General / Off-Topic NHS cyber-attack: GPs and hospitals hit by ransomware

[CMDR Heisenberg B. Damned]

Obviously, before the digital age, patient files, bookings, inventory etc were all non digital (duh!)

With digital comes potential efficiency, X rays can be done in the xray dept and viewed in the consultant's office minutes later, rather than films be developed and then hand delivered to the consultant. The same with lab results, patient histories etc. Even where a patient was in the hospital, daily appointments and so on.

If the computer system were to go down, is there not a potential backup procedure, in the same way pilots have a defined procedure if they lose an engine or power, they don't "wing it" (sorry) they have a manual of procedures - "if engine fails, set fuel switches to X, thrust levers to Y, trim tabs to Z" and so on.

Did the NHS have a similar "pre packed" system - even if it is inevitable less efficient than running with the computers - ready to go in the event that the computer system was unavailable and did it work? If the answer to either of those questions is "NO" then the disaster planning has a massive hole in it - which is a separate worry from the geeky worries about firewalls and data recovery.

I can't speak for the entire NHS but for us yes there are, every system we have is required to be tested for disaster recovery and business continuity but it'll never be as smooth as with the systems up and running. Which is why delays happen and operations get cancelled in such an attack. I'd also say not every plane that loses power ends up landing just fine. In a disaster situation things can go wrong no matter how much planning has taken place.

Really that decision to cancel the deal with MS was either the most myopic piece of bureaucracy ever or a deliberate move to harm the NHS, talking at work when the contract was being scrapped I didn't find anyone who thought it was a good idea or that it'd save money.

Incidentally this isn't the first time a Healthcare system's been hit by ransomware:

https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

 

[beelbeebub]

I can't speak for the entire NHS but for us yes there are, every system we have is required to be tested for disaster recovery and business continuity but it'll never be as smooth as with the systems up and running. Which is why delays happen and operations get cancelled in such an attack. I'd also say not every plane that loses power ends up landing just fine. In a disaster situation things can go wrong no matter how much planning has taken place.

Very true. We heard a lot about how there were problems but the real measure is how well the "fall back" plans worked. It's possible they worked brilliantly and the trouble we saw was a pale reflection of what would have happened if there were no plans in place. Or it may be that what we saw was a result of there being no/insufficient plans in place.

I don't know which one it is. If it's the former, then well done everyone, tea and medals all around. On the other hand there is always some thing we can learn from something like this, even if it's what level of disreuption we can expect.

Really that decision to cancel the deal with MS was either the most myopic piece of bureaucracy ever or a deliberate move to harm the NHS, talking at work when the contract was being scrapped I didn't find anyone who thought it was a good idea or that it'd save money.

Incidentally this isn't the first time a Healthcare system's been hit by ransomware:

https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

I agree the cutting of the maintenance contract was daft.

Was it that the Gov cut the contract and said -"look guys none of you should be on XP so we're cutting the contract to force you to upgrade"? To some extent that would be understandable, although the funds need to be in place for an upgrade program.

This sort of leads me onto my next question.

Given the NHS is huge and has massive IT requirements. would it be cost effective (and more efficient) for it to brew up it's own - hospital and healthcare focused, OS?

Lets say a variant of Linux that is built with a focus on security.

The jobs a hospital computer (disregarding specialist systems like MRI and the like) tends to need to do are relatively limited. Documents, database, simple media (xrays etc), messaging (email or instant).

With the number of computers in the NHS, would there be a saving to using "NHSOS" and (say) a RPi3 as the "standard" computer? - I have no idea of the cost of current "commercial" contracts vs the cost of developing and maintaining an OS and some apps

 

[starman]

.....

 

[Talarin]

Plenty of money to upgrade Trident, but not to upgrade the NHS from Windows XP. The UK, in a nutshell.

NHS Digital has plenty of money to upgrade Windows. Hell, Microsoft would cough up a lot to contribute to that effort.

The problem isn't the OS. The problem is the apps which run on it. As, As others have noted, the NHS isn't particularly good at planning and implementing new application development.

 

[CMDR Heisenberg B. Damned]

Was it that the Gov cut the contract and said -"look guys none of you should be on XP so we're cutting the contract to force you to upgrade"? To some extent that would be understandable, although the funds need to be in place for an upgrade program.

If so then it was poor choice - the deal effectively allowed any trust/GP in the NHS to upgrade as they wished with a central contract with MS, it was a lot of money but even so a massive discount on individually purchasing licenses. We're often told about going to a big corporation for economy of scale savings, this was one example where that worked perfectly. A huge contract sure but much cheaper over all.

Given the NHS is huge and has massive IT requirements. would it be cost effective (and more efficient) for it to brew up it's own - hospital and healthcare focused, OS?

Lets say a variant of Linux that is built with a focus on security.

The jobs a hospital computer (disregarding specialist systems like MRI and the like) tends to need to do are relatively limited. Documents, database, simple media (xrays etc), messaging (email or instant).

With the number of computers in the NHS, would there be a saving to using "NHSOS" and (say) a RPi3 as the "standard" computer? - I have no idea of the cost of current "commercial" contracts vs the cost of developing and maintaining an OS and some apps

You could argue, quite strongly, that in house supported software would be a good idea but repeatedly the government force us to outsource software. Even the supposed central patient record system that cost billions had to be provided by a number of different companies to prevent a monopoly. Again it's rules and regulations from central government that hamper any ideal solution. So I can't see the OS idea working. It'd also have a number of other issues as well, retraining staff, ongoing support for applications as the OS matures. All told it'd probably be a nightmare even if more secure.

 

[Minonian]

Seems quite far reaching, FedEx in the states was hit apparently as well.

It seems that the WannaCrypt Malware also dropped the DoublePulsar implant. There are a couple of Python scripts to help detect and clean up: https://github.com/countercept/doublepulsar-detection-script

I will be scheduling the detection script to run on a regular basis across the subnets I look after.

Wcrypt tracker: https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

The cost of the so called "free internet". Crime and psychotic behavior running rampart unchecked, and THX for the level of our world computerization endangering us all. Anyone who thinks this good like this it can be left in this way out of his mind.

 

[beelbeebub]

If so then it was poor choice - the deal effectively allowed any trust/GP in the NHS to upgrade as they wished with a central contract with MS, it was a lot of money but even so a massive discount on individually purchasing licenses. We're often told about going to a big corporation for economy of scale savings, this was one example where that worked perfectly. A huge contract sure but much cheaper over all.



You could argue, quite strongly, that in house supported software would be a good idea but repeatedly the government force us to outsource software. Even the supposed central patient record system that cost billions had to be provided by a number of different companies to prevent a monopoly. Again it's rules and regulations from central government that hamper any ideal solution. So I can't see the OS idea working. It'd also have a number of other issues as well, retraining staff, ongoing support for applications as the OS matures. All told it'd probably be a nightmare even if more secure.

My thinking was that the OS could be effectively feature frozen at an earlyish stage. We're at a point now where most of the features we would need are known. I'd not like the days when we transitioned from stand alone PCs to connected and win95 machines needed massive updates to work with the new paradigm. Or from parallel or serial ports to.USB (remember having to restart a machine with the peripheral attached? No hot swapping) we're even over the hump of wired to wireless.

Other than security patches, would the hypothetical NHSOS, need regular updates? With a stable reference hardware platform (say RPi3 or similar) things could be I promised around that.

Sure it means the computers will be "outdated" but they will keep doing what they were meant to do.

If we went back towards a terminal/mainframe (cloud) approach with everything being accessed via a "browser", sort of Chromebook like, then the actual apps and databases could be centrally administered with better security, updates and so on?

 

[Arry]

I noticed today that there where a lot of people walking about with clip-boards and bits of paper, instead of i-pads etc.; in the Formula one pit lane.

 

[Minonian]

I noticed today that there where a lot of people walking about with clip-boards and bits of paper, instead of i-pads etc.; in the Formula one pit lane.

Blasted back to the "stoneage". And if we strike against the cyber criminals? The same happens... In reality, there is no difference if we go against them or let it continue. What means the only one good resolution if they taken care of, and the sooner is the better.

And also? paper is cheaper and cannot be hacked. Physical access? that's more problematic, and riskier.

 

[Gully Foyle]

A little user education would go a long way to stopping this kind of attack.
I.E. Stop clicking on links in suspicious and unknown source emails.
Wcry is installed as a phishing scheme.
Stop naive folks at work from clicking their bait.
o7

 

[Minonian]

A little user education would go a long way to stopping this kind of attack.
I.E. Stop clicking on links in suspicious and unknown source emails.
Wcry is installed as a phishing scheme.
Stop naive folks at work from clicking their bait.
o7

You have a point, and one of the main reasons why i use ad & pop up blockers, with addition only go to the web pages once and never again whom have a problems with this. If The SYS admins ad experts have a problem with this, than they do better to check the cleanness of the links in their pages, with the use of some goddamn virus buster, and keep the web clean from such trashes as much as possible, because sure as hell for my own safety, i'm not going to change my approach. And also? Do not annoy us with the ads. No one likes that.

But also? Don't think for a second with this and a well adjusted + updated system you are out of the water there are more trickier malicious programs and methods, not to mention you cannot possibly know when and how your machine can get infected, or hacked. One Program from the android store, any and all freeware, a pendrive from your buddy machine ects ects can do.

 

[Arry]

Blasted back to the "stoneage". And if we strike against the cyber criminals? The same happens... In reality, there is no difference if we go against them or let it continue. What means the only one good resolution if they taken care of, and the sooner is the better.

And also? paper is cheaper and cannot be hacked. Physical access? that's more problematic, and riskier.

Just back up your data daily. This has been the rule since day one of home computers; have two stores, one for today and one for yesterday; it cannot fail.

Oh; of course there is now rule number two. If you don;t know what it is; don't open it.

 

[CMDR Heisenberg B. Damned]

My thinking was that the OS could be effectively feature frozen at an earlyish stage. We're at a point now where most of the features we would need are known. I'd not like the days when we transitioned from stand alone PCs to connected and win95 machines needed massive updates to work with the new paradigm. Or from parallel or serial ports to.USB (remember having to restart a machine with the peripheral attached? No hot swapping) we're even over the hump of wired to wireless.

Other than security patches, would the hypothetical NHSOS, need regular updates? With a stable reference hardware platform (say RPi3 or similar) things could be I promised around that.

Sure it means the computers will be "outdated" but they will keep doing what they were meant to do.

If we went back towards a terminal/mainframe (cloud) approach with everything being accessed via a "browser", sort of Chromebook like, then the actual apps and databases could be centrally administered with better security, updates and so on?

Annoying! I'd written a wall of text, clicked submit and my Internet connection dropped out! Well it saved you the wall of text.

Short version - we (NHS) actually use a huge amount of international software with complex connections to MRI scanners, Pathology centrifuges, Audiology equipment, Pharmacy dispensary robots and so on. These systems get updated and older versions fall out of support (as do the OS's they run on) so we'd have to either get all these multinational companies on board with the OS (unlikely) or we'd have to develop everything ourselves (highly complex).

It's not a bad idea beelbeebub but fairly unworkable short to mid term and may leave us missing out on tech advancements long term. It's also a huge amount of work.

 

[Patrick_68000]

The global cyber attack which attack the planet since Friday has caused 200000 victims, mainly companies, in at least 150 countries, said the director of Europol

 

[FuzzySpider]

Annoying! I'd written a wall of text, clicked submit and my Internet connection dropped out! Well it saved you the wall of text.

Short version - we (NHS) actually use a huge amount of international software with complex connections to MRI scanners, Pathology centrifuges, Audiology equipment, Pharmacy dispensary robots and so on. These systems get updated and older versions fall out of support (as do the OS's they run on) so we'd have to either get all these multinational companies on board with the OS (unlikely) or we'd have to develop everything ourselves (highly complex).

It's not a bad idea beelbeebub but fairly unworkable short to mid term and may leave us missing out on tech advancements long term. It's also a huge amount of work.

I never really thought of it before, but now it's pointed out like this I can see the logic.

The NHS is in the business of delivering healthcare. If it created an IT system then it would have to create a whole new department to create it, when it would be far more cost efficient to outsource such a task to a business (such as Microsoft or Apple) who already create such systems. The problem appears to be:

1. The NSA who knew about this vulnerability said nothing about it for years, who valued their own ability to use it to snoop far more than they valued the actual security of people using this OS.

2. The NHS let support for their computer software lapse a year or two ago and didn't renew, but also didn't upgrade. A monumental error which should see Jeremy Hunt removed from government immediately.

It's astonishing that this happened in the middle of an election cycle and it hasn't impacted opinion polls in the slightest.

 

[Shanaeri]

I never really thought of it before, but now it's pointed out like this I can see the logic.

The NHS is in the business of delivering healthcare. If it created an IT system then it would have to create a whole new department to create it, when it would be far more cost efficient to outsource such a task to a business (such as Microsoft or Apple) who already create such systems. The problem appears to be:

1. The NSA who knew about this vulnerability said nothing about it for years, who valued their own ability to use it to snoop far more than they valued the actual security of people using this OS.

2. The NHS let support for their computer software lapse a year or two ago and didn't renew, but also didn't upgrade. A monumental error which should see Jeremy Hunt removed from government immediately.

It's astonishing that this happened in the middle of an election cycle and it hasn't impacted opinion polls in the slightest.

if it had affected just the NHS and nowhere else I suspect it would have. The fact it happened world wide on systems that had nothing to do with the NHS(cant really blame train outages in Germany or FedEx issues on the tories) probably means it wont.

The issue is, poor processes, training and management and not taking it seriously across the world.

 

[Barking_Mad]

Right-wing BBC and media doing their best to cover up for Tory inadequacy. The story is pushed as "Its happening to everyone" as a means of mitigating Govt responsibility. Barely a squeak about funding, questions about should or could it have been prevented. Meanwhile Jeremy Hunt is nowhere to be seen.

Saying "It's happening elsewhere so it doesn't count!" is a bit like going to work and leaving your front door unlocked and then telling the police when you're informed you've been broken in "Yeah but it happens to other people, right?"

 

[Lianachan]

Right-wing BBC and media doing their best to cover up for Tory inadequacy. The story is pushed as "Its happening to everyone" as a means of mitigating Govt responsibility. Barely a squeak about funding, questions about should or could it have been prevented. Meanwhile Jeremy Hunt is nowhere to be seen.

Saying "It's happening elsewhere so it doesn't count!" is a bit like going to work and leaving your front door unlocked and then telling the police when you're informed you've been broken in "Yeah but it happens to other people, right?"

Indeed.

 

[beelbeebub]

Annoying! I'd written a wall of text, clicked submit and my Internet connection dropped out! Well it saved you the wall of text.Short version - we (NHS) actually use a huge amount of international software with complex connections to MRI scanners, Pathology centrifuges, Audiology equipment, Pharmacy dispensary robots and so on. These systems get updated and older versions fall out of support (as do the OS's they run on) so we'd have to either get all these multinational companies on board with the OS (unlikely) or we'd have to develop everything ourselves (highly complex).It's not a bad idea beelbeebub but fairly unworkable short to mid term and may leave us missing out on tech advancements long term. It's also a huge amount of work.

I hate it when that happens!I was nit thinking of replacing the specialist computers, more the admin side of things.So am Mri machine might be run by a custom computer provided by the manufacturer and produce files readable only by a custom app that requires XP or W10 or whatever. So the specialists use that.The same for the computers that run dispensing robots, blood testing machines and so on.However there is a huge bulk of work that is not specialist. Writing letters, emails between doctors, booking appointments, reading blood test results, reading patient histories, viewing static pictures eg. X rays or MRI scans or simple audio.Printing prescriptions, checking patients in or out, tracking patients in hospitals etc.These jobs don't need specialist computing functions, they don't change alot over time. If somebody brings out the latest super tricorder pocket MRI, it can run on the custom super computer the manufacturer provides, but as long as it's able to put out jpegs (or probably some lossless format) the docs can pull up the data even if they can't manipulate it.Also, the NHS is one of (or could be if it acted as a block) biggest health buyers out there.If they said - we like your MRI but we need the outputs in this format and we'll buy a bunch, I'm sure the manufacturer would oblige.

 

[CMDR Heisenberg B. Damned]

I was nit thinking of replacing the specialist computers, more the admin side of things.So am Mri machine might be run by a custom computer provided by the manufacturer and produce files readable only by a custom app that requires XP or W10 or whatever. So the specialists use that.The same for the computers that run dispensing robots, blood testing machines and so on.However there is a huge bulk of work that is not specialist.

The problem there is you now have 2 different OS's to try and keep on top of. Two different versions that will need patching and upgrading. Effectively doubling the work required. Generally desktops haven't been an issue for our site, it's been the servers that got hit - and quite badly.

We try and keep a standard set of desktops for example, the base build plus any specialist software for a specific department. OS patches for the desktops isn't a major issue as they can be rebuilt easily (even if locked down by this attack it's not an issue as data shouldn't be saved on the desktop, so you just wipe and rebuild). Updates can be easily pushed out overnight for clients. The servers are more difficult, yes patches need to get applied regularly but that also requires down time. Looks like this time the attack came before the patch went onto a number of servers.

Happy to report we've completely recovered and all systems are now patched.