Hospitals contract viruses - of the digital kind
-
Just, - a large scale CryptoLocker type infestation at a number of NHS hospitals across the country and because of a certain degree of inter-connection foisted upon the NHS by a previous government, they propagate to other hospitals. Congrats.
Slightly sad note: a number of people seem to be under the presumption that this is a targeted attack - but I somehow doubt it.
-
Would I be correct in thinking that doctors probably get emails on a fairly routine basis with attachments that they're supposed to open? That, combined with the fact that a lot of them are older and less technically literate, makes this not too surprising to me.
-
@Arantor said in Hospitals contract viruses - of the digital kind:
Just, - a large scale CryptoLocker type infestation at a number of NHS hospitals across the country and because of a certain degree of inter-connection foisted upon the NHS by a previous government, they propagate to other hospitals. Congrats.
that took longer than i expected to be honest. Doctors are not the most technologically literate profession out there.
hell i know 80 year old farmers that are more technologically literate than the doctors around here!
-
@accalia My experience with hospitals (in the US at least) is that doctors were excited by technology and very good at learning and using it, and it was the nurses who were more phobic and tried to avoid using technology whenever possible.
-
@blakeyrat said in Hospitals contract viruses - of the digital kind:
@accalia My experience with hospitals (in the US at least) is that doctors were excited by technology and very good at learning and using it, and it was the nurses who were more phobic and tried to avoid using technology whenever possible.
East coast versus west coast i guess.
-
@blakeyrat oh, they learn to use it, because it makes their jobs way easier... some of them just don't understand basic security practices sometimes. The concept that the email they just received that says to click here to update their Outlook Web profile might have actually been sent by a malicious hacker instead of "Microsoft support" is just lost on them.
-
@Arantor said in Hospitals contract viruses - of the digital kind:
Slightly sad note: a number of people seem to be under the presumption that this is a targeted attack - but I somehow doubt it.
Me and Blakey were having a good laugh at how much the BBC is sensationalising this story on Discord earlier.
Yes, you read that right.
-
@RaceProUK what in hell's name are you doing on Discord?!
-
@Arantor Stuff.
I'm a member of a few servers:
- SockDrawer, obviously (we use it for Friday game nights)
- A group with a couple of friends I made before a certain game developer who shall remain nameless decided its most dedicated fans were evil
- A group I do Let's Play-type commentary with
- A group with some people from Carrie's other forum
- Kuro's group that does Fanfic Mondays
- And finally, a group for a YouTube person who I support through Patreon
-
@RaceProUK annnnd (I was riffing on the 'you and Blakeyrat talking' part by mocking the bit of it that wasn't supposed to be unexpected)
-
@Arantor She's super early for Fanfic Mondays ;)
-
Considering every computer I've seen in a GP's surgery or hospital is clearly running XP, I'm more surprised it took this long for a security problem to arise
-
@Jaloopa said in Hospitals contract viruses - of the digital kind:
Considering every computer I've seen in a GP's surgery or hospital is clearly running XP, I'm more surprised it took this long for a security problem to arise
The NHS actually negotiated with MS for a bulk discount on XP support as they have rather a lot of XP machines.
-
@RaceProUK Why would the BBC be sensationalizing the story on Discord? Don't they have their own means of broadcasting information?
-
@Arantor said in Hospitals contract viruses - of the digital kind:
@Jaloopa said in Hospitals contract viruses - of the digital kind:
Considering every computer I've seen in a GP's surgery or hospital is clearly running XP, I'm more surprised it took this long for a security problem to arise
The NHS actually negotiated with MS for a bulk discount on XP support as they have rather a lot of XP machines.
and apparently the cost of supporting a horribly insecure platform is less than that required to upgrade to a secure platform..... greeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeat. thinking like that is why we have a 386 running our traffic control software.
-
@hungrier The sentence is "(RacePro and Blakeyrat were discussing it on Discord) about how the BBC is sensationalising this"
But they have top men on it. Top. Men. They have...Rory Cellan-Jones.
-
@Arantor said in Hospitals contract viruses - of the digital kind:
But they have top men on it. Top. Men. They have...Rory Cellan-Jones.
Didn't he once get lost in his own museum?
-
@Arantor That would imply that I read it wrong, which is clearly not the case.
-
@Polygeekery Marcus Brody got lost in his own museum. Rory... has yet to even find the museum.
-
@hungrier if you say so ;)
-
@accalia said in Hospitals contract viruses - of the digital kind:
@Arantor said in Hospitals contract viruses - of the digital kind:
@Jaloopa said in Hospitals contract viruses - of the digital kind:
Considering every computer I've seen in a GP's surgery or hospital is clearly running XP, I'm more surprised it took this long for a security problem to arise
The NHS actually negotiated with MS for a bulk discount on XP support as they have rather a lot of XP machines.
and apparently the cost of supporting a horribly insecure platform is less than that required to upgrade to a secure platform..... greeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeat. thinking like that is why we have a 386 running our traffic control software.
Sadly, it's typical of a lot of nationalised stuff over here
-
@Arantor It's right there in the post
@RaceProUK said in Hospitals contract viruses - of the digital kind:
Yes, you read that right.
-
@anotherusername said in Hospitals contract viruses - of the digital kind:
That, combined with the fact that a lot of them are older and less technically literate, makes this not too surprising to me.
That doesn't matter. The NHS is supposed to have good sysadmins, and good sysadmins don't let the hospital staff just run executables with a mere double click. In fact, for something as serious as a hospital, common users shouldn't be able to break the computers even if they try.
I'm assuming major incompetence at some level of the command chain.
-
@anonymous234 said in Hospitals contract viruses - of the digital kind:
I'm assuming major incompetence at some level of the command chain.
That is a safe assumption in government or IT. When those two come together, WTFery breeds WTFery.
-
@accalia said in Hospitals contract viruses - of the digital kind:
and apparently the cost of supporting a horribly insecure platform is less than that required to upgrade to a secure platform..... greeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeat. thinking like that is why we have a 386 running our traffic control software.
It can make sense in some cases. If the 386 computer is still working fine in some room, disconnected from the chaotic internet (or connected through a firewall that only lets "authorized" connections through), there's little reason to touch it now.
The important thing is to plan ahead. The computer will stop working sooner or later, and you might not be able to find a compatible replacement, so figure out now what you're going to do when that happens.
In the case of Windows XP, however, paying for extended support is just major incompetence (again). They already had 13 years to prepare. What are they going to do when Microsoft says "no"?
-
@hungrier stop listening to the shoulder aliens :P
-
@anonymous234 given that at the XP death knell, they had over a million desktops across NHS England running XP and were prepared to pony up for the extension, Microsoft isn't going to turn down that kind of money, they're just not. It's likely that other companies are also paying for deathbed support and it's not like the cost goes up significantly if you're already investing in producing patches anyway.
-
@anonymous234 said in Hospitals contract viruses - of the digital kind:
What are they going to do when Microsoft says "no"?
: Look at all the we're saving now !!!
-
@Arantor Well, okay, but clearly "let's keep using XP forever and paying Microsoft as much as they want to maintain support" is not really the best plan.
(I actually wish copyrights would expire, so 3rd parties would be able to take over maintaining software regardless of who built it, but that's another topic)
-
@anonymous234 it's not the best plan but I also don't know how much of their stuff is tied to hardware that may not have supporting software any more.
-
for extra wtf points... one of these hospitals is my client. Call today:
My CT scanner is already infected. I want to make sure that your treatment delivery system isn't infected as well. Do you think I should power the server down while it is still okay? We don't really want to do that though because we still have patients waiting. Can your application make our network secure to make sure it doesn't spread?
Yes, this was a real query.
-
@royal_poet we discussed this briefly in my office and I outlined the only true solution is nuke and pave. The response was 'don't you mean "nuke and get in the fridge?"'
-
@royal_poet said in Hospitals contract viruses - of the digital kind:
My CT scanner is already infected
Why the fuck is a CT scanner connected in such a way it can be infected‽
-
@RaceProUK Think network share to put the CT files on.
-
@Arantor There must be a way to do that without exposing the CT scanner to infection.
-
@RaceProUK mostly for DICOM modality. Hospitals like to sync them to their HIS/RIS to get patient data and appointments across to it as. Patient data is part of the scan files and is needed in those files by treatment delivery suites.
-
@RaceProUK said in Hospitals contract viruses - of the digital kind:
Why the fuck is a CT scanner connected in such a way it can be infected‽
@Arantor said in Hospitals contract viruses - of the digital kind:
@RaceProUK Think network share to put the CT files on.
Really, is that all? I'd have put money on it being controlled by a PC with XP if not something even older running on it.
-
@anotherusername that was just a first order approximation (and has happened before) but @royal_poet explained it better and she's the one that actually works with that. I sit on the edge of computer science by doing fucking web dev, like I'd know something about actual grown up computing.
-
@anotherusername You are not incorrect though. Clinical devices are their own beast in this regard. CE mark validation pretty much makes it impossible to validate them for OS updates so they get locked in. Usually takes years to get a CE mark so imagine the insanity of doing that for each crappy fix MS releases. Most medical manufacturers also can't afford to pay the horrendous fees associated with seeing Windows updates before they are released. So they are playing catch up every time something hits commercial release from MS. All of this would be much less of a problem if people in hospitals put their shit behind NAT/PAT routers only open on certain ports as I tell them to do so many times. Doesn't fix the issue but at least makes it less vulnerable.
-
@royal_poet yeah, a lot of other lab equipment is the same. And process controls. A system gets installed, and it runs for 20, 30 years before it finally needs to be replaced. The computer isn't ever (and probably couldn't be) upgraded, as it's running very specialized software that probably wouldn't work on anything more modern.
I have one of these sitting in my desk drawer:
It's the extra; the system that requires it is still in active use. And it's not even the only system we have that uses one of those.
-
@anotherusername I had some customers in trouble lately because they can't get serial drivers for the barcode readers anymore and Zebra has even dropped support for virtual serial ports these days... so lots of customers who are really annoyed as their entire clinical workflow collapsed because they can't barcode in their patients.
-
@anonymous234 said in Hospitals contract viruses - of the digital kind:
In fact, for something as serious as a hospital, common users shouldn't be able to break the computers even if they try.
De-skill the users to the point where they don't know how to do anything other than the most basic point-and-grunt operation, and you'll have your security with only the most minimal of effort spent on actually securing anything at all.
@Arantor said in Hospitals contract viruses - of the digital kind:
deathbed support
-
@RaceProUK said in Hospitals contract viruses - of the digital kind:
There must be a way to do that without exposing the CT scanner to infection.
There is. It pisses users off a lot to have to explicitly ask a DMZ machine to move the files for them. It pisses them off even when you explain why you aren't going to give them what they ask for. They persist in thinking that Bad Shit Can't Happen To Them Because They're Good People.
Ha! Ha, fucking ha!
-
@dkf if those good little users only made backups they'd not have to care. Worst case a few hours downtime with a competent IT department.
-
@anotherusername said in Hospitals contract viruses - of the digital kind:
The computer isn't ever (and probably couldn't be) upgraded
Eh, for more modern lab equipment it does get upgraded as they actually talk IP over ethernet. The instruments themselves aren't on the internet, but instead talk to a PC that runs the majority of the control software and which acts as a bridge to the rest of the world. It simplifies the certification process quite a bit, as the critical control is on the part that can be totally locked down.
Which would be good, except the vendors like to come in and upgrade the bridge machine. I've yet to see them do that without completely breaking the network configuration. Every fucking time. Shit-kickers! What's so hard about “use DHCP and you'll go on the right VLAN and get the right network proxies”?! Windows will do it (to a sufficient standard to allow remote management) automatically in its default configuration, for Goddess' sake!
I'm happy I don't work on that project any more. Nice people, but I really ain't cut out to do IT support, as I'm a software engineer…
-
@royal_poet said in Hospitals contract viruses - of the digital kind:
they can't get serial drivers for the barcode readers anymore
You can get barcode readers that generate output in a way that makes them pretend to be USB keyboards. Very convenient.
-
@royal_poet said in Hospitals contract viruses - of the digital kind:
Clinical devices are their own beast in this regard. CE mark validation pretty much makes it impossible to validate them for OS updates so they get locked in. Usually takes years to get a CE mark so imagine the insanity of doing that for each crappy fix MS releases.
Gee if only we had OSs actually designed for embedded systems, with a bunch of safety certifications already and a minimal attack surface so they wouldn't need an update every other week just to run a single program.
Or just, fuck that, put Windows on a read-only flash memory. Reboot every night (or every hour). Problem solved.
-
Sounds like this attack is way more widespread...
"Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," cyber security firm Kaspersky says.
-
@dcon said in Hospitals contract viruses - of the digital kind:
74 countries
Yeah, it's not an attack, it's an outbreak.