Author Topic: That ransomware attack  (Read 24840 times)

Feanor

  • It's mostly downhill from here.
Re: That ransomware attack
« Reply #50 on: 14 May, 2017, 10:08:13 pm »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?

The military have some pretty robust protocols for this stuff.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #51 on: 14 May, 2017, 11:12:09 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?

To me, it's on a par with, and similarly reprehensible as, serving patients out of date food.

Stick to whatever it is you do. The comparison is risible.

It's not a bad metaphor for failing to keep systems up to date, thobut.

It is risible.
It is simpler than it looks.

Ben T

Re: That ransomware attack
« Reply #52 on: 14 May, 2017, 11:32:10 pm »
What's risible is if I go into a hospital, give them data about my health in good faith, and they proceed to blithely elect to input it into an operating system that's 15 years old and out of support.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: That ransomware attack
« Reply #53 on: 14 May, 2017, 11:39:20 pm »
The 15 year old operating system is not holding the data. If it was there'd be a real problem.

It is 15 years old because of the way we treat the NHS. It's a political football and people love it that way. Kick the Reds. Kick the Blues. Get votes!!

Comparing a bed with a computer is risible. Utterly risible.
It is simpler than it looks.

Re: That ransomware attack
« Reply #54 on: 15 May, 2017, 07:49:36 am »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?

The military have some pretty robust protocols for this stuff.

Agreed.  Software can have a lifespan way beyond the rather transient versions of Microsoft's operating system. It might need to last for decades and be far too complex to undergo any form of revision. 

The big idea at the moment is the 'internet of things' whereby all sorts of devices are to be controllable over the internet.  It's a development with huge potential but now it's apparent it also carries huge risks unless a concerted effort is made to design systems with a coherent resistance to cyber attacks.

Microsoft, having successfully made Windows so universal, has a major obligation to fulfil in that regard.  It's time for them to grow up.
Move Faster and Bake Things

Re: That ransomware attack
« Reply #55 on: 15 May, 2017, 08:09:43 am »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?

The military have some pretty robust protocols for this stuff.
The MRI machine will be networked so that the image taken by the machine can be sent to the consultant for viewing. Should be some pretty gnarly firewalls in place between anything winXP and general network, and I'd hope that the connection is via, say, a Linux server. But setting that up requires really good planning by good IT staff. That all costs.
Marmite slave

Re: That ransomware attack
« Reply #56 on: 15 May, 2017, 08:15:12 am »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?


The MRI scanner doesn't need to be connected to the Internet, but the data needs to be accessed by people who do, there's your weakness. Citrix/VDI has a place here but who will pay for it? Plus, it's another layer that needs to be kept up to date. Oh, and as I touched on earlier IME most "critical" systems do have reasonable security and backup procedures. For example, they may have resilient data, backup/archive + third copy of data, "just in case". If you had to speculate that would be in the private sector, it doesn't come free.

Re: That ransomware attack
« Reply #57 on: 15 May, 2017, 08:56:53 am »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?

The military have some pretty robust protocols for this stuff.
The MRI machine will be networked so that the image taken by the machine can be sent to the consultant for viewing. Should be some pretty gnarly firewalls in place between anything winXP and general network, and I'd hope that the connection is via, say, a Linux server. But setting that up requires really good planning by good IT staff. That all costs.

Yup, internet of things.  Machine to machine interfaces (M2M):

 
Quote
Demand for wireless connected electronic devices is being driven by the desire for a future where everyday physical objects are connected to the internet and are able to identify themselves to other devices.

Areas include

Automotive
Industrial processes
Healthcare
City management
Home management
Security
Asset management (physical assets like MRI scanners, presumably).

We seem to have a big blind spot WRT the way the internet is developing away from our own monitors.  It's not just there to provide human interactions any more.  Initially its development was hampered by limited IP addresses, but since IPv6 massively extended the number of addresses available, M2M became realistic.  Within the last few years.  Any sophisticated machine will be designed with that in mind.
Move Faster and Bake Things

ian

Re: That ransomware attack
« Reply #58 on: 15 May, 2017, 09:23:35 am »
As has been pointed out, there are systems ( eg embedded systems ) that simply can't be kept up-to-date.

The IT managers need to build an infrastructure that keeps such internal critical systems isolated, air-gap if necessary.
Seriously. Does the MRI machine *need* to be connected to an Internet-connected network?


The MRI scanner doesn't need to be connected to the Internet, but the data needs to be accessed by people who do, there's your weakness. Citrix/VDI has a place here but who will pay for it? Plus, it's another layer that needs to be kept up to date. Oh, and as I touched on earlier IME most "critical" systems do have reasonable security and backup procedures. For example, they may have resilient data, backup/archive + third copy of data, "just in case". If you had to speculate that would be in the private sector, it doesn't come free.

MRI scanners were a lot more secure when you could only get the data off them in some proprietary format that seems vaguely related to Philips videodisc. Even the consultants couldn't access them. (Actually, that might be a CAT scan, but the principle remains.)

Modern life innit. Several weeks back I discovered I could only approve a purchase using IE8 on Windows. Some SAP nonsense but having seen the cost for such implementations (HOW MUCH!), I can kind of understand why.

As for system updates, they're still too painful. I don't use Windows any more, but I can imagine it's not changed. I fired up a Xubuntu box the other week for the first time in a couple of months. A bazillion updates greeted me. Of course, the updates failed, presumably because they needed to be done in a particular order. Mac is a bit better for small stuff (they just happen) but it still likes to occasionally demand I download 2 GB and restart. You can see people might put that off (though it'll do it in powernap, if it's in the mood and doesn't have a headache). In the 30-odd years since we dipped our toes in with Windows 3.1 they've still not figured out a seamless update process and we're still telling users not to do things they'll obviously do (what, don't click this attachment?).

Riggers

  • Mine's a pipe, er… pint!
Re: That ransomware attack
« Reply #59 on: 15 May, 2017, 09:31:01 am »
^
Your avatar seems appropriately apposite, given the subject matter.
Certainly never seen cycling south of Sussex

Re: That ransomware attack
« Reply #60 on: 15 May, 2017, 10:43:21 am »
^
Your avatar seems appropriately apposite, given the subject matter.

Quote
Health secretary Jeremy Hunt was warned last summer that NHS organisations were at risk of cyber attacks.

The national data guardian Dame Fiona Caldicott and the Care Quality Commission assessed the cybersecurity of 60 hospitals, GP surgeries and dental practices at the request of Mr Hunt.

They said the external cyber threat was becoming a “bigger consideration” as the NHS switched from paper to digital medical records and systems.

They warned of increasing numbers of unsolicited emails containing "malware" or hidden software, designed to cause harm, in global circulation.

Their report last July made a number of recommendations, including the advice that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.

We have to treat IT a bit more seriously.  One thing MS is right about, it is a 'wake up call', but in a sense they are purveyors of legalised ransomware, i.e. if you don't buy our latest software the hackers are gonna come for you.
Move Faster and Bake Things

Re: That ransomware attack
« Reply #61 on: 15 May, 2017, 11:13:05 am »
I think that attacking Microsoft for "ransomware" is absurd.
They built a product, released it in 2002, and supported it (for free) until 2009.  At that point, they put it in "Extended Support", meaning that it would get security patches but little else, and announced that it would go out of support completely in 2014. They built special migration tools, they had popups that say when support ended, and did everything they could to push people to migrate. For those large organisations that were unable to upgrade, they offered an extended life support package which has security updates in the same manner as supported software.
This all seems very reasonable to me?
The government decided that the NHS didn't need to pay for extended support. The government decided that the MoD did need to pay for extended support.
Those decisions caused this issue to occur in the NHS, not Microsoft.
It is entirely consistent with the spending decisions that this government has made - cutting NHS funding as a percentage of GDP while increasing defense spending as a percentage of GDP  - any comment on that belongs in the Politics board (which I banned myself from many years ago in order to keep my job!).

Re: That ransomware attack
« Reply #62 on: 15 May, 2017, 11:56:35 am »
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

ian

Re: That ransomware attack
« Reply #63 on: 15 May, 2017, 12:17:22 pm »
Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.

Re: That ransomware attack
« Reply #64 on: 15 May, 2017, 01:25:27 pm »
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

If the cost of upgrading all your peripherals is unaffordable, and the cost of extended support is also unaffordable, then you cannot afford to keep your systems on the internet. If security trumps everything else, then air-gap the relevant machines - the only reason an MRI scanner needs to be online is because it's a convenient way to move the results about. So in that case, convenience and responsiveness has been regarded as a higher priority than security.
The NHS is massive, and upgrading the IT infrastructure is a mammoth project.  If you're going to take the view that you update IT systems as they reach the natural end of life (maybe when the MRI machine is replaced) then that means migration is going to happen over a long period and you should pay the support bill as a cost of taking that upgrade approach.

Re: That ransomware attack
« Reply #65 on: 15 May, 2017, 01:44:49 pm »
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

... convenience and responsiveness has been regarded as a higher priority than security.
..

I disagree.

I ask you to consider what an MRI scanner is for.   You might change your opinion somewhat if you or somebody you love is in urgent need of such a scanner.   It's not a choice of convenience at all, it's making do with the equipment available to best treat as many people in need as possible.   

Of course, there will be people here who can afford or who have provision to go private.   Does this mean that their lives are of greater value to humankind than those who cannot go private?   Who is going to make the decision to pull the treatment and potentially sentence the patient to death?   It certainly will not be one of the politicians or administrators as they will be busy distancing themselves and trying to remain out of the line of fire. 

As Jaded rightly pointed out upthread, the NHS is a perfect example of how being a political football forces them to make risk decisions that are exactly that, risks.   Would we prefer a selection process based purely on ability to pay?

Well, of course it's not totally unaffordable. Things cost what they cost, you gauge the risks of not making the investment. Blaming Microsoft is a bit silly, of course they want people to pay to upgrade, that's their business model. Not providing free support for the now ancient XP.

ian tells us that in fact it's not unaffordable so perhaps we should be making choices over the next few weeks to ensure that the people in power are making the choices that we'd prefer even if it does mean ditching "a safe pair of hands".

By the way, I didn't actually blame Micro$haft: 

Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

Re: That ransomware attack
« Reply #66 on: 15 May, 2017, 01:48:04 pm »
So have the govt been guilty of spending mammoth amounts on IT consultants in failed patient data projects, and neglected basic new computing infrastructure?
Cycle and recycle.   SS Wilson

Re: That ransomware attack
« Reply #67 on: 15 May, 2017, 02:06:51 pm »
Quite possibly.

More importantly, effective risk management seems to be missing.  One doesn't simply do the risk assessment at the outset; it needs to be revisited on an ongoing basis.  I suspect that the real problem is lack of money though, and the risk, if it was ever graded as such, became an issue.

I would be interested to know exactly what Jeremy Hunt knew about the risks faced by the NHS IT systems before this happened.

Re: That ransomware attack
« Reply #68 on: 15 May, 2017, 02:46:24 pm »
Quite possibly.

More importantly, effective risk management seems to be missing.  One doesn't simply do the risk assessment at the outset; it needs to be revisited on an ongoing basis.  I suspect that the real problem is lack of money though, and the risk, if it was ever graded as such, became an issue.

I would be interested to know exactly what Jeremy Hunt knew about the risks faced by the NHS IT systems before this happened.
It's quite a few (~6) years since I left my NHS post which had Risk Management at its heart, but IT was - frankly - a mess in the Trust that I worked in.
The risk assessment processes associated with IT were crude, and at a basic level - possibly not helped by a very senior management approach to risk assessments in non-clinical (i.e. non-patient-facing) areas that 'encouraged' the assessments to be played down, possibly with an eye on the financial bottom line. Equally the IT management were somewhat insular when it came to engaging with the more holistic risk assessment systems used in the Trust - the attitude being along the lines of 'this is far too complicated for you to worry your little heads about'.
The IT support was latterly staffed almost entirely with contract staff who always seemed to be working for our Trust 'in between jobs', leading to a lack of continuity. I got the impression that the few permanent senior staff were well-meaning, but powerless in the face of twin attacks from rapidly developing technology, and from an unsympathetic, purely clinically focused board.
The staff - in this Trust, and probably most others - that managed risk, focused on learning from critical incidents, and took recommendations to the Top Table have (apparently) been cut back to almost nothing - so is it surprising that this event has had the effects it has, and that the boards of the Trusts were so taken aback?


Tapatalk puts this signature here, not me!
Too many angry people - breathe & relax.

Re: That ransomware attack
« Reply #69 on: 15 May, 2017, 02:59:47 pm »
Anything that you buy has an expected lifetime. A hospital wouldn't expect to buy a bed and have it maintained by the manufacturer for ever. Why should computers be any different?
Are you saying that software wears out? Interesting. Could you explain the process, please?
What I said is that software requires maintenance.

It's not a secret. If you're lucky the vendor will maintain it for several years, included in the original purchase price. Or they may require an annual fee. I'm struggling to think of an example of *anything* created by a human that would last forever without maintenance.


Quote
I'd be happy to be able to pay a reasonable amount & have up to date security patches, instead of having to get all-new software with built-in downgrades & bugs, but I can't. I'd also like the option to buy minor upgrades at a reasonable price, but again, that's not offered.

Quantify "reasonable amount". If you're one of the last dozen users of Chuckie Egg on FlexOS 1.31, how much would it cost to offer you up to date patches? Perhaps it would make more financial sense to use software a lot of other people are using and spread the cost? Perhaps you think my children should go barefoot because, well, software is software, it's not real stuff like food or bikes.
Software needs maintenance? Really? Please explain this process. Do you mean that previously unknown faults in it need repair? I cannot believe that you mean that it suffers wear & tear.

I think that you are making what our USian friends call a category error. Software is not like a bicycle. If it does not have faults, it will continue to work as long as the hardware on which it is installed works. 'Maintenance' of software is needed because it has faults, or someone tries to use it wrongly, or it is used in an inappropriate environment.

When a software producer sends out a patch for a security weakness, it is not repairing damage. It is making good a fault, either one which was always present but was previously unknown, or one accidentally introduced by the producer in an earlier patch.

BTW, this is a view formed from the inside, from decades spent working in software development & support.
"A woman on a bicycle has all the world before her where to choose; she can go where she will, no man hindering." The Type-Writer Girl, 1897

Re: That ransomware attack
« Reply #70 on: 15 May, 2017, 03:10:33 pm »
Except of course circumstances dictate that not everybody can afford to migrate.   The costs of replacing not just an OS but computers, peripherals and other software can make the exercise totally unaffordable.   

Security trumps everything else.   Microsoft cannot blame others for the holes in their colander.

... convenience and responsiveness has been regarded as a higher priority than security.
..

I disagree.

I ask you to consider what an MRI scanner is for.   You might change your opinion somewhat if you or somebody you love is in urgent need of such a scanner.   It's not a choice of convenience at all, it's making do with the equipment available to best treat as many people in need as possible.   
Responsiveness being the key item as far as the patient is concerned? You can keep the responsiveness and the scanners on XP by, for example, exposing a particular hole in their firewall and ftp-ing all the documents the MRI scans produce to a dedicated document server, while keeping the MRI network and the hospital network separate. But then you can't have every machine on the same Active Directory, and that means that password and user management becomes a big headache for IT. Fast, secure, cheap - pick 2. Some trusts picked fast and cheap (worth pointing out that this has affected 60 trusts out of >200 across England and Scotland (couldn't find the Wales numbers)).

Of course, there will be people here who can afford or who have provision to go private.   Does this mean that their lives are of greater value to humankind than those who cannot go private?   Who is going to make the decision to pull the treatment and potentially sentence the patient to death?   It certainly will not be one of the politicians or administrators as they will be busy distancing themselves and trying to remain out of the line of fire. 

As Jaded rightly pointed out upthread, the NHS is a perfect example of how being a political football forces them to make risk decisions that are exactly that, risks.   Would we prefer a selection process based purely on ability to pay?
Eh? What has that got to do with poor IT provisioning/security?
I believe in the NHS, and I'm sad that these issues have come up because it means that NHS patients have suffered at the worst possible time - it is already a service that is underfunded and suffering. Government IT projects have historically been pretty bad though, and this seems like another example of bad IT practices.
NB it's worth noting that this has caused problems for Nissan and Renault factories, Telefónica, FedEx, Hitachi, and some Spanish bank I can't pronounce, let alone spell, among many others:
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
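The segmented design described in that post (scanners on their own network, one permitted push to a dedicated document server, nothing else crossing the boundary) can be written down as a first-match rule set and checked against the flows a reviewer would expect it to block, alongside the "everything on one network" alternative. This is an added example, not code from the post or from any trust; the addresses, ports and rule format are constructed, and it models connection initiation only (return traffic is assumed to be handled by stateful tracking on the real firewall).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan (an assumption for the example, not from the post).
MRI_SEGMENT = ip_network("10.50.0.0/24")   # isolated segment for XP-era scanners
HOSPITAL_LAN = ip_network("10.10.0.0/16")  # general staff network
DOC_SERVER = ip_network("10.20.0.5/32")    # dedicated document server
ANY = ip_network("0.0.0.0/0")
FTP_PORT = 21                              # the "particular hole" for pushing scans
SMB_PORT = 445                             # the port WannaCry propagated over


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Segmented design from the post: the only permitted flow is MRI -> document
# server on the transfer port; everything else crossing the boundary is denied.
SEGMENTED_POLICY: List[Rule] = [
    Rule(MRI_SEGMENT, DOC_SERVER, FTP_PORT, "allow"),
    Rule(ANY, MRI_SEGMENT, None, "deny"),   # nothing initiated toward the scanners
    Rule(MRI_SEGMENT, ANY, None, "deny"),   # no other outbound from the scanners
    Rule(ANY, ANY, None, "deny"),           # default deny
]

# The "every machine on the same network" alternative: scanners reachable like
# any other host, which is what let the worm reach unpatched SMB services.
FLAT_POLICY: List[Rule] = [
    Rule(ANY, ANY, None, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation; default deny if no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


# Flows a reviewer would test against the design, with the decision expected.
EXPECTED_FLOWS = [
    ("10.50.0.7", "10.20.0.5", FTP_PORT, "allow"),  # scan push to document server
    ("10.50.0.7", "10.10.3.4", 80, "deny"),          # scanner browsing the LAN
    ("10.50.0.7", "203.0.113.10", 443, "deny"),      # scanner reaching the Internet
    ("10.10.3.4", "10.50.0.7", SMB_PORT, "deny"),    # LAN host -> scanner over SMB
    ("10.10.3.4", "10.50.0.7", 3389, "deny"),        # LAN host -> scanner over RDP
    ("10.20.0.5", "10.50.0.7", FTP_PORT, "deny"),    # server must not reach back in
]


def audit(policy: List[Rule]) -> List[str]:
    """Return a description of every expected flow the policy gets wrong."""
    findings = []
    for src, dst, port, want in EXPECTED_FLOWS:
        got = evaluate(policy, src, dst, port)
        if got != want:
            findings.append(f"{src} -> {dst}:{port} is {got}, expected {want}")
    return findings


if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        problems = audit(policy)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("   ", problem)
```

The segmented policy passes the audit with no findings; the flat policy fails on every cross-boundary flow except the intended scan push, which is the exposure the post is describing.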

Re: That ransomware attack
« Reply #71 on: 15 May, 2017, 03:13:38 pm »
In practical terms it's impossible for operating systems and applications to have zero bugs or exploitable weaknesses. MS or whoever writes the code does their best to find and fix problems but it can never be perfect. They are also commercial organisations and can't provide free support and patching forever. I don't particularly like MS but to be fair they gave everyone many years of warning that they would be dropping support for XP, it's not like they gave organisations a week to switch to a newer OS. No company guarantees support for software indefinitely, it would be an unsustainable business model.
I think you'll find it's a bit more complicated than that.

Re: That ransomware attack
« Reply #72 on: 15 May, 2017, 03:14:53 pm »
Ah Bledlow: software is at the whim of its users who try to use it far beyond its design spec.  There are 'faults' but there are also upgrades to stretch previously unanticipated or unbudgeted functionality.  Thus maintenance is an ongoing requirement of software.

MikeFromLFE,

In late 2006 I did a four month contract on the then NHS N3 National Patient Database project.   I was paid handsomely to provide BT in Watford a clean audit on their software Configuration Management in their little chunk of the huge project.   I achieved my target in just three months and in that time I learned so much about the mess of IT in the NHS, specifically how almost every Trust does things differently, how there is no one integrated system, no easy way to pass information between trusts or often even between GPs and hospitals in the same trust, etc., etc., etc.   

The reason N3 was a huge failure imo was that there were too many individual vested interests and no central leadership from the various Health Secretaries who came and went.  Given all that shit ten years back I am only surprised that there have not been more major IT incidents in the NHS.   

DuncaM, it's about spending choices.   Not enough money means that inevitably keeping a machine going with limited budgets and insufficient expertise on matters like IT security will mean that risks are taken.   Spend the money on IT and you cannot treat so many patients.   

Re: That ransomware attack
« Reply #73 on: 15 May, 2017, 03:16:05 pm »
Sophos's advertising took a hit. Compare their website from before and after this weekend:

I think you'll find it's a bit more complicated than that.

Feanor

  • It's mostly downhill from here.
Re: That ransomware attack
« Reply #74 on: 15 May, 2017, 03:17:29 pm »
Software needs maintenance for the reason you have pointed out yourself...

The environment in which it is running changes.
For example, a security protocol that was regarded as good years ago may no longer be regarded as secure, and so updates are required.

This was not a flaw in the original program, it is just a consequence of the environment changing.

In other examples, the OS vendor may make changes to the OS for a variety of reasons, including security.
For example, certain directories that used to be writable by a non-admin user no longer are.
This may mean that programs that previously worked no longer do, and they will require updating.

None of these things are flaws: the programs were written correctly to a perfectly reasonable spec at the time.
But times change, and the software needs to change with it.