Wednesday, April 25, 2007

NHS doctors application website exposes completed application forms

Channel 4 News has just run an exclusive story about the NHS Doctor Application system has been exposing every application form completed by trainee doctors. Victoria McDonald and Ben Cohen discovered this morning what appear to be files containing all the details from the application including name, address, age, religion, sexuality, criminal records (if they had and), and they're references etc on an Internet facing address.

Thus far there is little being said about how it happened, and by that I mean whether it was the system or a person misusing the system. Theoretically speaking, it could be the system itself which creates an extractions from a database of applications, puts them in a file for later delievry to an HR team maybe? The implication being that the system is writing those files to an insecure place, which is poor if it's the case.

The other possibility is that an administrator, for some reason, ran an ad hoc extraction of data, dumped the file somewhere and wasn't thinking. In which case they should probably be disciplined for being a prat, a bit like what happened last year when AOL managed to publish its customer's searches on the Net for everyone to see.

What bothers me most is how - if it was the system - the application managed to get through operational acceptance procedures. Any sysadmin worth his salt would spot a security flaw like that and stop it going live. Having said that, this is a Government IT project in the NHS, so what do I know? I work in the private sector.

Update: Ben Cohen's report here seems to suggest that it was a person that decided to store the information on an external Internet facing server (did they want to do work at home?). The mind boggles at what sort of idiot would do such a thing if that is the case. Didi they hope no one would find it thereby going for the "security by obscurity" principle?

12 comments:

Anonymous said...

Despite all the recent revelations of the incompetence of the smug Patsy this tops them all. The report took my breath away and will surely become big news.I feel so sorry for all the medics. I hope Dizzy will be able to fill us in on more of the detail

Anonymous said...

Mmmmmmm ... and what about identity theft for years to come ?

This is a cock up of huge proportions but will any member of the Government be made to pay??

I cannot remember a Government fall apart so rapidly before..

lilith said...

Britain needs Dizzy

Anonymous said...

I wonder who developed such a system. Not another outsourced project by any chance? Maybe if mature and experience British professionals were engaged to do the work we would have less of these IT problems. However, cheap, young inexperienced overseas former street beggars are hired to do the work instead.

Anonymous said...

Anonymouse 8.44

Here here.

Anonymous said...

WICKED !!! This is fantastic - do you have more details ???????

I am so glad I applied to have my details kept off the Single Care Register !!!

This needs / wants / would benefit from a far wider audience....

Anonymous said...

perhaps those good chaps at the NHS should have read this.

http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_074142

published today.This is a guide to the methods and required standards of practice in the management of information security for those who work within or under contract to, or in business partnership with, NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice.

Chris Paul said...

Seems pretty crap. But then again most of this information (not sexuality and CR) is already in the public domain in a little directory of names, numbers, addresses, quals etc of ALL doctors in the UK. Readily available.

How many people had downloaded the DB? (a) before the publicity? (b) after? I suspect the numbers are (a) next to none and (b) hopefully none because the media aren't twats and got the site taken down ahead of running it.

dizzy said...

I can't believe you just said that Chris, don't be such a tit, this a major information security breach of catastrophic incompetence. It's not about what informatiion is in the public domain already, there is the id theft consideration to be had, plus the data protection breaches. Trying to play this down as insignificant is complete crap.

Chris Paul said...

Sorry Dizzy

I'm not saying it's insignificant. When I said "Seems pretty crap" I didn't mean the story. I meant the ICT skills in the NHS Training set up.

But what is the quantum of damage? How long was this stuff online and how many people accessed it that should not have. This information should be obtainable from the server(s) should it not?

As a sometime Equal Opps professional (many years ago) it is significant to me that information such as sexuality and religion (relevant for deciding who gets training contracts? I don't think so) and probably race and ethnicity and age and all sorts of other EO no nos are in the same part of the DB as the names and quals.

It seems to me a fair question to ask:
"How bad is this?"

Which is not the same as saying it's nothing.

Perhaps I should have been clearer. But this is only a blog comment. I am liking the use of "tit" on this civilised blog btw, rather than the impolitenesses of others on the blogright.

Incidentally when I was a student (for an awfully long time) I had a lot of mates who were medics and the "system" for allocating training jobs has always been shitty and haphazard.

Sometimes trying to drag something intrinsically bad into a better place is going to take a few tries. It's not like direct govt projects are the only ones to get ICT wrong or expose data is it?

The recent Building Society instance was - it seems from reports - far, far worse in quantum and mistakes than this one.

Best w

Chris "Tit" Paul

dizzy said...

Tit is term of endearment, and who said this was civilised blog?

Chris Paul said...

Fair enough. This is a proper monsterly uncivilised blog. Comment withdrawn!

Another thing though. This breach was known about from 9am and the Information Commissioner was told first. Channel 4 do not reveal when they were told. But I think it's safe to say this was soon after the enquirer at the IC was rebuffed with "not much we can do".

Then Channel 4 say:

At 4.35pm we told the Department of Health. The chair of the British Medical Association's Junior Doctors Committee also called the department - at 5.05 they closed the breach - it took them just half an hour.

So this is let's say seven hours - perhaps 90% of the time that this thing was open - that C4 did not get it fixed. Did they believe this was very low risk or they were prepared to let this run for a few hours to beef up their story?

At least they got it fixed before running the story.

Should Channel 4 pay for the ongoing costs of any breaches in the c seven hours when they had the story but didn't close the breach?

Favourite bugbears:

1. - media and "experts" not giving any real indication of risk or proportion. Especially round medicine and science.

2. - media or injured parties rushing to publish and making things worse in a cavalier way.