I really enjoyed reading Terence Eden’s blog entry “The Unsecured State Part 3 – 2,000+ NHS Security Vulnerabilities (Disclosed)”. In it, Terence explains step by step how insecure and patchy Britain’s NHS websites are, and how vulnerable they are to hacker attacks. These days, when there is a lot of talk about care.data and the confidentiality of patient records, I think it is an important read. While sadly not surprising, what Terence reports is still shocking.
I am not a programmer so I have only partially understood the technical aspects of the entry, but still it gives a good idea of how much the NHS digital strategy needs to be improved, and it does confirm a lot of concerns that I already had. If you don’t want to read the blog post, or you find it too difficult to read, I will leave here a couple of quotes:
“Many Doctors’ Surgeries in an area will all use the same cheap, private sector contractors to build their site. If there’s a bug in one – that bug is present in hundreds of other sites.”
“I finally heard back from someone senior within the NHS. They explained that the Department of Health has no central control over NHS websites. As a result, sites fall through the cracks as local teams change. Consequently, in many cases there is simply no way to contact the website owners.”
Thank you to J Pilbeam at the University of Oxford, who sent me the link to Terence’s post in the first place.