
Barts virus attack ‘avoidable’

Tags: Barts and the London   Conficker   consultant   Information   Information governance   iS   London   Microsoft   Mytob   Network   Security   Virus  

29 Jan 2009

The Mytob worm attack on the Barts and the London NHS Trust network was “entirely avoidable”, an independent review has concluded.

Board papers published on the trust’s website indicate that although the trust had anti-virus protection “that was updated on a daily basis prior to the attack” this “did not reach all PCs” and was “configured incorrectly on some PCs” leaving a “back door” through which the virus could infiltrate the network.

Mytob struck on 17 November and rapidly infected the trust’s 4,700 PCs. Barts had to activate its major internal incident procedure to cope with the resulting disruption.

The review, conducted by a consultant recommended by the London Programme for IT, says the incident “could have threatened the well-being of patients and the morale of staff, as well as the long-term reputation of the trust.”

That it didn’t do so “reflects positively on the ability of personnel in all parts of the trust to be reactive and flexible in rising to the very considerable challenges that were presented over the seven days of the incident,” the report says.

However, it concludes that the incident was “entirely avoidable” and the result of a “substantive failure of the trust’s information governance processes, especially those operational processes in the ICT domain.”

The publicly available board papers say it would compromise trust security to say exactly how the virus was introduced, although they say the infection was “accidental” rather than “malicious.”

They also say that an urgent programme of work is now underway to improve management systems and processes, and that it will not be complete until April.

The Barts papers were published days after Sheffield Teaching Hospitals NHS Trust acknowledged that it had been hit by the Conficker B worm in December. The virus apparently struck after IT managers turned off anti-virus protection measures to tackle a problem with PCs supporting information in theatres.

Around 800 of the trust’s 7,000 computers were affected, and the trust is still clearing up “the last remnants” of the problem. A handful of patients had their appointments cancelled and immediately rebooked.

Conficker B has achieved some national notoriety, with newspapers reporting that it may have originated in the Ukraine as part of “computer warfare” between former Soviet states.

A number of NHS trusts and public sector organisations are also reported to have been affected. Microsoft provided a patch in October.

 

Lyn Whitfield

© 2009 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments

1

Security through obscurity

29 Jan 09 08:54

>>it would compromise trust security to say exactly how the virus was introduced<<

That meaning that the individual responsible* for (in)security would be held to account?

[*alien concept to the NHS and UK public service in general]

Perhaps the worm was accidentally loaded from a memory stick while unencrypted confidential patient data was deliberately being stored onto it.

At least the person who subsequently picked the stick up on the train got a nasty surprise - assuming they had neither patched their PC for months nor used Linux, MacOS, Windows antivirus software or their head.

Pathetic :-(


2

still got holes?

29 Jan 09 13:56

Since revealing how it happened would compromise security, can we assume that they have yet to plug the security hole?


3

NHS ICT IN-SECURITY!

max.lock@live.co.uk

01 Feb 09 10:23

There is a mistaken belief that the NHSnet is fully secure from this sort of incident. Well this has proved to them what the rest of us in I.T have known for years, the NHSnet is wide open to abuse. With NHSnet routers often having no firewall configuration, the AV, ASW, security patching of servers and PCs are not kept up to date.

In reflection, there is often no firewall implementation either on the router or between router and LAN, no IDS/IPS, no protocol filter, no website blocker, no content blocker. Staff surf the internet, when it has no relevance to work and further complicate the security issues, which also increases spam email. Primary Care medical providers often do not implement Windows updates on the medical server, virus checkers are often outdated on these servers offering little if any protection. Home IT users are now allowed to dial in from home, often using equipment owned by the individual which could be 100% insecure, spreading whatever they already have.

There is no record of surfing activities centrally on the NHSnet. Locally, very few PCTs have a record of surfing activity and if they have then a social networking site will be at the top of the list for hits. The NHSnet should be work related only, no porn, no gambling, no downloading music for free, no booking holidays, selling and buying and social network sites, no chats etc etc etc

ICT in the NHS is a bottomless pit of funding, but the directors, managers, ICT engineers often have no experience of running a large network and in a PCT where I have some experience the infighting between the Shared Services and one PCT director is comical.

If you perform a FOI on all PCTs in the country to ascertain the number of malicious code infiltrations, I bet you that most will not have any records of this, conveniently ???????
