They knew they were vulnerable because they had been hit before. Many times.
While everyone is busy being “shocked – shocked! – to discover that ransomware is real,” it turns out that NHS hospitals have been getting hit with ransomware for a while. NHS cyber attack: Doctor who predicted hack says scale makes him ‘worry about who is behind it’ | The Independent
“From a Freedom of Information request we know that over one third of NHS trusts have admitted to being hacked – but [in the past it seems to have been] individual organisations [targeted].”
So a third of your organization has been hacked over the space of a few months, and Microsoft, and the whole of the cyber-security industry, starts yelling in March of this year that you need to update your systems or be left even worse off, and you do nothing. (Exactly what would cause you to do something?)
Corporate IT departments will tell you that they can’t upgrade their systems every month. (I know; I used to work in those departments, though I was never the one saying that.) But I update my system every month. And LibreOffice, all my browsers (I use several over the course of a week), my Kindle for PC app, Spotify (which is usually playing music in the background), games, etc. ALL continue to work. If your in-house applications don’t survive a security update, you are doing something REALLY wrong, and you should figure out how to stop doing that.
And then they launch into the “cost” of this attack, in terms of the impact on patients.
“Hospitals need access to those records day in day out,” [Dr Krishna Chinthapalli, a neurology registrar at a London hospital] said. “If you lock systems we can’t access blood tests or scans or clinical information, so what drugs patients are taking – what medications – what the dosage is, what they’re allergic to, all of that for example.
If you truly believe that your systems are that critical then you have a couple of options, at least as I see it; there may be more.
1. Make your system separate from the Internet. A hard gap: no access to the outside, only access to the features (like medical records) that are critical. (And no access to email, etc.)
2. Commit to keeping your systems up-to-date. That means applying every MS Patch Tuesday update and the updates for all your application software (including such things as PDF readers). Not as foolproof as option 1, but you can say you are doing your best.
3. Go back to keeping records with pen and paper.
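Option 2 is only a commitment if someone checks it. The script below is an added example, not code from the original post or from the NHS: it computes the most recent Patch Tuesday (the second Tuesday of the month) for a reference date and flags every host whose newest installed update predates it. The inventory is constructed sample data shaped like a per-host export of Windows hotfix information (HostName, HotFixID, InstalledOn); the host names, hotfix IDs and dates are placeholders, not real systems.

```python
"""
Added example (not from the original post): a fleet patch-currency check.

Patch Tuesday is the second Tuesday of each month. Given an inventory of
installed hotfixes per host, report hosts whose newest update predates the
latest Patch Tuesday relative to a reference date, and by how many days.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts and hotfix IDs), in the
# shape of a CSV collected from each machine's installed-hotfix list.
SAMPLE_INVENTORY = """\
HostName,HotFixID,InstalledOn
ward-pc-01,KB0000001,2017-03-15
ward-pc-01,KB0000002,2017-04-12
ward-pc-02,KB0000001,2017-02-15
lab-srv-01,KB0000002,2017-04-12
lab-srv-01,KB0000003,2017-05-10
"""


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(as_of: date) -> date:
    """Most recent Patch Tuesday on or before as_of."""
    this_month = patch_tuesday(as_of.year, as_of.month)
    if this_month <= as_of:
        return this_month
    # This month's Patch Tuesday has not happened yet: use last month's.
    if as_of.month == 1:
        return patch_tuesday(as_of.year - 1, 12)
    return patch_tuesday(as_of.year, as_of.month - 1)


def newest_install_per_host(inventory_csv: str) -> dict:
    """Map each host to the InstalledOn date of its newest hotfix."""
    newest = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed = date.fromisoformat(row["InstalledOn"])
        host = row["HostName"]
        if host not in newest or installed > newest[host]:
            newest[host] = installed
    return newest


def stale_hosts(inventory_csv: str, as_of: date) -> dict:
    """Hosts whose newest update predates the latest Patch Tuesday -> days behind."""
    cutoff = latest_patch_tuesday(as_of)
    return {
        host: (cutoff - installed).days
        for host, installed in newest_install_per_host(inventory_csv).items()
        if installed < cutoff
    }


if __name__ == "__main__":
    reference = date(2017, 5, 12)  # constructed reference date for the report
    print(f"Latest Patch Tuesday as of {reference}: {latest_patch_tuesday(reference)}")
    for host, days in sorted(stale_hosts(SAMPLE_INVENTORY, reference).items()):
        print(f"STALE  {host}: newest update is {days} days behind")
```

The check is deliberately conservative in one direction only: a host with an update installed after the cutoff is not proven fully patched (it may have taken one update and failed on others), but a host with nothing newer than the previous Patch Tuesday has definitely missed a cycle, which is exactly the situation the post describes.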
Item 3 is near and dear to my heart. On more than one occasion I have told employers to either shut off their completely defective “information systems” (I use quotes because they were more like disinformation systems) or put up some real money to fix the problem. If you aren’t going to secure your CRITICAL information systems, then you shouldn’t be relying on them. (How can they be both critical and wrong, or critical and not worth securing?)
One of the “costs” mentioned in the article is that doctors couldn’t get access to email. I want to sneer, but I suppose it is possible that they are conducting real business over email. Even though email is NOT secure, unless you are using something like GnuPG to encrypt everything. And I doubt it! How many people even know what public key cryptography is?
My guess is that if you tried to implement any security regime, even a reasonable password policy, at the NHS (and even if you got everyone access to a decent password manager) the doctors would rebel. Because technology is there to serve them. Security be damned if it gets in their way. Tell me what I can and cannot click on? Who are you to tell a doctor anything? And if you think it’s bad in medicine (it is), you can substitute “professor” for academia, or “executive” for corporate America (or corporate United Kingdom), etc. No one wants to do anything about security, until something like this happens. Then they will be sharpening knives to take the scalps of the IT pukes who have been screaming for months about security.