Ransomware Causes 'Major', Long-Lasting Outage for UK Health Service's Patient Notes (independent.co.uk)
The Independent reports that the UK's National Health System is experiencing a major outage "expected to last for more than three weeks" after a third party supplying the NHS's "CareNotes" software was hit by ransomware.
Unfortunately, this leaves doctors unable to see their notes on patients, and the mental health trusts that provide care "across the country will be left unable to access patient notes for weeks, and possibly months." Oxford Health NHS Foundation Trust has declared a critical incident over the outage, which is believed to affect dozens of trusts, and has told staff it is putting emergency plans in place. One NHS trust chief said the situation could possibly last for "months" with several mental health trusts, and there was concern among leaders that the problem is not being prioritised.
In an email to staff, Oxford Health NHS Foundation Trust chief executive Nick Broughton said: "The cyberattack targeted systems used to refer patients for care, including ambulances being dispatched, out of hours appointment bookings, triage, out of hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust...." An NHS director said: "The whole thing is down. It's really alarming...we're carrying a lot of risk as a result of it because you can't get records and details of assessments, prescribing, key observations, medical mental health act observations. You can't see any of it...Staff are going to have to write everything down and input it later."
They added: "There is increased risk to patients. We're finding it hard to discharge people, for example to housing providers, because we can't access records."
"'Weeks' is an unreasonable period," argues Slashdot reader Bruce66423, wondering why it couldn't be resolved with a seemingly simple restore from backups.
And Alan Woodward, a professor of cybersecurity at Surrey University, warns the Guardian that "Even if it was ransomware ... that doesn't mean data was not stolen."
Answering the obvious questions... (Score:4, Interesting)
...wondering why it couldn't be resolved with a seemingly simple restore from backups?
Because unless you know exactly how it got in, where it spread, and that you both eradicated all traces as well as closed the holes, you're just going to get reinfected again. Waste of time.
And the other issue is companies (and many gov't institutions) treat backups with contempt and a hand-wave. Non-IT people seem to think there is a stack of tapes or drives somewhere and you just plug them in and click a button and everything is restored. It doesn't work that way, especially with proprietary software being backed up, and the vast volumes of data that we process today. Guess how much fun a 3-2-1 backup strategy [carbonite.com] is when you generate multiple gigabytes of data daily.
If you mention RTO and RPO to most non-IT people, they'll probably chime back with something like "and C3PO". Add things like retention requirements and it is a hard, EXPENSIVE problem that requires dedicated professionals and real-world testing.
Re: (Score:2)
Because unless you know exactly how it got in, where it spread, and that you both eradicated all traces as well as closed the holes, you're just going to get reinfected again.
there is no "closing holes", you have to cleanse the whole compromised network. that means format and reinstall of every node which, if properly automated, is a matter of minutes, hours at most. then you might have specific additional backup restore procedures. if those are longer than a couple of hours then there's something wrong with them.
Guess how much fun a 3-2-1 backup strategy [carbonite.com] is when you generate multiple gigabytes of data daily.
gigabytes? a simple pendrive can hold hundreds of them. this is a national healthcare system. i would expect their it infrastructure to handle and safeguard no less tha
Re: (Score:2)
My guess is that understaffing is the bottleneck, all along the way, including design and maintenance of security, and then having any spare capacity to actually handle an incident. Just the meetings alone generated from this incident probably have them running around with their hair on fire. That's the trouble with running everything with 80% of the staff which you really need--all sorts of shortcuts creep into how things should be done, and when disaster strikes they have nothing spare left to handle it.
Re: (Score:2)
No - it is proof that government policy works as intended.
The present system is:
Run by bean counters, for bean counters
In all encounters between bean counters and techies, the conversation goes:
Bean counter: How much will it cost?
Techie: £X to do it at all, £2X to do it properly
Bean counter: I will give you £X/2
Project is then delivered late, half-done and badly implemented
There are further problems here:
Windows - no one ever got f
Re: (Score:2)
there is no "closing holes", you have to cleanse the whole compromised network. that means format and reinstall of every node which, if properly automated, is a matter of minutes, hours at most. then you might have specific additional backup restore procedures. if those are longer than a couple of hours then there's something wrong with them.
At which point it immediately gets compromised again, as you restored it to the state immediately before the compromise - including the holes that allowed it. You need to restore the systems in isolation, deal with the vulnerabilities, then put the system back online. And in order to deal with the vulnerabilities you need to know what they are. Then, depending what the fix is, you need testing to make sure it didn't break anything. That takes a bit more than "a couple of hours".
Re: (Score:2)
of course isolation of the network and assessment are the first things that need to happen, long before any restoring is even considered (and any public declarations are made). if the service is critical you replace the hardware and do forensics afterwards. i'd say a national health care service is critical, and maybe that's just me but 3 weeks (what they cite as best case scenario) is just insane and reflects very poor it management.
besides, this is ransomware, the usual vector isn't zero-day exploits or s
Re: (Score:2)
Thanks for a helpful reply (Score:2)
As the originator of this thread, I should comment that I retired from the industry when the top priority system I was working on was still operated on the backup and restore basis, as well as being based on hardware running a relatively obscure operating system.
Who's game for a murder charge for these jokers? (Score:2)
Re:Who's game for a murder charge for these jokers (Score:5, Insightful)
Re: (Score:2)
If they're local, and you can prove who they are, yeah. If they're located in Moscow or Tanzania...you may well have a hard time getting extradition.
The real answers are:
1) don't put records systems on the internet (or at worst only use HTML1).
2) Never pay the Danegelt.
Re: Who's game for a murder charge for these joker (Score:1)
This is the UK (Score:3)
There ARE no backups.
There are also no storm-drains.
The NHS sends armed police to a third heart-attack victims, because the ambulance-drivers now drive the lorries after the EU-citizens left.
Re: (Score:1)
There ARE no backups.
Several NHS hospitals were hit by ransomware attacks a couple of years ago and recovered from backups.
Re: (Score:2)
"There ARE no backups.
Several NHS hospitals were hit by ransomware attacks a couple of years ago and recovered from backups."
"A couple of years ago " maybe, NOW it's some Tory donor's company doing this for them.
Or not.
Re: (Score:2)
NOW it's some Tory donor's company doing this for them.
Or not.
No why would they? The Tories don't care about the NHS, they are too busy getting Brexit done. Seriously the only mention of the NHS in the latest leadership race was that Truss wanted to fire some manager to magically make everything better. Except she didn't even admit it needed fixing, that itself would have been a step too far.
Ban crypto... (Score:2)
IT run by lawyers. (Score:4, Interesting)
The fundamental problem is that in institutions like the NHS they are not interested in the best technical solution, they are looking for the solution that best transfers liability. I have been involved in implementing IT systems that integrate with the NHS for health research.
When data is destroyed there is a requirement to use a commercial tool that issues a pdf certificate of destruction. Our IT people raised legitimate concerns about the effectiveness of this solution especially in relation to SSD storage, they didn’t care, just want the company to indemnify them, so they have someone to point the blame at when things go wrong.
While lawyers have a place in determining policy, shutting out the IT professionals ultimately results in systems that are insecure. No doubt a contractor somewhere along the line will carry the can for this episode, but that does not change the fact that it has resulted in failure of patient care.
My Employer (Score:1)
Never thought I'd ever see the company I work for on El Reg and Slashdot and spread across the rest of the UK press.
Re: (Score:1)
Hope you aren't the guy who's supposed to do backups.
Post Mortem Details and follow up (Score:3)
So glad Cryptocurrencies exist... (Score:2)
To make these schemes financially plausible. This is the inevitable outcome of deregulated financial exchanges. They will be constant targets of abuse and theft. Look at what the best regulated systems deal with and allow. Crypto is a greased rail for criminal financial processing of all kinds.
I know this will draw out the crowd that thinks the freedoms provided by this system outweigh all that, but they don't. Poorer nations and people don't need crypto they need functioning banks. Well, not as much as bas
Re: (Score:2)
Earlier this year, someone made a brilliant analogy worth repeating. Inventing a holodeck is hard, not just because of the physics involved, but because people are going to have lots of sex in it. The first guy inventing it might have been too idealistic to ignore that basic tenet of human nature, but it won't take long to figure out that inventing the holodeck means accounting for people having sex on it. This could mean limiting the programs that can run, having 'red light district' holodecks that can wit