Sophos Plc reports that a 20-year-old Californian kid has been collared for releasing a bug that managed to infect a hospital full of computers - causing massive downtime (and probably risking patients' lives). However, reading through the article, they put all the blame on the kid - who, at the end of the day, could be just a script kiddie - nothing more. I'd be more concerned with the hospital.

  1. They were running exposed Windows machines (poor AV, poor spam filters, missing critical security patches, etc.)
  2. They didn't have their critical systems internally segregated - usually a split subnet with a filtering firewall in between works wonders
  3. Where's their IT Policy? In all probability, someone opened the first email ...