Underfunded or underskilled?
Or out sourced?
One of the UK National Health Service boards hit by WannaCrypt earlier this year has again been infected by malware. The Lanarkshire board manages the Hairmyres Hospital, Monklands Hospital, and Wishaw General Hospital in Scotland, and on Friday had to warn patients that it was only handling emergency cases. Lanarkshire was …
Utter childish nonsense, they lost several managers especially in their IT area last year, not sure why the press isn't investigating that to be honest as I bet it's full of juicy gossip.
Half a department management team doesn't leave unless there's panic setting in about something.
Lost key staff last year (police involvement allegedly)
Outsource part of the key infrastructure to companies that we all know and love.
Run their own e-mail service, not the national NHSMail solution
Lots of other guff that sounds like a poorly run service, especially when you consider they've had months to get this sorted and clearly haven't.
Anyone else betting there's a lot of XP kicking about? Seems odd that this one would be affected when other scottish trusts aren't.
"Hitting the phone and rostering systems sounds pretty esoteric"
Not really and most probably they both are managed by, or depend upon databases in, Windows machines.
Real question is what had (not) been done since WanaCry exposed unpatched machines and flat/open internal networks allowing havoc to ensue. I suspect that any Word macros uses that were not disabled by group policy are a symptom of the first ailment...
Just what sort of total fucking scum bastards target a hospital? I can only hope that they die slowly, horribly and just for good measure, painfully.
And where the fuck are the people at GHCQ when we need them? They seem perfectly capable of tracking everyone of us, so why can't they seem to track down the pond life bottom feeding twats that do this type of thing?
Please don't tell me that people shouldn't open this type of what I assume was an attachment to an email. If I worked as a doctor, nurse or in patient records, for example, I can't put my hand on my heart and say that I would not open an attachment called "patient report". Can anyone?
Ok. Rant over.
Actually, if it were targetted at hospitals, I'd almost think that was better. Some grievance against the medical community in the mind of an inadequate kiddie, lashes out in revenge.
But in fact it's probably totally indiscriminate, fire off at random in the mall, see what happens just for kicks kind of mentality. Oh, I hit a hospital, lol.
> And where the fuck are the people at GHCQ when we need them?
Er, 'bout that. Maybe you don't want to look at where the Wannacry miscreants stole that exploit from. I'm sure GCHQ would love to give them a stern talking to, just as soon as they finish handing over all the security researchers who have been assisting in other investigations.
>Please don't tell me that people shouldn't open this type of what I assume was an attachment to an email.
You should open whatever arrives in your inbox within a corporate environment without a care - any IT bod or system which relies on you to do otherwise is not fit for purpose.
They will be well aware of the issues but a combination of legacy kit that can't just be upgraded (Scanners running XP, and likely connected PCs also requiring XP), no resourced to mitigate through isolation and a belligerent staff who won't stoop to carrying out awareness training, will all add up to an ongoing risk form repeated attacks.
Plus public sector IT has been an easy target for cuts for years. It was down to the bone years ago and they've still gone further. You can't reconfigure massive networks at the drop of a hat with two apprentices and a co-opted janitor. Even when the politicians wave their mighty soundbite wands.
"Still, I would like to see how the budget was spent..."
Item 1. Office refurbishment for the management including new desks/chair/blinds and new paint(Ok it had only been done 2 yrs previously but it was starting to look worn out)
Item 2. New PCs for the management, because they were starting to look worn out (the arrow on the return key was faded)
Item 3. Training the management to use the new PCs
Item 4. Getting several contractors to re-install windows after 1 of the managers gets a virus
Item 5. Several surveys of NHS trusts to find out how they coped with viruses(hotel stays and full expenses included... strange how the surveys were during the summer and in Cornwall/West Wales)
Item 6. Drawing up a report for the senior NHS manglement recommending that the NHS increases the number of in-house IT staff, making a disaster backup plan and training all staff to use the NHS computer systems properly
Item 7. Buying a shredder and inserting said report into it as thats cheaper and quicker than doing item 6.
There... I think that just about covers it
"legacy kit that can't just be upgraded"
I usually point out the the "legacy" system is the one that's earning the money and therefore can't, as you point out, be easily upgraded. But if indeed this was spread by Word attachments on email there is every reason to treat Word as legacy which can and should be replaced.
And, to forestall those who witter about "training to use this [allegedly] really difficult" LibreOffice then the training costs* for such a transition should be set against the costs of the obviously needed training for sanitary handling of email attachments.
*Really? It's not exactly difficult. It's a long time since I used Word but I don't remember it being that hard to flip between one and the other; they seemed pretty similar. Maybe the difference between the ribbon and the classic interfaces made LibreOffice a harder transition until the recent update which provided an optional ribbon. And in any case, those using the ribbonised version of MS Office must have either swallowed the training costs when that was introduced or let staff struggle untrained when they had the much less disruptive alternative of OO or LO.
Ask my trust in an FOI how much they spend on cyber security and the figure will be around 1 million.
In reality it's me and half my time is devoted to other things thanks to IT staff leaving and not being replaced.
Cyber security is no doubt on the priority list but that doesn't mean it gets backing from management (essential!) or funds (vital!)
"Cyber security is no doubt on the priority list but that doesn't mean it gets backing from management (essential!) or funds (vital!)"
So this is your list , not their list . See , what youre thinking of is a "wish list", aka "Pipe Dream" thats where your security is.
"A couple of hours later on Saturday morning, it posted an update requesting that people avoid visiting emergency departments unless absolutely necessary."
No chat and free tea in Lanarkshire then ?
What exactly do people go to emergency departments for if not emergencies ? And shouldn't they be addressing that problem all the time rather than just when the IT systems are broken ?
Its because they can't get to see doctors at primary care. In the Brit NHS access to primary care / GPs is basically rationed by bureaucracy. In order to see a doctor you have to jump through complicated administrative processes that typically require the patient to be intelligent, well enough to be able to handle the processes and have plenty of spare time.
The reason for this, of course is that Brit health care is free at point of delivery and theoretically unrationed, so the demand is almost unlimited. Supply, on the other hand, is very limited. Any kind of overt rationing is politically unacceptable*. The result is rationing by bureaucracy, since no-one can think of anything better.
Not that anyone has chosen rationing by bureaucracy, its just all that anyone can think of to control the demand. The alternative might be doctors booked up for months ahead, which is equally ridiculous.
*Its politically unacceptable, because Labour (=vaguely left) governments have a big soundbite of 'the evil tories are trying to destroy your NHS', so daren't be seen introducing demand management themselves, whilst Conservative (Tory=vaguely right) governments are desperately trying to avoid looking like evil tories destroying the NHS, so won't do anything either.
"Not in Clydebank I can't."
Baws. You have the RAH and QEUH. Honestly, folk in Clydebank seem to think they are entitled to their own A&E for some strange reason. I live in Clydebank, so I'm aware of what's going on. And no, you can't get one at the Golden Jubilee as it's (a) not fit for that kind of scenario and (b) doesn't belong to the local health board.
I replied to a post which stated "The Scottish NHS is run differently and I can see a GP within 24 hours if I need to."
Where did I mention A&E, or the post that I responded to? Oh it didn't, ergo yer a bawbag
I'm in England and my GP practice still runs open surgery sessions in the mornings so I can turn up and will get to see a GP (possibly having to wait a while). They used to do this for all their surgery sessions but a few years back changed the afternoon/evening to "pre-booking" - I suspect this was a result of the NHS patient surveys that were around at the time which asked people who'd visited GPs to report on how easy it had been to book there appointment and an answer of "I didn't have to book as I just needed to turn up and ask to see a GP" didn't fit into the ratings scheme.
NHSScotland is different.
You can walk into a hospital ED (not A&E btw) or minor injury unit any time you want and get treatment if they deem it necessary. THEY being the clinicians not management nor the government who have nothing to do with it.
The problem is the number of drunks, druggies, unsocial idiots who keep emergency services busy, not management.
My hospital has two Philips CT scanners running XP. We've got in touch with Philips and they're forbidding us from applying any windows update (Even the WannaCry patch).
They need to be networked because you need to get the images to other systems. But if we patch they loose their warrenty and CE marking since we're acting against the manufacturer. So... that sucks.
"being run (down) by a Government who want to privatise the NHS and who have their snouts in the trough of private medicine?"
Go read JinC's comment above. He's already nailed this political garbage. You know as well as I do that no party dare touch the NHS in the way you suggest and this is an over-used piece of claptrap that Labour drag out at every opportunity. And as JimC says, it inhibits everybody from trying to improve the situation the NHS has got into.
>Go read JinC's comment above. He's already nailed this political garbage. You know as well as I do that no party dare touch the NHS in the way you suggest and this is an over-used piece of claptrap that Labour drag out at every opportunity. And as JimC says, it inhibits everybody from trying to improve the situation the NHS has got into.<
No, YOU are wrong. There are many documented cases of in-house NHS services being barred from tendering for services in favour of private companies - and even cases where the internal bid came in cheaper, but was still rejected.
Plus you have people like Richard Branson buying up everything he can, & suing the NHS if he then doesn't win a tender operation.
When you introduce profit-making motives to any public organisation you will inevitably find that either service levels drop or costs increase (or both!) in order to keep the private provider in business.
NHS may collectively be one of the largest purchasers of this sort of kit in the world ... but each hopsital/authority/etc buys most things indenpendently. Think recently Department of Health got someone to investigate the effects of this and found different hospitals paying wildly different prices for the same things - the main area of commonality was the purchasing managers at most hospitals were reluctant to reveal prices they paid because "the salesman told us we were getting a special deal which we couldn't tell anyone else as they couldn't give everyone the same deal" ... and, of course, these "special deals" were in general anything but special.
So a basic firewall infront to proxy connections is not possible?
Patching all XP desktops is not possible?
Filtering in bound mail is not possible?
Mandating scans of USB devices is not possible?
You hilight a cultural issue....management need a reality check to fix the culture.
Oh and a national call to boycott Philips for hurting our NHS would soon get some action, that doesn't involve the phrase "you need to buy a new one".
If they are still under warranty I'd ask Philips to replace them because they are obviously defective. I'd also add a letter stating that any new networked device tender will include security high in the list - especially because of GDPR.
Then, depending on how they need to be networked, I'd design a way to isolate those XP machines and use a secure "proxy" to transfer the images.
"But if we patch they loose their warrenty and CE marking since we're acting against the manufacturer."
Put them on the spot and ask them* if their warranty covers not only malware damage to the unpatched systems themselves but also consequent damage to other systems for malware getting in through unpatched XP and consequent harm to patients.
*Via your legal dept. of course. Potentially being on the hook for large damages is apt to concentrate minds.
Philips must have a license clause, just like the Windows license reads: The manufacturer or installer, and Microsoft, exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement.
I accept clauses like that from FFS because I can change the software myself for it to become fit for a particular purpose ;-) ... If Philips do not update the software on their medical equipment, then I think hospitals around the world must contact the press ... and the media must do their part. This is, of course, unacceptable.
I would also advise hospitals avoid embedded systems, or demand FFS so they can update as they see fit, worst case, hire a bloke to update the driver for the newest kernel.
Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and nobody accept something like that.
Also, believe me, very few hospitals would update their equipment as they see fit (unless they have a research department capable of doing it, and test it on "guinea pigs"...), or hire the first "bloke" they can find to update a driver, and then maybe kill a patient which would be them a fault of theirs.
As long as you modify a device and kill yourself that's fine, when you put other people in danger it is not.
Any change in such systems require a deep knowledge of the system and understanding the effects of it - and of course, extensive testing. That's what Philips would like to avoid because it has costs, but it can't avoid it any longer.
I believe something like the aviation authorities is needed, when something dangerous is found they mandate changes, and both manufacturers and users must comply within the allowed timeframe.
Believe me, critical systems and devices are a different league from generic software. I really hope Philips medical equipment doesn't have such a clause, and nobody accept something like that.
I work in IT in drug research (and in a cancer lab before that), most systems, reagents, etc are specifically marked as "For Research only" to get around all of the regulations. Obviously buying ones "For Diagnostic Purposes" is hugely more expensive due to the regulators. I assume that the scanners etc. have to be certified in the same way.
If they muck up their software in an upgrade to either the controller PCs/Servers, the software and/or the scanner firmware then things can go <a href="https://www.theregister.co.uk/2016/07/03/mri_software_bugs_could_upend_years_of_research/>quite badly wrong</a> so the field is very conservative.
The certification probably doesn't let you modify the OS. This means you can't add software, like a decent exe whitelisting AV suite that are available now. Luckily for me, when I was doing some consulting for a Genomics Start-up, there were no such rules. I networked some ABI Sequencers that ran NT4, on something like SP5, about 16 years ago. I backed them up, put NT4 SP6a, the NetWare 5.1 client and pushed the corporate AV NAL which was Symantec's recent purchase from Intel, their pretty good managed AV at the time. I would back those suckers up fairly often because they were the guts of the entire genomics lab. That was a neat job; working with Scientists is cool. I even got to delegate the rebuild of the radio-isotope scintillator that blew a hard drive and the floppy was super clogged with dust to a junior. I told him to glove up. Good times...
Despite all the money NHS received on new tech in the past 15 years almost none of it was invested in staff. 8 people out of 10 working in IT in NHS have very little interest in the industry (if any for that matter). Those that actually know something are rarely promoted to run a team (or God forbid a whole department). Instead of waiting 5-10 years to go higher up they just change the employer. Also the IT reqruitment processes in most of the NHS are truly bizarre. Someone at some point has realized that this whole NHS IT thing is weird at it would be best to outsourcing it. Outsourcing NHS IT, oh boy, if someone was to write a book about it it would take longer than to finish the Game of Thrones.
It will be interesting to see whether they get to the source of this new outbreak.
Wouldn't surprise me to find that this outbreak was caused by someone opening/forwarding an infected file that for various reasons got missed on the clean up from the last outbreak.
And what OS would stop it? Linux? MacOS? The one from the terribly nice chap from North of Samsung land? The OS is not the problem...how it's managed is.
Management needs to understand it's okay to have outages because of improvements...but not acceptable because of lack of improvement. The former should not be part of SLAs outside core hours if planned and managed...clearly from Wannacrypt departments CAN manage without those systems when pushed.
“Due to NHS Lanarkshire IT issues, the staff bank system and telephone are offline and currently unavailable”
Hold on there....
“Due to general NHS IT underfunding and outsourcing to crap offshore services in the east where no one gives a flying crap about the systems their supposed to be running, the staff bank system and telephone are offline and currently unavailable.”
It's been a long time since I worked for the NHS but one of the problems I encountered was that I.T. was only notionally in charge of the I.T. budget. Each department could, and did, buy their own kit often without reference to I.T. As for medical equipment, usually the first time the hospital I.T. department would hear about new kit would be when the "computer bit" broke and an irate consultant demanded it be fixed immediately.
I don't imagine it's changed that much.
...they've probably outsourced their IT despite being warned it wouldn't be cost affective. No one listens to that and then a few years later bring IT back in house. You loose the skill of current knowledge and the fact most IT on site, will, even need, break SLA just to get stuff fixed. Outsourced companies want their money so will be strike with their SLAs.
To be hit a 2nd time clearly means they never bothered fully fixing it the first time.
Biting the hand that feeds IT © 1998–2019