Feeds

NHS appraisal toolkit yanked offline

This website is frail and weak

Securing Web Applications Made Simple and Scalable

The UK's Department of Health has taken the highly unusual step of suddenly taking a doctors' appraisal website offline for three weeks over concerns it was vulnerable to hacking attacks.

The NHS Appraisal Toolkit was taken down on Tuesday (9 February) and is not expected to return until 3 March.

The site provides an online database that allowed NHS doctors to prepare for their annual appraisals. The database therefore contains confidential information about all GPs' performance, along with a large amount of named patient data including near diagnosis misses, critical incidents and the like.

www.appraisals.nhs.uk was pulled offline without warning to the 27,000 doctors who use it after a security audit sparked fears that the site was insecure, an NHS statement explains. It stresses that the site takedown is a precautionary move and that no attack has actually taken place.

As part of a routine security check it has been discovered that certain aspects of the electronic NHS Appraisal toolkit, established nine years ago, are not sufficiently robust to withstand modern day hacking. Ministers have immediately instructed that the website is taken offline until the supplier, SCHIN, can address these potential vulnerabilities.

The Department is aware that some of the 27,000 active users of the service will have annual appraisals planned during the period that the system will be suspended and that this will be a matter of concern to them. However, after consulting with the BMA and the RCGP, there was a shared concern to ensure that any level of security risk was dealt with as robustly and as quickly as possible.

There is no evidence of any security breach or loss of data. Given the importance of given the importance of preserving confidentiality of staff and patient information, it is not acceptable to take any risks. The Department of Health is working closely with the supplier to ensure that the service is restored as soon as possible and apologises for any inconvenience this may cause doctors in the meantime. It is hoped that full service can be resumed within three weeks.

A Reg reader and doctor who first told us of the site downtime explained that the site was used by almost all GPs and many hospital doctors, adding that the takedown could hardly have happened at a worse time. "This at a a time when a huge chunk of GPs in particular are due their annual appraisals," he said. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.