Software bug at firm left NHS data 'vulnerable to hackers'


Ben Morris

Editor, Technology of Business


Medefer handles about 1,500 referrals a month

The NHS is "looking into" allegations that patient data was left vulnerable to hacking due to a software flaw at a private medical services company.

The flaw was found last November at Medefer, which handles 1,500 NHS patient referrals a month.

The software engineer who discovered the flaw believes the problem had existed for at least six years.

Medefer says there is no evidence the flaw had been in place that long and stressed that patient data has not been compromised.

The flaw was fixed a few days after being discovered.

In late February the company commissioned an external security agency to undertake a review of its data management systems.

An NHS spokesperson said: "We are looking into the concerns raised about Medefer and will take further action if appropriate."

Medefer's system allows patients to book virtual appointments with doctors, and gives those clinicians access to the appropriate patient data.

However, the software bug, discovered in November, made Medefer's internal patient record system vulnerable to hackers, the engineer said.

The software engineer, who does not want to be named, was shocked by what he uncovered.

"When I found it, I just thought 'no, it can't be'."

The problem was in bits of software called APIs (application programming interfaces), which allow different computer systems to talk to each other.

The engineer says that at Medefer those APIs were not properly secured, and could potentially have been accessed by outsiders, who would have been able to see patient data.

He said it was unlikely that patient information was taken from Medefer, but that without a full investigation, the company could not have known for sure.

"I've worked in organisations where, if something like this happened, the whole system would be taken down immediately," he said.

On discovering the flaw the engineer told the company that an external cybersecurity expert should be bought in to investigate the problem, which he says the company did not do.

Medefer says the external security agency has confirmed that it has found no evidence of any breach of data and that all the company's data systems were currently secure.

It says the process of investigating and fixing the API flaw was "extremely open".

Medefer said it had reported the issue to the ICO (Information Commissioner's Office) and the CQC (Care Quality Commission), "in the interests of transparency", and that the ICO had confirmed there is no further action to be taken as there is no evidence of a breach.

The engineer, who had been contracted in October to test for flaws in the company's software, left the company in January.

In a statement Dr Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: "There is no evidence of any patient data breach from our systems."

He confirmed that the flaw had been discovered in November and a fix was developed in 48 hours.

"The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients' data is categorically false."

The security agency will complete its review later this week.

Dr Nedjat-Shokouhi added: "We take our duties to patients and the NHS very seriously. We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year."


Huge amounts of medical data have to be shared among doctors and hospitals

Cybersecurity experts, who have looked at information supplied by the software engineer, have expressed their concern.

"There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope it would be," said Prof Alan Woodward, a cybersecurity expert at the University of Surrey.

"The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access," he added.

Another expert pointed out that as Medefer deals with highly-sensitive, medical data, the company should have bought in cybersecurity experts as soon as the problem was identified.

"Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable," says Scott Helme, a security researcher.

Medefer was founded in 2013 by Dr Nedjat-Shokouhi, with a goal to improve outpatient care. Since then its technology has been used by NHS trusts across the country.

In a statement the NHS spokesperson said those trusts are responsible for their contracts with the private sector.

"Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done."
