NHS appraisal toolkit yanked offline

The UK's Department of Health has taken the highly unusual step of suddenly taking a doctors' appraisal website offline for three weeks over concerns it was vulnerable to hacking attacks. The NHS Appraisal Toolkit was taken down on Tuesday (9 February) and is not expected to return until 3 March. The site provides an online …

COMMENTS

This topic is closed for new posts.
  1. David 49

    Quite happy with that

    I know that this must be an annoyance for doctors, but the facts that:

    a) The NHS actually bothered to do a security audit

    b) The auditors found some (I am guessing real) problems

    c) They proactively actually took the site down to prevent loss

    are all good points for once.

    1. Anonymous Coward

      True, But 9 Years?

      It took them 9 years to do said audit. "No evidence of a breach"

      They cleaned up after being there 2 years maybe?

  2. John G Imrie

    10 out of 10

    For the action that they took.

    It's a pity that the NHS couldn't have arranged the audit so that its results wouldn't clash with a high volume period, but that's a minor nitpick considering the actions taken.

    NHS in IT success story.

  3. Anonymous Coward

    no attack has actually

    What they really mean is "no known attack has actually". I hope there was no confidential information held on the site. If it is mandatory that Drs submit data then I suspect there may be a few legal eagles flapping around?

    As with too many things these days there appears to be a failure in the 'duty of care' owed to the Drs when dealing with computers and databases.

  4. Adrian Midgley 1

    I've never even considered using it

    I'm a GP.

    It didn't strike me as useful, and it isn't something I like the approach of.

    Very much another instance of the NHS administration's idea of computers as devices which program people.

  5. Michael Leuty

    No useful purpose

    I'm another GP, and I keep all my appraisal material in a few locally-stored OOo word processor and spreadsheet files. I don't see what uploading the material to a website would add, apart from opportunities for security breaches, and data corruption or loss. So like Adrian I have not used it.

    Your readers will not be surprised to learn that use of this "Toolkit" is to be made compulsory for doctors as soon as our "revalidation" commences.

  6. John Smith 19

    9 years old. OMG does it need IE6?

    OTOH I've never heard of the supplier, so maybe they are one of those niche specialist companies that concentrate on what they are good at.

    It is possible that this is only the *current* security audit that has rung alarm bells and they run these annually. However, if that be the case, running them at the high usage time of year is a bit stupid.

  7. Anonymous Coward

    They didn't say

    They didn't say it's a 9-year-old bug, but it is a 9-year-old system and evidently vulnerable to... well, distributed attack by botnet was less of a risk in 2001. At least, the volume was less.

    Having said that, maybe they're looking at the main modern attack against servers, SQL injection. In which case, whoops. Allowing SQL injection to be possible was already WRONG in 2001.

    And even a 9-year-old Windows server doesn't take three weeks to download all of the critical updates. This is probably a major rewrite against SQL injection, or a rushed migration from an obsolete, insecure component... MS Internet Information Server maybe?

    1. Daniel 1

      Re: They didn't say

      It won't be a 9-year-old server. When I say SCHIN "isn't a company", what I mean is, it's not a company that has to make a profit - which (in the case of government IT) often translates as "Does not understand the concept of loss". It'll be a dedicated Windows 2003 Advanced server, I'd guess.

      As for what's up with it? Well, NHS code is generally piss-poor, so we shouldn't be that surprised. Plain text SQL injection is very likely. Another good NHS wheeze is transferring data in CSV files over unencrypted connections. In fact, I once had one NHS manager tell me they didn't use stunnel because "no one understands it" (and it was perfectly clear that any attempt to understand it would be regarded as, effectively, an admission that you hacked computer systems in your spare time).

  8. Daniel 1

    SCHIN isn't a company

    It's the Sowerby Centre for Health Informatics at Newcastle. They're based in Bede House. It's right by the Tyne Bridge - a semi-commercial, not-for-profit organisation that sprang out of Newcastle Uni.

    As far as the NHS goes, I think it's one of those "lease it back to the company we bought it" arrangements.

  9. Adrian Midgley 1

    They don't say

    what the fault is.

    I always immediately distrust people who don't say what the fault is.

    SCHIN has on the whole been a force for good, but this is a system operated under NHS admin rules.

    Nevertheless, the fault should be named.
