NHS hospitals across England hit by large-scale cyber-attack

[nicko31]

Windows is used in more than just traditional PC's.

Big problem in the NHS is things like MRI scanners that run Windows XP etc... and a lot of these manufacturers go bankrupt, out of business - so then what do you do?

For single application purposes anyone with a brain would deploy Windows XP Embedded in the first place.

WinXP for desktop use, they've had years to plan for this. Really no excuse

 

[Leekbrookgull]

Closer to home in a way is it possible to cause this kind of disruption to say air traffic control,a major railway signalling centre that kind of set-up or is that a completely different system ?

 

[Yoda]

For single application purposes anyone with a brain would deploy Windows XP Embedded in the first place.

WinXP for desktop use, they've had years to plan for this. Really no excuse

The biggest issue is trusts that still use old clinical applications on their desktops, where the 3rd party supplier has since gone bust so no longer gets updated, but the trust is still prepared to use the software as they can't afford to go to a new company to get something more update. This then leads to said trust also putting back roll outs for newer versions of windows as the soft ware is no longer compatible.

 

[Silk]

The biggest issue is trusts that still use old clinical applications on their desktops, where the 3rd party supplier has since gone bust so no longer gets updated, but the trust is still prepared to use the software as they can't afford to go to a new company to get something more update. This then leads to said trust also putting back roll outs for newer versions of windows as the soft ware is no longer compatible.

This. If they are using XP, it's often because they have no choice. For a long time, the fact that certain systems would only work in IE6 held back upgrades for everybody.

Sent from my F5121 using Tapatalk

 

[Westdene Seagull]

Being a surprise shows that you really don't understand. XP is as robust as any other system run by Windows, so long as it is updated and patched. Microsoft have contracts to keep it stable. The problem here was caused by the NHS not updating patches since 2012. Paris airport still runs on 3.1 and they don't get problems. So understand before posting.

Of course the biggest problem being that MS stopped any support for XP in 2014.

No problem. Although since this is NSC, I'm not sure an apology is appropriate, perhaps you could just stick to your guns and we can argue about it for a day or two?
I can't say I know about deals of that size, but £65m doesn't seem great to me. It's not like the staff have a computer each, many will share, many are hardly on a computer for their job. Regardless though, it looks like some at the top have ****ed up royally.

£65m is a good deal. Microsoft licencing for corporate is far more complicated and costly then home licences. If the figure of £72 is correct and is includes application, server, OS and access licences is marvellous value for money

 

[Brighton Mod]

Slippery devil, aren't you? The only argument I have actually made is that this a world wide attack affecting 200 countries and many organisations, not just the NHS, and that therefore people should not be rushing to point the finger. Which part of that do you have a problem with?

The sentence you highlighted was not a fact free assumption (like your argument), but a speculation (the clue is in the words "if it turns out".. IF).

Now, where are your facts proving NHS management responsibility again?

Would appear its nothing to do with funding, but the failure of certain trusts to respond to a simple request to input a patch, given to them free, on to their system. A management failure that has cost the NHS millions of pounds, would appear symptomatic of how money is drained from the public purse by inept management in the NHS.

 

[Billy the Fish]

Would appear its nothing to do with funding, but the failure of certain trusts to respond to a simple request to input a patch, given to them free, on to their system. A management failure that has cost the NHS millions of pounds, would appear symptomatic of how money is drained from the public purse by inept management in the NHS.

This is the crux of it for me, rolling out windows updates is a basic admin task.

 

[Silk]

Would appear its nothing to do with funding, but the failure of certain trusts to respond to a simple request to input a patch, given to them free, on to their system. A management failure that has cost the NHS millions of pounds, would appear symptomatic of how money is drained from the public purse by inept management in the NHS.

I think if you read this article, you might find it enlightening. There are many factors at play.

http://www.bbc.co.uk/news/technology-39915440

"Updating your computer if you're an individual is a piece of cake, but for a network the size of Britain's National Health Service? Tough - time-consuming, expensive and complex."

But no. According to you, it's easy.

 

[beorhthelm]

I think if you read this article, you might find it enlightening. There are many factors at play.

http://www.bbc.co.uk/news/technology-39915440

"Updating your computer if you're an individual is a piece of cake, but for a network the size of Britain's National Health Service? Tough - time-consuming, expensive and complex."

But no. According to you, it's easy.

you're not seriously accepting that deflection from Microsoft "its all NSA fault for not telling us bugs"? trouble its now known that MS had the bug fixes for the vulnerablility used back in Feb and released them to supported platforms (and paid XP support) in March before the NSA leak in April. they could refrain from a business model to force upgrades too, so much for putting security first. as for the ease of fixing NHS could be running run SCCM to deploy patches automatically, and auto-updating anti-virus which would have quarantined malware payloads even on vulnerable unpatched machines.

 

[Marshy]

You really need to work in the NHS to understand it's complexities, the legacy IT systems that are still in use and the SUPPLIERS of them, it's not quite as easy as saying why are some PCs still running XP or use SCCM to deploy patches. Sure things could be done better in the NHS like most organisations, but it's certainly not through lack of trying by IT depts to get more upto date. I would say 98% of PCs in BSUH are win7 or above and moving to windows 10 is on the horizon.
We thankfully were not hit by this attack and have taken further action to assure we are safe.
This is not just an NHS issue please do not forget that.

 

[Shropshire Seagull]

I think if you read this article, you might find it enlightening. There are many factors at play.

http://www.bbc.co.uk/news/technology-39915440

"Updating your computer if you're an individual is a piece of cake, but for a network the size of Britain's National Health Service? Tough - time-consuming, expensive and complex."

But no. According to you, it's easy.

At HMRC with have circa 86,000 end clients [laptops, desktops, tablets, whatever] - I've no idea how this compares in quantity to the NHS - but it's still pretty large scale.
We are in mid project, moving everyone to Win 10 - not aware of any XP, but there is bound to be the odd one or two kicking around somewhere.
All Win 10 machines are patched with the regular Tuesday patch releases from Microsoft.

What I think may have happened, is that all major government departments receive an IT budget, but it's up to each how they choose to spend it. And if some think along the lines of "if my XP ain't broke, don't fix it" there was a lessons learnt of epic proportions last weekend.

 

[Buzzer]

The NHS is a public sector organisation, therefore yes, the government bears some responsibility if there​ has been an inability to invest in up to date equipment. You can tell they bear some responsibility from the way they have immediately started dodging it. The media are still labelling it "NHS cyber attack", even though it is well known to be a global attack. Another excuse to bash the NHS.

I don't think anyone should bash the NHS but I think it's fair game to point the finger at individual trust IT departments. This is routine stuff. The size and complexity of an NHS trust is no excuse for basic security admin.

 

[beorhthelm]

You really need to work in the NHS to understand it's complexities, the legacy IT systems that are still in use and the SUPPLIERS of them, it's not quite as easy as saying why are some PCs still running XP or use SCCM to deploy patches. Sure things could be done better in the NHS like most organisations, but it's certainly not through lack of trying by IT depts to get more upto date. I would say 98% of PCs in BSUH are win7 or above and moving to windows 10 is on the horizon.
We thankfully were not hit by this attack and have taken further action to assure we are safe.
This is not just an NHS issue please do not forget that.

you're at a trust that has got some grip on things, which highlights the shortcomings of others. fair enough its complex, that doesnt really wash as there's plenty of large complex organisations (oh the fun i hear of auditing the number of users). its just this idea that the solutions arent there. i wince when i hear the excuses that old equipment is running XP and vendor is gone (so who is providing hardware maintenence and support), or the need to run IE6 applications when you can virtualise those terminals. the solutions exist, its down to prioritisation and implemention. and training Linda not to open email attachments from ted@companyneverheardof.com.

 

[carlzeiss]

http://money.cnn.com/2017/05/16/technology/ransomware-north-korea-hacking-history/

 

[Trevor]

I don't think anyone should bash the NHS but I think it's fair game to point the finger at individual trust IT departments. This is routine stuff. The size and complexity of an NHS trust is no excuse for basic security admin.

Yes, I work for the NHS - we are in pre-election purdah so I should be careful not to express an opinion that favours one party over another (and I don't think I am)

I completely agree with you in general terms. However, I seriously think that IT should be a centrally managed such that decision making is taken away from the individual NHS bodies - many of whom are simply not well-placed to make responsible considered decisions

 

[Buzzer]

Yes, I work for the NHS - we are in pre-election purdah so I should be careful not to express an opinion that favours one party over another (and I don't think I am)

I completely agree with you in general terms. However, I seriously think that IT should be a centrally managed such that decision making is taken away from the individual NHS bodies - many of whom are simply not well-placed to make responsible considered decisions

I cede to your better knowledge here and you've convinced me. It is worrying that considering access to patient records etc should be available to all NHS trusts there should therefore be an integrated IT policy.

 

[WSU Dilettante]

Most of your confidential medical records are probably out there by now for all to see! Or will be soon after the pastebin leaks

Chances are that actually it's the complete opposite. All Primary care clinical systems are hosted and the information stored in secure data banks, with back up data banks for the information to be moved to in the event of an attack.

 

[bWize]

Chances are that actually it's the complete opposite. All Primary care clinical systems are hosted and the information stored in secure data banks, with back up data banks for the information to be moved to in the event of an attack.

If the client workstation is compromised then the attacker could have easily pulled any information from the primary servers via the the infected workstation and then download it. It's highly likely there was a backdoor allowing the attacker full privileges to the infected workstations (Which in turn have rights to access the primary servers to look up patient health records etc)

 

[dadams2k11]

If the client workstation is compromised then the attacker could have easily pulled any information from the primary servers via the the infected workstation and then download it. It's highly likely there was a backdoor allowing the attacker full privileges to the infected workstations (Which in turn have rights to access the primary servers to look up patient health records etc)

No! They would still need Admin username and password to access stuff on the server. Not just any Tom dick or Harry can access the info. That's why we setup security groups and add users to the group to be able to access the information.

 

[bWize]

No! They would still need Admin username and password to access stuff on the server. Not just any Tom dick or Harry can access the info. That's why we setup security groups and add users to the group to be able to access the information.

Yes, but if the system is backdoored then keylogging to gain Admin User/Pass or even using a MITM attack would be fairly trivial for the attacker. Security user groups are not going to help if the machine being used by persons with high level access is compromised.