NHS network security

Comments

  • Jivesinger
    Jivesinger Posts: 1,221 Forumite
    Ninth Anniversary Combo Breaker
    Strider590 wrote: »
    This NHS ransomware thing........ I'm really sick of it now........

    It was NOT AN "ATTACK", it was merely some idiot academics with no common sense, opening and passing on emails/links that contained or lead to this malware!

    What is wrong with admitting you fell for something that you have absolutely no knowledge about??????
    The point is that many people in those organisations didn't click on any emails or links, and *still* got infected, because of a particular vulnerability which allows the worm to spread.

    Once one person clicked on a bad thing, it could spread over the network to all the other computers which hadn't been patched.

    So I believe many users had lots of common sense and didn't 'fall for it'. The issue was that their computers were exposed to this particular vulnerability, usually something the user wouldn't have any control over.
  • Heedtheadvice
    Heedtheadvice Posts: 2,791 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 15 May 2017 at 2:10AM
    Thanks must go to DavidP24 and more latterly novirus for posting those comments that have a lot of insight.

    I can agree with most if not all of what they wrote from personal experience.

    I would also add that the situation is worse than they describe for the following:
    Lack of commonality of good/best practice plus sharing across the wider NHS.
    Many trusts have had their IMT systems grow (often individually) rather than be planned and the failed English IT system aimed to remove that diversification (remember here that the NHS comprises English, Welsh, Scottish and N. Irish areas) proved it is by no means easy. One cannot throw away working systems and then develop one new one easily! It is thus difficult to make a single common system that has all the benefits and none of the risks of each individual system.
    IMT is one of the poor relations of the different sections within the NHS. Although not medical (we all know that the NHS is comprised of doctors and nurses - seriously, whenever do you hear about the allied professions, administrators, managers except as passing remarks or derogatory comments?) IMT staff that fulfill very wide roles provide, support or develop/manage systems that are essential to good, proper and efficient running of patient services - look what happens when we are denied those services so recently - yet one of the primary drivers is short term cost.
    Some of the IT work is done by non IT staff who have neither the training nor experience required and detracts from medical services. I have many an example of nurses, allied health professionals running their own systems, not falling under official IT policies or control and thus becoming risks.

    I could go on but for the sake of some brevity will not. Those who do not know organisations like the NHS can hardly envisage the complexity of the systems involved. They are not in any way like running home or small office PC systems. Interlinking of systems is more and more essential to speed up the processes and make information readily and quickly available that paper systems could not provide. Electronic introduction created its own separate risks and these have not entirely been addressed. The public and therefore politicians looking for votes (of all parties) cannot comprehend that spend outside of Medical staff usually goes a long way to improve patient care or support those front line staff providing that direct care.
    I hope that DavidP24's posts have enlightened some... and yes, not all finance, IT, management staff (and the rest!) come up to spec. That is human nature too but the NHS must deal with that fact much better, be leaner, communicate better, learn faster. Much power is still with consultants and the medical directors, some of it quite rightly so but much of what DavidP24 says he would change stems from long standing arrangements that those with the power will not give up!
  • Strider590
    Strider590 Posts: 11,874 Forumite
    edited 15 May 2017 at 7:09AM
    Jivesinger wrote: »
    The point is that many people in those organisations didn't click on any emails or links, and *still* got infected, because of a particular vulnerability which allows the worm to spread.

    Once one person clicked on a bad thing, it could spread over the network to all the other computers which hadn't been patched.

    So I believe many users had lots of common sense and didn't 'fall for it'. The issue was that their computers were exposed to this particular vulnerability, usually something the user wouldn't have any control over.

    I'm sorry, but this is what the media is telling us and I personally don't believe it, there are MANY reasons why and I'm not going into that.

    Hacking is something I know too much about and most of my old "hacker" friends now work in cyber security protecting high profile clients, including contractors to the MOD. Said friends are currently posting (on Facebook) very similar posts to my above statements, in frustration at how this is being handled and how it seems to be more about blaming some random unknown 3rd party, than it is about stopping this happening again.

    The NHS need to stop hiring computer science graduates and start hiring people who know about IT security from experience.

    It still remains that this was not an "attack", the NHS was not targeted, the actions of a few individuals and a poorly set up IT infrastructure within the NHS have caused this. They can blame cyber criminals all they like, but if they'd taken security seriously this wouldn't have happened.

    Ultimately the authorities are going to ride this publicity and use it to sway public opinion, getting the majority to willingly give up yet more online privacy and tolerate yet more censorship/filtering. I think this time around, or maybe next, they'll blame VPNs, because VPNs are something they want shut down too.
    “I may not agree with you, but I will defend to the death your right to make an a** of yourself.”

    <><><><><><><><><<><><><><><><><><><><><><> Don't forget to like and subscribe \/ \/ \/
  • debitcardmayhem
    debitcardmayhem Posts: 13,091 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I would agree with Strider, it was not a targeted attack on the NHS, there have been incidents in over 70 countries and e.g. Renault, Telefonica are not connected to the NHS
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • Uxb
    Uxb Posts: 1,340 Forumite
    I understood Telefonica/O2 provide VOIP services to the NHS
  • DavidP24
    DavidP24 Posts: 957 Forumite
    Gosh it is like a Spanish inquisition!

    I doubt anyone clicked a link but maybe they did, so what, it is easy to be wise but we are in this social sharing society, it can't all be cute kittens on YouTube.

    This exploit has been sitting dormant in many people's PCs, I suspect that it is the first of an experiment, one to test how we respond so that a better, more efficient one may be created.

    I am not convinced that it is not in some degree sponsored or supported by a State for the above purpose, but we will never know.

    It only takes one PC on one badly configured network to release the worm and once inside it takes on a life of its own.

    Rather than blaming or guessing we just have to man up and all admit we can do better and we must do better. Next time they may take out an energy grid or something much worse.

    21 organisations in the NHS amongst thousands of sites got hit, now we will see where the next incarnation of this wave goes.

    There is no need to panic, no need for Fear Uncertainty or Doubt, just be aware, help those who do not have your expertise and LEARN from this.
    Thanks, don't you just hate people with sigs !
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Comments about the public wifi being the infection vector are ridiculous.
    I have worked for the NHS (Salford Royal Hospital) and there, just the same as every organisation with any sense whatsoever, the guest wifi is totally vlan'd from the internal systems.


    The infection vector in ransomware cases, is ALWAYS a loaded email.


    These have been getting sophisticated recently, the sender puts another colleague's EMAIL ADDRESS as the from name in the envelope and encodes it so that spam filters miss it.


    All it takes is one nurse who is nearing the end of a 12 hour shift and is maybe not as sharp as she could be to open an email from her "colleague", and click on the pdf within and BAM, the infection process begins.
    Now if that nurse is maybe an RGN, with access to some high level network share folders then those go bye bye too, and on, and on ..


    NHS computers do use a standard build, as suggested above, which is deployed using PXEboot.
    The data will be safe and backed up, however the issue is like David says the sheer scale of the NHS means that reimaging all these computers is going to take an age.


    This was bound to happen eventually.


    People (IT managers) need to switch on to the fact that they need to use behaviour analysis of newly downloaded programs to mitigate this.
    As soon as encryption process is detected, kill the network adapter of the machine.
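
An added example, not part of AndyPix's post or any NHS tooling: a mail-filter check for the trick described above, where the From header's display name carries a colleague's address (possibly RFC 2047 encoded) while the real sender address is different. The sample messages and the `trust.example` / `mailer.example` domains are constructed.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose pattern for "something that looks like an address" inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def check_from_header(raw_message):
    """Return (verdict, shown_address, real_address) for one raw message."""
    msg = message_from_string(raw_message)
    display, real = parseaddr(msg.get("From", ""))
    real = real.lower()
    # Decode RFC 2047 encoded-words first, so the comparison sees the same
    # text the mail client would show to the user.
    try:
        display = str(make_header(decode_header(display)))
    except (HeaderParseError, LookupError, UnicodeError):
        return ("undecodable", None, real)
    for shown in ADDR_RE.findall(display):
        if shown.lower() != real:
            # Display name claims one address, the message comes from another.
            return ("mismatch", shown.lower(), real)
    return ("ok", None, real)

# Constructed sample messages (not taken from any real incident).
SAMPLES = [
    # Q-encoded display name: "=40" decodes to "@"
    "From: =?utf-8?Q?jane.smith=40trust.example?= <billing@mailer.example>\n"
    "Subject: Rota\n\nSee attached.\n",
    # Same trick without encoding
    'From: "jane.smith@trust.example" <billing@mailer.example>\n'
    "Subject: Rota\n\nSee attached.\n",
    # Ordinary internal mail
    "From: Jane Smith <jane.smith@trust.example>\n"
    "Subject: Rota\n\nSee attached.\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_from_header(sample))
```

A filter built on this would quarantine or tag "mismatch" and "undecodable" messages rather than deliver them unmarked.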
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Can't upvote you enough Strider
  • Zola.
    Zola. Posts: 2,204 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    I once built a website for a local GP practice a few years ago, and they all used Internet Explorer 6 etc, a nightmare to even display the website properly. The systems they used were from the stone age.

    Too much complacency.
  • spenderdave
    spenderdave Posts: 709 Forumite
    Part of the Furniture 500 Posts Name Dropper
    This is one of the better discussions on this issue, most in the media don't have a clue. There seems to be a lot of blame on XP computers, however from what I can gather although XP is vulnerable to the SMB problem it cannot actually run the WannaCry virus itself. Most of the screenshots shown in the press are of Windows 7 machines!

    Which brings up another thought that nobody seems to have mentioned. For much of last year there was a problem with Windows Update on Windows 7 that it would sit for hours or days trying to install them. This was cured late 2016. In NHS and I guess most large organisations they do not have WU set to automatic but install the updates manually at a suitable time - you certainly don't want a machine being used live in an operation updating at the wrong time.... Maybe the problem machines had never received updates for a long time because of this issue - and the blame there is very much at Microsoft's door as it was a fault in their software that caused it.

    So less emphasis on dated XP machines, more on IT not updating Windows 7 and later ones, maybe because they were unable to do so because of a broken Windows Update system.
This discussion has been closed.