I’m still in Washington, but have just picked up some news that reminds me not only of home, but of my job of a few years ago, when I worked as a security manager for the UK’s National Health Service. It’s been announced that the Barts and The London NHS Trust, which includes several of the best-known hospitals in London (St. Bartholomew’s, the Royal London, and the London Chest Hospital), has been hit by a virus (apparently a version of the venerable Mytob email worm). It’s been commented that an urgent review of the Trust’s security policy is needed. That couldn’t do any harm - how come so many systems were apparently compromised? - but the problem may go a little deeper than that.
Unless the infrastructure has changed dramatically in the last 2 1/2 years, much NHS email (and there is a lot of it – well over a million people work for for the National Health Service) goes through a mail service currently called NHSmail. NHSmail (which is at least the third incarnation of this particular service) was intended to replace the relay services that carried the bulk of NHS email at the beginning of this decade. The current service is defended by "cutting edge" anti-virus and anti-spam, and that protection was supposed to have been extended to the relay services several years ago. So, there is certainly a question to be asked about the state of the Trust’s own email defences. I have to wonder, though, how email-borne malware can apparently still get through to an NHS site as easily as it could earlier in the decade, when email services were far more fragmented and decentralized?
David Harley CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET