The UK's Department of Health has taken the highly unusual step of suddenly taking a doctors' appraisal website offline for three weeks over concerns it was vulnerable to hacking attacks. The NHS Appraisal Toolkit was taken down on Tuesday (9 February) and is not expected to return until 3 March. The site provides an online …
Quite happy with that
I know that this must be an annoyance for doctors, but the facts that:
a) The NHS actually bothered to do a security audit
b) The auditors found some (I am guessing real) problems
c) They proactively actually took the site down to prevent loss
are all good points for once.
True, But 9 Years?
It took them 9 years to do said audit. "No evidence of a breach"
They cleaned up after being there 2 years maybe?
10 out of 10
For the action that they took.
It's a pity that the NHS couldn't have arranged the audit so that its results wouldn't clash with a high volume period, but that's a minor nitpick considering the actions taken.
NHS in IT success story.
no attack has actually
What they really mean is "no known attack has actually". I hope there was no confidential information held on the site. If it is mandatory that Drs submit data then I suspect there may be a few legal eagles flapping around?
As with too many things these days there appears to be a failure in the 'duty of care' owed to the Drs when dealing with computers and databases.
I've never even considered using it
I'm a GP.
It didn't strike me as useful, and it isn't something I like the approach of.
Very much another instance of the NHS administration's idea of computers as devices which program people.
No useful purpose
I'm another GP, and I keep all my appraisal material in a few locally-stored OOo word processor and spreadsheet files. I don't see what uploading the material to a website would add, apart from opportunities for security breaches, and data corruption or loss. So like Adrian I have not used it.
Your readers will not be surprised to learn that use of this "Toolkit" is to be made compulsory for doctors as soon as our "revalidation" commences.
9 years old. OMG does it need IE6?
OTOH I've never heard of the supplier, so maybe they are one of those niche specialist companies that concentrate on what they are good at.
It is possible that this is only the *current* security audit that has rung alarm bells and they run these annually. However if that be the case running them at the high usage time of year is a bit stupid.
They didn't say
They didn't say it's a 9 years old bug, but it is a 9 years old system and evidently vulnerable to... well, distributed attack by botnet was less of a risk in 2001. At least, the volume was less.
Having said that, maybe they're looking at the main modern attack against servers, SQL injection. In which case, whoops. Allowing SQL injection to be possible was already WRONG in 2001.
And even a 9 year old Windows server doesn't take three weeks to download all of the critical updates. This is probably a major rewrite against SQL injection, or a rushed migration from an obsolete, insecure component... MS Internet Information Server maybe?
Re: They didn't say
It won't be a 9 year old server. When I say SCHIN "isn't a company", what I mean is, it's not a company that has to make a profit - which (in the case of government IT) often translates as "Does not understand the concept of loss". It'll be a dedicated Windows 2003 Advanced server, I'd guess.
As for what's up with it? Well, NHS code is generally piss-poor, so we shouldn't be that surprised. Plain text SQL injection is very likely. Another good NHS wheeze is transferring data in CSV files over unencrypted connections. In fact, I once had one NHS manager tell me they didn't use stunnel because "no one understands it" (and it was perfectly clear that any attempt to understand it would be regarded as, effectively, an admission that you hacked computer systems in your spare time).
SCHIN isn't a company
It's the Sowerby Centre for Health Informatics at Newcastle. They're based in Bede House. It's right by the Tyne Bridge - a semi-commercial, not-for-profit organisation that sprang out of Newcastle Uni.
As far as the NHS goes, I think it's one of those "lease it back to the company we bought it" arrangements.
They don't say
what the fault is.
I always immediately distrust people who don't say what the fault is.
SCHIN has on the whole been a force for good, but this is a system operated under NHS admin rules.
Nevertheless, the fault should be named.