Is UK NHS jinxed or does it just have a weak information protection policy?

Why public organizations


p { margin-bottom: 0.21cm; }a.western:link { }a.ctl:link { }

It seems that the National Health Service has turned (again) into some sort of “black sheep” of data safeguarding. Following the 2009 Conficker infection spike, last year's Qakbot offensive, and the recent attack of the Lulz Security hacker group, another security breach – this time several stolen laptops, of which one is supposed to hold details of a bit over 8 million patients – rounds up the series of incidents endangering the medical records this public organization stores.

Without entering into a debate about how these things actually happened and who is to be held responsible – most likely these are the details that an official investigation should reveal – I think it is important to see why this incident may have happened and what consequences it has.

At a closer look, the main issue here is, probably, a weak computer use and data protection policy. Conficker spread through a few major vulnerabilities: unpatched OSs, unprotected systems with the Autoplay feature enabled (for more details, see this whitepaper). In its turn, the Quakbot family of worms disseminated through network shares, removable drives and poisoned Web pages, being able to steal the user names and passwords to different services, as well as to capture any information a user types in a Web browser (see a detailed description here). The attack carried out by hackers a few weeks ago proved that administrator passwords are also easy to get, while the current incident shows that the physical tier of defense is quite loose (not to mention the lack of encryption on a system with such a “delicate payload”).

To put it differently, I see here a list of facts and events that tells me the following: chances are that the OSs running on several machines were unpatched and, probably, they weren’t running up-to-date security solutions; the target organization’s staff presumably could browse freely whatever Internet page they wanted and they could connect almost any device to any terminal in the network; last but not least, it is also very much likely that laptops weren’t closely monitored or secured with at least some cheap cables.

What are the consequences of this state of facts? According to this blog post – the Parliamentary Network, the Royal Navy, and NHS weren’t the only public organizations in the UK or in the world to be hit by Conficker two years ago. Nor were they the only victims of Qakbot, which also invaded the Massachusetts Executive Office of Labor and Workforce Development in the US, for instance (see details here). As for hacking attempts, the recent attacks on the US Senate, FBI, CIA and other organizations speak for themselves. Bottom line, in all likelihood, the compromised networks/servers/systems or the leaked data grants access – one way or another – to highly classified information or to people in key-positions who – again, one way or another – could have access to such data. Luckily, so far no one thought of selling or of exploiting these details, respectively of blackmailing these people. But, to quote Alice, “what if”?


Safe surfing everybody!


All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


With a humanities passion and background (BA and MA in Comparative Literature at the Faculty of Letters, University of Bucharest) - complemented by an avid interest for the IT world and its stunning evolution, I joined in the autumn of 2003 the chief editors' team from Niculescu Publishing House, as IT&C Chief Editor, where (among many other things) I coordinated the Romanian version of the well-known SAMS Teach Yourself in 24 Hours series. In 2005 I accepted two new challenges and became Junior Lecturer at the Faculty of Letters (to quote U2 - "A Sort of Homecoming") and Lead Technical Writer at BluePhoenix Solutions.

After leaving from BluePhoenix in 2008, I rediscovered "all that technical jazz" with the E-Threat Analysis and Communication Team at BitDefender, the creator of one of the industry's fastest and most effective lines of internationally certified security software. Here I produce a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases. Every now and then, I enjoy scrutinizing the convolutions of e-criminals' "not-so-beautiful mind" and, in counterpart, the new defensive trends throughout posts on www.hotforsecurity.com.

Balancing the keen and until late in night (please read "early morning") reading (fiction and comparative literature studies mostly) with Internet "addiction", the genuine zeal for my bright and fervid students with the craze for the latest discoveries in science and technology, I also enjoy taking not very usual pictures (I'm not a pro, but if you want to see the world through my lenses, here are some samples http://martzipan.blogspot.com), messing around with DTP programs to put out some nifty book layouts and wacky t-shirts, roaming the world (I can hardly wait to come back in the Big Apple), and last but not least, driving my small Korean car throughout the intricacies of our metropolis's traffic.