back to article UK Parliament launches inquiry into NHS WannaCrypt outbreak

UK Parliamentary spending watchdogs at the National Audit Office have launched an inquiry into the impact of the recent WannaCrypt ransomware attack on the NHS. Although not aimed specifically at the NHS, the ransomware nonetheless spread across hospital networks, leaving medical staff unable to access patient data, forcing …

  1. Anonymous Coward
    Anonymous Coward

    Umm...

    1. Machines were vulnerable. Due to no investment.

    2. Human error. Because everyone is overworked.

    3. Upgrades needed. Because the kit is ancient.

    Done.

    AC for PM?

    1. Anonymous Coward
      Anonymous Coward

      Re: Umm...

      Wrong!

      1. Machines were vulnerable. Due to no investment - Actually thats to the previous government (or if the previous government was the same brand, the last government that was nothing to do with us).

      2. Human error. Because everyone is overworked. - Something about Brexit and Immigrants and record something or other

      3. Upgrades needed. Because the kit is ancient. - IT is our primary focus and we have thrown loads of cash at the usual bunch and achieved loads; look we have a new WordPress site and everything.

      4. Vendor lock in. Look we're moving from XP to Windows 8, Oracle and a custom DB! No more being tied in to i.e.6 for us!

    2. Anonymous Coward
      Anonymous Coward

      Re: Umm...

      "Umm...

      1. Machines were vulnerable. Due to no investment.

      2. Human error. Because everyone is overworked.

      3. Upgrades needed. Because the kit is ancient.

      Done.

      AC for PM?"

      out of my way AC,

      1 - apply patches , at no extra cost

      2 - get off your arse and apply patches , at no extra cost

      3 - The kits fine . No extra cost.

      AC2 for pm?

      1. Anonymous Coward
        Anonymous Coward

        Re: Umm...

        "apply patches , at no extra cost"

        No extra cost because the already overworked IT staff will have to do unpaid overtime?

        1. Richard 26

          Re: Umm...

          No extra cost because the outsourced suppliers just aren't the kind of people who do the minimum their contract will let them get away with.

      2. Anonymous Coward
        Anonymous Coward

        Re: Umm...

        1. Don't spend money on infrastructure and grind the NHS to the ground ready for privatisation.

        2.Demoralise the staff with stagnant wages so they leave.

        3.Hand out 1 DUP to stay in government even though you have no money.

        AC3 for PM?

        oh wait I already am.

        1. Anonymous Coward
          Anonymous Coward

          Re: Umm...

          AC1 here.

          AC2-3 if I give you a billion* can we form the coalition of cowards?

          *Dogecoin / Reddit Gold

    3. This post has been deleted by its author

    4. codejunky Silver badge

      Re: Umm...

      "1. Machines were vulnerable. Due to no investment."

      One of the largest and longest booms where the public sector expanded at an incredible rate and the money thrown on them was at unsustainable level. Although failed IT systems to replace the previous failed IT system has been a recurring theme for a while now.

      "2. Human error. Because everyone is overworked.

      Yup. Supporting failed IT projects and terrible systems in a monolithic bureaucracy. I am so glad I dont work in the NHS their systems do seem to be recurring versions of worse than the last one.

      "3. Upgrades needed. Because the kit is ancient."

      See the answer to 1. Interestingly Tim is running some interesting articles on Forbes at the moment concerning public sector spending. He also does a few concerning underinvestment by government because it isnt flashy to maintain something and the money is promised to other 'gifts' to the electorate.

  2. adam payne

    "This investigation will set out the facts about the cyber-attack’s impact on the NHS and its patients; why some parts of the NHS were affected and others were not; and the roles and responsibilities of key stakeholders and how they responded to the attack."

    The investigation will costs millions, be delayed for years, determine nothing and hold no one responsible for anything.

  3. Woodnag

    Close the attack vector

    Colour me naive, but shirley the NHS email system could run sanitisation software so that all incoming emails are stripped of attachments and in-body links, and the body converted to text.

    1. Anonymous Coward
      Anonymous Coward

      Re: Close the attack vector

      It didn't come in via NHS Mail, they checked, double checked - not a sign of it.

      It most likely came in via another route and spread through improperly secured network connections. The NHS is incredibly interlinked.

      1. Anonymous Coward
        Anonymous Coward

        Re: Close the attack vector

        Also, anyone who thinks NHSmail is the only email system in the NHS probably doesn't understand how the health service is structured. It's nothing like that centralised.

      2. CrazyOldCatMan Silver badge

        Re: Close the attack vector

        The NHS is incredibly interlinked.

        Indeed. And I was fairly shocked to discover (in a previous life, far, far away) that N3 links were very often not firewalled.

        Being a paranoid sort, and despite having a 3rd-party N3 link (so quite restricted in access), I nevertheless make sure we had a firewall (even if it was a Cisco PIX box - that was all I had) to manage traffic.

        Chatting to some of the BT engineers was fairly instructive - quite a few installs they had done has the N3 router feeding directly into the LAN on-site. The N3 WAN was seen as "Trusted".

        That was 10 years ago, so things might have changed.

    2. handleoclast

      Re: Close the attack vector

      shirley the NHS email system could run sanitisation software so that all incoming emails are stripped of attachments and in-body links, and the body converted to text.

      I'm sorry, Mr Woodnag, but the X-Ray Department is having problems sending me your CAT scan. They've tried a dozen times now, but the attachment doesn't show up.

      Perhaps you could come back tomorrow.

  4. Anonymous Coward
    Anonymous Coward

    It wasn't Windows.

    At least north of the border, apparently the company in charge of connections hadn't secured some of their sites, no ACLs present at all.

    Sites with ACLs were unaffected.. even if their PCs were vulnerable.

  5. fnusnu
    Joke

    First mention of the mythical MRI scanner

    The one which runs on unpatched or unpatchable software!

  6. John Smith 19 Gold badge
    WTF?

    "NHS ransomware attack cost £180,000, "

    Really.

    Let's say an IT person is £10/hr

    That's. 18 000 hrs of staff time.

    But there are something like a 1000+ hospitals in the NHS in the UK.

    So roughly 18 hrs per hospital to mitigate the effects of this?

    I smell bu***hit.

    1. phuzz Silver badge

      Re: "NHS ransomware attack cost £180,000, "

      You forgot the 400% price increase because it's a government contract.

  7. Neil Alexander

    Well, an inquiry will be a complete waste of time and tax-payer funding.

    We already know everything that an inquiry is going to tell us. We know that Windows XP is out of date, we know that patch management was insufficient, we know that appropriate control measures weren't in place, we know that management of NHS IT is inadequate and so is the money allocated to it. More to the point, we already know what steps need to be taken to resolve these issues.

    What the NHS really needs is for someone to go out there and actually pull out their cheque book and invest properly.

    1. Primus Secundus Tertius

      "someone to go out there and actually pull out their cheque book"

      That someone is the taxpayer, i.e. me. I am also asked to restore student grants, double the size of the armed forces, spend billions on roads, spend billions on guards for driver-only trains, and pay for everybody's grandma to live in a hotel.

      Which should I do first?

      1. codejunky Silver badge

        @ Primus Secundus Tertius

        "Which should I do first?"

        Unfortunately some people think all and more and yesterday. Often as long as someone else pays. Everything is of absolute importance until the bill needs to be paid then suddenly the silence kicks in. I do wonder how people have forgotten the lessons of socialism over the many attempts and total failures.

        But there seems to be another wave of entitled who want to spend spend spend so I am very sorry friend but people like me and you are going to have to either hide our wallets or have them robbed in the name of the latest fashionable term (e.g. fairness, community, morality, communism, maoism, stupidity).

      2. Doctor Syntax Silver badge

        "That someone is the taxpayer, i.e."

        You missed out increasing police number.

  8. Anonymous Coward
    Anonymous Coward

    It's still ongoing

    Sorry but I logged into two geographically separate NHS sites via N3 on Monday and both were infected (one in north wales & one in east Anglia)

    I advised the relevant IT contact and was told that the issue was fixed!

    So I logged out and asked for the VMs to be sanitised and updated

    (The servers are running clinical imaging databases)

    I was asked to 'not tell my boss' (which BTW is ME)! so I didn't tell myself

    When I logged back in today, both servers are still infected, and the databases have crashed

    Based on the DB size and storage locally, both servers completely screwed, so obviously any clinician doing any image storage were off work.

    Anon just in case

    1. Anonymous Coward
      Anonymous Coward

      Re: It's still ongoing

      > I advised the relevant IT contact and was told that the issue was fixed!

      You work in/with NHS IT and this surprises you? I'm guessing the systems in question were one of the following:

      1. Not known about by IT

      2. Known about by IT, but the "business owner" was someone else (i.e. Somebody Else's Problem - we've done everything we can at our end guv)

      3. "Fixed" by following some script, but no-one bothered to validate, monitor, or close the security hole afterwards.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's still ongoing

      Check the sites have ACLs applied, many of mine were affected because crapita or whichever bunch of morons is in charge of those now didn't have anything applied on the damn routers.

  9. streaky
    Black Helicopters

    Inquiry..

    If it doesn't begin and end with the NSA with a creamy filling of why the hell are there so many systems so out of date then we have a serious problem.

    1. theblackhand

      Re: Inquiry..

      Lets wait for the inquiry to find out if it was the end of life OS's that were affected...

      The NHS had a massive task to update old applications and systems to move off WinXP and they have made progress (I'll leave it as an exercise for the reader to decide if the progress is good/bad/sufficient). If the older systems had been effectively isolated and weren't hit, that leads to a very different conclusion to the Windows XP

      While I don't doubt the NSA is the cause, patches were already available for the issue. Why weren't they applied and how can the NHS address these deficiencies in a way that avoids the impact that we saw with WannaCry.

      Finally, MS having Windows XP/Windows 2003 patches that weren't released prior to WannaCry is also dubious in my opinion - while they didn't have to patch these, the nature of the bugs severity, the public disclosure of the bugs and the length of time that the the compromise was present suggests they should have been publicly released patches as soon as they were tested.

  10. Anonymous Coward
    Anonymous Coward

    The machine that goes *ping*

    Went *pong*

  11. Anonymous Coward
    Anonymous Coward

    Good practice will be punished

    After years of deliberation, paper shuffling, and jolly damn good dinners, the inquiry will

    1) Avoid any blame whatsoever falling on the persistent and deliberate under-funding of the NHS in pursuit of the Tory privatisation agenda

    2) Ignore the good practice of all those NHS Trusts that *weren't* affected by WannaCrypt (most of which is just standard industry good practice anyway)

    3) Pay billions to the usual suspects (Fujitsu, Siemens, Capita, etc) for an inadequate 'solution' that will create a single point of attack and/or add another standard on top of all the other standards (https://xkcd.com/927/).

    AC as, obviously unlike most commentards, actually working in the sector

    1. Anonymous Coward
      Anonymous Coward

      Re: Good practice will be punished

      "Avoid any blame whatsoever falling on the persistent and deliberate under-funding of the NHS in pursuit of the Tory privatisation agenda"

      sorry AC but my local health trust is in financial difficulties almost entirely due to Mr Brown's PFI initiative, which nearly bankrupted it.

      Not that you'd know, from the Socialist Worker posters up on the noticeboards talking about evil Tories (including one particularly memorable one last time I was there - that had a large bandage stuck on top of one word just so you'd pay extra attention to the word that rhymes with Hunt). Disgraceful patient noticeboards used for political propaganda - even worse when it's inaccurate political propaganda! Not saying Tory policy even remotely ideal, but the Labour govt responsible for way more than half of that trust's problems, with effects felt daily, ten years after they did it.

  12. herman

    So, the moral of the story is to use more Windows XP machines?

  13. John Smith 19 Gold badge
    Unhappy

    Perhaps time for some El Reg readers to put pen to paper?

    to the Head of the Enquiry, pointing out or asking the following.

    If you don't have source code to an OS you will have to upgrade on their support schedule, unless you are prepared to spend a lot more money. This will happen regardless of OS supplier.

    Why are applications not just written to run on a particular OS (when their main UI is web based, which should be supportable by any browser) but on a particular version of that OS and its browser?

    Why don't NHS contracts for specialist software, or computer controlled machinery, include clauses to require suppliers to plan in for migration to newer versions of an OS, or to encourage a server/browser model? Windows 7 is already 2 versions behind Microsoft and that will only get worse.

    Software migration is inevitable. Why does there appear to be no planning for it within the NHS, either centrally or at Trust level? If it is going on, why do so few trusts seem to be doing it?

    Is it possible to say how many PC's the NHS actually has? How many of them need to be able to run MS Office directly, rather than on a central server? How many of them have to be able to generate Office documents?

    1. Primus Secundus Tertius

      Re: Perhaps time for some El Reg readers to put pen to paper?

      It is easy to write a Requirement spec that says the software shall be compatible with future upgrades to the OS and the toolchain.

      It is easy for the supplier to assert in a "design document" that the software will be compatible ...

      When the upgrade comes you find that actually no thought was put into the design of the product and how it might be updated. Too many "design documents" are nothing more than a restatement of the requirements.

      Years ago, when I tried to get authors of design documents to explain how rather than to state what, I was told by management to stop obstructing the project plan.

      1. John Smith 19 Gold badge
        Unhappy

        "he upgrade comes you find that actually no thought was put into the design of the product"

        I did not explicitly state but assumed that such contracts would have "penalty" clauses for failing to plan this in and acceptance tests based on the next version of the relevant OS.

        My apologies for not being explicit.

    2. Loud Speaker

      Re: Perhaps time for some El Reg readers to put pen to paper?

      None of them NEED to generate MS Office documents.

      As a large quasi government body, ALL documents should be produced using open standards that will survive death of the software provider - which means OpenDocument format - the well defined ISO standard.

      There should be a systematic campaign to sack anyone specifying closed document formats for anything remotely relating to the general public, or for documents intended to last more than 12 months.

      1. John Smith 19 Gold badge
        Unhappy

        "which means OpenDocument format - the well defined ISO standard."

        You are aware that MS gamed the ISO standards process so they could claim a version of MS Office documents is "ISO compliant" ?

        No it's BS but they have actually done that.

        the question of course is wheather MS Office reads such documents, because that's the other side of this see saw.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like