Software bug at firm left NHS data ‘vulnerable to hackers’ | EUROtoday
Editor, Technology of Business

The NHS is “looking into” allegations that patient data was left vulnerable to hacking because of a software flaw at a private medical services company.
The flaw was discovered last November at Medefer, which handles 1,500 NHS patient referrals a month.
The software engineer who found the flaw believes the problem had existed for at least six years.
Medefer says there is no evidence the flaw had been in place that long and stressed that patient data has not been compromised.
The flaw was fixed a few days after being discovered.
In late February the company commissioned an external security agency to undertake a review of its data management systems.
An NHS spokesperson stated: “We are looking into the concerns raised about Medefer and will take further action if appropriate.”
Medefer’s system allows patients to book virtual appointments with doctors, and gives those clinicians access to the relevant patient data.
However, the software bug, found in November, made Medefer’s internal patient record system vulnerable to hackers, the engineer said.
The software engineer, who does not want to be named, was shocked by what he uncovered.
“When I found it, I just thought ‘no, it can’t be’.”
The problem was in pieces of software called APIs (application programming interfaces), which allow different computer systems to talk to one another.
The engineer says that at Medefer these APIs were not properly secured, and could potentially have been accessed by outsiders, who would have been able to see patient information.
He said it was unlikely that patient information was taken from Medefer, but that without a full investigation, the company could not have known for sure.
“I’ve worked in organisations where, if something like this happened, the whole system would be taken down immediately,” he stated.
On discovering the flaw the engineer told the company that an external cybersecurity expert should be brought in to investigate the problem, which he says the company did not do.
Medefer says the external security agency has confirmed that it has found no evidence of any breach of data and that all the company’s data systems were currently secure.
It says the process of investigating and fixing the API flaw was “extremely open”.
Medefer said it had reported the issue to the ICO (Information Commissioner’s Office) and the CQC (Care Quality Commission), “in the interests of transparency”, and that the ICO had confirmed there is no further action to be taken as there is no evidence of a breach.
The engineer, who had been contracted in October to test for flaws in the company’s software, left the company in January.
In a statement Dr Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: “There is no evidence of any patient data breach from our systems.”
He confirmed that the flaw had been found in November and a fix was developed within 48 hours.
“The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false.”
The security agency will complete its review later this week.
Dr Nedjat-Shokouhi added: “We take our duties to patients and the NHS very seriously. We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year.”

Cybersecurity experts, who have looked at information supplied by the software engineer, have expressed their concern.
“There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope it would be,” said Prof Alan Woodward, a cybersecurity expert at the University of Surrey.
“The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access,” he added.
Another expert pointed out that as Medefer deals with highly sensitive medical data, the company should have brought in cybersecurity specialists as soon as the problem was identified.
“Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable,” says Scott Helme, a security researcher.
Medefer was founded in 2013 by Dr Nedjat-Shokouhi, with the aim of improving outpatient care. Since then its technology has been used by NHS trusts across the country.
In a statement the NHS spokesperson said those trusts are responsible for their contracts with the private sector.
“Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done.”
https://www.bbc.com/news/articles/c5yxv7wylz7o