NHS & Ransomware

Last night, news of a big ransomware outbreak within the NHS came out. This is very bad news: ransomware takes control of your PC and then encrypts any files it can, including any network drives it can get to, then demands money to decrypt them.

Ever since this outbreak was disclosed, there’s been a parallel outbreak of fuckwits stating that various people, from NHS IT techs to the government, are (ir)responsible, and that this was entirely avoidable.

It was, of course. But at what cost? Lots of network admins will say how easy it is to keep systems up to date, and at one level it is. My home network is continually up to date: firmware on my domestic router is recent, all the PCs are patched. This is really, really simple, and I barely have to lift a finger to manage it.

It’s also quite simple in a large corporate network if the machines are simple: if they’re all recent PCs running little more than Windows and Office, you set up WSUS, keep the OS up to date by having an MS subscription, and it’s job done, and you’re in the pub by lunchtime.

Except, as usual, it’s not that simple.

There are times you can’t update an OS, or at least it’s prohibitively expensive and/or hard. This Twitter thread says it better than I could in relation to the NHS, but all over the place, in industry, education, and everywhere else, there are systems that are only certified for old operating systems, systems that use bodged, modified OSs (Nortel Callpilot, I’m looking at you), and systems that are untested with patches and/or new operating systems. These cannot be patched or upgraded, and may have millions of pounds of hardware attached which can’t talk to anything else, so the choice becomes to air-gap them, stop using them and buy replacements, engineer a gateway between them and other systems, or just try to beef up the firewall and other edge protection and hope nothing gets through. The compromise is a matter of judgment and risk management, balancing risk against cost and practicalities given limited resources of both staff and cash, and trying to maintain service in something cut to the bone by the current government.

It’s worth remembering here that the NHS isn’t the only victim: anyone with finite resources can get hit, so that means basically all businesses. As complexity increases, the difficulty of keeping it all up to date increases exponentially. Keeping tens of PCs and one server up to date is trivial; hundreds of servers and thousands of PCs with bespoke, complex software is most definitely not.

Finally, spare a thought for the poor NHS sysadmins, fighting this while probably not getting paid, and please, if you’ve suddenly discovered an interest in patching operating systems and are trying to grind a political axe with it, shut the fuck up until you know what you’re talking about.

One Response to “NHS & Ransomware”

  1. Willenhall Lad Says:

    I’m glad I’m out of the NHS as it was a nightmare keeping your agreed targets on track because some higher manager fuckwit pulled you off one job and made you do another one on another project, even though you never had enough staff to do the maintenance jobs that needed doing.

    You rightly say that there isn’t enough knowledge of IT systems by top management, and that’s not restricted to the NHS either. There are too many of these people easily seduced by slick sales people and fear-raising “Risk” people. Senior management should hold a proper qualification in IT to at least be able to make an informed decision about IT.

    I reckon the next target will be where the NHS stores its data, and there is more of it “in the Cloud” than we think, as this article reveals: https://thestack.com/security/2017/05/12/google-mishandled-nhs-patient-data-investigation-warns/