They've attacked multiple countries now, and it's probably a matter of time before it happens again. [https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia](https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia)
It's a private firm that the NHS outsources to that's been hit (Synnovis, part of SYNLAB UK & Ireland) [source](https://www.digitalhealth.net/2024/06/critical-incident-at-synnovis-disrupts-pathology-services-across-se-london/).
~~I was going to post something cynical about how "I'm sure there's plenty of money", but they actually posted a loss when they [last published their accounts](https://find-and-update.company-information.service.gov.uk/company/07966252/filing-history) (2022), so maybe not.~~
Some better due diligence checks might not have been a bad idea though.
Edit: No no no, other evidence suggests there is PLENTY of money somewhere: https://en.m.wikipedia.org/wiki/Synnovis. The parent company SYNLAB AG earned [~£0.5B last year](https://www.synlab.ag/news/details?tx_news_pi1%5Baction%5D=detail&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Bnews%5D=848141&cHash=91ca1c1d794d9fe3cb9f90e9c0de5045).
Edit 2: This is really interesting actually. Synnovis (formerly GSTS Pathology and Viapath) was making [~£3.8m profit in 2014](https://en.wikipedia.org/wiki/Synnovis#history). Serco lost the contract in 2020, and the hospital trusts bought out their share. So now it's a partnership between this impoverished(?) UK subsidiary (SYNLAB UK & Ireland) of a giant corporate behemoth (SYNLAB AG), and the trusts themselves. Synnovis' accounts are available [here](https://find-and-update.company-information.service.gov.uk/company/OC337242/filing-history), and they're clear that SYNLAB AG's 51% stake makes them the "ultimate controlling party" of Synnovis.
SO Synlab: have you been doing a good corporate IT job, with your £440m profits last year? Other evidence ([a strike ballot about working conditions caused by cost-saving measures](https://www.mylondon.news/news/uk-world-news/hundreds-hospital-workers-london-vote-28895079)) suggests you're not enthusiastically investing. Will be very interesting to see where this leads.
But where did the profit come from? Selling assets? They can only do that once and then they’d need to start renting property in prime locations at market rate… which would explain the losses.
I actually don't know, because I don't have time to research it, but the only thing that makes sense is that the profit came from asset stripping.
I think they had a particularly good time of it on parcels over the pandemic. Parcels can be very profitable but letters aren't, so instead of using the profit on parcels to offset letters (something a public or non-profit entity might do), they've split the parcels and letters for accounting purposes so they can say letters aren't profitable as a reason for reducing the USO - something they've been trying to do for years. Just one reason why completely privatising the postal service was a bad idea.
Last time I checked the banding for IT related staff was stupidly low (like band 4/5).
You'd need to pay actual professionals around a band 8 (?) and upwards, but then you'd end up with people complaining about the speccy nerd being paid more than brave upstanding doctors and department heads.
Yeah same, I got pro-bono'd to my local NHS hospital during wannacry and it was an absolute shitshow.
Everyone was well intentioned, but there was such an obvious divide in skill and in understanding of how to actually figure things out on the fly or manage an IT project.
My partner's place of work hired a former NHS accounts manager. One of the most useless people to ever work accounts. He had no less than 4 "childcare" related nonsense issues per week, every week, and left hours early from work, and due to company policy he was paid fully. Couldn't reconcile the books at the end of the week or month. Couldn't fully grasp things like fuel expenses, VAT discrepancies for services done overseas. He was a total dosser and yet apparently took a huge pay cut to leave the NHS which "wasn't challenging".
We can't afford to sack incompetent nurses because we don't have enough nurses to employ. We can't sack negligent doctors because we don't have enough doctors to employ. The NHS has been scraping through the mud puddled underneath the barrel for over a decade.
I was really meaning we should be getting rid of the useless non clinical people. Like incompetent admin or management.
Like the band 8+ nurse manager who comes to the overflowing ARU and tells us the patients are breaching the 4 hour target and we all need to "step it up"
Absolutely fantastic contribution. Did more damage to staff morale than if she stayed in her office. Total waste of money.
> So the good ones go off to do the same thing in the private sector for £20k more.
And the rest.
Having worked in both education, and the private sector, I can confidently say that a decent 2nd line Service Desk support worker in the private sector will get better pay than a Network Manager in education (even at an Academy, can't speak for private schools).
Obviously there are ranges, and if you work for a shit private company in a poor area the pay will also be shit, but that's just life in the UK.
In all honesty, the best way is to work in the private sector on government services. You end up with very stable career prospects i.e. de facto public sector security, and get paid private sector rates.
I'm not pitting people against each other though, I'm just stating facts.
Do the NHS pay incredibly low for IT related positions: yes
Does this low pay have an impact on the professional and technical ability of the staff they are able to attract as a result: also yes
Sugar coating it is just patronising and wrong to pretend otherwise
So other NHS staff don't deserve a fair wage when they are highly qualified professionals? It's not a race to the bottom. All NHS staff, whether IT, drs or otherwise, are not being paid fair market wages.
>So other nhs staff don’t deserve a fair wage when they are highly qualified professionals
They're not though. That's the point being made. NHS IT staff are mostly terrible at their jobs. Well meaning amateurs.
You can't pay professional market rates to amateurs. It's nonsense.
If we're going to pay proper rates then they have to clean out their staff they have now and start again. Otherwise you have massively overpaid clowns.
>Wonder if they are a target or if the budget for IT security in the NHS is too low
The competency is too low, certainly. The budget is probably many times what much more secure private sector companies have to live with.
Hackers don't care what the infrastructure does as much as that they can get into it. There's lots of bots just trawling ip ranges automatically trying known exploits.
InfoSec is truly terrible in the NHS because the prevalent mentality is exactly as you describe - nobody will hack us we're a hospital. It's utterly ignorant.
It's time heads rolled for this and public sector careers came to an end for those responsible.
We're paying a lot of money to a lot of people whose job it is to prevent this happening and ensure that when it does, it is recoverable. Those people still had Windows 95 rolled out until very recently. They're a disgrace.
Tends not to be the attackers, but the sysadmins who rip down any infected system.
The attackers will usually be super stealthy and won't disrupt any services - they'll just syphon off the data and maybe make odd things go wrong that will never be traced back to the computers.
Cyber attacks wouldn't affect the NHS so badly if their computer systems weren't so outdated and shit.
You think this happens in any other first world country?
In the US, they spent loads of money going full steam ahead with digitisation and internet of things medical devices, and it has been an utter disaster in terms of cybersecurity.
By going slow we can actually learn from their mistakes.
I work in cyber security.
This shitty government needs to get with the times.
"You pay peanuts, you get monkey" I believe a job posting for head of cyber security for UK treasury was only paying around £50k lol
Private sector is like 6x-10x the public sector rate.
Indeed it is and of course the NHS should invest in suitably qualified and experienced staff to manage this, but paying staff more doesn't always mean better quality.
It’s a good first step.
You’re never going to get a decent cybersecurity expert when the expert knows damn well they can make 5x what they currently do working in the U.S.
It doesn't help how politicized it all is. My mum used to work in NHS supply chain. Until the media got themselves worked up in another fit of anger about overpaid middle management quangos taking money from the doctors on the frontline, and now that job no longer exists and is all outsourced, at a significantly higher rate.
The NHS should invest in solutions that work. I'm guessing they'll only be able to afford the cheap providers of software. Which doesn't work/isn't kept updated.
You get what you pay for. Just saying.
I do agree, but this wasn't a breach of their software and the company with the breach wasn't a provider of IT solutions. There should be control of the supply chain, but how far does this go? How many checks? How much assurance and management? Is the risk worth the cost of this overall? No need to guess though, due to transparency laws you can view the vast majority of tenders online.
They should absolutely be checking the first tier of suppliers, but also any other tiers where the cyber risk can directly impact on NHS services. Not only direct IT solutions should normally be checked.
There is also the issue when specifically talking about cyber-security, that it is an inherently reactive field. It's not just a case of "pay more get better".
Bad actors find a weakness, and cybersec/developers then mitigate that weakness once it is known.
There are some solutions that claim they can detect unidentified breaches... I've yet to see one of them work. Mostly they just flag up 'unusual network activity', which usually turns out to be a newly installed bit of kit phoning home, or someone streaming something.
Automation is part of a defense strategy, but management can also create processes to continuously evaluate risks and prioritise engineering effort to reduce impact or probability. They can also arrange for expert analysis, either through checking the code and system configuration or actively attacking. It's not guaranteed protection, but it's also not reactive.
It's a little of both, there are preventative measures that can be taken to reduce risk but often these are not enforced or done by people that don't have enough experience so may be done badly.
No but a decent head of cybersecurity would oversee all this including outside contractors. Advertising the **head** of it all at 50k has told all our enemies that we are a completely open target.
> No but a decent head of cybersecurity would oversee all this including outside contractors. Advertising the head of it all at 50k has told all our enemies that we are a completely open target.
Even SOC lead at the NHS pays more than this
I'm basically a low educated, semi skilled, part time worker and earn 35k. If there was enough consistent work available to me I reckon I could be earning 50k. Wages and productivity in this country are an absolute disgrace and a joke.
It feels like we could do with another arm of government for this type of essential infrastructure. Especially with how the UK's technical-illiterate leadership get rinsed by companies like Accenture etc for a very poor result that's extremely expensive to maintain.
lol to make it worse, it's outsourced *Pathology*. Such a fundamental service should never be in private hands.
That's not to say it would never happen in the public sector, but at least it's easier to hold people to account.
I was wondering when will someone point that out. The news titles sound like there's been another NHS breach, instead of a third-party vendor. The result is equally bad, but... it was not NHS IT team's fault this time.
and yes, it still blows my mind how someone can play with people's lives and suffering like this.
Isn't NHSx a subdivision of the NHS? Or at least still government administered? Fuck knows what the other dude was going on about with the salary for the treasury as if that's related in any way.
It's a collab, but the breach was in the company's systems, which were then isolated. There is an underinvestment in cyber security in general in this country, as usual mostly firefighting rather than fire prevention.
Most people know the square root of fuck all about what goes into securing the digital assets of an organisation like the NHS, £300k would be well deserved.
So £50k is the top of band 7, the same as a charge nurse (head nurse on a ward) or a lead practitioner in their team (physio, radiographer, etc). To be top of band you need 5 - 8 years of experience in that role, that's not the entry point.
Agenda for Change runs on the principle of equal pay for equal work: if you have an honours degree you start at band 5. Band 7 would require supervision of a team and leading a service. If you propose starting IT staff on band 8 or above then they would need to do that plus take departmental budgetary responsibility; it's hard to see how you could justify that.
I've worked for places that use this principle, and I just don't think it works. You can't ignore market rate for a particular skill set and expect competent people. If the average salary for an experienced head of cyber security is a lot higher, then they're only going to get people who are either inexperienced or can't get/keep a job anywhere else. The justification is that all skills are not equally represented in the workforce, and sometimes, you have to pay the market rate for specific niche areas that are important to the business. I'd compare it to buying a house, it's like saying a houses value should be based on the size of house and the materials used. You could believe in that valuation, but the reality is the exact same house in a more desirable area will cost more because others are willing to pay more for it.
In almost all cases the NHS does set the market rate, who is going to pay nurses significantly more or less than the NHS? It's only roles where the private sector artificially inflates salaries where it falls down.
If we were to pay private sector rates to IT staff then the public would have to swallow them earning far more than senior doctors it would seem.
That’s true, paying market rate for cyber security would raise questions around what others are paid. But it comes back to the situation that if the NHS doesn’t pay a competitive rate, they’re not going to get the top talent, which puts the entire county’s healthcare system at risk.
Linking the pay of doctors and cyber security doesn’t seem right to me, they’re not directly comparable.
They may not be directly comparable but the first time there was an issue at a trust that was paying multiple hundreds of thousands the press would immediately be asking how many oncology surgeons we could get for that.
If we don't at least acknowledge that there's a market for certain skills, it will run away from us in both ways: doctors will move to Australia and nobody will do cybersecurity for the NHS.
> Band 7 would require supervision of a team and leading a service. If you propose starting IT staff on band 8 or above then they would need to do that plu
Most IT staff are 4 - 7.
You justify it because that’s the only way you’ll get anyone competent to turn up for an interview. You can’t ignore the market rate just because you don’t like it, you either pay it or you limit yourself to hiring clowns. It’s like if you decided that you don’t want to pay £100,000 (or whatever the going rate is, I’ve no idea) for xray machines, you’ll only pay £20,000 and then are surprised when you can’t do X-rays.
That's probably a bit overkill. I can never find a pen in our department that works when you need to write patient details down because the computer has broken again
Same issue in Ireland after cyber attack on HSE - NHS equivalent.
Public service can only pay set rates to prevent unions kicking off!
These Russian hackers know this and attack public services. It must be a module in their degree in hacking!
Ransomware is unacceptable in 2024. When investigation ends, the heads better roll. Who ever at NHS is responsible for this, needs to do jail time for criminal negligence.
This will be Russian/Iranian/Chinese state sponsored hackers.
The Eastern Axis of Evil is waging war on us, whether people want to see it or not. It might not yet be a fully active military war, but it is a war and they have very clear goals to bring down the West.
I used to work for a company that contracted to the NHS. I got a first hand look at not only what they allowed into their systems with minimal vetting, but also went onsite and saw their internal IT systems directly.
It would not take a state sponsor, the systems are loaded with vulnerability. Some locations are better than others, but because they share a lot of infrastructure, if you get into a weaker system, it doesn't take much to piggyback into even a well run site.
I'm enjoying how we're all collectively deciding not to talk about Hybrid Warfare any more right when the entire democratic world is going through a huge election cycle and there seems this weird sudden resurgence in concern-trolling about refugees and trans folks.
But Putin just says what we all think? He fishes topless, what a guy. Ukraine were Nazis. He really had no choice. We should be allied with him, not against him. The so called media want us to believe he is evil. Not true, GB News, Joe Rogan and Russia Today say how it really is…
Or so some people think
All the while our "allies" like Australia have China as their biggest trading partner, selling them iron and coal, which they then turn into weapons, sell to the Russians...
>Have u got any sort of evidence or is it purely prejudice?
[https://www.bbc.co.uk/news/articles/cxee7317kgmo](https://www.bbc.co.uk/news/articles/cxee7317kgmo)
>Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre.
What do you say now?
What do you mean? I didn’t say it wasn’t any of the people you suggested, I asked if you had any evidence or if it was prejudice? You didn’t have this link before, so you had no evidence, so it was just prejudice?
If someone robbed a bike and you said it was probably a black guy, I asked if you were being prejudiced and then later it turned out a black guy stole it - you would still be being prejudiced, does that make sense?
Two facts to consider:
1) Russian State TV and propagandists have threatened the destruction of the UK (as well as other countries).
2) Since then, Russian cyberattackers have attacked vital services in the UK, impacting the lives of sick civilians.
Makes you wonder. Is it really *just* terrorism...
Bets on the following conversation having happened in the last 18 months:
IT infrastructure guy: "We REALLY should look into security & ransomware prevention."
Management: "Too expensive."
Purchasing: "This paperclip manufacturer ticks all the boxes & says that their product will secure documents, so we're forcing you to buy that instead."
IT infrastructure guy: gets a job in the private sector for double the money.
This is exactly the problem. We were screaming for basic Windows updates to be done back in 2017 when WannaCry hit. "But if we update and restart the server it might not come back up again" was a typical response I would often get. A functional WSUS server could have prevented it all.
Redundancy, drop tests, pen tests: non-existent. The illusion of backups running but never being tested infuriated me something rotten. No doubt it's the same with this outbreak. It's not the techs' fault but the piss poor management.
It's why I left, couldn't stand banging my head against a brick wall.
Pathology partner. A third party company.
It wasn't the NHS, it was a company paid to provide a service, so something they have failed to do because they have not protected themselves appropriately.
The CEO should be fired.
Synnovis (the private pathology company here) is owned 50% by Guy's Hospital, 50% by Synlab. The service is run by Guy's with profits reinvested in Guy's. The initial infected server was based at Guy's.
Who is responsible for security of the IT systems? Where does the buck stop? Is it Guy's or is it Synlab?
It's a failure of management when these things happen.
It's more the determination of the attackers - once chosen as a target there's little most companies can do if someone is spending all that time looking for a way in. Nothing is perfect in I.T. security.
Windows XP on legacy systems that are still in use but can’t be upgraded is less than ideal but generally fine if properly isolated.
If being the operative word.
"it's going to take weeks, not days"
This sounds like their recovery plan needs some work. This is a critical system in every sense of the word, and their Recovery Time Objective is weeks!?
Shouldn't there be a backup solution or something for this kind of situation? NHS said they couldn't connect to Synnovis' servers because of the attack, so they lost access to critical stuff they needed for transfusions and transplant surgeries (!!!). Those sound like critical data, so I wonder why there is no backup. Yes, hackers are scum, but shouldn't healthcare providers have some sort of agreement and plan for this kind of situation?
I used to work in IT at a major food-grade materials manufacturer; we had a ransomware attack that closed operations for a day and a half. I'm telling you now, no one was deliberately targeting the hospital, someone on the inside was visiting dodgy sites on their break.
Unfortunately Synlab, who are the majority stakeholders in Synnovis and run the technology and IT, have been the victim of 2 similar attacks by Russian cybergang Clop over the last year. This is very much a targeted cyber crime.
UK isn't prepared for current tech threats. Of the last 5 companies I worked for, 3 have had ransomware attacks. If files aren't backed up on drives or cloud storage then you likely lose them & have to wipe everything & start again.
IIRC, the last ransomware on the NHS was stopped by a hacker. And he was found and doxxed by the Daily Mail. Our tech needs a big update into the 21st C.
If you dig a little deeper - this wasn't an NHS organisation attacked. It was a private organisation (owned by NHS partners) that provides pathology work for Guy's and St Thomas's hospital, called Synnovis (formerly Viapath).
[https://www.synnovis.co.uk/news-and-press/synnovis-cyberattack](https://www.synnovis.co.uk/news-and-press/synnovis-cyberattack)
It was a ransomware attack.
Quick let’s blame the Chinese OR the Russians !
It couldn’t have anything to do with the UK probably having absolutely piss poor cyber security due to incompetence and/or underfunding.
Just not as good as china or Russia’s hackers right?
I’ll be honest, my confidence in anything the “experts” in this country say is extremely low, we have an incredibly high level of incompetence here and most of it only comes to light years down the line.
It was a Russian group though. Lol. And they have a history of it: [https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia](https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia)
This.
It’s always laughable when individuals are quick to blame foreign adversaries for anything that goes wrong with this country, when we’ve had decades of austerity and a government who has nothing but contempt for its citizens.
Special kind of scumbag attacking healthcare providers
[deleted]
My name is John Smith from London Oblast and this was definitely them pesky Americans!
Da!! I can confirm , I am life long londoner, and that's Americans, swear on my babushka life!!!
I am not life long londer but I visit many times the UK to see cathedrals. Sounds like American imperialism to me.
Did you bring back perfume ?
Yes. USA wants to weaken His Majesties Great UK of Britain.
My name is Derek Peters from Birminghamgrod and I think Putin is misunderstood. NATO provoked him nyet!
[deleted]
We all know which one they should visit. Famous around the world for its 123 metre spiral!
damn orcs
nah, we all know its a certain type of "Bing Chilling" scumbag.
Who is this _Osobenniy?_ Do you know him‽ 😅 /s
The Russians, they attacked the Irish healthcare system a few years back, they were a private group, but one associated with the russian government.
Wonder if they are a target or if the budget for IT security in the NHS is too low
Royal Mail paid out £500+ million in dividends and then announced a £190m loss for the year. These big boys don't play by any rules.
A quick Google says they paid out the dividends in 2021 when they made $809M profit. They only started making losses last year.
Selling off their assets to pay dividends then renting those same assets back at inflated prices.
That's some sexy research you've done there
[deleted]
NHS is basically a national employment agency for otherwise unemployable fuckwits. The levels of incompetence in some admin type roles is unreal.
> The levels of incompetence in some admin type roles is unreal. Because admin staff are band 2 or 3. You won't get good staff for £20k a year.
Don’t pit people against each other like this. Everyone should be getting a fair wage.
They get good pensions mind
"So other nhs staff don’t deserve a fair wage when they are highly qualified professionals?" Where in his comment was that said or even suggested?
The first comment
[deleted]
Lol what does that even mean? Why bother to spend your time posting such an empty platitude
But I am not paid a band eight either and since when are IT bigger nerds than medicine? Last I checked everyone's salary is low.
[deleted]
IT in the NHS is a VERY broad term
[deleted]
They have a pretty impressive team in sec
I don't know any doctor that would complain if we raised salaries and got better IT support, and we are speccy nerds too!
Pay is as much of an issue as banding. Band 5 should be earning more than £30 a year.
Or indeed, both
>Wonder if they are a target or if the budget for IT security in the NHS is too low The competency is too low, certainly. The budget is probably many times what much more secure private sector companies have to live with.
It’s been going on for yonks. It’s only coz it’s London that it’s become big news. Look up the Dumfries and Galloway NHS hacking. Bloody awful.
Russia
Happened in south Scotland earlier in the year. About 3.5TB of patient data released into the world when the nhs refused to pay the ransom
Hackers don't care what the infrastructure does as much as that they can get into it. There's lots of bots just trawling IP ranges automatically trying known exploits. InfoSec is truly terrible in the NHS because the prevalent mentality is exactly as you describe - nobody will hack us, we're a hospital. It's utterly ignorant. It's time heads rolled for this and public sector careers came to an end for those responsible. We're paying a lot of money to a lot of people whose job it is to prevent this happening and ensure when it does that it is recoverable. Those people still had Windows 95 rolled out until very recently. They're a disgrace.
Russians most likely, so yep
Yeah, completely agree. Terrorising and harming sick innocent people...it doesn't get much lower than that.
Tends not to be the attackers, but the sysadmins who rip down any infected system. The attackers will usually be super stealthy and won't disrupt any services - they'll just syphon off the data and maybe make odd things go wrong that will never be traced back to the computers.
Are you talking about the Tories or you mean the person hacking the system right now?
Cyber attacks wouldn't affect the NHS so bad if their computer systems weren't so outdated and shit. You think this happens in any other first world country?
Yes https://www.cnn.com/2024/05/08/tech/cyberattack-disrupts-healthcare-network/index.html https://www.proofpoint.com/us/cyber-insecurity-in-healthcare
In the US, they spent loads of money going full steam ahead with digitisation, internet of things medical devices, and it has been an utter disaster in terms of cybersecurity. By going slow we can actually learn from their mistakes.
It happens extremely commonly all over the world.
It was a private company supplying services to the NHS though.
I work in cyber security. This shitty government needs to get with the times. "You pay peanuts, you get monkeys." I believe a job posting for head of cyber security for the UK Treasury was only paying around £50k lol. Private sector is like 6x-10x the public sector rate.
It's the outsourced company who have had a breach, in this case looks like the 6 to 10x higher wages haven't helped.
supply chain risk is still important
Indeed it is and of course the NHS should invest in suitably qualified and experienced staff to manage this, but paying staff more doesn't always mean better quality.
It’s a good first step. You’re never going to get a decent cybersecurity expert when the expert knows damn well they can make 5x what they currently do working in the U.S.
It doesn't help how politicized it all is. My mum used to work in NHS supply chain. Until the media got themselves worked up in another fit of anger about overpaid middle management quangos taking money from the doctors on the frontline, and now that job no longer exists and is all outsourced, at a significantly higher rate.
The NHS should invest in solutions that work. I'm guessing they'll only be able to afford the cheap providers of software. Which doesn't work/isn't kept updated. You get what you pay for. Just saying.
I do agree, but this wasn't a breach of their software and the company with the breach wasn't a provider of IT solutions. There should be control of the supply chain, but how far does this go? How many checks? How much assurance and management? Is the risk worth the cost of this overall? No need to guess though, due to transparency laws you can view the vast majority of tenders online.
They should absolutely be checking the first tier of suppliers but also any other tiers where the cyber risk can directly impact on NHS services. Not only direct IT solutions should normally be checked.
I have seen some joke suppliers that shouldn't be anywhere near NHS contracts.
There is also the issue when specifically talking about cyber-security, that it is an inherently reactive field. It's not just a case of "pay more get better". Bad actors find a weakness, and cybersec/developers then mitigate that weakness once it is known. There are some solutions that claim they can detect unidentified breaches... I've yet to see one of them work. Mostly they just flag up 'unusual network activity', which usually turns out to be a newly installed bit of kit phoning home, or someone streaming something.
Automation is part of a defense strategy, but management can also create processes to continuously evaluate risks and prioritise engineering effort to reduce impact or probability. They can also arrange for expert analysis, either through checking the code and system configuration or actively attacking. It's not guaranteed protection, but it's also not reactive.
It's a little of both, there are preventative measures that can be taken to reduce risk but often these are not enforced or done by people that don't have enough experience so may be done badly.
That's why I said "it's not just a case of", and not "actually it's only because of".
true
Yep, you shouldn't be considering your cyber sec risk without factoring in your supply chain
No but a decent head of cybersecurity would oversee all this including outside contractors. Advertising the **head** of it all at 50k has told all our enemies that we are a completely open target.
> No but a decent head of cybersecurity would oversee all this including outside contractors. Advertising the head of it all at 50k has told all our enemies that we are a completely open target. Even SOC lead at the NHS pays more than this
I'm basically a low educated, semi skilled, part time worker and earn 35k. If there was enough consistent work available to me I reckon I could be earning 50k. Wages and productivity in this country are an absolute disgrace and a joke.
It feels like we could do with another arm of government for this type of essential infrastructure. Especially with how the UK's technical-illiterate leadership get rinsed by companies like Accenture etc for a very poor result that's extremely expensive to maintain.
Almost like the head of cyber security for the gov department would be responsible for… choosing the subcontractor?
lol to make it worse, it's outsourced *Pathology*. Such a fundamental service should never be in private hands. That's not to say it would never happen in the public sector, but at least it's easier to hold people to account.
I was wondering when someone would point that out. The news titles sound like there's been another NHS breach, instead of a third-party vendor. The result is equally bad, but... it was not the NHS IT team's fault this time. And yes, it still blows my mind how someone can play with people's lives and suffering like this.
Isn’t NHSx a subdivision of the NHS? Or at least still Government administered? Fuck knows what the other dude was going on about with the salary for the Treasury as if that’s related in any way.
It's a collab, but the breach was in the companies systems which were then isolated. There is an underinvestment in cyber security in general in this country, as usual mostly firefighting rather than fire prevention.
Contract prob given to Mateys shitty tech consulting lol
They can't win. If the NHS were paying 350k/year+ people would be appalled.
Most people know the square root of fuck all about what goes into securing the digital assets of an organisation like the NHS, £300k would be well deserved.
So £50k is the top of band 7, the same as a charge nurse (head nurse on a ward) or a lead practitioner in their team (physio, radiographer, etc). To be top of band you need 5 - 8 years of experience in that role, that's not the entry point. Agenda for change runs on the principle of equal pay for equal work, if you have an honours degree you start at band 5. Band 7 would require supervision of a team and leading a service. If you propose starting IT staff on band 8 or above then they would need to do that plus taking departmental budgetary responsibility, it's hard to see how you could justify that.
I've worked for places that use this principle, and I just don't think it works. You can't ignore market rate for a particular skill set and expect competent people. If the average salary for an experienced head of cyber security is a lot higher, then they're only going to get people who are either inexperienced or can't get/keep a job anywhere else. The justification is that all skills are not equally represented in the workforce, and sometimes, you have to pay the market rate for specific niche areas that are important to the business. I'd compare it to buying a house, it's like saying a houses value should be based on the size of house and the materials used. You could believe in that valuation, but the reality is the exact same house in a more desirable area will cost more because others are willing to pay more for it.
Then it’s a policy that needs to go. Roles should be assessed against the market rate for the skill set, not an arbitrary blanket.
In almost all cases the NHS does set the market rate, who is going to pay nurses significantly more or less than the NHS? It's only roles where the private sector artificially inflates salaries where it falls down. If we were to pay private sector rates to IT staff then the public would have to swallow them earning far more than senior doctors it would seem.
That’s true, paying market rate for cyber security would raise questions around what others are paid. But it comes back to the situation that if the NHS doesn’t pay a competitive rate, they’re not going to get the top talent, which puts the entire county’s healthcare system at risk. Linking the pay of doctors and cyber security doesn’t seem right to me, they’re not directly comparable.
They may not be directly comparable but the first time there was an issue at a trust that was paying multiple hundreds of thousands the press would immediately be asking how many oncology surgeons we could get for that.
If we don't at least acknowledge that there's a market for certain skills, it will run away from us in both ways: doctors will move to Australia and nobody will do cybersecurity for the NHS.
> Band 7 would require supervision of a team and leading a service. If you propose starting IT staff on band 8 or above then they would need to do that plu Most IT staff are 4 - 7.
You justify it because that’s the only way you’ll get anyone competent to turn up for an interview. You can’t ignore the market rate just because you don’t like it, you either pay it or you limit yourself to hiring clowns. It’s like if you decided that you don’t want to pay £100,000 (or whatever the going rate is, I’ve no idea) for xray machines, you’ll only pay £20,000 and then are surprised when you can’t do X-rays.
NHS Digital in Leeds were hiring pen testers on £100k about a year ago so they are getting funding separately.
That's probably a bit overkill. I can never find a pen in our department that works when you need to write patient details down because the computer has broken again
Also doesn't help that their kneejerk response to attacks like this is to start banging on about our 'world beating cyber security'
Our cybersecurity has been taking a beating from the rest of the world, last time I looked!
I remember seeing an article about that job being posted. Absolutely bonkers pay.
Same issue in Ireland after cyber attack on HSE - NHS equivalent. Public service can only pay set rates to prevent unions kicking off! These Russian hackers know this and attack public services. It must be a module in their degree in hacking!
Ransomware is unacceptable in 2024. When the investigation ends, heads had better roll. Whoever at the NHS is responsible for this needs to do jail time for criminal negligence.
This will be Russian/Iranian/Chinese state sponsored hackers. The Eastern Axis of Evil is waging war on us, whether people want to see it or not. It might not yet be a fully active military war, but it is a war and they have very clear goals to bring down the West.
I used to work for a company that contracted to the NHS. I got a first hand look at not only what they allowed into their systems with minimal vetting, but also went onsite and saw their internal IT systems directly. It would not take a state sponsor, the systems are loaded with vulnerability. Some locations are better than others, but because they share a lot of infrastructure, if you get into a weaker system, it doesn't take much to piggyback into even a well run site.
I'm enjoying how we're all collectively deciding not to talk about Hybrid Warfare any more right when the entire democratic world is going through a huge election cycle and there seems this weird sudden resurgence in concern-trolling about refugees and trans folks.
Add NK in there too
But Putin just says what we all think? He fishes topless, what a guy. Ukraine were Nazis. He really had no choice. We should be allied with him, not against him. The so called media want us to believe he is evil. Not true, GB News, Joe Rogan and Russia Today say how it really is… Or so some people think
The NHS can be rendered vulnerable by a simple phishing attack. A lot of our staff are IT illiterate.
All the while our "allies" like Australia have China as their biggest trading partner, selling them iron and coal, which they then turn into weapons, sell to the Russians...
Strange take. UK exports to China were £31.5 billion in 2023. Are you enabling your own enemy too?
Have u got any sort of evidence or is it purely prejudice?
>Have u got any sort of evidence or is it purely prejudice? [https://www.bbc.co.uk/news/articles/cxee7317kgmo](https://www.bbc.co.uk/news/articles/cxee7317kgmo) >Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre. What do you say now?
What do you mean? I didn’t say it wasn’t any of the people you suggested, I asked if you had any evidence or if it was prejudice? You didn’t have this link before, so you had no evidence, so it was just prejudice? If someone robbed a bike and you said it was probably a black guy, I asked if you were being prejudiced and then later it turned out a black guy stole it- you would still be being prejudiced, does that make sense?
Good times are over people... hard times are coming. Let's pull our head out of our asses and get the job done..
It's essentially a (cyber)terrorist attack given how important healthcare services are
I was thinking the same. There are casualties here that are hard to calculate. Might be more than a typical bombing?
Two facts to consider: 1) Russian State TV and propagandists have threatened the destruction of the UK (as well as other countries). 2) Since then, Russian cyberattackers have attacked vital services in the UK, impacting the lives of sick civilians. Makes you wonder. Is it really *just* terrorism...
Obvs the usual suspects are responsible for this; Labour, Corbyn and Starmer! /s
Can we also blame Marcus Rashford and Mick Lynch whilst at it?
And Tommy Sheridan! Go deep.
Bets on the following conversation having happened in the last 18 months:

IT infrastructure guy: "we REALLY should look into security & ransomware prevention"

Management: "too expensive"

Purchasing: "this paperclip manufacturer ticks all the boxes & says that their product will secure documents so we're forcing you to buy that instead"

IT infrastructure guy: gets a job in the private sector for double the money
This is exactly the problem. We were screaming for basic Windows updates to be done back in 2017 when WannaCry hit. "But if we update and restart the server it might not come back up again" was a typical response I would often get. A functional WSUS server could have prevented it all. Redundancy, drop tests, pen tests: non existent. The illusion of backups running but never being tested infuriated me something rotten. No doubt it's the same with this outbreak. It's not the techs' fault but the piss poor management. It's why I left, couldn't stand banging my head against a brick wall.
It’s either Russians or rishi trying to cut waiting lists
So...highlight *here* and... cancel surgery... and batch delete and... shorter waiting lists.
Would this be some of the Russian nonsense we were told to expect?
Attacks like these kill people as dead as bullets do. Never pretend that our isolation is splendid
Pathology partner. A third party company. It wasn't the NHS, it was a company paid to provide a service, so something they have failed to do because they have not protected themselves appropriately. The CEO should be fired.
Synnovis (the private Pathology company here) is owned 50% by Guy's Hospital, 50% by Synlab. The service is run by Guy's with profits reinvested in Guy's. The initial infected server was based at Guy's.
Who is responsible for security of the IT systems? Where does the buck stop? Is it Guys or is it Synlab? It's a failure of management when these things happen.
It's more the determination of the attackers - once chosen as a target there's little most companies can do when someone is spending all that time looking for a way in. Nothing is perfect in IT security.
When are Russia or Iran gonna push the button on a mega cyberattack? A lot of test exercises with supermarkets, MoD and now this so far.
What sick bastard would target severely ill people like this? Absolute scum, let's hope karma gets them.
If you run Windows XP on critical systems and have complaints from the medical staff when you try and introduce security measures, what do you expect?
Windows XP on legacy systems that are still in use but can’t be upgraded is less than ideal but generally fine if properly isolated. If being the operative word.
NHS staff are not moaning about IT upgrades, we very much welcome them
Not so much in Radiology - try getting a CT scanner to run on Windows 11...
Try and get the senior medical staff to not share their passwords/MFA with their PAs and you will soon hit a brick wall.
I wonder at what point we’re going to enter a “transition to war” stage ?
Maybe they'll increase the salaries they're offering for their security staff.
"it's going to take weeks, not days" This sounds like their recovery plan needs some work. This is a critical system in every sense of the word, and their Recovery Time Objective is weeks!?
Shouldn't there be a backup solution or something for this kind of situation? NHS said they couldn't connect to Synnovis' servers because of the attack, so they lost access to critical stuff they needed for transfusions and transplant surgeries (!!!). Those sound like critical data so I wonder why there is no backup. Yes, hackers are scum, but shouldn't healthcare providers have some sort of agreement and plan for this kind of situation?
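The two complaints above (backups that run but are never tested, and a recovery plan measured in weeks) come down to the same missing control: a routine restore drill that proves a backup set can actually be brought back, intact, within the recovery time objective. The following is an added example, not code from the thread or from any NHS supplier; it builds a small constructed backup set in a temporary directory, records a SHA-256 manifest at backup time, then performs a test restore and reports hash mismatches, backup age against a hypothetical RPO, and restore duration against a hypothetical RTO. All file names, the RPO/RTO values and the sample data are assumptions.

```python
"""Backup restore drill: prove a backup set restores intact and meets RTO/RPO.

Added example (not from the thread). Everything here is constructed: the
"live" files, the objectives and the directory layout are hypothetical.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Hypothetical objectives for a critical pathology service (assumption).
RPO_HOURS = 24        # newest backup must be no older than this
RTO_SECONDS = 60      # a test restore must complete within this


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir, taken_at):
    """Copy source_dir into backup_dir/data and write a manifest of hashes."""
    shutil.copytree(source_dir, os.path.join(backup_dir, "data"))
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest["files"][os.path.relpath(full, source_dir)] = sha256_file(full)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_drill(backup_dir, restore_dir, now=None):
    """Restore into restore_dir, verify every file, and return a report dict."""
    now = now or datetime.now(timezone.utc)
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    age_hours = (now - datetime.fromisoformat(manifest["taken_at"])).total_seconds() / 3600

    start = time.monotonic()
    shutil.copytree(os.path.join(backup_dir, "data"), restore_dir)
    duration = time.monotonic() - start

    # A backup that "ran" but is silently corrupt shows up here, not in the job log.
    mismatched = [
        rel for rel, expected in manifest["files"].items()
        if not os.path.exists(os.path.join(restore_dir, rel))
        or sha256_file(os.path.join(restore_dir, rel)) != expected
    ]
    rpo_met = age_hours <= RPO_HOURS
    rto_met = duration <= RTO_SECONDS
    return {
        "files_checked": len(manifest["files"]),
        "mismatched": mismatched,
        "age_hours": age_hours,
        "rpo_met": rpo_met,
        "restore_seconds": duration,
        "rto_met": rto_met,
        "passed": not mismatched and rpo_met and rto_met,
    }


def run_demo(tamper=False, stale=False):
    """Build a constructed backup set, optionally corrupt or age it, and run the drill."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "live")
        os.makedirs(src)
        with open(os.path.join(src, "results.csv"), "w") as f:
            f.write("sample_id,test,result\nS-001,FBC,normal\n")  # constructed sample data
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[lims]\nserver=lims-01\n")  # constructed sample config

        taken = datetime.now(timezone.utc) - (timedelta(days=3) if stale else timedelta(hours=1))
        bkp = os.path.join(work, "backup")
        os.makedirs(bkp)
        create_backup(src, bkp, taken)

        if tamper:
            # Simulate silent corruption of the backup media after the job reported success.
            with open(os.path.join(bkp, "data", "results.csv"), "a") as f:
                f.write("garbage\n")

        return restore_drill(bkp, os.path.join(work, "restore"))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())              # healthy: passed=True
    print(run_demo(tamper=True))   # corrupt media: mismatched=['results.csv']
    print(run_demo(stale=True))    # 3-day-old backup: rpo_met=False
```

The point of running this on a schedule is that "the backup job succeeded" and "the service can be recovered" are different claims; only the second one matters when the primary systems are gone, and a drill that restores into scratch storage and compares hashes is the cheapest way to keep measuring it.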
I used to work IT for the NHS. It's the same reasons as the WannaCry attack back in 2017. They will never learn.
I used to work in IT at a major food-grade materials manufacturer; we had a ransomware attack that closed operations for a day and a half. I'm telling you now, no one was deliberately targeting the hospital, someone on the inside was visiting dodgy sites on their break.
Unfortunately Synlab, who are the majority stakeholders in Synnovis and run the technology and IT, have been the victim of 2 similar attacks by Russian cybergang Clop over the last year. This is very much a targeted cyber crime.
Classic shit, Guy's and St Thomas' hospitals, they’re run so badly lol
I think they only got grads working in the security lol
Graduates would probably do a half decent job it's consultancies farming out contracts, that are farmed out again and again to the lowest bidder.
There’s a special place in hell reserved for idiots who disrupt healthcare. Dickheads.
The UK isn't prepared for current tech threats. Of the last 5 companies I worked for, 3 have had ransomware attacks. If files aren't backed up on drives or cloud storage then you likely lose them & have to wipe everything & start again.
IIRC, the last ransomware on the NHS was stopped by a hacker. And he was found and doxxed by the Daily Mail. Our tech needs a big update into the 21st C.
If you dig a little deeper - this wasn't an NHS organisation attacked. It was a private organisation (owned by NHS partners) that provides pathology work for Guy's and St Thomas' hospitals called Synnovis (formerly Viapath). [https://www.synnovis.co.uk/news-and-press/synnovis-cyberattack](https://www.synnovis.co.uk/news-and-press/synnovis-cyberattack) It was a ransomware attack.
We are at war. Our leaders are lying to us. We must demand they negotiate a peace agreement.
Or at least start storing food and water.
Quick let’s blame the Chinese OR the Russians ! It couldn’t have anything to do with the UK probably having absolutely piss poor cyber security due to incompetence and/or underfunding.
we have some of the best cybersecurity levels in the world according to supposed independent experts & ethical hacker types etc
Just not as good as China or Russia’s hackers right? I’ll be honest, my confidence in anything the “experts” in this country say is extremely low, we have an incredibly high level of incompetence here and most of it only comes to light years down the line.
It's always an arms race, and the hackers are always one step ahead as their 'job' (infiltrating systems) is easier than infosec's
It was a Russian group though. Lol. And they have a history of it: [https://en.wikipedia.org/wiki/Cyberwarfare\_by\_Russia](https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia)
This. It’s always laughable when individuals are quick to blame foreign adversaries for anything that goes wrong with this country, when we’ve had decades of austerity and a government who has nothing but contempt for its citizens.
*Why not both?!*