Of the Cyberattack

This article first appeared on 7.6.17 on digitalhealth.net. See that website for comments.

OK, so it’s now a few weeks since the attack. Not the Manchester one – though I was in that same entranceway at the Manchester Arena two weeks prior with my 10-year-old twin daughters, so my thoughts are with all the victims and their families, as with those affected by the recent events at London Bridge. No: it’s a few weeks since the ransomware attack.

We make a habit of all having a cup of tea at 2.30pm just before afternoon surgery. We were in the common room and I noticed out of the corner of my eye the computer in there rebooting itself. “How odd,” I remarked. Everyone just laughed at me and my IT obsession until people started wandering in saying: “What does this message on my screen mean?”

At first, as I guess in all crises, we didn’t really know what was going on. It was clear we had some sort of virus/Trojan horse. At this point we didn’t know if it was just us. We had been hit by a virus about six months before and since then the USB ports had all been locked out to non-secure memory sticks – though I’m still unclear how an encrypted memory stick protects against viruses. Interestingly I did a Windows update manually on my machine a few weeks ago and was moderately alarmed to note 46 important updates available to be installed. Our PCs are all built to the same build and cloned onto our drives. I wonder if that ever gets updated or if people have been pushing patches. If not why not – or why haven’t they noticed it hasn’t worked on mine?

Anyway, there was a sudden panic that someone could be hacking their way into our data. We are quite used to people remoting on, so this seemed a possibility. The more IT literate wondered about data or key logging, and whether someone was trying to record our passwords, so the initial thought was to turn everything off bar one computer, from which our practice manager was desperately printing off lists of who was coming in that afternoon.

I think it’s fair to say our business continuity wasn’t perfect. We have practised what happens if we lose communications. All appointment lists are backed up to a local PC. In retrospect, I’m not convinced that is enough. What happens if you can’t get to that PC? I can barely consult without some form of electronic record. Even knowing what drugs someone is on or their allergies would help. I remember a few years ago a surgery that was giving people a USB stick or small CD with a summary print out of their record, any time they attended the surgery. This might have been useful if we had anything to read them on. You might think patients being able to access their own record would be the answer – I guess it is if they all sign up and bring some independent kit in with them.

Interestingly we quickly learnt that EMIS was OK. It’s a streamed remotely hosted service and the attack was a national thing against PCs, though we seemed hit hard. It was just our computers and network that were suffering – no data was going. The IT people took the decision to shut down the network, presumably to stop the issue spreading. Our active directory then died. Losing shared folders took out Docman, so no letters. Turning off the caching servers ground EMIS to a trickle, though the number of uninfected machines got smaller and smaller by the minute and by 5pm we were effectively flying blind. Luckily it was a nice day, demand was bizarrely low and patients seemed quite amused – especially as it started breaking on the news. People might now be calling for the head of British Airways to resign but there was little anger at our problem.

I think what this has shown is we almost need a reserve piece of kit. A Mac perhaps, or a Unix box that isn’t on the same network but can get a 3/4G signal or onto Fon through the BT wifi from across the way, and allow us perhaps read-only access to EMIS and our appointments. Perhaps every GP should have an iPad as a backup? EMIS will need to build this functionality – their mobile app had promise but I understand it needs to speak to the local server. What we need is a direct feed to the hosted data. So I can carry on consulting – being battery powered I could even do this without power (this has happened to us numerous times), and being able to wifi/Bluetooth to a printer would help prevent me having to hand write things. So go on, EMIS: there is a product you can probably charge me for.

The crazy thing is not why hospitals suddenly got all the attention. Lazy London TV journalists is my answer to that – hopping on a tube and standing outside a hospital hoping to interview an attractive A&E nurse seemed to be the default response to the story. The crazy thing is why it took so long to sort and why we were so unprepared.

The root cause analysis is starting, though interestingly there seems almost a faint resignation rather than major outrage and I doubt heads will roll. Why was my area hit hard? Lack of investment? Lack of expertise? Lack of person power? A reliance on legacy software that utilises old operating systems?

There has been an interesting debate on DHI about Linux and virtualisation. I’ve wondered both whether all this should be centralised – getting rid of the numerous local servers and replacing them with some massive virtual server infrastructure in the sky – versus whether it is because we are all connected and using the same kit that we were hit.

In biological terms, did you know that almost every banana we eat is a clone of one type of banana? All it takes is one bug to come along and the world’s banana production will end. Usually people would advocate a rich diverse ecosystem. Perhaps the answer is that. Turn our services into web-accessible, browser-based services. Have a rich diversity of machines on the desktop that can display them. If some go down, others survive.
