
NHS network security


Comments

  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    I think it is spread via email rather than as a download.

    The nurses require internet access so they can post their boobs on Facebook - http://www.telegraph.co.uk/technology/3358681/Facebook-ban-for-nurses-after-online-flashing.html
  • DavidP24
    DavidP24 Posts: 957 Forumite
    I have done numerous projects and contracts in the NHS and have a good understanding of their infrastructure. There are a lot of assumptions here but also some "deja vu" (explained later).

    My gut feeling is that the reason this was so successful with the NHS was the provision of public wifi, which has been badly implemented and not isolated, but also the failure of the Government to invest in the NHS as a whole.

    So to begin with, let me clarify a few things:
    woody2234 wrote: »
    Could the NHS have a stand alone network not connected to the Global Internet for all their computers, but also a separate computer in each NHS building for staff to check things like BBC and other websites? Also people have smartphones these days which they can connect to the Global Internet if they need to.

    This already exists. It used to be called NHSnet, then N3; it is a private Intranet, and the connection to this network has always been extremely strict. It is a massive Intranet connecting over 450 organisations, thousands of sites, with tens of thousands of connected devices. Remote access to any computer or network must be via SecurID key fobs. Connecting computing facilities is extremely onerous; it can take over a year and demand that all your network infrastructure is changed.
    woody2234 wrote: »
    What about

    1 Have a main NHS server based in say London and when NHS staff log in to a Terminal (computer) at say Newcastle NHS then it's a stand alone system

    Again, this is partly how NHS systems run across N3: they connect to LSP-provided systems and run Terminal Services, Citrix or Web apps, or they run VMs on servers. So most XP systems have no local data at all, they are just cheap terminals; there may be literally a handful of systems that require XP for legacy apps, and these are usually systems running middleware and messaging.

    It should be stressed that Windows systems in general are vulnerable here, not just XP; it is just that people notice XP is old and unsupported for the public, but the NHS started paying Microsoft £5m a year for extended XP Support.

    The financial issue here was also that Microsoft changed the NHS licensing of what was included in that terminal server and office licensing, particularly component licensing. Also it was not just the cost, it was the manpower.

    woody2234 wrote: »
    2 Disable the USB ports and CD player on the Terminals so the staff cannot connect their smartphones to it, I have worked for a Government department and they do this already

    Again, this is already in place. Not only is connecting any outside device a disciplinary offence; since a final deadline in 2007 there has been an obligation for every IT Director in the NHS to take personal responsibility to have such connectivity disabled via Group Policy, or locally for standalone systems as part of the build process.

    Staff are NOT allowed to connect smartphones to NHS kit, to be honest they would have no reason to. The obligation to protect patient data is why all these restrictions are in place. As you say this applies to all Government.

    woody2234 wrote: »
    3 Ransomware says pay $300 which is about £232 and I've been on PC World today and there's a few laptops on there for about £200 and they're Windows 10 but how much would the NHS have to pay the wholesaler when the wholesaler finds out the tax payer is paying for the equipment

    The NHS has approved systems which under EU law had to be tendered for, so only approved suppliers for each Trust, but I suspect the issue is not cost, it is having the staff and them working out of hours on live systems often used 24/7. I came across this so many times: we implemented our projects out of hours to cause least disruption, but the NHS staff were simply not paid enough to do it.

    If you have a Windows system of any age or flavour that has not been updated with the March 14th 2017 update, use Windows Update NOW.

    Thanks, don't you just hate people with sigs !
  • S0litaire
    S0litaire Posts: 3,535 Forumite
    kwikbreaks wrote: »
    I think it is spread via email rather than as a download.

    The nurses require internet access so they can post their boobs on Facebook - http://www.telegraph.co.uk/technology/3358681/Facebook-ban-for-nurses-after-online-flashing.html
    It also spreads via "SMB" shares. So once a single machine is infected it can easily spread to any machine with (or connected to) a networked shared folder.
    Laters

    Sol

    "Have you found the secrets of the universe?" asked Zebade. "I'm sure I left them here somewhere."
  • DavidP24
    DavidP24 Posts: 957 Forumite
    John_Gray wrote: »
    You are missing the point that most NHS (non-specialist) computers still run Windows XP - for which Microsoft provides no further patch support without an expensive support agreement.

    Your comment about the time taken for bureaucratic organisations to apply patches in a timely manner remains valid!

    That is simply untrue, to say MOST is a gross exaggeration.

    You could say that MOST Trusts still have some XP systems, but as I posted above, it may be just a container to get the licence and that is it.

    You could also say that there are certain Trusts where MOST PCs are XP.

    The Gov started paying Gov $5m a year for XP updates.

    I told them they should run Linux with OpenOffice years ago, but they had things imposed on them by the LSPs, who tried to charge them Billions for software that cost less than Millions to develop. In the end the programme was cancelled, but a lot of the software is still in use and supported by those LSPs.

    In the Trusts I had projects in there were good and bad practices.

    They tended to have their own update servers because many a time the MS Updates would kill systems, so they usually ran a week later just to see if there were issues.

    This Update MS17-010 did have issues which may explain why the rollout was delayed.

    I suspect it is the forced provision of wifi networks for the public to use that has enabled this to spread; it SHOULD have been isolated, but as this worm is spread by SMB it clearly is not.

    It is the case in well managed Trusts that you are not allowed to bring in your own laptops, and if you plug them into the intranet their network connectivity is disabled and alerts are generated.
    Thanks, don't you just hate people with sigs !
  • DavidP24
    DavidP24 Posts: 957 Forumite
    slinga wrote: »
    Most of the so called NHS IT managers are probably looking at dodgy internet sites for most of their working day and have inadvertently downloaded something on their XP computers..

    It is so funny when people make comments like this.

    Dodgy sites are banned as you would expect in any corporate environment, they tend to use a combination of subscribed services and their own blacklists.

    You can be instantly fired in the NHS for anything you call "dodgy". I have been in numerous sites and there are dimwits employed at the lower level, usually over-promoted types. The problem they have is very similar to many public sector organisations: they do not train enough at the low levels.

    I found it very frustrating working with the NHS; we were a commercially driven, get-it-done company, but they had so many blockers it was very difficult.

    Like any organisation they have good and bad IT Managers, many are not listened to and I told them to leave or else risk being blamed for stuff they wanted put in but was not.

    This is very common with IT Managers and Directors in any organisation: they tend to report into the Finance Directorate, and they always say "what are the risks if we DON'T do this update or put it off for 12 months". So the IT depts find solutions or just live with the risk.

    So the IT guys hold the thing together with Blu-Tack and a bit of string, then get blamed for it.

    I imagine that there will be a lot of people dusting out the memos where they warned the directorate and were told to carry on.
    Thanks, don't you just hate people with sigs !
  • DavidP24
    DavidP24 Posts: 957 Forumite
    S0litaire wrote: »
    It also spreads via "SMB" shares. So once a single machine is infected it can easily spread to any machine with (or connected to) a networked shared folder.

    That is right, it is SMB, but it can only spread into an unprotected machine.
    Thanks, don't you just hate people with sigs !
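    The three controls DavidP24 describes across his posts (the MS17-010 update, the SMB exposure of an "unprotected machine", and USB storage disabled via Group Policy or the build process) can all be checked locally. The script below is an added example written for this page, not something from the thread, from NHS Digital or from Microsoft. Its assumptions are mine: the KB numbers are the MS17-010 packages I know for Windows 7/8.1-era hosts (on Windows 10 later cumulative updates supersede them, so an empty hotfix result is a prompt to check the srv.sys version against the bulletin, not proof of exposure), the `LanmanServer\Parameters\SMB1` and `USBSTOR\Start` registry values are the documented switches for SMBv1 and USB mass storage, and the script is run in an elevated PowerShell session.

```powershell
# Added example (not from the thread): read-only check that a Windows host has the
# protections the thread says should already be in place. Assumed KB numbers below
# are the MS17-010 packages for Windows 7 / 8.1 era hosts; Windows 10 hosts get the
# fix through cumulative updates, so rely on the srv.sys version for those.

$Ms17010Kbs = @(
    'KB4012598',   # Windows XP / Server 2003 / Windows 8 out-of-band package (assumed)
    'KB4012212',   # Windows 7 / Server 2008 R2 security-only (assumed)
    'KB4012215',   # Windows 7 / Server 2008 R2 monthly rollup (assumed)
    'KB4012213',   # Windows 8.1 / Server 2012 R2 security-only (assumed)
    'KB4012216'    # Windows 8.1 / Server 2012 R2 monthly rollup (assumed)
)

function Get-SmbWormExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is one of the MS17-010 packages in the installed hotfix list?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $result.Ms17010KbInstalled = [bool]$installed
    $result.Ms17010KbIds       = ($installed | ForEach-Object HotFixID) -join ','

    # 2. Version of the kernel SMB server driver that MS17-010 replaces. Compare it
    #    with the fixed file version the bulletin lists for this OS build.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $result.SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'missing' }

    # 3. Is the SMBv1 server still enabled? Windows 8 / Server 2012 and later expose
    #    this through Get-SmbServerConfiguration; older hosts use the LanmanServer
    #    SMB1 registry value (absent or 1 = enabled, 0 = disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                    -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
    }
    $result.Smb1ServerEnabled = [bool]$smb1

    # 4. USB mass storage disabled by policy or build (the 2007 obligation in the
    #    thread). Start = 4 means the USBSTOR driver is never loaded.
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    $result.UsbStorageDisabled = [bool]($usb -and $usb.Start -eq 4)

    [pscustomobject]$result
}

$status = Get-SmbWormExposure
$status | Format-List

if ($status.Smb1ServerEnabled) {
    Write-Warning ('SMBv1 server is enabled. Disable it with ' +
        'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force (Windows 8/2012+) ' +
        'or set LanmanServer\Parameters\SMB1 = 0 and reboot (Windows 7/2008 R2).')
}
if (-not $status.Ms17010KbInstalled) {
    Write-Warning ('No MS17-010 package in the hotfix list. Confirm the srv.sys version ' +
        'against the bulletin before trusting this host on a shared network.')
}
if (-not $status.UsbStorageDisabled) {
    Write-Warning 'USB mass storage is still loadable; check the USBSTOR Group Policy / build setting.'
}
```

    Run it on a sample of machines in a Trust's estate and the two warnings that matter for this worm are the first two: a host with SMBv1 enabled and no MS17-010 fix is exactly the "unprotected machine" the worm needs, and disabling SMBv1 closes the path even where patching is delayed by the one-week update-server lag described above.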
  • DavidP24
    DavidP24 Posts: 957 Forumite
    kwikbreaks wrote: »
    I think it is spread via email rather than as a download.

    The nurses require internet access so they can post their boobs on Facebook - http://www.telegraph.co.uk/technology/3358681/Facebook-ban-for-nurses-after-online-flashing.html

    Yes the initial infection can be done via an email.

    I read about that and was surprised; I worked in a lot of Trusts up and down the country and you could not even access webmail, and social media was definitely banned. I suspect they did that via their mobile phones, which obviously do not use NHS systems.

    The wifi provision is different; it still uses 3rd party banning sites, but I suspect it is how they might have used it, although they are not allowed to, as it is for public use only.

    However, if you were a low paid nurse or HCA and you had a choice of using your data allowance or the free wifi, I bet you would use the wifi.
    Thanks, don't you just hate people with sigs !
  • Neil_Jones
    Neil_Jones Posts: 9,651 Forumite
    Well, if it is true the NHS is still running Windows XP, Microsoft are releasing an update for it, three years after they cut off all support for it.
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • DavidP24
    DavidP24 Posts: 957 Forumite
    S0litaire wrote: »
    :)

    also in the past 20 odd years there have been 2 (I think!?!? one at least!!) separate failed attempts to create a new IT system for the NHS.

    It's a massive undertaking that would have taken 10-15 years to roll out fully! By which time the OS and equipment specs would be massively out of date and you would probably end up in the same sort of situation as we're in now! just a few billion £ poorer... lol

    It was actually one programme, but it had such bad publicity that it had to be renamed from the National Programme for IT to "Connecting for Health".

    As always it was about BIG money, the fundamental flaw was a decision to replace EVERY clinical system, instead of leaving good systems in place and just using HL7 messaging to connect them.

    They eventually scrapped the programme and, despite the wild figures bandied about, they actually spent about 2bn, and many of the systems are still in use today: things like Choose and Book, and the NHS Spine that shares your data in a summary care record across the N3 NHS Intranet.

    The country was split up into regions, I think it was 7 LSPs appointed, each with a multi-billion pound contract; of course they whacked up the prices and failed to deliver.

    Remember, at the time they already had a secure Intranet and the private NHSnet email system; these guys wanted to put their own things in just to get additional work.

    Their software development methodology was awful. They left out critical aspects, for example the ability to handle clinic appointments, and planned to roll it in 4 years later, yet on the front line of any clinical system you depend on that and do not have the staff to do it manually, which was the suggestion by the LSPs.

    One of the things that killed the programme was the way the LSP contractors treated the NHS IT staff, so the IT staff declined to provide them critical information such as their understanding of access control. For example, only certain clinicians can be told a patient has HIV (because they need to know, as it is relevant to the clinical decisions they make); the idea is that clinical staff assume that ALL patients have HIV and so protect themselves and others from risk of infection. These contractors had no idea how to define these clinical staff groups, were not given the information, or had failed to put sufficient access control in the software. Even the old software required staff to put in their PINs to see sensitive data.

    Anyone who has worked with Public Sector IT knows they are often underpaid, not listened to and under-trained; they also know that projects run late because the scope of the projects changes. They would cling to methodologies like PRINCE2 and ITIL rather than realising that everything needs to be agile and ongoing, so nothing goes out of date.

    To be fair to them I have seen dire systems in corporate environments too, from the ones who have money (banking) to those who are cash starved.

    It is all about understanding business processes, change and developing around that.

    This worm, which is far from limited to the NHS, should be a wake-up call.
    Thanks, don't you just hate people with sigs !
  • DavidP24
    DavidP24 Posts: 957 Forumite
    Neil_Jones wrote: »
    Well if it is true the NHS is still running Windows XP, Microsoft are releasing an update for it, three years after they cut off all support for it.
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Yep, they had to, but they already were and have been since 2014, at a cost of around £5m a year.

    What they are doing now is making it easier to update, but the daft thing is that if you install a language pack after the fix you make the PC vulnerable again.

    So all hackers have to do is send emails to people suggesting genuine Microsoft language packs are needed to prevent vulnerability; the user installs those packs and then the hacker can try and email them a message a week later saying "is your PC secure", then tell them they are while they casually drop the worm again!
    Thanks, don't you just hate people with sigs !