[Dshield] got one

P Ellison p.pe at btopenworld.com
Wed Feb 15 10:59:57 GMT 2006


Chris Wright wrote:
> Actually, you are not wrong there...
> 
> The NHS in the UK has recently been installing site wide network access on
> most wards and offices to allow staff to access patient records/patient
> care charts etc. etc. (well, they've been trying to implement the scheme for
> ages and it is way way over budget). 
> 
> Nearly every machine has internet access and get this, on the ward where my
> wife worked, every single machine was infected with countless bots, trojans
> and viri.  
> And it was not an isolated incident.
> 
> I wrote several times to the IT Admin at the hospital concerned and he
> stated that it was impossible.  He backed down when I showed him the
> machines I was referring to after he arranged to meet me for lunch one day
> (amazing what the threat of going to the local press did).  
> They were installed by a 3rd party contractor who obviously bid the lowest
> price and installed no HW/SW protection whatsoever.  
> 
> Most of the staff would not use the computers because they were slow,
> (because of the amount of junk that was running on them).  
> 
> She left a few months back and I never did get to find out how they or if
> they solved it.
> I for one would not trust having my personal information on an NHS based IT
> system in any hospital.
> Especially with the idea of the network to allow all any NHS location to
> access data anywhere in the NHS system.
> 
> It was downright outrageous.  And when I say the lowest bidder won, I doubt
> it when you see how much money was being spent to roll out the new network.
> (I can't remember offhand the name of the system, but it was being pushed by
> Tony Blair as one of the success stories of the NHS modernisation).
> 
> Every GP (Family Doctor) also had terminals in their practices that had
> access to the NHS system and no doubt these were as insecure as the ones in
> the hospital.  They simply connected via ADSL or Cable access to the same
> network.
> 
> I don't imagine it to be the case in every hospital, since that would be
> just downright unbelievable, but the North Hants Hospital in Basingstoke was
> amazingly lax when it came to network security.
> 
> Regards
> 
> Chris
> 
> 
> 
> 
>>-----Original Message-----
>>From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Stasiniewicz, Adam
>>Sent: 14 February 2006 03:58
>>To: General DShield Discussion List
>>Subject: Re: [Dshield] got one
>>
>>Hmm, here is a thought.  How about we take a step back and 
>>look at the IT security that was in place for a hospital?  I 
>>might understand if the hospital was specifically targeted by 
>>the hacker, but a random net worm making its way into the 
>>computers of an ICU?  All the hospitals I know only offer 
>>limited internet in the administrative/doctor offices and 
>>completely remove access on the floors (for this exact 
>>reason).  I think the real question here is how could this 
>>have happened in the first place?
>>
>>Regards,
>>Adam Stasiniewicz
>>Computer and Communication Services Department Milwaukee 
>>School of Engineering
>>MSCE: Messaging & Security 2003 
>>
>>
>>>-----Original Message-----
>>>From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Mike Trahar
>>>Sent: Monday, February 13, 2006 3:06 PM
>>>To: list at lists.dshield.org
>>>Subject: [Dshield] got one
>>>
>>>has anyone seen this?
>>>
>>>
>>>http://www.computerworld.com/securitytopics/security/story/0,10801,108643,00.html?source=NLT_PM&nid=108643
>>>
>>>I hope they hang them.
>>>
>>>Mike
>>>_________________________________________
>>>Learn about Intrusion Detection in Depth from the comfort of your own couch:
>>>https://www.sans.org/athome/details.php?id=1341&d=1
>>>
>>>_______________________________________________
>>>send all posts to list at lists.dshield.org
>>>To change your subscription options (or unsubscribe), see:
>>>http://www.dshield.org/mailman/listinfo/list
What's more important is access levels. Our local NHS trust even give
access to the cleaning staff through terminals within the group/nationwide
database. Your personal records are not safe from any Tom, Dick or Harry
with intent to pry.

Josh








