London hospitals back online after PC virus infection
Two week clean-up job nears completion
Computer systems at three London hospitals are almost back to normal two weeks after a computer virus forced staff to shut down their network.
Computers at St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green were taken offline on Tuesday 18 November following infection by the Mytob worm the preceding day. The hospitals collectively make up the Barts and the London NHS Trust.
Restoring key administrative systems and email access took the best part of three days, while the clean-up operation has taken longer still.
In an updated statement, posted on Friday, the Trust said 97 per cent of its 5,000 computers have now been scanned and confirmed to be free of malware. The remaining PCs should be back online soon.
Infection by the Mytob worm forced the Trust to implement an established disaster recovery plan that effectively put its PCs into quarantine. Medical work at the hospitals went on almost as normal. Doctors and lab staff had to go back to pen and paper systems in some cases, and ambulances were diverted for a short time during the first day of the incident.
A "very small" number of non-urgent operations postponed as a result of the infection have since been rescheduled, the hospital trust said. Aside from that, a backlog of admin work seems to have been the worst of the problem.
The cause of the infection remains subject to investigation. In the meantime Trust staff are keen to dispel rumours that the shutdown was the result of a targeted attack, or that sensitive records might have been placed at risk as a result of the breach.
"Contrary to some reports, there is no evidence to suggest that the Trust was targeted as part of a malicious attack and there has been no unauthorised access to patient information," the trust said. "An investigation into how the computer system became infected is ongoing."
The disruption of hospitals as a result of viral infection is rare but not without precedent. Infection by botnet clients at a Seattle hospital two years ago is one of the very few other examples of malware infection affecting medical facilities. ®
Windows ME anyone?
Yep, I have seen a computer recently running Windows ME.....
Feel safe now.....
Paris because even she knows better
Someone earlier mentioned group policies as a way to improve security...
Group policies are fundamentally flawed in their implementation...
Let's bring up the example of the policy which is supposed to prevent you from opening a command prompt.
So you run cmd.exe, and it pops up a message saying you're not allowed to do that...
Now in any sensible implementation, it would be the OS which is doing that... But that's simply not the case.
The cmd.exe program itself executes, and the program itself checks for the presence of a registry key forbidding cmd.exe use; if it finds it, then it displays the message and exits. So the OS does nothing to stop you executing the program; the program does its own check.
So what if you run a different command interpreter, say command.com? Yes, that still works, since they didn't implement the same check into command.com.
And if you have the ability to introduce your own binaries, which you almost certainly do, then you can simply execute a modified cmd.exe that has the check removed (very simple with a hex editor, just change the registry key it looks for so it won't be found).
Also, cmd.exe will still let you execute batch files regardless...
And then there's regedit/regedt that will exit, but reg.exe from the commandline will still work, and you could just supply your own regedit.
Same with restrictions on browsing drives: supply your own apps and they bypass the half-assed restrictions.
And when it comes to users supplying their own binaries, on a Unix machine you would mount all the areas a user could potentially write to (including removable media) with the noexec flag; Windows has no equivalent of this and you need to implement third-party binary whitelisting...
Now specifically to the Mytob worm, this spreads by exploiting the LSASS vulnerability I believe, and the systems were clearly not patched against it. Surely it would have been more sensible, on workstations at the very least, to disable any listening network services... There really is no need for these services to be available to the network, and if you turn them all off even an unpatched machine won't become infected.
Of course the stupid thing is that such complex bloated services ship enabled by default on a workstation OS.
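The distinction the comment above draws, between a restriction the application checks for itself (DisableCMD) and one the OS enforces for every binary, can be audited with the script below. It is an added example, not code from the article or from the commenter; it assumes Windows 7 / Server 2008 R2 or later with the AppLocker module, run as the user whose exposure is being checked, and it reports rather than blocks anything.

```powershell
# Added audit example (not from the article or the comment). Assumptions:
# Windows 7 / Server 2008 R2 or later with the AppLocker module; run as the
# user you want to check, since Get-AppLockerPolicy -Effective reflects the
# policy applied to this machine and account.
Import-Module AppLocker

function Get-DisableCmdState {
    # 1 = cmd.exe and batch files blocked, 2 = cmd.exe blocked but batch allowed.
    # This value is consulted by cmd.exe itself; no other interpreter reads it.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\System"
        $v = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
        if ($v) { return "DisableCMD=$v set in $hive (checked by cmd.exe only, not by the OS)" }
    }
    'DisableCMD not set'
}

function Test-UserWritableExecutables {
    # Ask the effective AppLocker policy what it would decide for every .exe
    # already present in locations the current user can write to. A result of
    # AllowedByDefault means no OS-level rule constrains user-supplied binaries.
    param([string[]]$Dirs = @($env:USERPROFILE, $env:TEMP))

    $policy   = Get-AppLockerPolicy -Effective
    $exeRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $mode     = if ($exeRules) { $exeRules.EnforcementMode } else { 'not configured' }
    "AppLocker Exe rule collection: $mode"

    Get-ChildItem -Path $Dirs -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        Convert-Path |
        Test-AppLockerPolicy -PolicyObject $policy -User "$env:USERDOMAIN\$env:USERNAME" |
        Group-Object PolicyDecision |
        Select-Object Name, Count
}

Get-DisableCmdState
Test-UserWritableExecutables
```

If the Exe collection reports "not configured" and every file comes back AllowedByDefault, the workstation relies on application self-checks only, which is the situation the comment describes.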
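The suggestion above, that a workstation should not expose listening services to the network at all, starts with knowing what it currently exposes. The script below is an added example, not code from the article or the commenter; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session so that the owning process of every socket is visible.

```powershell
# Added example (not from the article or the comment). Assumptions: Windows 8 /
# Server 2012 or later, elevated session. Lists every non-loopback listening TCP
# endpoint with the process and Windows service behind it, then shows the start
# mode of the services behind ports that stock Windows opens by default.

# Ports opened by built-in Windows services that a workstation rarely needs to
# offer to its peers: RPC endpoint mapper, NetBIOS session service, SMB.
$builtInWorkstationPorts = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 445 = 'SMB' }

function Get-ListeningEndpoint {
    # Map process id -> service names once, so each socket lookup is a hashtable hit.
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $k = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $_.Name
    }

    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |   # loopback-only is not LAN-exposed
        Sort-Object LocalPort |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = [int]$_.LocalPort
                Address  = $_.LocalAddress
                Process  = if ($p) { $p.ProcessName } else { 'unknown' }
                Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
                Note     = $builtInWorkstationPorts[[int]$_.LocalPort]
            }
        }
}

$exposed = Get-ListeningEndpoint
$exposed | Format-Table -AutoSize

# For the flagged ports, show which services own them and how they start, so an
# admin can decide what to set to Disabled on the workstation build.
$flagged = $exposed | Where-Object Note
if ($flagged) {
    $names = ($flagged.Services -split ',') | Where-Object { $_ } | Sort-Object -Unique
    Get-CimInstance Win32_Service | Where-Object { $_.Name -in $names } |
        Select-Object Name, DisplayName, StartMode, State | Format-Table -AutoSize
}
```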
RE: A few items from Above
As someone who works in a Canadian hospital IT department, I can confirm a few comments from above:
1. The staffing levels mentioned by Juillen are correct. For example, we have 7000 desktops + servers spread through 3 major locations and a further 20 minor locations, and we have only 3 full-time network staff (covering internal network gear, as well as firewalls/VPN etc). The only thing worse than our understaffing is the overstaffing of PMO at 2-3 PMO for each technical member.
2. Windows vs. Linux: most medical software is built on a Windows platform. Since most of the software has to undergo stringent testing at the government (or government agency) level, the vendors select the most widely adopted option (i.e. Windows). Additionally, any critical changes to the platform such as AV/security patch updates require retesting, so most vendors bypass this process. We cannot implement the fixes/updates or we take on the liability of the device. We are starting to undertake architecture that will isolate these devices, but see note 1 above for the related timelines...
Overall, I can sympathize with the issues experienced above, but I am sure that they will learn a fair amount from the error and will hopefully get the funding that is required to make the changes (or at least most of them).
Notwithstanding the above, healthcare is a great place to work, as there are many projects that you get to work on that greatly improve the care provided to patients, and this is just not something you can get at any workplace.