You mean...
... this isn't just something else the Tories have flogged off to their mates...?
It seems that organisations using the nhs.uk domain need a generous gulp of medicine and plenty of bed rest after an investigation of the health service's online estate uncovered what appeared to be a worrying hacking epidemic. The Register was alerted by reader David to the fact that a number of NHS websites - including some …
"The HSCIC’s role is to process applications to use the domain name from NHS organisations and provide permission for its use, where appropriate. However, responsibility for the maintenance and security of sites using the nhs.uk domain sits with the organisation running each website or service."
So, HSCIC sees these organisations as separate and responsible for their own IT security. Not occurring to them that the fact they are part of the NHS and perceived as such looks REALLY bad to the general public then? All they'll see is NHS = security nightmare. Which is, err... probably fair enough.
(No, I can't quite believe I just typed that...)
Anyway, to be fair, the NHS is less of a monolithic and cohesive beast than many people think. It's more like a loosely-affiliated herd of organisations all moving in approximately the same direction. Quite often at a glacial pace.
So while standards, policies etc might be centralised, operational responsibility for a lot of things rests with the individual sub-organisation. This includes IT security, whether wards are clean, and the office paperclip count.
In this case, criticising the domain registrar (HSCIC) because of the ineptitude of some NHS web people seems a bit like attacking GoDaddy because someone's .com domain got hacked.
Anon because I'm an NHS web person myself. And I've seen quite a bit of ineptitude at close quarters.
washed their hands, so to speak. In plain English: foxtrot oscar and don't come back, because keeping patients' data secure is NOT our job. Our job is keeping patients' data secure. In all OTHER circumstances. Until they prevail, at which point their job becomes keeping patients' data secure in other other circumstances.
All the individual medical practices are allowed to farm out their "{practicename}.nhs.uk" domains and operation to any Tom, Dick or Harry webfarm.
Code quality and security practices are as you'd expect, and for a while last year it was impossible for swathes of TalkTalk users to make online appointments as the biggest contractor firewalled out IP ranges seemingly at random.