[SystemSafety] NHS Safety and Cybersecurity. Again.

Martyn Thomas martyn at thomas-associates.co.uk
Tue May 16 10:56:06 CEST 2017


If this report in The Register is true, then Microsoft Windows could be
considered to be ransomware.

http://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches:
Friday's WinXP fix was built in February

And it took three months to release despite Eternalblue leak

16 May 2017 at 01:44, Iain Thomson

...

On Friday night, Microsoft issued emergency patches for unsupported
versions of Windows that did not receive the March update - namely WinXP,
Server 2003, and Windows 8 RT. Up until this point, these systems - and all
other unpatched pre-Windows 10 computers - were being menaced by
WannaCrypt, and variants of the software nasty would be going after these
systems in the coming weeks, too.

The Redmond tech giant was praised for issuing the fixes for its legacy
Windows builds. It stopped supporting Windows XP in April 2014, and Server
2003 in July 2015, for instance, so the updates were welcome.

However, our analysis of the metadata within these patches shows these
files were built and digitally signed by Microsoft on February 11, 13 and
17, the same week it had prepared updates for its supported versions of
Windows. In other words, Microsoft had fixes ready to go for its legacy
systems in mid-February but only released them to the public last Friday
after the world was engulfed in WannaCrypt.


On 16/05/2017 09:39, Matthew Squair wrote:
> Re: the NHS
>
> IIRC the NHS has been under an effective funding freeze (conservative
> initiated) since about 2010. Funding does increase but not matching
> inflation rates. Plus the usual outsourcing of noncore activities like
> IT, yay. 
>
> Size of problem? As of 2014 there were about 1.08M desktops running XP
> in the NHS. That's big, a real big number. 
>
> To renegotiate a major government support contract is a multi-year
> effort and a very political exercise. Extending the XP support to
> cover the gap is doable, but the cost goes up (a lot), thanks MS. 
>
> You want to upgrade to Win 10? Ok, we're talking big dollars for
> hardware upgrades ($100M+?) as a ballpark plus say one tech day for
> swap and go, so that's a million labour days and cost. But you can't
> parachute in a mobile strike team, it's all decentralised, and
> tailored so it'll take time to figure out (for example) how to recert
> that MRI that's running XP for example. 
>
> So I'm not surprised that this got put in the intractable basket by
> the trust. They're struggling if you hadn't noticed. I also think the
> snarky comments by the current (conservative) Minister are invidious
> to say the least.  
>
> Cheers, 
>
>
> Matthew Squair


