Software Bug at Firm Left NHS Data 'Vulnerable to Hackers'

The National Health Service (NHS) is "looking into" allegations that patient data was left vulnerable to hacking due to a software flaw at a private medical services company, Medefer. The flaw was discovered last November and has raised concerns about the security of sensitive patient information.

Medefer handles 1,500 NHS patient referrals a month in England and provides virtual appointment booking services that allow patients to access their medical records online. However, a software engineer who discovered the flaw believes it had existed for at least six years, leaving patient data exposed to potential hackers.

The Flaw: A Security Nightmare

The software bug was found in the company's APIs (application programming interfaces), which allow different computer systems to communicate with each other. According to the engineer, these APIs were not properly secured, making it possible for outsiders to access patient information without authorization.
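The article does not say what the flaw in Medefer's APIs actually was, so the following is an added illustration, not the company's code and not a reconstruction of its bug. It shows the general failure the paragraph describes: an API handler that returns a patient record for whatever ID appears in the URL, beside a hardened handler that first authenticates the caller and then checks that the caller is entitled to that specific record. All names, tokens and records here are constructed for the example.

```python
"""Added illustration of an unauthorised-access API flaw and its fix.

Not Medefer's code and not the flaw the article describes (those details are
not public). The data below is constructed sample data for the example only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: patient ID -> referral record.
PATIENT_RECORDS = {
    "P1001": {"name": "Patient A", "referral": "cardiology"},
    "P1002": {"name": "Patient B", "referral": "dermatology"},
}

# Constructed session store: bearer token -> the patient it belongs to.
SESSIONS = {
    "tok-alpha": "P1001",
    "tok-beta": "P1002",
}


@dataclass
class Request:
    path: str            # e.g. "/api/patients/P1001"
    headers: dict        # e.g. {"Authorization": "Bearer tok-alpha"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _patient_id_from_path(path: str) -> str:
    """Last path segment is the requested patient ID."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def get_record_insecure(req: Request) -> Response:
    """Weak pattern: the handler never asks who is calling.

    Any request that reaches the endpoint gets the record for whatever ID is
    in the URL, so the database being encrypted at rest does not help; the
    API itself hands the data out.
    """
    record = PATIENT_RECORDS.get(_patient_id_from_path(req.path))
    if record is None:
        return Response(404)
    return Response(200, record)


def authenticate(req: Request) -> Optional[str]:
    """Resolve a bearer token to a user ID; None if missing or unknown."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token)


def get_record_secure(req: Request) -> Response:
    """Hardened pattern: authenticate, then authorise per object.

    1. No valid session  -> 401, nothing is looked up.
    2. Valid session but the record belongs to someone else -> 404.
       404 rather than 403 so the endpoint does not confirm which IDs exist.
    3. Only then is the record read and returned.
    """
    user_id = authenticate(req)
    if user_id is None:
        return Response(401)
    patient_id = _patient_id_from_path(req.path)
    if patient_id != user_id:
        return Response(404)
    record = PATIENT_RECORDS.get(patient_id)
    if record is None:
        return Response(404)
    return Response(200, record)


if __name__ == "__main__":
    anon = Request("/api/patients/P1002", {})
    print("insecure, no credentials:", get_record_insecure(anon).status)   # 200
    print("secure,   no credentials:", get_record_secure(anon).status)     # 401
    own = Request("/api/patients/P1001", {"Authorization": "Bearer tok-alpha"})
    print("secure,   own record:    ", get_record_secure(own).status)      # 200
```

The point of the contrast is the one Prof. Woodward makes below: encryption of the stored data is irrelevant if the API layer will serve a record to a caller it has not authenticated and authorised for that record. The object-level check (`patient_id != user_id`) is the step most often missing in real incidents of this kind, and it is the one an external reviewer would test for first.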

"I just thought 'no, it can't be'," said the software engineer, who wished to remain anonymous. "But when I saw what was there, I knew we had a major problem on our hands." The engineer reported the issue to the company and recommended that an external cybersecurity expert be brought in to investigate, which Medefer did not do at the time.

Medefer's Response

Medefer has stated that there is no evidence of any breach of patient data from its systems. The company says it reported the issue to the Information Commissioner's Office (ICO) and the Care Quality Commission (CQC) in the interests of transparency, and that an external security agency has since confirmed the alleged flaw could not have provided access to large amounts of patient data.

"We take our duties to patients and the NHS very seriously," said Dr. Bahman Nedjat-Shokouhi, founder and CEO of Medefer. "We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year." However, cybersecurity experts have expressed their concern about the lack of action taken by Medefer after discovering the flaw.

Cybersecurity Experts Weigh In

"There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope it would be," said Prof. Alan Woodward, a cybersecurity expert at the University of Surrey. "The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access."

Another expert pointed out that Medefer should have brought in cybersecurity experts as soon as the problem was identified to investigate and confirm whether any data had been compromised. "Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable," said Scott Helme, a security researcher.

NHS Response

An NHS spokesperson stated that individual NHS organisations are responsible for their contracts with private sector suppliers and must ensure those suppliers meet their legal responsibilities and national data security standards to protect patient data. The NHS offers support and training nationally on how this should be done, but the spokesperson did not comment further on the situation.