back to article UK health service boss in the guts of WannaCry outbreak warns of more nasty code infections

The UK's National Health Service has learned from last year's WannaCry attack – and started putting in place disaster recovery measures that will allow it to maintain services in the face of an even fiercer assault. The worldwide spread of WannaCry last May hit hospital networks particularly hard and left doctors and nurses …

Gold badge
Holmes

"and started putting in place disaster recovery measures "

At f**king last.

Still does F. All about those CT/MRI/Ultrasound scanners still running Windows XP for which the mfg has F. All plans to update their software.

When the history of security for embedded systems get written the desire for mfg of hardware costing at a minimum £150K to run their software on a soon-to-obsolete (because every version of Windows is obsoleted much sooner than later by MS) with very poor upgrading tools will be looked as one of the worst business practices from the mid 90's to the present day and (probably) beyond.

11
1
Silver badge

Re: "and started putting in place disaster recovery measures "

The only way to deal with IoT, Medical and Industrial systems is: Firewall 'em all, god will recognize his own.

NHS still has not learned the lesson.

6
2

Re: "and started putting in place disaster recovery measures "

Im currently installing on an IL3 network, it isnt hard to do just meeds well documenting. Why more don't work like this I dont know.

1
0

Re: "and started putting in place disaster recovery measures "

The NHS is one of if not the largest purchaser of this kit in the world, two things need to be done -

1. Use a firewall...a Pi could handle this so no need to waste money on expensive Cisco or other branded firewalls.

2. Use the buying power to get the supplier to work for the client...either they pay for the security or the uphrade to support OSes as part of the current contract. Supplier listen to their biggest clients...if that doesn't work ask a Minister to threaten to pull a big contract...make sure you can follow through...this is NHS money for our health and peoples lives not some vanity project.

Simples!

0
1
Silver badge

Re: "and started putting in place disaster recovery measures "

"Firewall 'em all, god will recognize his own."

With critical medical systems even firewalling isn't enough IMO. They should be airgapped, full stop. And any data that needs to be loaded onto or from the systems would have to be done by someone from IT on a virus checked USB stick or CD-ROM, not one of the operators.

0
0
Silver badge

Re: "and started putting in place disaster recovery measures "

"1. Use a firewall...a Pi could handle this "

Meanwhile, back in the real world...

2
0
Silver badge

Re: "and started putting in place disaster recovery measures "

@Robidy

The NHS *should* have massive purchasing power.

It doesn't though. There is no "central" NHS when it comes to purchasing, they operate as separate trusts.

Hospitals in two neighboring trusts may use the same vendor, but they have no leverage in terms of using that fact to get favourable pricing.

E.g. your customer isn't the NHS, your customer is "the north notts healthcare trust" or wherever.

4
0
Anonymous Coward

Re: "and started putting in place disaster recovery measures "

@boltar

And you clearly have no idea of the data sizes / types involved.

MRI images can range from small 4-10GB files up to hundreds of GB. And a scan can comprise thousands of images.

They can't be compressed until after they've been reviewed by a diagnostic clinician as compression chucks out detail which is needed for things like head/cervical spine/whole spine images and then the images have to be retained for comparison with future scans to identify changes and trends.

Time is money - if 50 clinicians have to wait for minutes at a time to access and load every file they need then this creates a secondary impact around compression, data storage and transmission.

It is however entirely reasonable that the infrastructure hosting all of this be secured with ip segregation, traffic inspection and encryption.

I've been inside an MRI scanner and can tell you that its like being in a bin lorry when they start the compactor with all the clanging, whirring and banging; the images don't fit on tiddly usb 2 sticks!

Anon - cos.

0
1
Silver badge

Re: "and started putting in place disaster recovery measures "

"Time is money - if 50 clinicians have to wait for minutes at a time to access and load every file they need then this creates a secondary impact around compression, data storage and transmission."

Minutes at a time? Tiddly USB sticks? The year 2000 called, they want their arguments back.

USB3 has a max rate of 5Gb/sec and USB stick capacity now goes up to 1TB. But if you want more you can have portable hard drives where the sky is pretty much the limit.

"It is however entirely reasonable that the infrastructure hosting all of this be secured with ip segregation, traffic inspection and encryption."

It already was. Worked well didn't it. Protecting the infrastructure is more important than a clinition having to wait a few minutes since without it there is no treatment, full stop.

0
2
Anonymous Coward

WannaCry was a shot across our bows.

A shot across your bows is a miss. I'd say the shot was more like a bulls eye.

9
0
Silver badge

Re: WannaCry was a shot across our bows.

Nah, it just took out the rigging.

The hull is fine, but putting up new masts takes a while and you can't do it under fire.

7
0
Silver badge

as many as 25,000 centres weren't affected.

Ah the old "but think of the 99.99999% of the population my client didn't murder" - defence

11
1
Anonymous Coward

they will not learn...

I am at the hospital regular with various health issues and the IT infrastructure is terrible...

Most computers are running XP sme running 7 and all of them have un-protected usb ports on the PC, You get left alone in the room with the pc, you could easy plug in a rubber ducky or worse and take control of the hospital via a mobile phone !!

6
0
Silver badge

Re: they will not learn...

Taylor said NHS Digital has developed a much more comprehensive disaster recovery plan since the WannaCry attack before embarking on a rigorous, ongoing testing regime. "The thing we’ve done since that is test, and test, and test again... when [anything] does happen, we’ll be in a much better position.”

and the point he's clearly missing is that the whole endeavour was preventable - prevention being better than a cure. Whilst it's essential to have a good well tested back-to-normal-ops plan, patching your shit would be better. Not using legacy operating systems where avoidable would be good and perhaps going for something like a Wyse terminal connecting to server sessions may be advisable (again, where appropriate).

1
0

Re: they will not learn...

Totally agree, prevention is better than cure...ask any nurse or doctor (of medicine).

0
0
Silver badge

Sigh. You don't put in disaster recovery measures because something bad happened. You put them in because something bad might happen.

4
1
Silver badge

Well, yes, that's what they're saying. You should be delighted, not sighing.

1
1
Anonymous Coward

Pay and respect

Pay and respec your IT staff more that would also help. When you get a director stand in front of several engineers and say "My plan is to get rid of all band 5 engineers and replace them with box monkeys. You don't fix anything, you just replace the PC". The room was full of band 5 engineers and he wasn't aware. When told he didn't care. He later got cancer. Shame he never died from it.

When you have a CTO of an NHS IT department that allows his daughter who happens to work there to bypass helpdesk and SLAs.

When you have NHS management ignore you that it would be cheaper for us to buy a hard drive crusher and destory them ourselves than sending them to this 3rd party that will do it. Then one day said 3rd party sell some of said drives on ebay with patient data on. The trust then getting hit with a record fine by the ICO. Only then do they bring in their own hard drive crusher.

When intergration is bad in trust IT departments so much so that you are 2nd line, they are 3rd line. You have learnt how to set static IPs for printers etc and been doing it for several years but then told "no. I know you had to wait 20mins in a&e for me to be free to set the static IP for the blood printer. But you can't do it yourself. This is my job". Dicks.

When you hire me on as a contractor on what you say is more money than what 2nd line are getting yet I still say my contractor rate is lower than I got elsewhere, then the 2nd line guys/gals must be on shit money (again NHS underfunding IT). You then expect me to do project work at that rate. Don't blame me for then leaving.

The same trust had several 2nd line engineers and a few 3rd line leave when I'd just joined for a short contract. Why? Cause pay was shit and not getting any better.

The list goes on.

Under funding IT and incompetent managers are why the NHS will be hit again in the future.

6
0
Silver badge

Re: Pay and respect

And ten thousand other companies that don't do any of those things will be hit as well. Lots of people think they know a foolproof way to secure a network, but every single one of them is wrong.

That's why I'm delighted to see them talking the language of containment and mitigation, not prevention.

0
1
Anonymous Coward

Re: Pay and respect

Its always the same scummy layer on top of the pond ....

SHA's went away to be replaced by Clinical Commissioning Groups - the majority of the key positions went to SHA lifers, but all the hands on knowledge of how and why things worked before was lost.

Trusts restructure and cut staff, the same lifers that manage staff as consumables manage to persevere. And again all the knowledge of how and why gets lost.

Staff who feel they are giving back or showing social responsibility by taking a job in an NHS IT department can't believe the working practices or the calibre of their colleagues - in amongst them are the 'thick skinned and ignorant' who stay in a job far beyond the breaking point of others either because they can cope (thick skinned) or because they're frightened of not getting a job somewhere else (ignorant of their value to an employer, maybe even failing to understand that they are being exploited and treated terribly).

These places are obvious once you realise that HR are there to help the most senior managers escape the consequences of their actions/treatment of staff, misrepresent employee rights and root out dissent and 'trouble makers' that dig their heels in when they see something that's plainly wrong.

When you point out problems, get told they won't be fixed and then held to account for them when they erupt you pretty soon stop noticing problems. That causes stress because knowing that you can't fix problems when you know how to fix them (and prevent them recurring) grinds a little bit off your soul every day - that's you being the consumable (instead of the resource) right there.

Anon cos.

1
0
Bronze badge

Idea?

The NHS bosses should employ the CIA, they're the best placed people to know what the threat landscape looks like, they're it

4
2
Silver badge
Facepalm

North Korea to blame for WannaCry

"Western intel agencies in the UK and US both publicly blamed North Korea for the attack late last year."

Yes, Kim Jong-un is evil and hates NHS patients:

0
0
Silver badge

WannaCry was a shot across our bows.

A shot across the bows is a near miss this wasn't a near miss. Maybe you weren't hit as hard as you could have been but you were still hit.

Taylor said NHS Digital has developed a much more comprehensive disaster recovery plan since the WannaCry attack before embarking on a rigorous, ongoing testing regime

A comprehensive disaster recovery plan is something you should have already had. A rigorous testing regime for your disaster recovery plan is also something that should have already been implemented.

1
0
Silver badge

No, a shot across the bows is a threat, or warning. It's not a miss, because it's not intended to hit.

0
2
Bronze badge

Er, ok if you say so.

"WannaCry was a shot across our bows"

Yes. I'm sure it was (sarcasm meter is at 11).

A "traditional" shot across the bows of a ship does not leave the ship floudnering and sinking. It moves across the bows as a warning.

Admit the truth. Someone shot at your ship, struck it dead on, sent you in a panic and nearly sunk you to the watery depths. Then when you limped back to port, barley floating, you were met with a media frenzy.

Its this mentality that caused your systems to get completley crippled for days. Dismissing your vulnerability as a "shot across the bows" is like a corner shop owner getting robbed at gunpoint, then actually shot and nearly dying in hospital while saying "it was a shot across the bows" when admitting his CCTV system was broken for a year resulting in the police not catching them.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018