22519 February 6, 2018 7:33 AM

Governments can manufacture attack tools, but they can’t protect their close allies against them. Nothing like undermining the security of a country you have a special relationship with.

Maybe we need to stop making exploits if we cannot keep the genie in the bottle and prevent it from running amok.

RogerBW February 6, 2018 8:01 AM

The same NHS that… kept essential services going, and was fully back up and running within a few hours. Yeah. That one.

Also the same NHS that I believe is now the world’s largest buyer of fax machines.

Things aren’t quite that simple.

Clive Robinson February 6, 2018 8:35 AM

@ ALL,

This is the same NHS that was debilitated by WannaCry.

It was also the same NHS that under the Tony Blair Government (that gave you the Iraq War) became what some claimed to be the “largest Government IT Project” in the world, christened “NHSnet”[1].

It nearly bankrupted many NHS Trusts[2] and fairly quickly became the “largest white elephant” in the world.

All the prime contractors failed in their tasks and the guy in charge who talked tough about “giving the bullet” turned out to be sufficiently bad that he did not rate the cost of a bullet.

As part of this nonsense GCHQ put their snout in the trough[3] with a couple of their “specials” encryption systems called “Rambutan”[4] and “Red-Pike”[5]. Whilst supposedly being “secret”, enough issues have surfaced about Rambutan[6] to suggest you don’t want your confidential medical records being sent by it. Red-Pike is a software based system, which likewise has a bunch of questions hanging over it. Not least is why go for another crypto system when AES is assumed more than good enough?

The NHS IT infrastructure is a mess; the whole “Number 10 Policy Unit” strategy was a disaster from the get go. It was directly responsible for the “Glut followed by famine funding” which has done so very much harm and the people of the UK are paying for it over and over…

Think of it as OPM for the entire UK population, and any visitors who have used its services… and you will get an idea as to the size of the problem.






[6] Somebody suggested that like the fruit Rambutan would be awkward and prickly on the outside but soft and easily yielding to the people that know the trick (that is it’s in effect backdoored by GCHQ).

22519 February 6, 2018 9:12 AM

@ Clive Robinson

“Think of it as OPM for the entire UK population, and any visitors who have used its services… and you will get an idea as to the size of the problem.”


GCHQ gets involved, it still fails. Boatloads gets spent, it still fails.

Then the North Koreans, evidently, who are not resource heavy to say the least, do a little downloading thanks to Shadow Brokers, maybe on empty stomachs, and they shut the NHS down for a while and embarrass everyone. How asymmetric can it be? The people with very limited resources seem to have an advantage.

Tom February 6, 2018 9:15 AM

Let’s be precise: how many hospitals were influenced by Wannacry? What was the percentage of total medical organizations in UK? Was it as big as it looks like?

The fact that Wannacry was active in homeland of BBC that made the local news to worldwide news should be taken carefully.

Francois February 6, 2018 9:27 AM

If it’s the same as in Belgium then there’s not a lot of hope.

Here hospitals are mostly non profits, receiving money to operate from the state. The state is constantly reducing budgets for health (or at least not increasing them) and they go to the doctors, who pay for a practice in a hospital. This includes everything like the machines necessary for the practice and the IT, etc.

No way the IT is properly funded, let’s not even think about security.

GDPR compliance is the big risk so there will be money for that, but barely enough to do anything meaningful.

Sheilagh Wong February 6, 2018 9:53 AM

@RogerBW “Also the same NHS that I believe is now the world’s largest buyer of fax machines.”

The reliance of the medical profession on fax machines is rather curious. Here in Calgary, Alberta the fax machine has almost disappeared from the business world, but, like with Britain’s NHS, it is still used extensively by our provincial health service. Every few months there is a news story when someone’s medical test results get faxed to a local 7/11.

Peter S. Shenkin February 6, 2018 11:12 AM

@Clive “The people with very limited resources seem to have an advantage.”

Kipling, “Arithmetic on the Frontier”:

A GREAT and glorious thing it is
To learn, for seven years or so,
The Lord knows what of that and this,
Ere reckoned fit to face the foe –
The flying bullet down the Pass,
That whistles clear: “All flesh is grass.”

Three hundred pounds per annum spent
On making brain and body meeter
For all the murderous intent
Comprised in “villainous saltpetre”.
And after?- Ask the Yusufzaies
What comes of all our ‘ologies.

A scrimmage in a Border Station-
A canter down some dark defile
Two thousand pounds of education
Drops to a ten-rupee jezail.
The Crammer’s boast, the Squadron’s pride,
Shot like a rabbit in a ride!

No proposition Euclid wrote
No formulae the text-books know,
Will turn the bullet from your coat,
Or ward the tulwar’s downward blow.
Strike hard who cares – shoot straight who can
The odds are on the cheaper man.

One sword-knot stolen from the camp
Will pay for all the school expenses
Of any Kurrum Valley scamp
Who knows no word of moods and tenses,
But, being blessed with perfect sight,
Picks off our messmates left and right.

With home-bred hordes the hillsides teem.
The troopships bring us one by one,
At vast expense of time and steam,
To slay Afridis where they run.
The “captives of our bow and spear”
Are cheap, alas! as we are dear.

Denton Scratch February 6, 2018 11:34 AM

@Bruce Have you started getting your news from Trump’s twitter stream?

The NHS was not ‘debilitated’ by WannaCry. That claim is not attested by the Guardian article you cite.

Some units suffered reduced functioning for a couple of days, and were compelled to reschedule non-urgent appointments; many did not. No units were closed, no units stopped treating patients.

There are serious security issues in the NHS that deserve the attention of your blog, especially the apparent determination of certain civil servants to sell off patient data without their permission – google MedConfidential if you want to learn more about this. But all medical organisations are going to be exposed to stuff like WannaCry, because they all have equipment running stuff like WinXP, that can’t be upgraded but has not yet reached EOL. I’m sure this is also true in USA.

vas pup February 6, 2018 12:20 PM

@all: folks in UK are not stupid. As soon as they still have broad utilization of fax machines in NHS it should be some reason. I am sure that is not kind of corrupt scheme when manufacturer gives kickbacks to officials of NHS.
Any input?

Clive Robinson February 6, 2018 12:51 PM

@ Peter S. Shenkin,

“The people with very limited resources seem to have an advantage.”

It was not my comment you quote but that of @22519

As for Kipling’s observation, about a scamp with eyes not ruined by bookish study, yes the advantage is often with those that are perceived as the lesser force… Where once the British red coats lost, the Russians and the US strayed with equal folly.

Kipling had other words to say in “The Young British Soldier” the last verse of which, has stuck with me for years,

    When you’re wounded and left on Afghanistan’s plains,
    And the women come out to cut up what remains,
    Jest roll to your rifle and blow out your brains,
    An’ go to your Gawd like a soldier.

    Go, go, go like a soldier,
    Go, go, go like a soldier,
    Go, go, go like a soldier,
    So-oldier of the Queen!

The simple fact is a lesser force has not just more targets to hit, they don’t have the large perimeter to defend either.

Thus a single “scamp” can crawl right up and take ten or twenty of a superior force, and with a little caution get away.

The same rule applies to ICT; the West is a huge target rich environment with only snake oil defences. It only takes a little ingenuity to wipe out many effectively undefended targets.

We know that the US has upside down thinking on this with the “Offense is best” thinking, and it’s safe to assume such thinking is used in many other countries.

However there is an old saying about “Those who live in glass houses should not throw stones” which by logical progression arrives at the notion of “MAD” credited to the RAND Corporation.

However it does not work when your enemy not only does not have glass they don’t live in houses. The logical progression of which is forces too mobile to pin down.

The problem we in the West have is that we do not fight on our own door step, nor do we learn the skills to survive. We mistakenly believe that “distance and technology will save us”. We know they won’t, 9/11 showed the whole world what happens when you turn a nation’s technology against them it defeats distance with ease and a society that no longer understands basic survival skills has become so dense that it’s near impossible not to hit many targets irrespective of how you throw the stone.

It’s long past time when a little sanity entered the game. High tech weapons achieve little of value to society. They do however enrich a small self selected group at great expense to the many. This stupidity is playing out again on the Internet, where most computers in the West have less protection than a loose hanging tent flap would give. The illusion of security is sold to you by “snake oil salesmen” whose main interest is their wealth, not your security.

Worse you have OS and Application suppliers likewise caring not one jot for real security just the bells and whistles of mainly useless features, that keep lease sales rolling in nicely such that large rents are gathered.

Thus the real question is, “Just what sort of event does it take to change such a disastrous market to one that is even marginally rational?”.

safetony February 6, 2018 1:10 PM

@Clive Robinson

I’m guessing it’s going to take a massive hack resulting in everyone losing all their bitcoins due to an INTELME hardware backdoor that “accidentally” logged everyone’s private key plain text on a publicly accessible webserver.

Secret February 6, 2018 1:18 PM

” 9/11 showed the whole world what happens when you turn a nations technology against them it defeats distance with ease ”

9/11 is being referenced over wannacry hitting hospitals? Where’s my facepalm emoji..

9/11 showed the world that the US doesn’t investigate Saudi Arabia or Israel even when they need to.

Let’s not go fully Godwinesque on every topic, can we agree to avoid that particular hyperbole?
That rabbit hole is a lot deeper than ransomware analogies.

Tatütata February 6, 2018 1:45 PM

@Bruce Have you started getting your news from Trump’s twitter stream?

Speaking of the beast. There was a report yesterday in the Grauniad about PM May being embarrassed by the Orange Utang dissing the NHS. Any connection?

I am more worried about corruption, e.g., Big Pharma ghostwriting phony studies in favour of their crap. It happens everywhere, and Ben Goldacre described a couple of cases at NHS funds.

albert February 6, 2018 2:07 PM

I was thinking about the OMB hack, and all the terrible damage that -may yet- result from it. Actually, I’m thinking about -all- attacks, those provable (like ransomware) and those proclaimed either by contractors or gov’t agencies.

How many of these really happened? How many are security theatre?

I’ll tell you why folks are fed up with this computer security crap. It’s all talk, talk, talk, and no action. The big corporations and the IC/LE bureaucracy act all interested and do stuff, but the hits keep coming. (It’s no accident that Congress can’t seem to do anything, either)

Does anyone seriously think that upgrading your OS is going to help? It’s a load of bull. Fact: anyone with admin clearance is in, regardless of all the ‘security’ bells and whistles.

A few folks are making a lot of money selling the snake oil, so there’s that, and the Deep State has a definite interest in keeping everyone scared s–tless[1]

The situation is hopeless, but not serious.

Anyone got anything other than gov’t propaganda? I’m all eyes…but I’m not holding my breath, either.

[1] See
. .. . .. — ….

echo February 6, 2018 2:38 PM

I noticed this article about NHS security inadequacy the other day along with an article with claims made by GCHQ about how wonderful GCHQ were.

GCHQ unit claims it has ‘objectively’ made the UK a less desirable target to cybercrims

I don’t worship at the altar of the NHS. The NHS and medical profession have a lot of faults they are not candid about. No system is perfect and the US system has its glaring issues too. Stanford University published a paper over a decade ago thoroughly examining the US healthcare system which has lessons which apply universally. The conclusion was that egotistical turfwars and empire building between doctors and admin can squeeze patients out and that quality patient healthcare was dependent on patients having a strong voice. While policies and legal remedies exist they are not terribly effective.

Hippocratus February 6, 2018 2:50 PM

“The conclusion was that egotistical turfwars and empire building between doctors and admin can squeeze patients out and that quality patient healthcare was dependent on patients having a strong voice.”

What you’re explaining is that unregulated inherent ‘market forces’ in medicine cause unnecessary deaths.

It’s just another example of the “market” not being the best model for delivering all services.
Socialized medicine regimes work better than throwing the poor to wolves – or bankrupting the ‘fortunate’

Freud February 6, 2018 2:52 PM

The next person to whine about the “deep state” gets a needed mental health vacation paid for by taxpayers.

Clive Robinson February 6, 2018 3:23 PM

@ Secret,

9/11 is being referenced over wannacry hitting hospitals? Where’s my facepalm emoji..

Maybe you should start by putting your reading glasses on. The comment was in a reply about Asymmetric Warfare in general, of which most would agree 9/11 is the most notable this century.

As for,

9/11 showed the world that the US doesn’t investigate Saudi Arabia or Israel even when they need to.

That is a matter of your opinion and may or may not have some truth in it in general or in the specific. But one thing is clear the mess in the ME was a long time coming and the US was there every step of the way after cheap and easy oil… For many that price was way too high, so one could ask “Who was investigating the US even when they needed to?” In theory it should have been the US Citizens…

vas pup February 6, 2018 3:49 PM

@Hippocratus • February 6, 2018 2:50 PM.
I agree with your point. Business for profit model is not universal for all types of human activity.
Health care as a whole and selling prescription drugs in particular should not be organized by the same business model as selling e.g. cars, diamonds, you name it. But, something in medical field should primarily function on business for profit model: plastic surgery, kind of Hollywood smile dentistry, and (forgive my political incorrectness) surgical operations on gender change. You may continue this list based on your own views.

echo February 6, 2018 4:02 PM


I would like to know what if any solution the NHS proposes to address ‘cyber security vulnerabilities’.

I took great care not to comment on markets or public/private sector balance. I am taking great care not to use this topic to pursue political agendas or personal gripes.

Disclosure: I am attempting to bring a case of gross negligence, discrimination, and fraud against the NHS.

@vas pup

Please stop making swipes against transgender people especially when a transgender person is in the room? Thank you.

Anura February 6, 2018 4:06 PM

@vas pup

Health care as a whole and selling prescription drugs in particular should not be organized by the same business model as selling e.g. cars, diamonds, you name it.

Why not? I mean, the business model we have for selling cars, diamonds, and everything else is bad for the same reasons the healthcare industry is bad. Everything we sell should be made in the best interest of the consumer, and everyone who sells stuff should have a code of ethics detailing their responsibility to the customers they serve that they are expected not only to adhere to, but to uphold as well.

The most efficient economy is the one where everyone acts in the best interest of their customers; for-profit businesses seek to create a less efficient economy so that the people who don’t work can get more for themselves – something they can only do because people depend on them due to inefficient markets. We have limited resources, and for-profit businesses cause us to use more for less benefit, which gives us fewer resources to actually provide healthcare while requiring more of it.

jens February 6, 2018 5:16 PM

Because businesses don’t act in the best interest of their customers, they act in the best interests of the stockholders.
So when it comes to medical care it is in their best interest to deny deny deny to decrease their costs. It is better that their patient die.
That is why health care is not the same as cars and diamonds.

Anura February 6, 2018 5:44 PM


You didn’t say why that’s a good thing. Yes, it’s a reality that businesses act in the interest of their shareholders, but that isn’t a reason why businesses shouldn’t act in the best interest of their customers. Why should there even be shareholders who are not directly involved with the business? Why shouldn’t the customers own the businesses in the first place?

The only reason businesses can act against the desires of the customers is because the market is inefficient – and it’s inefficient because of the decisions made by the owners (such as withholding information about products, making business decisions that reduce consumer choice). Literally, the people who make the most money in society do so by making decisions that lead to worse outcomes for the economy as a whole – why is that a good thing?

Fred February 6, 2018 6:14 PM

Fax machines are still common in many USA doctors’ private practices; in order to comply with HIPAA many have gone back to paper records and faxes rather than try to implement secure digital records plus access systems.

Mark February 6, 2018 6:18 PM

It’s always amusing when Americans comment on healthcare (or anything) outside their small world.

Bruce, as others have pointed out, there’s no such thing as the “UK NHS”.

I have a lot of experience in vulnerability management. Show me a company that does it well, and I’ll fall off my chair. Every company I’ve seen is average to terrible at identifying and remediating vulnerabilities.

I’d rather the NHS spent its money on doctors, nurses, and even administrators, not on fixing vulnerabilities, especially given the staff problems they have.

JG4 February 6, 2018 7:49 PM

@commenters on Kipling, some interesting history

After his son’s death, Kipling wrote, “If any question why we died / Tell them, because our fathers lied.” It is speculated that these words may reveal his feelings of guilt at his role in getting John a commission in the Irish Guards.[77] Others, such as English professor Tracy Bilsing, contend that the line is referring to Kipling’s disgust that British leaders failed to learn the lessons of the Boer War, and were not prepared for the struggle with Germany in 1914, with the “lie” of the “fathers” being that the British Army was prepared for any war when it was not.[71]

The Queens Harumph February 7, 2018 12:36 AM

“It’s always amusing when Americans comment on healthcare (or anything) ”

Stow your continentalism lest ye drown in a Brexit, ye olde asshat.

22519 February 7, 2018 7:55 AM

@ Clive Robinson

        "We mistakenly believe that 'distance and technology will save us'."

That is definitely true: the Vietnam War has many good examples of how American faith in the efficacy of military technology was riddled with judgment errors like Swiss cheese.

                   "An' go to your Gawd like a soldier."

Having served in Afghanistan twice–not in the rear with the gear, but with a beard and deep in it–having come back alive after seeing bodies stacked like firewood, I found myself thinking about Kipling and his verses. I wonder if he had anything to say about the mask of everyday life falling off your face–and off of that red chambered thing under your solar plexus.

“It was the best, most interesting, and funnest part of my life.” That is how one might feel before having been hit by a piece of flying metal, etc. Being a pall bearer is also something one will not forget.

David and Goliath. If you read that story, David was pretty optimistic. His technology was good, even though he did not have a lot of it. Goliath was a bada$$, but he had a big attack surface. David went on offense.

The psychology of offense/defense plays out in cyber war too. Offense has big advantages: you choose the time and place to attack. You don’t get tired waiting for the assault, and you don’t need a lot of folks and you can perhaps conserve resources. You can do a lot of planning, be sneaky, probe, find out what works, use heuristics. Defense might be limited to theoretical constructs. On defense, apathy can take hold and one can feel trapped. Offense is exciting–you can stick and move.

On comparing the Taliban or Anti-coalition Militia (ACM) to North Koreans who are on cyber ops: sometimes when you have very little it makes you stronger because you learn how to maximize what you have.

A man in a corner digs down into himself, finds a fighter, and becomes dangerous; a fat slob contractor in a plush hooch on a big protected base digs down into his tacos on Mexican night and checks his fat pay stub daily. Guess who is destined to win?

AlanS February 7, 2018 8:34 AM

@The Queens Harumph

The national health services are “drowning in a Brexit”. They were already having difficulty retaining and recruiting the skilled workforce they need to run. Brexit has made the problem much worse as the UK doesn’t train enough skilled employees to staff the NHS itself so is dependent on an inflow of skilled employees from the EU and elsewhere.

vas pup February 7, 2018 8:45 AM

@echo: sorry, but you see in my post what was not there. I have nothing against transgender folks for the following reason: your body belongs to YOU, not Queen, President, Government. For that reason I absolutely support the right of any person (after age of maturity) to be absolutely in charge of it, in particular: change gender, have sex for free or for money with same gender or other in any fashion in their own privacy (no violence assumed), donate your organs, make any tattoo, even commit suicide when your life is total physical or mental suffering, BUT I was talking about WHO is going to pay for gender change operation. Payment could be structured by payment plan for the person going through the operation, but I strongly oppose putting financial burden on other tax payers. Same with abortion: as soon as fetus could not exist separately from woman’s body, that is part of her body and she is in charge to make final decision on abortion. If there is a medical condition for abortion (danger for woman’s health), then government should pay. Otherwise in case of rape – rapist (after caught – government could pay first but then get money from criminal), incest – perpetrator. I mean you should apply kind of balance of moral, reason, and calculations to establish PRIORITIES when resources for health care are not unlimited.
Health care is just part of wider subject: demographic policy of the country you are living in. China would never get such economical growth if not timely applied policy of “one family one child”. Societies are in search of mechanisms of influencing demographics (good or bad). Interestingly, in the link below, three of those countries are currently in the top five to live in:
Dear Moderator: without good demographic policy there is no security and good future for any country. That is why this post relevant to the blog.

Moderator February 7, 2018 10:28 AM

@vas pup: “Without good demographic policy there is no security and good future for any country.” Nonetheless, this is not the place for debate over public funding of gender reassignment procedures.

echo February 7, 2018 10:34 AM

@vas pup

What you are describing is extreme selfishness and institutional discrimination. If we all cherry pick for the trash can something we don’t personally need then what? Where does it end? As WPATH states trans healthcare is medically necessary and in some cases life saving (not to mention life enhancing and likely to pay back in terms of increased productivity and is cheaper in total than it costs to house a prisoner for one year).

Worldwide studies prove diversity has a strong economic gain.

Why are we even having this discussion?

Wendy M. Grossman February 7, 2018 1:32 PM

Bruce, as others have pointed out, WannaCry affected a relatively small percentage of NHS trusts, and interfered very little with patient care.

As others have suggested without being clear, “the NHS” doesn’t exist; instead Britain has NHS England, NHS Scotland, NHS Wales, and Health and Social Care Northern Ireland. I’m not sure how much autonomous control each has, but I believe it’s substantial. From a patient’s point of view it makes no difference. If you need care, you present yourself at the nearest surgery or A&E, and you get treated without anyone’s asking to see a card or fill out paperwork.

It always seems to me that in these debates most Americans confuse medical care with the means of paying for medical care. You can quibble with difficulties providing care to all and sundry in every medical system ever created, but as a means of paying for medical care, the NHS is unbeatable. I often wish some of those business-oriented opponents to single-payer health care in the US would add up the incredible productivity waste in the US that’s taken up by filling out useless paperwork, waiting on hold for insurers, and arguing desperately to get consent for this or that treatment. It’s an incredible drain on the economy.


AlanS February 7, 2018 2:51 PM

@Wendy M. Grossman

“I’m not sure how much autonomous control each has, but I believe it’s substantial.”

It is. Each national health service is overseen and funded by its own government.

“From a patient’s point of view it makes no difference.”

Because NHS England has adopted a market model (today: Theresa May refuses to exclude NHS contracts from US trade deals), unlike the other three, there are increasing differences. The treatments available, staffing, quality of service, and out-of-pocket expenses are different so it might very well be different from the patient’s pov. As was already noted above, if you read the coverage I linked to earlier, differences in IT services meant that Wannacry had essentially zero impact on the national health services in Wales and NI.

Clive Robinson February 8, 2018 1:14 AM

@ 22519,

That is how one might feel before having been hit by a piece of flying metal, etc.

I try –mostly– to “look on the bright side”, but yes I’ve seen a few things that would turn the stomach of most, such as bits of peoples brains and skull spread around.

But mostly I was lucky whilst wearing the green the only bullet I came into close contact with coming in my direction was a ricochet from an SLR, so technically blue on blue. It was back when your helmet was the only body armour on issue and it hit me in the chest slightly left of center. Yes it hurt but most of the energy had been lost in the bounce, so a bit of bruising only, I still have it in a box at home. Oddly I’m not the first in my family to get hit in the chest by a bullet and walk away, it also happened to my Grandfather during WWI[1]. There have been other bits of flying metal glass and one human hit me but they were from military vehicles that discovered Newton’s laws do apply and the worst I suffered from them was a broken bone (but did not realise it for a couple of hours, until the fight/flight hormones washed out).

Having been in a few interesting places back then, it seems odd that nearly all the injuries inflicted on me by others have happened within walking distance of my home at the time (or when stabbed in the head actually in my home). Looking back there have been ten or twenty occasions when I should have been killed doing various sporting activities (such as bouncing 300ft down one of the three sisters at Glen Coe, getting trapped under ice when winter white water canoeing etc). Then there were the many motorists who could not be bothered to see me on my bike…

It’s funny but it’s only as I get older and the aches of injuries long past tell me the weather is on the change[2] that I realise that maybe I should have been a little less bold when younger.

[1] My mother kept my Grandfather’s book of common prayer and the two mangled coins that saved his life. He was shot by a German sniper whilst on Church Parade and had the prayer book and coins for the collection in his left breast pocket which stopped the bullet. He was returned to the lines the same day but was a very short while later disabled in an early gas attack and lost much of the functionality of his lungs. Many of those he knew were not so lucky especially the “Pals” he had signed up with.

[2] For years Drs would tell patients with “bone ache” it was all in their heads, much like they did with “Phantom Limb” syndrome. But scientists have known for years that slow pressure changes do cause aches where people have broken bones in the past.

Otter February 8, 2018 2:33 AM

@ AlanS

You can’t blame “Brexit” for “the UK doesn’t train enough skilled employees to staff the NHS itself”.

Doubtless, there are ungrateful wretches in the EU, and especially elsewhere, who are cautiously hopeful that Brexit might allow them to put down the Whiteman’s Burden of training at enormous costs skilled employees for the UK.

Cassandra February 8, 2018 2:55 AM

Re: Rambutan and Red Pike

GCHQ/CESG must surely be aware of Kerckhoff’s Principle, so I can only assume there are good grounds for making the attempt to keep the details of the encryption methods within a restricted distribution. It could be as simple as making researchers’ lives more difficult, so they move to easier and more lucrative targets. There are, of course, other possible reasons, including unlikely ones, such as stupidity or ignorance.

With regards to the day-to-day workings of the NHS*, there are many blatant and obvious inefficiencies in moving information around and sharing it, as many long-suffering patients know. My own medical records have been completely lost. From a security point-of-view, the organisation is difficult to describe, let alone put any form of security perimeter around. It is entirely normal for access credentials to be shared far and wide because the identification and authorisation mechanisms have been implemented in ways that do not work with the day-to-day procedures of the many clinical departments meant to use them.


*The NHS does not exist. Or rather there is an independent National Health Service in each of the Nations of the United Kingdom (England, Wales, Scotland, and Northern Ireland – in Northern Ireland it is called ‘Health and Social Care’). Each of these independent organisations are made up of independent groups contracting services to each other – the details vary according to country and possibly, region within a country. There are a lot of legally distinct entities providing services to each other under what appears to be a single ‘NHS’ umbrella. The quality of the IT infrastructure, and the resources available to operate it vary from entity to entity. Chaotic is one word to describe it. In organisation, it is probably more like a health-sector conglomerate, keiretsu, or chaebol, than a well-managed company.

Cassandra February 8, 2018 3:19 AM

I made at least one embarrassing mistake in the above posting.

It is of course, Kerckhoffs’ principle, not Kerckhoff’s principle, as the name of the person who formulated it was Auguste Kerckhoffs. I was confusing him with his contemporary, Gustav Kirchhoff.

Etymologically, I think it is the same surname, meaning ‘Churchyard’ in English. The well known philosopher Søren Kierkegaard, also contemporaneous with Auguste and Gustav, has a surname that shares the same meaning as well.


Thomas Sewell February 8, 2018 4:47 AM

When you say, “unregulated inherent ‘market forces’ in medicine”, which country are you talking about?

Surely not the United States, in which health care provision and insurance are some of the most regulated industries we have, with only the financial sector and utilities coming close to the same level of regulatory control.

0Laf February 8, 2018 6:14 AM

The standard they’re being assessed against is Cyber Essentials +. UK gov created that standard to apply against SME companies with 250 companies or less who use mainly off the shelf software. It’s a control based standard and not risk based.

Funnily enough auditing that standard to a gigantic organisation (even small NHS trusts will have thousands of employees) with huge networks and complex bespoke solutions and lots of legacy kit (can’t replace MRI scanners at the drop of a hat) has resulted in a 100% failure rate.

Typical government have been talked into pushing a square peg into a round hole by people who don’t know what they are doing.

If they’d done a proper assessment based on risk the NHS might have had a chance. But then that would have cost much more money and would likely have highlighted a lack of resources and skills within NHS IT. That would have been politically undesirable.

AlanS February 8, 2018 8:02 AM


Not quite sure what your point is but I wasn’t blaming Brexit for “the UK doesn’t train enough skilled employees to staff the NHS itself”.

My point was that they are not self-sufficient — a statement of fact (why this is the case is another topic which I didn’t address, although many point to under-investment in training) – and as a result they depend on inflows of employees from the EU and elsewhere. There was already a problem retaining and recruiting the workforce they need to run the health services. The problem has been made worse by Brexit as foreign workers no longer feel welcome and are uncertain about whether they will be able to stay. Many already in the UK are leaving and ones who might have come are no longer coming.

In a broader sense, Brexit looks like cutting off one’s nose to spite one’s face. Areas such as medicine, the sciences, technology and much more depend on international collaboration and flows of personnel.

Otter February 9, 2018 9:01 AM


NHS(s) are not drowning in Brexit. NHS(s) are drowning in the UK doesn’t train enough skilled employees … among numerous other problems.

AlanS February 9, 2018 11:01 AM


I don’t think the two are mutually exclusive. The UK had numerous economic and political problems before the Brexit referendum. The referendum has transformed these problems into a national crisis.

Clive Robinson February 9, 2018 11:48 AM

@ AlanS,

The UK had numerous economic and political problems before the Brexit referendum. The referendum has transformed these problems into a national crisis.

Or to put it another way, an incompetent person was given a job they were clearly unsuited for simply because they were the only compromise to get enough votes. They then lurched from disaster to disaster whilst trying to curry favour from a deeply divided party totally at odds with each other.

To hold onto power she will do any kind of irrational action, thus leaves herself open to coercion.

It’s a complete and utter mess which the UK really does not need at any time let alone what is fairly rapidly turning into the worst of times.

Oh and surprise surprise, you may remember that I said that the areas of the UK that voted for brexit would lose the most by it… Well a report that recently came out said the same thing but put actual figures on it.

I suspect that if another referendum was held the vote would be somewhat different now.

But that’s not going to happen as the incompetent person sees Brexit as her claim in the history books, irregardless of if it is for good or bad. Like Captain Ahab she’s set her sails and steerage right for the crashing waves and like Ahab she’s going to pursue that whale to the end, no matter if it’s hell or high water.

AlanS February 9, 2018 6:40 PM


Indeed, but as someone noted below the latest Steve Bell cartoon, it has gotten to the point that “incompetent is no longer a term she is worthy of”.

Clive Robinson February 10, 2018 3:11 AM

@ AlanS,

This is where I become “An enemy of the State”;-)

That Steve Bell cartoon for some reason reminds me of one of the “Airplane Movies” that featured “Roger Roger” and “The inflatable emergency auto pilot”…
