NHS given a lashing for lack of action plan one year since WannaCry

Nearly a year has passed since the unprecedented WannaCry cyber attack and the UK's NHS has yet to agree an action plan, according to a report by MPs. Following the incident last June, which caused 20,000 hospital appointments and operations to be cancelled, a Lessons Learned review was published with 22 recommendations for …

  1. Anonymous Coward
    Anonymous Coward

    Kick me whilst I'm down

    I'm asking for funding, I'm being told there isn't any for most of it but here's some scraps - see what you can do with it.

    When an FOI comes in asking how much we spend on Cyber Security, EVERYTHING is thrown in: AV software, switches, firewalls, the salaries of random staff members who perhaps answered an e-mail relating to ransomware at some point. But in reality it's just me and 20K worth of web filters the majority of the time.

    If I see a product that could help us, build a business case, go to a mini tender and then am told I can get half of the funding I need and stated in the business case, there really isn't anything I can do. I can't protect half the sites; that's completely bloody pointless when they are interconnected.

    I need either a senior staff member to be fired or locked up before I'll get the backing I need.

    I also need my own CYBER SECURITY BUDGET rather than having to beg other departments for it. We need money ring-fenced for this sort of thing, and if we already have it, why do those of us who are in the position to make the most of it not get control of it?

    I need more coffee.

    1. Aladdin Sane

      Re: Kick me whilst I'm down

      Welcome to government service.

      1. Anonymous Coward
        Anonymous Coward

        Re: Kick me whilst I'm down

        I hear ya.

        Money's always going to be a constraint. In my experience the best (only?) way to make forward progress is to work out what other constraints you can remove. Procurement, processes and IT ops are often full of waste in the NHS.

        For example if you never have enough time to keep on top of patching, perhaps you could improve the use of time in other areas so you free up a few hours every week. Or do a bit more automation or something. Maybe you already do all that of course.

        I once rolled out a whole new service after the budget got tied up in months of knots, by pulling in favours, piggybacking off existing contracts etc. Not ideal and I got a bit lucky, but it can be done.

        1. AMBxx Silver badge

          Re: Kick me whilst I'm down

          Imagine how bad this would have been if there had been enough money to make the NHS fully digital?

          Sounds like a really good argument for paper records and disconnected machines.

    2. Doctor Syntax Silver badge

      Re: Kick me whilst I'm down

      "I need more coffee."

      You need your CEO to be told their job is on the line if there's a breach.

      1. wolfetone Silver badge
        Pint

        Re: Kick me whilst I'm down

        Like every other member of staff at the front line of the NHS (so I'm excluding the managers from this, as they're arseholes. And Jeremy Cunt.), you're in a thankless position. But we appreciate what you're doing, and we're not ignorant of the shit you're having to deal with that you really shouldn't be.

        Please accept this icon of a beer as a token of my gratitude.

        1. Chris 3

          Re: Kick me whilst I'm down

          I get pretty sick of the 'managers are arseholes' mantra. My wife's a hospital doctor. She's very glad that she doesn't get stuck with the shit that the managers have to deal with.

          1. wolfetone Silver badge

            Re: Kick me whilst I'm down

            "I get pretty sick of the 'managers are arseholes' mantra. My wife's a hospital doctor. She's very glad that she doesn't get stuck with the shit that the managers have to deal with."

            The mother-in-law is a nurse, and they deal with a lot more shit than doctors have to.

            1. CrazyOldCatMan Silver badge

              Re: Kick me whilst I'm down

              The mother-in-law is a nurse, and they deal with a lot more shit than doctors have to

              Quite often literally.

              (Mum was a nurse - at time midwife[1], surgical nurse, school nurse[2], and general ward-sister. I don't hate the smell of hospitals - to me that was what Mum used to smell like so it's quite comforting to me!)

              [1] In East London in the mid-1950s. As I discovered when she and my wife were talking about "Call the Midwife". According to her, the setting and methods were fairly authentic, although her main comment was "we would have got sacked if we got up to half of what they seem to get away with".

              [2] She hated that one. All the responsibility with none of the ability to do stuff to fix the underlying causes. And her boss was (apparently) "a right bitch". That's the one and only time I've ever heard her say anything like that about someone.

        2. John Smith 19 Gold badge
          Coat

          Basically in NHS land computer security is not a core priority. Until it *becomes* one.

          Apparently it still isn't.

          Not in 2018.

    3. sanmigueelbeer

      Re: Kick me whilst I'm down

      What is/are the chance(s) that NHS will go down again after another ransomware &/or worm attack in the next 14 months?

      I guess this is the reason why decision-makers are not taking this issue/threat seriously.

      Roll the dice ...

    4. Cuddles

      Re: Kick me whilst I'm down

      "I'm asking for funding"

      And this is ultimately the whole problem. People love to complain about managers and the like not caring enough, as seen in the comments here, but those managers have no more control over the NHS budget than you do. When we're facing serious shortages of doctors and nurses, constantly growing waiting lists, ambulances queueing up for hours, entire hospitals having to shut down for days to everything except emergencies, and so on, the idea that IT security would be the only department actually getting the funding it needs is laughable. Sure, we here know the potential dangers of lacking security, but even then we have to admit that the dangers almost always remain potential, and to date very little actual harm has been done, even when things like WannaCry make the headlines. When you can see people actually dying every day due to the lack of funding in every other area, IT is simply not going to be a priority.

      1. Anonymous Coward
        Anonymous Coward

        Re: Kick me whilst I'm down

        If next time it takes out the 999 service, then there WILL be deaths caused by it.

        1. Cuddles

          Re: Kick me whilst I'm down

          "If next time it takes out the 999 service, then there WILL be deaths caused by it."

          That's exactly the point I was making - if something with low probability happens at some undefined point in the future, there might be some consequences. That kind of "if" simply cannot compete with "people are dying right now on a daily basis because there aren't enough beds/doctors/nurses/etc.". It's like telling a soldier in the middle of a firefight that they should eat more fruit and vegetables; no-one's going to argue that it's bad advice, but sometimes there are more pressing issues to deal with first.

    5. Anonymous Coward
      Anonymous Coward

      Re: Kick me whilst I'm down

      Dude... don't you understand? Every penny has to be spent on patients. No money can be spent on software licences, since they're intangible and despite the fact that an upgrade from Office 2007 would improve everyone's productivity, you can't have them. No money can be spent on the office you work in - the fact the walls haven't been painted since the building opened in 1898, the bogs are so gross you'd rather walk across to the station for a No. 2, there's no air conditioning and your office chair hurts your back isn't important.

      And yes, I did work for a certain trust.

      1. Anonymous Coward
        Terminator

        Every penny has to be spent on patients

        Anon: "Dude... don't you understand? Every penny has to be spent on patients .. And yes, I did work for a certain trust."

        Half of £2bn NHS cash injection spent on outsourced private care providers

        PFI deals are bleeding the NHS dry

      2. David Glasgow

        Re: Kick me whilst I'm down

        "an upgrade from Office 2007 would improve everyone's productivity".

        I agreed with everything else, but this. How on earth would productivity be increased by upgrading Office? Most clinical records are (pretty much) plain text, and so they should be.

  2. Anonymous Coward
    Coat

    My friend came down with a strain of ransomware when he went to the Hospital for a checkup...

    1. Aladdin Sane
      Coat

      Had he been sticking his dongle into unprotected devices?

      1. Sgt_Oddball
        Coat

        No, but...

        He might have ejected unsafely...

  3. Primus Secundus Tertius

    Valuable comments

    As often happens in the pages of el Reg, the comments here are more informative about the situation than the original article. Thank you, fellow commenters. I hope the ACs are not found out and punished; the NHS is known to be vindictive.

    The root problem remains. How much do YOU want to pay for the health of other people?

    1. codejunky Silver badge

      Re: Valuable comments

      @ Primus Secundus Tertius

      "The root problem remains. How much do YOU want to pay for the health of other people?"

      I am not sure this is the problem. It seems more about maintaining the bureaucracy. Nothing needs to get done, but it's a great excuse to sit and chin-wag about it. Of course the people on the ground having to deal with the problem ain't happy, but that won't bother the NHS. The patients, doctors, nurses and staff all come below protecting the institution, the religion, the NHS.

      1. Doctor Syntax Silver badge

        Re: Valuable comments

        @codejunky

        Sometimes we agree. Jobs, and that means top jobs, need to be on the line, and without golden goodbyes in case of failure.

        I'd love to have the first A/C and the trust CEO appear together before the PAC. Ask the CEO their salary and then ask the A/C how much they could accomplish with that sum.

        1. codejunky Silver badge

          Re: Valuable comments

          @ Doctor Syntax

          "Sometimes we agree."

          Probably more than we think. I do upvote a good few of your posts for being pretty spot on.

        2. Anonymous Coward
          Anonymous Coward

          Re: Valuable comments

          Ask the CEO their salary and then ask the A/C how much they could accomplish with that sum

          To be fair, organisations need CEOs and the nature of that job always attracts the big bucks.

          Which doesn't detract from your overall point. It would be interesting to compare, say, the first A/C's budget vs the cost of a team that contribute very little value per capita (e.g. "knowledge management", or perhaps the paragons of efficiency found in every NHS procurement department).

          The money's often there, or at least some of it is. Part of the problem is that IT's sometimes still treated as an overhead rather than a critical part of the business.

    2. InNY

      Re: Valuable comments

      The problem with your question, "How much do YOU want to pay for the health of other people?", is that to someone else, you are the other person. Your family are the "other people".

      Maybe, you should be asking "How much do you want to pay for your own and your families' health?"

      Reducing health service funding because of others who, you think, do not deserve it also reduces those services that you, or a member of your family, may have to rely on.

      Really, forget about other people and look at what you [may] need for yourself and your family. Then ask the question.

    3. markr555

      Re: Valuable comments

      "The root problem remains. How much do YOU want to pay for the health of other people?"

      I'm not sure that this is at all a valid statement. If you look at most people in the UK, they are not actually contributing to their (or anyone else's) care at all. By the time you have compared the tax paid by the vast majority against the cost of education (of their breed also), policing, roads and all public services, most people are getting the NHS for 'free'. This is one of the real benefits of our socially responsible society. What the NHS really needs is a shed-load more money from the public purse, end of story.

      1. DML71

        Re: Valuable comments

        The problem is that everyone feels 'entitled' to free care. "I've paid my taxes" etc. etc., so there's no incentive to take any action till it's too late.

        If people had to pay towards preventable illness (alcohol/smoking/obesity-related diseases), would the NHS be so stretched?

        Should private health insurance be tax deductible rather than a taxable benefit, whether work provides it or you pay for it yourself?

        So-called health tourists could be clamped down on. I wouldn't dream of going to America without insurance, but EU visitors can happily come here for all sorts.

      2. Doctor Syntax Silver badge

        Re: Valuable comments

        @ markr555

        When the Welfare State was set up, NI was added to taxation supposedly to cover the costs of this. Likewise road vehicle taxation was introduced, in the form of the Road Fund Licence, to finance road construction and repair (the clue was in the name). The Road Fund, incidentally, was a solution to a problem that had plagued England and presumably many other places since the Middle Ages.

        The problem with this is the Treasury. It really doesn't like not being in control of all finances. It simply treats these as part of general taxation and doles out as little money as possible to the originally intended recipients. In the case of vehicle taxation it really did have to change the name; people might have started asking awkward questions such as how much money's in the fund and how it's spent.

        In each case I think the solution is to tell the Treasury no. DVLA gets to keep the money and spend it on roads. It might make a payment to the NHS to cover the costs of dealing with RTAs, but only when the roads are up to an agreed standard does any left-over money go to the Treasury; if they're not up to standard then it goes back to the original tax-payers as compensation. A reconstituted DHSS would collect NI directly. NI could be set according to requirements, not according to what proportion of total taxation the Treasury wants to shove under that heading.

        This would bring transparency to large areas of taxation. NI could be set to meet requirements with a good deal more acceptance than at present, because it would be clear what it was being used for. The incompetence of the DWP as it currently is would be an issue that affected taxpayers in general rather than just benefits claimants, and would get a much higher political profile.

    4. Anonymous Coward
      Anonymous Coward

      Re: Valuable comments

      "The root problem remains. How much do YOU want to pay for the health of other people?"

      I'd happily stick £10 a month on my National Insurance IF it's going to be used by the emergency services, rather than some pet pork barrel.

    5. Anonymous Coward
      Terminator

      Re: Valuable comments

      @Primus Secundus Tertius: "As often happens in the pages of el Reg, the comments here are more informative about the situation than the original article"

      I don't think so, merely an exercise in how to not mention the very big elephant in the room.

      "The root problem remains. How much do YOU want to pay for the health of other people?"

      The root problem is the ubiquitous use of Microsoft Windows in medical devices connected to the Internet.

      1. wallaby

        Re: Valuable comments

        "The root problem is the ubiquitous use of Microsoft Windows in medical devices connected to the Internet."

        Wrong !!!!

        It wouldn't matter what the product is (but get your Microsoft bash in anyway). ALL medical products are exempted from updates regardless of the OS: a change to a simple DLL file (or similar) could change the way an algorithm works and could, at worst, kill somebody.

        ALL such devices should be off any network which has connections to the internet, USB ports should be locked down, and if they share the same switches etc., locked-down VLANs should be used. 90% of the 1000+ PCs I look after are patched to the installation date and never updated afterwards; we keep them away from the wild for this very reason. Simple to say update the kit, but when a replacement instrument can cost £600k+, and the one you have works perfectly well......

  4. Anonymous Coward
    Anonymous Coward

    We failed our audit....

    Because an updated Chrome version had been released that morning and it had only reached 3000 of our 8000 devices. We could have terminated people's browser sessions, but we'd rather not do that for minor releases.

    As a bit of non-salty clarity: it was only a problem because we'd started pushing the patch out and it had <90% coverage, so it went into the audit as a non-effective patch, which was a fail. The fact it had only started being deployed that morning was irrelevant.

    So we've got our review going on 'soon'; our intention is to freeze all patch deployments a couple of days beforehand so that all 'deployed' patches pass the audit.

    It's mental, really....

    1. Anonymous Coward
      Anonymous Coward

      Re: We failed our audit....

      And when, pray tell, did you roll out that Chrome update?

      Would it have been during the working day ? On a Monday to Friday ? Or would it have been sometime more sensible like 3am on a Wednesday morning ?

      1. Anonymous Coward
        Anonymous Coward

        Re: We failed our audit....

        It happened to be a Tuesday and it began deployment from 2am; it was approved the previous day after being tested vs Clinical and Corp.

        Installations only occurred when the user was not actively using the device (either locked for 15 mins or logged off) and when, in this case, Chrome was not already running. MS patches occur with the same rules but suppress reboots, and will trigger a reboot if the device is logged off for more than X minutes.

        The audit then began at 10am. We were expecting, naively I guess now with hindsight, that they'd look at how quickly we could get patches out (once approved) and it would reflect well upon us. Little did we know what the actual criteria were; this had been kept by SMT away from us minions.

        But don't worry, we got pulled up by the SMT after we received the failure notice and were thoroughly lashed for our lack of clairvoyance to stop our normal policy.

        1. Anonymous Coward
          Anonymous Coward

          Re: We failed our audit....

          It's not that I was saying that Wednesday at 3am is a great time either; hospitals are a 24/7 "business", but upgrades and changes have to be done at some time....

          The problem is that what you don't want is to choose busy periods to do the upgrade. Often, particularly in the case of hospitals, generic change windows such as Friday night / Saturday night are really quite busy periods for A&E in particular, so it is best left to the individual hospital IT management to work out when the best timing is.

          But I'm pretty sure that 11am on a Thursday morning is probably not a great time to upgrade your email servers, like a London hospital I know did.

          I totally agree that AfC is a big heap of stinky poo which just doesn't work, for anyone, let alone IT staff.

          The thing is that at most of the hospitals I am aware of, they set up specific projects to do specific things and employ contractors on a very short-term basis (often too short a time period to get the project done properly, and don't even think about doing any sort of useful handover), and then this pile of dung is flung at the IT folks, who never get real training on anything and don't have enough staff anyway to try and support it.

          I do feel sorry for these IT folks, but headlines such as the one for this story are hardly surprising because of the way this all works.

          Whether it's WannaCry or the eejit that created a mailing list of every nhs.net account and allowed a non-authenticated reply to the list, it doesn't matter; it's all very much a product of the way that the (current and successive) governments treat the NHS....

          Next up: privatising IT provision with offshoring to any country that will charge peanuts!

      2. Anonymous Coward
        Anonymous Coward

        Re: We failed our audit....

        Why is that a more sensible time to apply an update to Chrome?

        He likely doesn't have 8000 machines in one building powered on/WoL enabled; they're probably mostly mobile working devices spread around tens or hundreds of official sites and even more non-NHS sites.

        It's an update that installs straight away and applies on application restart. The "sensible time" is probably straight after their testing/approval process. The point of his comment is that he failed an audit based on a successful, ongoing deployment; that common sense was not applied.

      3. Anonymous Coward
        Anonymous Coward

        Re: We failed our audit....

        3am is more sensible in a hospital?? Seriously, there is never a good time in that kind of environment... you will always get a kicking.

    2. Doctor Syntax Silver badge

      Re: We failed our audit....

      Quite frankly, it says a good deal more about the competence, or lack thereof, of your auditors than it does about you.

  5. Anonymous Coward
    Anonymous Coward

    Have you ever had to deal with an NHS IT department ?

    I'm sure there are some extremely competent people that work in NHS IT departments.

    HOWEVER..... some of the things that go on are completely delusional..... for example, in order to cut costs, most departments only work Mon-Fri 9ish to 5ish. This includes all upgrade work, break-fix and all support.

    Yes, you heard me right, dear reader: upgrades are performed to core IT systems during the working weekday. This can and has resulted in connectivity to the outside (and inside) worlds being lost, completely, for hours and hours at a time, especially when it all goes horribly wrong.

    Remember, all results are now sent out via email, so when the email server is taken down for 2 hours at 11am and is still not up by 5pm... well, you can guess the fun that is had by already overworked nurses, doctors and BMS folks.

    The folks are often so incompetent that when someone changes names, they cannot understand that you should make the default primary email address the new name and alias the old one. So I am well aware of a number of staff who have logins that are their new name, but all email comes from their old name, and the alias to their new name (sometimes) works....

    So this news is hardly surprising: the NHS does not pay IT staff well enough or pay for working weekends/nights, and they are understaffed (like most departments in any hospital you choose to think of).

    1. Anonymous Coward
      Anonymous Coward

      Re: Have you ever had to deal with an NHS IT department ?

      I'll just add that, structurally, the NHS is not well set up to manage, compensate or otherwise reward IT staff. The whole centralised "Agenda for Change" system of pay scales, job banding and progression is - understandably - set up for health professionals, support staff such as receptionists and porters, and managers. It fails fairly badly for IT staff, particularly at senior technical levels. The usual story with one-size-fits-all policies.

      1. Anonymous Coward
        Anonymous Coward

        Re: Have you ever had to deal with an NHS IT department ?

        the NHS is not well set up to manage, compensate or otherwise reward IT staff

        None of the public bodies are. Even though salaries are supposed to be 'industry-average', in reality they are about 60-70% of the industry average. And, unlike private industry, promotion is almost strictly 'dead men's shoes', since getting extra slots for higher grades means cutting elsewhere. So, in order to be promoted, you have to have a good manager prepared to fight on behalf of their people, an understanding HR department[1] and an open slot at a higher grade somewhere in the department.

        [1] Yeah, right. Most private company HR departments tend to exist to protect the company from the employees, but in public bodies this seems to be their entire reason for existing.

    2. Anonymous Coward
      Anonymous Coward

      Re: Have you ever had to deal with an NHS IT department ?

      Most non-clinical services do not run 24/7 in the NHS, which frankly makes no sense. Important staff like those who would investigate breaches are also typically not on call and are only allowed to work 9-5, with no overtime ever being on offer if they work over that, so oddly enough most don't.

      I hate to defend middle management, but my own department manager wants to go 9-5 7 days a week. We could easily have enough work to cover quiet periods during the weekend and get on with plenty of proactive work, but due to cost it's been turned down repeatedly, despite some of the clinical areas seeing the benefit of having technical staff more readily available over weekends.

  6. Whitter
    Meh

    If there's been no action

    Then what was the £21 million spent on?

    1. Anonymous Coward
      Anonymous Coward

      Re: If there's been no action

      Meetings, first-class travel to meetings, biscuits to consume in meetings...

  7. Anonymous Coward
    Anonymous Coward

    It’s not the money

    The NHS has literally billions to spaff on Accenture and the like for projects that none of the medical staff actually need or want.

    This is absolutely 100% a failure of management.

    1. Anonymous Coward
      Anonymous Coward

      Re: It’s not the money

      Go higher...

  8. Anonymous Coward
    Anonymous Coward

    I second the other NHS ACs in this thread.

    The audit that was done on us had some big flaws in its analysis that we pointed out, but they have refused to take them into account.

    We did pretty well in our audit, I believe (still a fail), and where we have gaps we already had a plan to tackle them, just a lack of budget.

    It feels like NHS Trusts are pawns in a gambit to secure more funding, but it can't help but feel like a personal attack on our professional abilities.

    Where people are working miracles with the little budget they have is where the money will be best spent, and best used.

    Trusts that have failed to even get to grips with the basics like WSUS and centralised antivirus management are not going to benefit from just a cash injection. Paying some expensive consultants might help short term, but without a change in management and a huge attitude shift to IT security it won't last.

    1. Anonymous Coward
      Anonymous Coward

      We've been called in for consultancy for a trust on more than one occasion, and from what I saw, budget isn't so much of an issue.

      Standard issue for all staff are ultrabooks and iPhones, the backend is all warrantied, top-of-the-line commercial gear, and the place is chock full of staff.

      Vague directives, poor management and staff turnover are the key issues. I've seen a well-funded department that is in a shambles, with, as far as I could see, a single qualified engineer surrounded by disinterest and incompetence.

  9. HmmmYes

    The saddest thing is that 'we' are only looking at the computers and the like because they fucked up and 'we' are used to looking for computery fuck-ups.

    However, I'm sure that if a few grown-ups got together they'd find similar results in health outcomes, treatment, etc. etc.

  10. Anonymous Coward
    Anonymous Coward

    UK NHS

    ... doesn't exist. Each of the devolved countries manages its own NHS and can put in place directives of its own.
