Security

London Hospitals Knew of Cyber Vulnerabilities Years Before Hack (bloomberg.com)

A group of London hospitals struggling to contain the fallout from a cyberattack against a critical supplier had known for years about weaknesses that left them vulnerable to hacks, Bloomberg News reported Friday, citing internal documents. From the report: The Guy's and St Thomas' NHS Foundation Trust, which runs five major hospitals in the London area, has failed to meet the UK health service's data security standards in recent years and acknowledged as recently as April that "cybersecurity remained a high risk" to its operations, according to publicly available documents that outline board of directors' meetings. In January, the board of directors raised questions about the security of digital links between hospital computer systems and those of third-party companies.

Hackers last week brought down the trust's pathology services provider, Synnovis, with severe knock-on effects at hospitals. Doctors have, among other things, been forced to delay medical operations, postpone blood tests and resort to handwritten records. The attack has disrupted blood services so drastically that medical facilities are asking the public for donations, and one hospital is calling on its own staff to contribute. The April report proposed an audit to identify where improvements could be made. It's not clear if improvements took place before the hack on June 3, or whether the vulnerabilities identified in the board of directors' reports -- which include dated IT systems and hardware devices -- had any bearing on the ransomware infection at Synnovis.

Comments:
  • by Ol Olsoc ( 1175323 ) on Friday June 14, 2024 @10:45AM (#64548937)
    At the time, a lot of the vulnerabilities were probably features designed more for ease of access, than security.
  • by conorjh ( 6311812 ) on Friday June 14, 2024 @10:55AM (#64548959)

    I used to work there, left around 2016 and they were only just coming off XP onto 7 if that's any indication of how slow they move. Might not have been NHS themselves but I'm sure around this time ransomware managed to infect the tape backups of some system, but could well have been third party. Shitshow in general - I don't know why anyone with more than a few years on their CV stays there, especially when they work in London, tonnes of work out there

    • by Bongo ( 13261 )

      Did they have any IT security staff roles?

      • by mjwx ( 966435 )

        Did they have any IT security staff roles?

        The thing with public sector roles is that they generally don't pay very well. The NHS trusts are no exception. So a lot of roles get tacked onto someone else's job as they can't afford to have a dedicated person for that... Even when they can it won't be the best person for the job.

        Public sector jobs used to be low stress for low pay. Ideal if you've paid off your house and just needed money for jam. In the last 14 years the Tory government has been stripping the public service to the bone, then got out t

        • So a lot of roles get tacked onto someone else's job as they can't afford to have a dedicated person for that...

          They were fairly standard in terms of scope - it was broken down into teams you'd find anywhere else, they just had too much work on their hands. They had a cybersecurity team for instance. They had a lot of legacy systems (sometimes old software, but sometimes specialist hardware to go with it...) they had to support, and tbf it's the main reason they aren't agile and cannot just bring themselves up to date as easily as most. Imagine a configuration error actually having the potential to kill people... you're

  • Comment removed

    by account_deleted ( 4530225 ) on Friday June 14, 2024 @11:11AM (#64548987)
    Comment removed based on user account deletion
    • by gweihir ( 88907 ) on Friday June 14, 2024 @12:02PM (#64549109)

      You are essentially listing what I verified to be in place as an IT security auditor in a regulated space. Often against significant resistance. It is known how to do this reasonably well. At the same time, it is known that the drivers of capitalism and bureaucracies are not sufficient to make it happen. Fortunately, the EU has the KRITIS initiative, which is a first step in the direction of making any organization that is important to society start following sound, established practices. Unfortunately, that is just a first step and more steps need to follow. And to drain the criminal swamp of ransomware operators, we need this globally so they starve and go away.

  • Obviously

    by gweihir ( 88907 ) on Friday June 14, 2024 @11:13AM (#64548989)

    I have been saying for 15 years or longer that IMO many organizations not successfully compromised by attackers just got lucky and nobody competent tried. As a security consultant, I have seen the "Nothing happened so far, so we must be secure!" mind-set time and again. It did often change into a "we must do something" insight a few years back when ransomware became big and professional, but it is rare that any organization affected really did. I have seen a few that got hit by a small attack and started to do something effective, but even that was not enough in some cases.

    Hence while the attackers are a primary cause of this ongoing catastrophe, the sheer incapability of the defenders is the second primary cause. No, this is not "victim blaming". This is blaming people that guard critical assets for shoddy practices, looking away, prioritizing profit over security (Now, where have I heard that one just in the last few days?) and generally failing at their duty. I think you can blame a guard that sleeps on the job or deserts his post when he knows attacks are incoming. And that is the situation we are having.

    Since we cannot eradicate the attackers (except by removing their economical basis), we need to hold those that make these attacks possible to account. Obviously that is not only those directly hit, but includes software and OS makers and vendors, IT service companies, outsourcers, security-element makers, hardware makers, etc. We need liability. If a bad attack happens and they cannot prove they followed sound practices and the state-of-the-art, they need to be just as much on the hook as a vendor that delivers a faulty brake-mechanism for a car or the maker of a home appliance that occasionally bursts into flames. The half-assing in the software and computer-space must stop, it has become far too expensive for society. We need solid engineering, not toys to run the most critical functions of society.

    What about FOSS you ask? That is a problem that can be solved. For example, state bodies can fund security reviews, vendors can do so too and customers can also have what FOSS they want to use security-evaluated. Anybody profiting from FOSS commercially could be made to pay a tax on these profits that goes into security. Bugs will still happen, but that is not the issue. The issue is organizations taking and taking and taking from FOSS and not giving anything back.

    • Re: "Nothing happened so far, so we must be secure!"

      Managers often do "salary math" as follows:

      If they spend money to prevent something they estimate has roughly 20% of happening on their tenure, that's less money for "trophy projects" that have almost certain bragging points. Showy projects increase their chance of a raise or promotion, as the people evaluating them don't know IT from a pizza.

      So they are weighing an almost certain boost against something relatively unlikely. If bleep does hit the fan, they

      • by gweihir ( 88907 )

        Indeed. Perverted incentives. That is why established engineering fields have personal (!) liability if you screw up badly.

        • by Tablizer ( 95088 )

          That is why established engineering fields have personal (!) liability if you screw up badly.

          For some reason getting similar for IT security has proven elusive. Maybe we need a 9/11-like event before real change happens.

          • by gweihir ( 88907 )

            Yes, probably. And the longer it takes, the larger the catastrophe that will finally end the irresponsibility and half-assing.

      • by Bongo ( 13261 )

        A lot of security auditing could simply be done as a list of staff and their respective incentives.

    • Go back to non windows operating systems and replace most computers with dumb terminals and this would disappear overnight.

      • by gweihir ( 88907 )

        Does not even need to be dumb terminals. But what is essential is competent system administration together with a solid OS.

    • by HiThere ( 15173 )

      FWIW, at the place where I worked before I retired, the folks making the decisions did not, and either would not or could not, understand the problem. Taking effective action would have required financial commitments, and they didn't understand that those were necessary, and didn't trust the "experts in the field" that they had hired enough to make the financial commitment without understanding the need. When I tried to explain to a lawyer why agreeing to a particular contract was a bad idea, he just said

      • by gweihir ( 88907 )

        Yep, too many people without a solid understanding are making IT decisions. Often, they have no understanding at all and are incapable of listening to those that do. Well, I guess we need a few really spectacular events, like a large multinational going bankrupt because they got hacked. That may change some things.

        • by gweihir ( 88907 )

          Funnily, /. gives me the quote "Technology is dominated by those who manage what they do not understand." on this page. Right on the mark.

  • by Joe_Dragon ( 2206452 ) on Friday June 14, 2024 @11:27AM (#64549019)

    FDA approval and other stuff gets in the way of OS updates on medical devices.
    And you also have vendors that say you can not install any of your IT tools on our device and we need to have 24/7 remote access to it as well.

    • by gweihir ( 88907 )

      FDA approval and other stuff gets in the way of OS updates on medical devices.
      And you also have vendors that say you can not install any of your IT tools on our device and we need to have 24/7 remote access to it as well.

      Yes, very nice backdoors into most hospitals: Just compromise the remote access of a medical device vendor.

  • I worked on one project with a 5 hospital group based in the Midwest a few years ago.

    They _knew_ and did not care about IT security problems. Didn't care about their mixing PII/PHI across IT boundaries which put personal patient information of all sorts in places it wasn't supposed to be. Didn't care about pretty much anything IT as long as the WiFi and printers worked. If they are representative of hospitals in general then they're all super fucked.

    • by gweihir ( 88907 )

      They are probably representative. I have even heard statements from MDs in leadership positions at a major hospital here where they said "we need no IT, we know how to run triage and emergency operations without it". Sure, some basic emergency services will run without IT. But most things become impossible or very slow. And pray there is no major accident with lots of victims while you are manually half-assing it.

      What is missing here is a driver that makes these organizations care. I am generally not in fav

    • Same at a hospital I worked at. The place was rife with groupthink on IT in general, which they chorused is a 'cost center.' In part it comes from requiring managers to be medical doctors, who are entirely unsuited to run an organization effectively.
      • by HiThere ( 15173 )

        That's the problem. No expert is properly capable of judging the experts of a very different field. (And this definitely includes experts in IT.) But in a large organization there will be multiple very different fields needing management. Theoretically a specialist in management should be at the top, but those folks are always trained to maximize profit (or an analog), so they are also bad choices.

        A doctor is probably as good a manager as any other for a hospital, but they WILL believe that their expert

  • Between the options of avoid, transfer, mitigate or accept they chose "accept".
  • The Guy's and St Thomas' NHS Foundation Trust, which runs five major hospitals in the London area, has failed to meet the UK health service's data security standards in recent years

    What "data security standards" would that be? Wouldn't have made any difference. Crapware is crapware. They were forced to take this crapware because of a government contract with the Microsoft corporation.

    "NHS England has announced a new £774m licensing deal for Microsoft productivity [digitalhealth.net]
  • This isn't really news. There is probably no organization of this size where someone doesn't know about the vulnerabilities. The more important question is why they did what they did with that knowledge.
  • At least, they do if they're doing their job.

    The only ones that don't have a list, are the ones to be most feared, because they aren't even looking.

  • Meaning like bug bounties... where random other people can 'test' and report their findings to companies. If that external team finds an issue the parent company is fined (which part at least would go to the searchers).

    We need a cost for poor security results beyond 'whatever happens when it comes to light'. Any capitalistic company will use a calculus to compare costs... just like when they might accidentally kill someone. "How much will the settlement be?" will be compared against the cost to really

  • Reading the previous comments tends to reinforce what I hear from a hospital administrator I know. It's all about money and convenience for .... hospital administrators. They always argue they need "more money" then they spend it on software to "increase efficiency".. translated it works for the admins and that's where it ends. As someone above pointed out, they don't understand what they are doing, and participate in "groupthink".... They LOVE "solutions". Forklift that solution into my hospital. Does it so
  • I have worked on projects involving hospitals. The problem is they don't care about technical merits of the solution, only that they can shift liability.

    One example required the use of a commercial electronic file destruction tool; open source solutions were not allowed despite there being obvious flaws in the commercial product. We pointed these flaws out, but the commercial product provided a destruction certificate and that is all they cared about. Open source solutions could do a better job, but t

  • >> one hospital is calling on its own staff to contribute

    Must be fun to work somewhere that management are LITERALLY blood sucking leeches.

  • The NHS has the single worst reputation among the UK IT industry that I've ever witnessed.

    Having been party to some of their technology, I have always advised every IT person who works with or under me to steer well clear of the NHS IT and anything related to it.

    Even today, there are Windows XP-powered lab equipment controller/computers connected to the NHS backbone and this is just accepted as "normal" because the manufacturers will not release updated software without basically repurchasing the entire equ
