Software bug at firm left NHS data 'vulnerable to hackers'

Source: bbchealth

The NHS is looking into claims that a software flaw at Medefer left patient data vulnerable.

The NHS is "looking into" allegations that patient data was left vulnerable to hacking due to a software flaw at a private medical services company. The software engineer who discovered the flaw believes the problem had existed for at least six years.

Medefer says there is no evidence the flaw had been in place that long and stressed that patient data has not been compromised.

In late February the company commissioned an external security agency to undertake a review of its data management systems. An NHS spokesperson said: "We are looking into the concerns raised about Medefer and will take further action if appropriate."

Medefer's system allows patients to book virtual appointments with doctors, and gives those clinicians access to the appropriate patient data. However, the software bug, discovered in November, made Medefer's internal patient record system vulnerable to hackers, the engineer said.

"When I found it, I just thought 'no, it can't be'."

The problem was in bits of software called APIs, which allow different computer systems to talk to each other. The engineer says that at Medefer those APIs were not properly secured, and could potentially have been accessed by outsiders, who would have been able to see patient information.

He said it was unlikely that patient information was taken from Medefer, but that without a full investigation, the company could not have known for sure. "I've worked in organisations where, if something like this happened, the whole system would be taken down immediately," he said.

On discovering the flaw the engineer told the company that an external cybersecurity expert should be bought in to investigate the problem, which he says the company did not do.

Medefer says the external security agency has confirmed that it has found no evidence of any breach of data and that all the company's data systems were currently secure. Medefer said it had reported the issue to the ICO and the CQC, "in the interests of transparency", and that the ICO had confirmed there is no further action to be taken as there is no evidence of a breach.

The engineer, who had been contracted in October to test for flaws in the company's software, left the company in January.

In a statement Dr Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: "There is no evidence of any patient data breach from our systems."

"The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients' data is categorically false."

Dr Nedjat-Shokouhi added: "We take our duties to patients and the NHS very seriously. We hold regular external security audits of our systems by independent external security agencies, undertaken on multiple occasions every year."

Cybersecurity experts, who have looked at information supplied by the software engineer, have expressed their concern. "There is the possibility that Medefer stored data derived from the NHS not as securely as one would hope it would be," said Prof Alan Woodward, a cybersecurity expert at the University of Surrey.

"The database might be encrypted and all the other precautions taken, but if there is a way of glitching the API authorisation, anyone who knows how could potentially gain access," he added.

Another expert pointed out that as Medefer deals with highly-sensitive, medical data, the company should have bought in cybersecurity experts as soon as the problem was identified. "Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable," says Scott Helme, a security researcher.

Medefer was founded in 2013 by Dr Nedjat-Shokouhi, with a goal to improve outpatient care. Since then its technology has been used by NHS trusts across the country.

In a statement the NHS spokesperson said those trusts are responsible for their contracts with the private sector.

"Individual NHS organisations must ensure they meet their legal responsibilities and national data security standards to protect patient data when appointing suppliers, and we offer them support and training nationally on how this should be done."
