From the very late 1990s up until the time I retired, I worked in an office. I chose a different career path that involved sitting in front of a computer doing things with other computers and servers for the British healthcare system: the NHS.
Post 4 covered backups and servers. Servers are the computers that hold all of the information and programmes; backups are copies of the data stored away in case anything goes wrong.
This post covers mandatory training, user education and the outbreak of Covid-19: a difficult time for us all. We were dealing with 16,000+ users who had no clue about security or IT. Why would they? They’re nurses, doctors, cleaners, canteen staff etc. They didn’t come to work to learn about IT; they came to treat people, clean things, make people better.
Security? What’s that?
That was usually the question we were asked when we pointed out to a user that they shouldn’t be using the same account to access the Patient Records system. “Security and accountability” was what we normally said, and it was almost always met with a blank stare from the user.
When we discovered that many users were using the same username and password to access services, we decided to try to make some educational material to point out why this was a bad idea. We tried (and eventually succeeded) to incorporate some of it into what was called mandatory training.
Mandatory training was a set of courses and exams that you had to do every year to prove your awareness of certain core skills. It started off with physical courses: groups of people in a lecture room being shown slides about fire & safety etc., but then progressed to an online set of courses, tracked in an online training portal.
We were all supposed to do mandatory training (and we all did in the IT department), but it was somehow missed by the clinical staff in the Hospitals Trust. This was corrected eventually.
By the time I transferred from the Hospitals Trust and spent my final five years of work in a mainly non-Acute Trust, we had most accounts, such as admin accounts and user accounts, in a good place in terms of security. We had policies in place so that you were unable to do anything administrative on your desktop, and we had web and email filtering in place that would stop most nasties from entering the network. Our firewalls had been hardened to the point at which only the specific active traffic could go in or out (that was an onerous task – stripping out all the old legacy firewall rules), and we had strict policies around what you could connect to the network.
We were also moving towards Office 365 for our email provider (and later other O365 services), letting Microsoft handle the nasties for us, as they did for our desktops and servers with Defender. We had disk-based backups and we had very few physical servers (we kept one physical domain controller, just in case!). Life was looking a lot better for the IT department, but what of the user?
Education, education, education
We still had to educate the users. In the last Trust I worked in before retirement reared its lovely head, we had permission from management to create a new team specifically to promote user awareness of “IT issues”. They produced a whole range of media – videos, slides and posters – based around the security issue of the day: laptop security, verbal security (data protection) and so on. We deployed many desktop wallpapers to users’ devices, the “Have you had a scam email?” kind of thing. The Trust intranet was full of little “tips and tricks to keep you safe online” and we used the corporate email system to email flyers to users.
Mandatory training now included a lot of training information based around the user’s responsibility for data. Not only email viruses or online scams, but also data protection, to prevent information from being stored on your laptop, for example. There was a dedicated data protection officer, who would deal with data protection issues if there had been a breach. An example of this would be that users would sometimes send emails containing patient information to the wrong recipient, as they hadn’t checked the address to which they were sending. This would invariably be reported as a breach and the data protection officer would get involved to see if any data damage had occurred. This one also used to hold his head in his hands on the odd occasion.
We produced a lot of media (mostly videos) for self-help, in an attempt to reduce the number of calls to our service desk. We’d set up and video a scenario where a user had forgotten their password and wanted to get a new one. We’d video the user using password reset software on their laptop (we’d deployed that as a self-help tool), answering their security questions and getting a new password. We’d then post that up on the training site and the intranet for the user to view.
Until it was pointed out that the user couldn’t log in to see it. OK, phone the helpdesk!!
Basically, we did everything we could to educate the users. The service desk received a lot of calls from frustrated users who couldn’t perform certain tasks on their laptops or desktops. More so around patching time, of course – but this did get better as users got used to the “new ways of working”. We used to sift through the calls logged on the service desk once a month and produce more training material and self-help guides for prominent issues.
I’ve been scammed!
After all that, on the odd occasion, a user would still succumb to a scam email. We would run benign simulations – once a year for the Cyber Essentials Plus qualification at a minimum. I would craft a DHL delivery email or something similar (depending on what scams were around at the time) and link the “scammy” bits to a page on our intranet. Should the user succumb to “the scam”, their name would be logged and they would be directed to the page that politely told them that this was a test, which then directed them to scam recognition videos. We would individually contact the users who had failed the scam test and gently guide them towards the educational material.
But still it happened. It was actually quite heart-breaking to learn that a nurse had been scammed out of several thousand pounds. Most of them got their money back eventually, but still.
Covid-19
I feel I have to mention Covid-19 and lockdown.
Lockdown meant this:
- If you were clinical, you stayed at work.
- If you were non-clinical, you stayed at home.
The clinical users weren’t an issue, as they used the equipment they had always been using at work.
The non-clinical staff, however, were a big problem at the time.
We had a remote access system. It was secure and wouldn’t allow you to access anything other than work systems. There were directives in place at the time from NHS England in London about this. Very few people used it. Before March 2020, if you were working, you went to work. In person. Some people who had laptops would sometimes work from home using the remote access system. But generally speaking, most people came to work.
Then after March 2020, we were all told to go home.
The Trust I was working in was mainly non-clinical admin staff. Some had laptops. They all went home and tried to access the remote access system, mostly all at the same time. It did not cope well! We’d never had more than around 60 people at a time on it, and most of those were people who had just turned their laptop on and left it on (we could log the activity), so there was no real load to speak of.
Post March, about 1000 people tried to log on. All at the same time.
The upshot was that, although it was supposed to be designed for 2000 concurrent connections, a combination of network bandwidth, routing and full-tunnelling clients dragged it down, so it would barely support 100 at best.
In the meantime, some people who had to go home didn’t have laptops. So we had to try to procure laptops, image them with our software and get them to remote users. That was a big task (not mine, thankfully) in itself. Meanwhile, the consultant engineers and I were redesigning the remote access system to become a bit more usable and support the number of users it was supposed to. That also took a bit of time, but through prudent re-cabling, re-routing and an incoming network link upgrade, we got there.
It was very rushed (for good reason), but we got through it. We learned a lot about users’ network connections (“it’s very slow”, “I can’t download this 400Mb Excel file”, “my 6Gb video won’t play on my 128Kb broadband connection”, “my Wi-Fi won’t work in my garden”), and of course, we tried to educate the users.
We also changed policies to permit users who were connected in to use their own network connection at home to access certain services, such as O365 and some clinical supplier sites that had internet portals (called split-tunnelling). NHS England relaxed their rules around full tunnelling due to Covid, so we implemented split-tunnelling as soon as we were able to. This helped a lot with the network traffic situation, and we kept it under control using Microsoft Defender to filter the web activity on the users’ devices. Although the user could browse to an internet site without routing through the remote access system, we filtered it quite aggressively.
At the point at which I retired, I’d just designed and implemented a test remote system to enable users to use any device to access a virtual desktop safely and securely, instead of having to use corporate devices. This meant that no matter what device you used (phone, tablet, laptop, desktop etc.), it didn’t have to be connected to any of our systems; it could tunnel through the internet to our remote terminal system instead. That way, all traffic in that terminal session was controlled by the Trust and didn’t touch the user device at all.
Progress.
Summary
- Most users weren’t aware of security, particularly user account security.
- A lot of time was invested in trying to educate users. As time went on, threats became more prevalent, so we attempted to educate users through media and email flyers.
- A security element was introduced in the mandatory training that users had to do once a year.
- We created a bespoke team of people to specifically educate users in many aspects of IT.
- Covid-19 was a busy time for a lot of people, including us!
- Covid-19 forced us to look at our systems and improve them, very quickly!
What we’ve covered so far…
(Post 1) How an IT Department is Financed in the NHS
(Post 2) Windows Updates
(Post 2) Network security
(Post 2) User device security
(Post 3) Account security
(Post 3) The administrators
(Post 3) User account management
(Post 3) The auditors
(Post 3) Sysadmins
(Post 4) Backups
(Post 4) Virtual vs physical
(Post 5) Security? What’s that?
(Post 5) Education, education, education.
(Post 5) I’ve been scammed!
(Post 5) Covid-19