Feeds

NHS appraisal toolkit yanked offline

This website is frail and weak

Website security in corporate America

The UK's Department of Health has taken the highly unusual step of suddenly taking a doctors' appraisal website offline for three weeks over concerns it was vulnerable to hacking attacks.

The NHS Appraisal Toolkit was taken down on Tuesday (9 February) and is not expected to return until 3 March.

The site provides an online database that allowed NHS doctors to prepare for their annual appraisals. The database therefore contains confidential information about all GPs' performance, along with a large amount of named patient data including near diagnosis misses, critical incidents and the like.

www.appraisals.nhs.uk was pulled offline without warning to the 27,000 doctors who use it after a security audit sparked fears that the site was insecure, an NHS statement explains. It stresses that the site takedown is a precautionary move and that no attack has actually taken place.

As part of a routine security check it has been discovered that certain aspects of the electronic NHS Appraisal toolkit, established nine years ago, are not sufficiently robust to withstand modern day hacking. Ministers have immediately instructed that the website is taken offline until the supplier, SCHIN, can address these potential vulnerabilities.

The Department is aware that some of the 27,000 active users of the service will have annual appraisals planned during the period that the system will be suspended and that this will be a matter of concern to them. However, after consulting with the BMA and the RCGP, there was a shared concern to ensure that any level of security risk was dealt with as robustly and as quickly as possible.

There is no evidence of any security breach or loss of data. Given the importance of given the importance of preserving confidentiality of staff and patient information, it is not acceptable to take any risks. The Department of Health is working closely with the supplier to ensure that the service is restored as soon as possible and apologises for any inconvenience this may cause doctors in the meantime. It is hoped that full service can be resumed within three weeks.

A Reg reader and doctor who first told us of the site downtime explained that the site was used by almost all GPs and many hospital doctors, adding that the takedown could hardly have happened at a worse time. "This at a a time when a huge chunk of GPs in particular are due their annual appraisals," he said. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.