more complicated than that. Outlook integration and Photoshop are NOT required to provide patient care.

  35. David 141
    WTF?

    History and Culture

    Firstly - many hospital systems (patient management etc) are ancient and brittle pieces of software, often designed decades ago, and unable to cope with ugraded and secure systems. They can't run on Linux, and often if you tried to run them without admin rights they would break. This means all the IT systems have to be windows, and all the systems have to be running with full admin rights. The systems can't be easily replaced because the critical data is stored in proprietory formats and can't be exported,

    Secondly, unlike most organisations, in a hospital there are several groups of users who wield far more clout than the most devious BOFH. When a surgeon says bend over, management bends over. Try telling a senior surgeon that they can't access the 'net, or USB drives for whatever the hell they feel like, and see how long you keep your career.

    Medicine has long been dominated by outdated practices and powerful vested interests, it shouldn't be a suprised that this affects IT systems too.

  36. Stuart Halliday
    Megaphone

    The IT staff should be sacked

    Why aren't they using transparent Proxy servers and having proper malware scanners on the Proxy scanning all downloaded files before giving them to the end-users?

    Or is that too simple?

  37. Anonymous Coward
    Headmaster

    USB sticks / RE: dictaphone virus, RE: Malware infecting a dictaphone

    humour aside, yes, it's possible if these dictaphones are USB flash drive memory based - they are therefore just like any other USB storage and can store any files, as well as the sound recordings.

  38. Anonymous Coward
    Anonymous Coward

    Out of interest

    How many ballpoint pens and jotter pads could you buy for £13 Bn,, including of course a discount for bulk buying.

  39. Pete 2 Silver badge

    @History and Culture

    Putting aside the out of date and obsolete systems (thet presumably somehow survived y2K) the issue about senior staff is easily solved - using BOFH "best practices".

    All senior staff are intensely vulnerable to attacks on their professionalism - especially when those attacks are made in public. So when they flounce around and *demand* unlimited web access, give it to them as part of an "enough rope" initiative. Then, provided they are good little boys and girls they keep it - that's fine: they're doing what they said they would. However, once they stray from the path - you've gottem. If their surfing history stars to fill up with dodgy stuff, simply bring them in for a quiet word. Let them know what you've got and make very sure they know they're being blackmailed and that their internet adventures will cease, forthwith. As President Johnson (LBJ) observed: When you've got them by the balls, their hearts and minds will follow".

    However, they're not the main problem. That's the armies of proles, who's jobs have neither tangible outputs nor measurable benefits. Those are the ones who cause the greatest harm, purely due to their huge numbers. Just like a single locust only eats a small amount, a swarm can devastate an entire crop. They're the 99% problem - fix that and the other 1% of unprofessional consultant prima-donnas becomes manageable.

  40. Anonymous Coward
    Anonymous Coward

    @Mikel

    Good grief man, have you ever actually seen a clinical system? Most of them are *not* web front ends, but Windows applications. They would, indeed, need to be ported to Linux and the companies which write them simply do not do this.

    There are other reasons that Windows systems are used. Where are the Linux equivalents of Active Directory, Group Policy, SMS (that's not text messaging, it's System Management Server). How would I push out OpenOffice to 2000 Linux desktops in a week? What tools exist for this? If they're there, tell me what they are. I get silence from the LInux community when I ask these sorts of questions.

    As for apps requiring admin rights, there are two lines of defence against this. The first is to run Process Explorer to find out what permissions and rights are actually required (i.e. look for the Access Denieds) and grant them to users on an "as needed" basis. The second line of defence is to use runas. No reason to let people run as admin routinely. The only thing you can't defend against is the director who knows a lot less than he thinks who insists on being an administrator. But do you think that in your Linux wonderland he wouldn't insist on knowing the root password, and on being allowed to run as root all the time?

  41. Nick Pettefar

    Seems Obvious

    Why not let people put in USB sticks, access the Internet, etc? Just don't let these computers access the internal networks at all. No connection, physical isolation. Standalone Internet computers are the answer, as is a public WiFi for the surgeon's laptop, iPhone, etc.. Keep the secure networks secure. This works for the military and would work for the NHS too if only somebody could see sense.

  42. Anonymous Coward
    Joke

    Is your toaster getting pop ups?

    Anyway, a nurse friend once told me that the hospital is the best place to pick up a nasty infection---apparently this is true for IT systems as well.

  43. Anonymous Coward
    Anonymous Coward

    @ac17:@41

    well most computers have usb ports because 90 of mainboards dont come with ps2 ports anymore and keyboards and mice are generally usb

    but im sorry i worked for the nhs putting out new computers

    it was bloody shocking tbh !

    its non it people in charge that is the major problem

    Anybody with any amount of decision making ability had no IT background i kid you not !!!!

  44. Steven Walker

    Infection control

    If the NHS cannot keep hospitals clean it is not surprising that their computers are also infected.

  45. Anonymous Coward
    Anonymous Coward

    from ex-NHS

    The only reason Windows is rife with malware is that it is the most common. Were it Apple, or Linux, or whatever, you'd see an equally scary amount of malware for the most dominant platform : whatever it is.

    The rest, well... machine require USB for mice and keyboards. The NHS requires Internet access to run non-clinical web-hosted applications from time to time, and email transfers.

    Dictaphones are USB linked audio recorders. Contents of these are transcribed in a cost-effective manner by audio files sent to third party servers. Therefore Internet + USB is required for at least some of these machines.

    Facebook and Twitter are blocked at most, if not all, NHS sites.

    There is no central IT strategy : the NHS is hundreds of similar organisations, all performing roughly the same role, all in very different ways.

  46. A J Stiles
    FAIL

    Big Fail

    If you get someone to write special software for you, then you insist on the Source Code -- it must take a special kind of idiot *not* to do that.

    The whole sorry lot wants ripping up and starting again; and this time, NHS management need to ensure they get every last line of Source Code in the replacement systems. Otherwise it *will* happen again.

    Oh, and "The only reason Windows is rife with malware is that it is the most common. Were it Apple, or Linux, or whatever, you'd see an equally scary amount of malware for the most dominant platform : whatever it is" is just bollocks. Unix (in all flavours) at least has the locks screwed on from the inside. Apache runs two thirds of the Web, yet most webserver attacks are aimed at IIS.

  47. Anonymous Coward
    Pirate

    the USB stick scenario...

    was on an episode of Casualty a bit back. Schizophrenic kid sticks his USB dongle in and all the computers switched off. When I worked for the govt the AV software was out of date by a few years, and folk weren't even told how to scan files for viruses. One operative opened a zip file and almost infected 600 computers. Fortunately IT got there first. Just imagine 600 copies of Sircam (which was still around at the time) emailing itself across approximately 10,000 boxes....

This topic is closed for new posts.

Other stories you might like