Another view: of the cyberattack
7 June 2017
OK, so it’s now a few weeks since the attack. Not the Manchester one – though I was in that same entranceway at the Manchester Arena two weeks prior with my 10-year-old twin daughters, so my thoughts are with all the victims and their families, as with those affected by the recent events at London Bridge. No: it’s a few weeks since the ransomware attack.
We make a habit of all having a cup of tea at 2.30pm just before afternoon surgery. We were in the common room and I noticed out of the corner of my eye the computer in there rebooting itself. “How odd,” I remarked. Everyone just laughed at me and my IT obsession until people started wandering in saying: “What does this message on my screen mean?”
At first, as I guess in all crises, we didn’t really know what was going on. It was clear we had some sort of virus/Trojan horse. At this point we didn’t know if it was just us. We had been hit by a virus about six months before and since then the USB ports had all been locked out to non-secure memory sticks – though I’m still unclear how an encrypted memory stick protects against viruses. Interestingly I did a Windows update manually on my machine a few weeks ago and was moderately alarmed to note 46 important updates available to be installed. Our PCs are all built to the same build and cloned onto our drives. I wonder if that ever gets updated or if people have been pushing patches. If not why not – or why haven’t they noticed it hasn’t worked on mine?
Anyway there was a sudden panic that someone could be hacking their way into our data. We are quite used to people remoting on, so this seemed a possibility. The more IT literate wondered about data or key logging, and was someone trying to record our passwords, so the initial thought was to turn everything off bar one computer, from which our practice manager was desperately printing off lists of who was coming in that afternoon.
I think it’s fair to say our business continuity wasn’t perfect. We have practised what happens if we lose communications. All appointment lists are backed up to a local PC. In retrospect, I’m not convinced that is enough. What happens if you can’t get to that PC? I can barely consult without some form of electronic record. Even knowing what drugs someone is on or their allergies would help. I remember a few years ago a surgery that was giving people a USB stick or small CD with a summary print out of their record, any time they attended the surgery. This might have been useful if we had anything to read them on. You might think patients being able to access their own record would be the answer – I guess it is if they all sign up and bring some independent kit in with them.
Interestingly we quickly learnt that EMIS was OK. It’s a streamed remotely hosted service and the attack was a national thing against PCs, though we seemed hit hard. It was just our computers and network that were suffering – no data was going. The IT people took the decision to shut down the network, presumably to stop the issue spreading. Our active directory then died. Losing shared folders took out Docman, so no letters. Turning off the caching servers ground EMIS to a trickle, though the number of uninfected machines got smaller and smaller by the minute and by 5pm we were effectively flying blind. Luckily it was a nice day, demand was bizarrely low and patients seemed quite amused – especially as it started breaking on the news. People might now be calling for the head of British Airways to resign but there was little anger at our problem.
I think what this has shown is we almost need a reserve piece of kit. A Mac perhaps, or a Unix box that isn’t on the same network but can get a 3/4G signal or onto Fon through the BT wifi from across the way, and allow us perhaps read-only access to EMIS and our appointments. Perhaps every GP should have an iPad as a backup? EMIS will need to build this functionality – their mobile app had promise but I understand it needs to speak to the local server. What we need is a direct feed to the hosted data. So I can carry on consulting – being battery powered I could even do this without power (this has happened to us numerous times), and being able to wifi/Bluetooth to a printer would help prevent me having to hand write things. So go on, EMIS: there is a product you can probably charge me for.
The crazy thing is not why hospitals suddenly got all the attention. Lazy London TV journalists is my answer to that – hop on a tube and stand outside a hospital hoping to interview an attractive A&E nurse seemed to be the default response to the story. The crazy thing is why it took so long to sort and why we were so unprepared.
The root cause analysis is starting, though interestingly there seems almost a faint resignation rather than major outrage and I doubt heads will roll. Why was my area hit hard? Lack of investment? Lack of expertise? Lack of person power? A reliance on legacy software that utilises old operating systems?
There has been an interesting debate on DHI about Linux and virtualisation. I’ve wondered both about should all this be centralised – get rid of numerous local servers running and replace them with some massive virtual server infrastructure in the sky – versus is it because we are all connected and using the same kit that we were hit.
In biological terms did you know that almost every banana we eat is a clone of one type of banana – all it takes is one bug to come along and the world’s banana production will end. Usually people would advocate a rich diverse ecosystem. Perhaps the answer is that. Turn our services into web accessible browser-based services. Have a rich diversity of machines on the desktop that can display it. If some go down others survive.
5 Comments
The reason for the success of the attack seems to me quite simple: and it’s very little to do with IT and everything to do with planning, policing and management.
Where was the NHS IT management plan to:
1. Identify all out of date hardware and software and replace them (or at the very least, isolate them)?
2. Identify the upgrade/patching status of all machines in the NHS sphere?
3. Police aggressively the application of patches and upgrades?
4. Penalise those organisations and individuals who hadn’t carried out the above properly?
5. Provide all the resources for this?
The iPad solution from EMIS doesn’t need to talk to any local servers. It synchronises directly with the EMIS data centre itself.
My understanding is that until version 4 comes out you need to put which pts you want to see on an appt list on the home system and sync them across – no good if you can’t get to your system. Version 4 apparently lets you choose anyone from your db – at least that’s what I’ve been told – I’m happy to be corrected.
The right answer is to use a well designed, properly managed ICT infrastructure, with under-pinning security policies and compliance management. It’s no coincidence that the area most penalised by the ICO for data breaches is Healthcare.
Because the resource the ICO spends on the high risk public sector is significantly higher than the resource attributed to the private sector. You think the NHS is bad – at least we have the conversations about this. I know many companies (some of which are in the private health sector admittedly) that make the NHS a shining star!