A software flaw may have opened a new vulnerability in the NHS. The NHS is now reportedly “looking into” allegations that patient data was left vulnerable due to a software flaw at a private medical services company.
The flaw was found last November at Medefer, which handles 1,500 NHS patient referrals a month. According to the source cited by the BBC, it could have been present for as long as six years, but it has only been escalated now.
The issue lies in the system's APIs: there was reportedly a way of glitching the API authorization to gain access to data. Medefer denies any breach or leaks have taken place.
“The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false,” said Medefer founder and CEO, Dr. Bahman Nedjat-Shokouhi.
Nonetheless, this incident highlights the need for robust defensive mechanisms at every level of your data. This is all the more true given that the NHS and identifiable patient data are among the more highly regulated parts of the online environment.
It also goes to show that cybersecurity measures have to be thorough and all-encompassing; it does not matter how well encrypted your database is if there is a way to push through authentication measures.
What’s next?
As with all similar cases, it is most probable that the current issue will be identified and, if applicable, quickly fixed. As there is currently no evidence any critical information was actually leaked, the impact may be relatively minimal.
We can expect, however, that more regulatory steps will be taken in the coming year to tighten the screws somewhat on this kind of issue. Cybersecurity in the business sector, where failures cause untold thousands of dollars in damage, is one thing. In the public sector, where healthcare and government sit, there has been longstanding pressure to ensure best practices are adhered to.
Well-configured cybersecurity measures, including zero-trust principles governing data access and backed by a disaster recovery plan, are no longer an optional extra but a necessity for organizations moving forward.