Rant blog

NHS National Hacker Service

Anti-innovation 'health service' prioritises shutting down Linux project over fixing IT vulnerabilities

March 2024: A ransomware group is threatening to publish a huge cache of stolen data following a catastrophic failure by a Scottish health board to secure confidential information.

Back in 2017 NHS trusts were left vulnerable to a major ransomware attack - 'WannaCry' - because cyber-security recommendations had been ignored. More than a third of trusts in England were seriously disrupted as a result. Hospitals and GP surgeries in England and Scotland were among at least 16 health service organisations hit by a "ransomware" attack, using malware called Wanna Decryptor - with reports that potentially dozens more were affected.
Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones. Hospitals and doctors' surgeries in parts of England were forced to turn away patients and cancel appointments after they were infected with the ransomware, which scrambled data on computers and demanded payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies. It was only stopped 'accidentally' NOT by any NHS IT dept but instead by a 'White Hat hacker' ON HIS WEEK OFF! Following that fiasco the National Audit Office chief stated that the Department of Health and the NHS must now "get their act together". Almost seven years later and they still haven't. A group calling itself NHS Dumfries and Galloway IT has now admitted it allowed hackers INC Ransom to siphon off three terabytes of data. Despite many warnings that patient data was being targeted in ransomware attacks, these breaches have been allowed to continue. The ransom organisation has already published some patient data and threatened to publish the rest unless its demands are met. Dumfries and Galloway NHS Board admits they are clueless as to what happened:
'The scale and breadth of information which the cyber criminals were able to access makes it difficult to define the data which they may have been able to download, or to address this on an individual patient and staff member basis.'

INC Ransom have published some of the data - a "proof pack" - including confidential information on a small number of patients. Jeff Ace, the health board's chief incompetent - apparently dubbed Ace Waste Of Space by colleagues - said patient-facing services were functioning "effectively as normal" after the laxity of their IT systems earlier in March (2024).
Yeah, that's not some kind of 'win'. That's not how these kinds of attacks work and you know it. Deflecting. The data was not encrypted on your systems but stolen. You have negligently allowed three terabytes of personal information to be siphoned off by criminal blackmailers. The damage has already been done. This kind of leak can be devastating.

The incompetent buffoon blustered: “We absolutely deplore the release of confidential patient data as part of this criminal act."
Well, we deplore your absolute failure in protecting patients' confidential information. This kind of hacking data breach has been around for a long time now. You have no excuse. The data taken will include patients' full names, dates of birth, full home addresses, contact telephone numbers and emails - a goldmine to identity thieves - along with confidential medical information.

'He said that as part of the response, the health board will be making contact with any patients whose data has been leaked.'
...and offering compensation? Laughably they say 'A robust response has been mounted by the Health Board's IT teams'.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”
Crocodile tears; 'acutely aware' but ultimately 'we do not give a sh*t', otherwise they would have done something to prevent this happening, just as the earlier WannaCry devastation could have been averted.

Waste of Space previously claimed "a very great effort is being made to try to prevent the attack from being repeated. The health board is continuing to work with Police Scotland, the National Cyber Security Centre and the Scottish government and other agencies."
Too little, too late. Why weren't you working with these agencies BEFOREHAND to PREVENT this happening? Where was your Risk Assessment?! Why aren't you resigning?

However, blame does not rest with this moron alone. According to the 2017 report quoted earlier, NHS trusts had "not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software [e.g. Windows 7]. The Department of Health also lacked important information because before 12 May 2017, it had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance." Organisations could also have better managed their computers' firewalls - but in many cases they did not, it said.

Don't waste any sympathy on these NHS executives. Jeff Ace retired on a full pension in March this year (2024). Clueless top management are a large part of the problem in NHS IT. They would rather shut down a cheap open source project and pour a hundred million pounds yearly into Microsoft licenses - and no doubt enjoy plenty of 'perks' from grateful Microsoft and other crapware salespeople - while wasting £BILLIONS upon £BILLIONS on atrociously negotiated and then abandoned IT projects.

NHSbuntu, later NHoS (National Health Operating System), was an open source project started in 2017 and developed as a proof of concept based on the Linux Ubuntu distribution. It was a volunteer effort to prove the potential to replace the current NHS Windows-based smartcard verification system, used by almost three-quarters of a million NHS staff. The ultimate ambition was to provide an alternative to the Windows operating system, used in almost all parts of the NHS, i.e. it would save the NHS £100 million in Microsoft licenses alone! This volunteer initiative attracted interest from a range of NHS organisations and meetings with NHS England. However, the Dept of Health in charge of the NHS killed the project and is instead currently engaged in negotiations with Microsoft for an NHS-wide enterprise licensing deal. The same NHS which has proven time and time again how incompetent it is in negotiating IT contracts...

How much support does the NHS give to plucky open source homegrown volunteer alternatives? Over to Dr Marcus Baw who headed up NHoS:

... we have received absolutely zero backing from those higher up in NHS Digital and other NHS bodies, – despite significant interest from grass-roots CIOs and NHS tech implementers, who welcome the range of possibilities that an open source NHS-warranted Spine environment would provide them.
The NHS will just have to solve its own terminal addiction and lock-in to Microsoft. One day we may re-initiate the project, when we have some people backing us at high level who actually believe in the project's aim and aren't using it as leverage to help them get their political ends.
You hear a lot about innovation in the NHS, but if this is the way innovators are treated – and with the full might of DH Legal against an unfunded volunteer organisation – then you can see why we have no actual innovation…

This article is - as the Guardian points out - ten years old, yet here we are again with yet another IT disaster. An abandoned NHS patient record system cost the taxpayer nearly £10bn, with the final bill likely several hundreds of millions of pounds higher, according to a highly critical report from parliament's public spending watchdog.
MPs on the public accounts committee said final costs are expected to increase beyond the existing £9.8bn because new regional IT systems for the NHS, introduced to replace the National Programme for IT, are also being poorly managed and are riven with their own contractual wrangles.

The NHS is creaking along using often way out-of-date Windows machines running unsupported end-of-life operating systems. It has piss-poor cyber security and the whole lot was almost brought to a grinding stop seven years ago by WannaCry, which exploited a vulnerability in ... Microsoft! And, while it affected computer systems around the world:
'In Britain, the NHS was the worst hit.'
No surprise there given what we know about how NHS IT is procured and maintained.

The NHS is huge and gets endless £billions in funding but is a classic case of 'where does the money go to?!' It should have moved to an open source solution based on a secure Linux distro - no need to reinvent the wheel - instead of entering into various disastrous deals with Crapita and Microsoft etc. The open source community would have benefitted from a £££ injection and the NHS would have an in-house secure solution tailored to their needs.

Links and alternative links: