
Physical And Information Security In The NHS - Phil Smith

BSides Leeds, 21:57, published 2024-07

Right, my name is Phil. I come from 20 years clinically in the NHS. It finally got too much, so I walked out and created a physical security company. My view of the NHS is very much like this: a bit old, generally in good nick, looks like it's well maintained, all that sort of stuff, but you really don't want to start opening panels and finding out what's beside them. That is an emergency phone in an NHS hospital, in a lift in service not too far from here. So we're going to go through a few stories; we'll see how far we get through before we get to the end of time. And yes, ChatGPT is going to be critiquing me along the way.

So if you're not sure how the NHS is structured on the clinical side of things: you've got your major specialties, so you've got neurology, cardiology, emergency care, orthopaedics with their little hammers that they love so much, and then within that you've got your sub-specialties. So in cardiology you'll probably have your plumbers who do your coronary arteries, you'll have your electricians who do your pacemakers, that sort of stuff, and then you'll have your mechanics who do your valves and your pumping function, all that sort of thing. And then within that you've got sub-specialties as well, and what that means is you've got a lot of these associations that are very niche that crop up, and the idea is that they bring together all the evidence from all these disparate niche sources and create your guidelines, your best practice, that sort of thing. But some of them offer accreditation, which I've never really seen the point in, because the patients don't give a crap about accreditation; they don't know what it is. "Could you please scan my heart?" "Yes." "Thank you very much, goodbye." But they do like to have accreditation, which is essentially a bunch of tick boxes: they come in, they assess the place, have you done this, tick, tick, tick.

So we're going to go through a quick story of what happens when security is taken away from the trust and the experts there and is given to the clinical people. We're going to protect the guilty; we're going to refer to the items in question as probes, because everybody likes a good probing. These were invasive medical devices. They are often very poorly secured in hospitals; it's usually shoved in a clinic room somewhere, security by obscurity. But not in this case. In this case it was in a solid masonry-walled room, with the walls going all the way up through the roof void, a big solid door, one of the few digital locks that I don't know a bypass for. The code was written on the door frame, but that's a different issue. But the room was solid, and it was built for the storage and preparation of controlled medications with the actual building itself; it wasn't retrofitted or anything. So the probes were kept in essentially Pelican cases with foam cutouts, all this sort of stuff, and you could go in there, you could get your probe out, you could prep it, stuff it back in the case, go and see your probe, and then of course it'd be returned after you. So if you saw the cases there, you knew that the probes were there.

So then we have the accreditation standard that came along. Along with a lot of other clinical stuff, they had security standards. The problem was the accreditation standards were written by people like me, the people who do the probing, and they insisted that these were stored in a locked cabinet on display, so you could see when they'd been returned. And we couldn't store them in that room, couldn't remodel it; it would cost thousands to remodel the room. So they put it outside in a "secure area". Yes, it could be classed as a secure area. You certainly can't break into it, not without restricted tools in very restricted catalogues that nobody can access, and you certainly wouldn't walk in to find a homeless person availing themselves of a bed and the charity money. That actually happened. On top of that, the cabinet was secured with a £6 lock from Amazon. If you don't know what a CH751 is, I suggest you go and buy one and start seeing what it opens; you will be astonished. So obviously security was taken away from the trust and was in this accreditation standard, and it is far easier to comply with the standard, tick the box on the day, than it is to contest it and say "well actually, we exceed that". But what happens if they disagree on the day? Well, you've put a lot of work in for absolutely nothing.

This is the one everyone's probably turned up for. So I have worked in private as well as NHS, so I'm not going to suggest where this was. You may be aware that equipment that comes into the NHS often has a very long lifespan; you're talking kit that came into service before I started and is still in service today. That's over 20 years, and yes, this is Windows NT4. It's all right, don't worry, this has been upgraded: it's now running Windows XP, so that's all good. This one, firstly, is not actually networked, thankfully, and only I walk around with my malware on appropriate media. But some of these things are networked, and it brings me to a little bit of a fad of adding cameras to clinical equipment in clinical areas. I've got two examples of this. The first one was an exercise testing machine. Now, if you're not aware of what an exercise test is, you go on a treadmill or a bike, you have electrodes all over your chest, you may have a mask on your face, you may have a scan of your heart with ultrasound before and afterwards. For men, not so bad; for women, frankly, it's very undignified, very revealing, and there shouldn't be cameras in the room.

The other example was a pacemaker programmer. The manufacturer of this pacemaker programmer came along and said "we'd like to put some extra things on", and we said "have fun". This pacemaker programmer is sat on the desk at about 30 degrees, so yeah, very ergonomic, you'd like that, and they put this great big webcam module on the top of it: the camera, speakers, microphone. We asked "why do you want this, why is it there?" The same answer as for the exercise testing machine: "well, we want to be able to give you clinical and technical support as you go along." Firstly, why do you need to see in the room? Secondly, with a pacemaker programmer, why do you need to see up my nose for that? And then we said "well, we're not actually networking this, so we can't use it", and they said "no problem, shove a 4G modem in the side of it." So now you've got a system that has access to clinical data, has a webcam and a microphone in a clinical area, and bypasses all of the protections on the hospital network. As you may have guessed, this got unplugged, thrown in a cupboard, never to be used again.

Now the manufacturers will tell you, quite rightly, that these systems will get supported and they'll get updated, you'll get security updates, and that's fair enough, except for the fact that this is the NHS: we run stuff until it blows up at least once, and the example I gave you of that piece of kit that's been in service for over 20 years and is running Windows NT, well, that's a perfect example. So yes, for the next five or six years that may get support, absolutely, but are you honestly telling me that that is still going to be supported in 10, 15, 20 years' time? Absolutely not. So that's something that I would very much like them to stop doing.

And an example of how this sort of thing does actually go wrong: this is the tale of a virus that infected a hospital network. For some reason, don't know why, it was the admin computers that were most affected. We found the virus was on the network because some chap was at the reception desk making an appointment, and you know what it's like when you're making an appointment: they say "well, these are the list of appointments on the screen, you pick the one that you want", and it goes "so thank you very much, I'll have a look at those", and then the virus goes "payload time, what am I going to be?" This was a bit before ransomware, so that ruled that out. "Shall I exfiltrate this guy's ultrasound data? No, that's a bit boring. No: hardcore pornography." So "have a look at your screen for your appointments" and bing. And that was happening on computers all over the hospital. There was no data breach, there was no data loss, it was just a very embarrassing, mischievous virus. But how did it get on there? Well, we had an ultrasound machine that was running Windows XP Embedded, and even at the time this was a little bit old; it was running on a CRT monitor, so it was pretty old. And there was a trainee who wanted to get their images off this machine for their logbook. So you put them in a logbook, you present them for assessment, they pass you or fail you, thank you very much. And they thought it'd be a great idea to put the USB stick directly into the ultrasound machine, into the very inviting ports on the front of the machine, rather than go to the workstation and download them in a file format they could actually use. And of course we can guess where the USB stick had been, we can guess that autorun was probably still enabled, and that was an unpatched OS. Yeah, very embarrassing, that one.

Next one. This is a current situation. So the government: it's a bit like alcohol, it won't solve your problems but it will give you lots of interesting new ones. So the government, back in, I think it was the Blair or Brown era, I'm not entirely sure, they wanted a giant central database. They wanted all the NHS to be running off the same central database. Fair enough, good idea. Problem is, when Microsoft says no to a large government contract and says it can't be done, you should probably heed their warning. Now a company did agree to do it, I think it might have been crap but I'm not entirely sure, and we ended up with essentially a subscription to Microsoft Office. That was it, that's all we got. And why was it so difficult? Well, all of these different elements of the NHS, you know, GP surgeries, your sub-departments within sub-departments, they'd got their own solutions sorted. So some people were on Excel spreadsheets with random columns that kind of just fitted their workflow, some people had professional databases, some people had databases cooked up by the local nerd (two of mine are currently managing your clinical information, you should be afraid), some using Microsoft Access, and some using nothing at all. As a result, the hospitals are exploding with paperwork. Now some progress has been made: the Health and Social Care Acts came along and mandated that some kind of interoperability was required, and as the general turnover of these systems happens, that is starting to show results. But there is a lot of pressure to relieve ourselves of paper, and they're even throwing fire regulations: you can't have all this combustible material stored here, thank you very much.

The NHS is very much like any other big organisation: it operates in silos, and within these silos everyone speaks the same language, but if you want to move laterally across silos it's like a black box pen test: you are screwed. You are literally trusting what you can see, and it's very difficult. A good example of this: at a hospital not too far from here, about 10 years ago, there was a failure in the pathology computer system. The whole thing went down for one or two weeks. We were absolutely screwed; it was awful. We had to send tests out to other hospitals in the region to be completed, elective stuff had to be cancelled, it was an absolute nightmare. They've obviously taken that a bit more seriously now, and a few months ago there was a flood in one of the main server rooms, and the IT department was sending out emails going "oh, the world's on fire, it's horrible", and we're going "is it running a bit slower? It might be running a bit slower", because they had that immediate failover all set up. So when it's within that silo, things can improve and change quite rapidly.

Bit more background: the NHS is part of the civil defence legislation, so it needs to be able to operate in all scenarios. So literally, if the building is blown up, we have to turn the car park into a hospital, and we pick out the plan and we go and execute on it, and obviously we need to be able to access patient records as well. Now, if you're not familiar with PACE, it stands for primary, alternate, contingency and emergency, and it's your different stages of plans for how you'll deal with something. So let's take medical notes for a small niche department and put them into the PACE plan. Your primary has always been your paperwork: all your test results printed out, shoved into the file, a little summary sheet is filled in with the important information for that visit, continuation sheets for anything really long-winded and important are filled in, and you shove that in a plastic wallet, you shove it in a filing cabinet, and then you get it out when you need it. Alternate is the computer system. So obviously the paperwork was first, so your computer system has developed secondary to that, and yeah, the test results go on that, the important stuff goes on that, fantastic. You can effectively switch between the two and it's not really a problem. Contingency: well, you're hoping that your patient is carrying around their information cards, which they never do. And your emergency plan is throwing diagnostic tests at the problem and hoping that you figure out what's going on.

So what happens if we just stop using that paperwork primary, so we are on to just having one computer system? What happens? Who's responsible for making sure that we have access to those patient records? It used to be us; we were responsible for maintaining those, an admin department that kept those records up to date and made sure they were accessible in an emergency. The backup plan is revert to paper, but we need a history; we can't just say "oh, let's just get out some paper and start going". We need the history, we need that information. So who's responsible for making sure there's a backup plan? We don't know. So if there's a ransomware attack, or someone decides they're going to smash a car into an important bit of infrastructure, I trust that the IT guys have got their backup, yeah, that server and all its information will be mirrored off site somewhere, that's fine, but if I can't access it, frankly it's worth three fifths of [ __ ] all, because I've got a patient in front of me and I need that information. So we don't actually have any answers, and I think that the malware, the ransomware attack on the London hospitals, will hopefully give them the little bit of a prod they need to start doing something, in the same way that the pathology issue was the prod that they needed. But at the moment we don't know.

This might well be the last one; we shall see how we go. So, people pleasing people: you can get anywhere in the NHS if you dress the part. All right, there's a few reasons for that; there's about three different reasons. The NHS is full of agreeable people, and I mean that technically. So in psychology you have a major characteristic, a major trait, called agreeableness. It means you want to help, nurture, all that sort of stuff. As you might imagine, those sorts of people get into healthcare, and what that means is, in that environment dominated by agreeable people, if you say no to something, even if it's perfectly reasonable to say no to it, you are seen as being obstructive, and that's a bit of a problem. Because it's also very hierarchical: if you are a patient or a visitor, you're at the bottom. So imagine yourself trying to get into a ward and you're buzzing the little intercom thing and someone's walking past. If you're a patient or a visitor, they are going to say "no, I'm not letting you in, you keep buzzing". But what happens if I put that on? What happens if I walk around with that little piece of paper that the NHS runs on, with a piece of patient information, you know, that I've been writing down, all that sort of stuff, and I'm on the phone, so I'm outside the ward: "Look mate, have you spoken to the GP? I'm not messing with it, sorry. Would you just get that door? Would you just get that door?" You might say "well, I'm not wearing an ID badge". I will tell you that I didn't wear an ID badge in the NHS for over 10 years. I blagged myself into everywhere I needed to be, because it was fun. But that's okay, that's okay, because I have an ID card printer. I made an ID card for the fish tank; it's on those fish. Fish Face is a consultant physiologist. And this reveals the last element of how you can quite easily bluff your way around hospitals: there is a normalcy bias. So when I come along with my stupid ID card and stick it on the fish tank, the question wasn't "Phil, why do you have an ID card printer?" (and the answer would be "well, it was 100 quid on eBay because it didn't come with a power supply and it was covered in mystery goo", and you can't say no to that). What they actually said was "how did you get security to print you that?" Because there's a normalcy bias. So what happens if I'm now dressed like this, I'm tapping on the badge reader, which obviously isn't going to read this, would you let me in? You're probably going to do it. And that's that hierarchy, that normalcy bias and that hyper-agreeable nature.

And this actually did manifest in a couple of situations. So me and my boss, we were leaving for the day. There was a couple of workmen dressed very much like this chap: no ID badge, no visitors' cards, no nothing like that. They were in a public area of the hospital, so they could have walked in off the street, and they were poking up the ceiling tiles and having a look what was going on underneath them. We're walking out, they didn't talk to us, didn't look at us, and she says to them, "do you need to get in this office? I can't stay, but I can leave the door unlocked for you." Now what's in that office? 2,000 patient records and sterile medical equipment that obviously needs to be protected. Don't blame her; that's just the environment that is set up. And this was another one. This was in a public corridor. I don't know about you, but I see something like that and the intrusive thoughts are winning, all right? I have a burning need to know what's going on in there, and why is it there? Well, it's probably there because they need to be helpful. They are helping the people who are coming to collect it: "don't waste time coming into the ward, don't worry, we're healthcare, we're off limits." I mean, for me, I see that and I'm thinking I have got a liquid nitrogen mod on my motherboard, I could do something with that. But I have literally walked out with a printer under one arm, a PC under another arm, obviously with permission, walked out, thrown it into the back of my mate's very old clapped-out Audi that was full of plumbing equipment, and nobody stopped me. No ID badge, no uniform, nothing.

I think I'll be able to very quickly get through this. So this is back to the government being a problem. They wanted to create a central database of your GP records and then sell access to that to large companies. So what they would do is take everything, anonymise it, and then bundle it into a great big data set and sell access to it. Actually a fantastic idea; the stuff you could pull out of that is brilliant. Only problem is that I'm thinking about my information theory lessons and going "this feels bad". So I emailed my GP, my MP, and I got the pro forma response. So I did the worst possible thing I could do: I stopped drinking for two days and I dusted off the other brain cell and I came up with this. I decided to be a smart ass about it. So what I pointed out was that you can de-anonymise, well, you can find out who somebody is with only four or five pieces of information. If you know someone is 59, male, from Leeds, and their job, you are 90% of the way there to figuring out who they are. And of course this data will be available in social media-driven data sets that you could purchase from a data broker, and in the medical records whether they are anonymised or not, and obviously Google and so on do this all the time to follow what you're doing all over the internet. Problem is, when I came to write this presentation I couldn't remember what any of that means, so I asked ChatGPT and it agreed with me. So bear in mind also this was two years ago, so it was before the whole AI fad kicked off. So if you started now just saying "oh, we've got these two big data sets, AI AI AI AI", they would probably listen to you a lot easier. But without using those words, essentially it's very simple for a data scientist to mash these two data sets together, and what happens? You go to your GP complaining of angina. What goes along with angina and ischaemic heart disease? Erectile dysfunction. So you're now getting adverts sent to your home IP address for erectile dysfunction medication. Sounds funny, but it really, really isn't. And anyway, I got two pages back from a lord. I felt very, very clever indeed. Obviously I probably wasn't the only complainant, but they basically said "yeah, we're not doing that now" until they can do a couple of things: first, create a trusted research environment, so you can access and manipulate and work on the data but without stealing it and using it to find out who has erectile dysfunction; and they wanted a way for you to rescind consent, so you could retrospectively take your data out of that data set, which obviously means it won't be truly anonymous, but hey, that's something that they'll have to work out. And I'm going to leave it there, because I don't want to encroach on anyone else's time. If anyone has any questions for me, I will probably be hanging around the lockpicking area with my stupid hi-vises, my stupid ID cards, I have lots of them including the fish ones. Feel free to come and say hi if you've got any questions. Thank you.
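The "four or five pieces of information" point in the talk is what a k-anonymity check measures on a data set before it is released. This is an added example, not the speaker's code: constructed clinical and data-broker records carrying the quasi-identifiers the talk names (age, sex, town, job), a check of how many records each combination covers, and how far banding age and dropping job raises that before a broker record can no longer be linked to exactly one patient. The field names, the sample records and the three generalisation levels are assumptions of the example.

```python
"""k-anonymity check on a 'de-identified' clinical extract (added example).
Records are constructed, not real. Quasi-identifiers: age, sex, town, job."""
from collections import Counter

# Generalisation levels (this example's assumption):
#   0 = raw fields, 1 = age banded to decades, 2 = banded age and job dropped
LEVELS = 3

# Constructed "anonymised" clinical extract: names removed, diagnosis kept.
CLINICAL = [
    {"age": 59, "sex": "M", "town": "Leeds", "job": "plumber", "dx": "angina"},
    {"age": 59, "sex": "M", "town": "Leeds", "job": "teacher", "dx": "asthma"},
    {"age": 34, "sex": "F", "town": "Leeds", "job": "teacher", "dx": "migraine"},
    {"age": 36, "sex": "F", "town": "Leeds", "job": "teacher", "dx": "eczema"},
    {"age": 55, "sex": "M", "town": "Leeds", "job": "plumber", "dx": "gout"},
]

# Constructed data-broker records: the same quasi-identifiers plus a name.
BROKER = [
    {"name": "A. Example", "age": 59, "sex": "M", "town": "Leeds", "job": "plumber"},
    {"name": "B. Example", "age": 34, "sex": "F", "town": "Leeds", "job": "teacher"},
    {"name": "C. Example", "age": 36, "sex": "F", "town": "Leeds", "job": "teacher"},
]

def quasi_id(rec, level=0):
    """Quasi-identifier tuple for a record at the given generalisation level."""
    age = rec["age"]
    if level >= 1:
        lo = age - age % 10
        age = f"{lo}-{lo + 9}"
    if level >= 2:
        return (age, rec["sex"], rec["town"])
    return (age, rec["sex"], rec["town"], rec["job"])

def k_anonymity(records, level=0):
    """Size of the smallest equivalence class: the k in k-anonymity."""
    classes = Counter(quasi_id(r, level) for r in records)
    return min(classes.values())

def reidentified(clinical, broker, level=0):
    """Broker names whose quasi-identifiers match exactly one clinical record."""
    classes = {}
    for r in clinical:
        classes.setdefault(quasi_id(r, level), []).append(r)
    hits = {}
    for b in broker:
        matches = classes.get(quasi_id(b, level), [])
        if len(matches) == 1:  # unique match: the diagnosis is now attributable
            hits[b["name"]] = matches[0]["dx"]
    return hits

def minimum_level(records, k):
    """Least generalisation that gives k-anonymity, or None if no level does."""
    for level in range(LEVELS):
        if k_anonymity(records, level) >= k:
            return level
    return None

if __name__ == "__main__":
    for level in range(LEVELS):
        print(f"level {level}: k={k_anonymity(CLINICAL, level)}, "
              f"re-identified={reidentified(CLINICAL, BROKER, level)}")
    print("level needed for k=2:", minimum_level(CLINICAL, 2))
```

At level 0 every broker record links to one patient; banding age alone already breaks every link in this sample even though one class is still unique, which is why the release-side k value, not any particular broker file, is the number to check.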