I was disappointed to see that there has been yet another security breach in an NHS Trust. It is getting so commonplace that it is no longer deemed newsworthy; after all, if something happens consistently it is not a new thing and not news. In fact the NHS is the top offender in the UK on the http://datalossdb.org website.
This time it was the Leeds Trust which has been hit by the Conficker worm. Why is it so hard to patch computers? Conficker spreads through a Windows flaw (MS08-067) for which Microsoft shipped a fix in October 2008, well over a year ago. I am really frustrated when organisations fail to do something as simple as applying patches, allowing this type of infection to occur, especially when it affects systems that are, by their very nature, sensitive.
I would bet that the effort that has gone into the clean-up process is far more than it would have taken to patch the servers in the first place, which would have prevented this incident altogether.
A statement said that they “think they know the source of the infection”. In other words, the source may well not be what they think it is; they are not certain. The suspected source is an old laptop that was plugged into the network.
What I find worrying is that a computer could simply be plugged into the network without any automated check of the machine’s state, and without the device being quarantined until it was confirmed to have current AV signatures. It was just allowed to connect and infect.
I appreciate that budgets are tight and that everything is risk based, but come on, what are the chances of having people who are too lazy to patch? Quite high in this case!
This is basic stuff: patching, coupled with simple network access control (NAC), which is not expensive. If anything, the mop-up and remedial work is more expensive when you factor in the cost of disrupting all of the staff who cannot work during the outage. It has taken them a week to sort this problem out.
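To make the admission check being argued for here concrete, below is a small Python posture-evaluation routine of the kind a NAC policy engine applies before a device gets a production address. This is example code written for this page, not anything the Trust or a NAC product runs. It quarantines any host missing the MS08-067 fix (KB958644, the hole Conficker exploits) or reporting stale or absent antivirus signatures. The three-day signature limit, the VLAN names, the audit date and the sample hosts are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Conficker spreads by exploiting MS08-067 in the Windows Server service.
# Microsoft's fix for that flaw is KB958644 (October 2008); a host without
# it has no business on the production network.
REQUIRED_PATCHES: Set[str] = {"KB958644"}

# Maximum age of antivirus signatures before a host is quarantined.
# The three-day figure is an assumed policy value, not from the post.
MAX_SIGNATURE_AGE = timedelta(days=3)

# VLAN names are hypothetical placeholders for this example.
PRODUCTION_VLAN = "vlan-clinical"
QUARANTINE_VLAN = "vlan-quarantine"

# Assumed date of the check (the post is dated 16 February 2010).
AUDIT_DATE = date(2010, 2, 16)


@dataclass
class Endpoint:
    """Posture as reported by a NAC agent or an agentless scan."""
    hostname: str
    installed_patches: Set[str]
    av_signature_date: Optional[date]  # None if no antivirus reported at all


@dataclass
class Decision:
    hostname: str
    admit: bool
    vlan: str
    reasons: List[str] = field(default_factory=list)


def evaluate(endpoint: Endpoint, today: date,
             required: Set[str] = REQUIRED_PATCHES,
             max_age: timedelta = MAX_SIGNATURE_AGE) -> Decision:
    """Admit the host to production only if every check passes;
    otherwise place it in quarantine and record every failed check."""
    reasons: List[str] = []

    missing = required - endpoint.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))

    if endpoint.av_signature_date is None:
        reasons.append("no antivirus signatures reported")
    else:
        age = today - endpoint.av_signature_date
        if age > max_age:
            reasons.append(
                f"antivirus signatures {age.days} days old (limit {max_age.days})")

    if reasons:
        return Decision(endpoint.hostname, False, QUARANTINE_VLAN, reasons)
    return Decision(endpoint.hostname, True, PRODUCTION_VLAN)


def triage(endpoints: List[Endpoint], today: date) -> List[Decision]:
    """Evaluate every host seen on the access layer."""
    return [evaluate(e, today) for e in endpoints]


# Constructed sample hosts, not real inventory data.
SAMPLE_HOSTS = [
    Endpoint("ward-pc-01", {"KB958644"}, date(2010, 2, 15)),   # patched, fresh AV
    Endpoint("old-laptop", set(), date(2009, 3, 1)),          # unpatched, stale AV
    Endpoint("visitor-nb", set(), None),                       # unpatched, no AV
]

if __name__ == "__main__":
    for d in triage(SAMPLE_HOSTS, AUDIT_DATE):
        status = "ADMIT" if d.admit else "QUARANTINE"
        print(f"{d.hostname:12} {status:10} {d.vlan:16} {'; '.join(d.reasons)}")
```

The point of recording every failed check rather than stopping at the first is that the quarantine VLAN can then present the user with exactly what needs fixing (run Windows Update, update signatures) before the device is re-evaluated; the old laptop in the sample is both unpatched and almost a year behind on signatures, which is the profile the post describes.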
I want to see a more robust approach to security, especially in weak areas such as simply patching servers and allowing machines onto the network without any basic NAC. There are some tip-top products out there that are not overly expensive and will do the job really well; it is just a shame that organisations that hold our confidential data (and you can’t really get more confidential than health records) are not implementing them.
I think it is about time that the NHS was given a directive with serious penalties so that it actually does something about the awful state it is in. It is a bit harsh, but I would like to see a few heads roll in future; that might make people in the NHS take computer security seriously.
Tuesday, 16 February 2010
Hi Duncan,
Good point about the lack of laptop precautions, I mean people are not allowed to walk into the operating rooms from the street in the UK, are they?
Health care is sometimes tricky because application vendors resist OS patches being done due to the fact that it will break their app.
The other big factor in health care is the lack of resources, of course. That's a tough nut to crack.
This leads to the general problem of vulnerability-centric security not serving the user public well.