Up to 90% of the Ministry of Health’s 2,000 PCs remain cut off from the internet, due to fears of a reinfection by a persistent worm.
Just 200 PCs currently have internet access. For the remainder, access has been denied for the foreseeable future.
“We’re choosing not to put a date on internet access,” says Alan Hesketh, deputy director general of the information directorate. “We don’t want to risk having a piece of the worm hibernating.”
The reaction of staff to the situation can be judged by an “advertisement” posted recently on the Ministry of Health’s internal buy and sell notice board: “Third-world organisation sought to donate air conditioning and computer systems to New Zealand Ministry of Health. Any contributions gratefully received.”
The ministry was infected by Downadup over Christmas, with variant B of the worm. Hesketh says the worm is now up to variant E in the wild. And it hasn’t yet delivered any significant payload. It’s thought the malware comes from the Ukraine.
One of the difficult problems to manage is the mobility of many of the staff. Hesketh says his IT team is detecting people bringing in laptops and USB sticks with the worm on them. This is being done by a combination of software and monitoring.
“We’re confident we are detecting and eliminating it, but if we tighten up security too much we are going to stop people working effectively.”
The ministry is also reviewing security policies.
It has a mixture of operating systems and Hesketh says the age of some of them – NT is one – means that patches don’t always work.
“We’re taking a careful look at the priority of patches. The Microsoft patch for the worm was an out-of-sequence patch.
“In almost all cases, we’ve brought the operating systems up to service patch levels.”
For some time the ministry has had an on-going programme in place to update its systems, he says.
Last year, the ministry outsourced its datacentres to Unisys. “We’re in the process of implementing new hardware from IBM and Sun into the datacentres,” Hesketh says. “We’re upgrading the servers.
“There is a significant refresh of infrastructure and that has exposed the weaknesses of the system.”
As is happening with all government departments, projects are subject to a line-by-line review with the minister.
“We have to prove value for money,” Hesketh says.
“We’re quantifying the cost [of the worm]. It’s significant, but it has brought forward some of the work we were going to do later this year.”
Hesketh has a warning for other CIOs: “They need to know that the worm doesn’t need the Windows vulnerability to attack.
“It has other methods of spreading that don’t need that vulnerability. For example, an MP3 player will do it.”