It is worth pointing out that the majority of these sites do not store patient data or any privileged information; they are informational brochure-type sites for surgeries to show their opening hours or specific health awareness campaigns, hence the lack of interest in centralising or updating them. They could be hacked and defaced I suppose, which wouldn't look so great for the NHS, but they won't be running on NHS servers or controlled by NHS IT. The XSS issue is a real one, and they should probably not allow subdomains of nhs.uk to be used for GP surgeries (the most likely to have terrible websites, as they buy them in themselves).
Patient data is typically held in secure systems like emis etc. run by one of a few large firms which have contracts with the NHS, so not on this sort of informational website.
GP sites don't typically ask for patient data (and should not, given the budget they are purchased on), they're usually sites with opening times, a few paras about the GPs etc - if they do ask for patient data it would be by giving a link to a booking system off-site typically, I'm sure you could find an exception, but most of them are fairly harmless. The sites are not exclusively https either - anyone handling patient data should be, that's also a serious flaw if you're going to start talking about sensitive data being transferred.
I'm not sure that surgeries would ever be able to adequately protect patient data on their own sites, so they mostly use externally purchased systems and the NHS provided IT for handling that (from what I know second hand from people in the NHS, I don't work there) - those are separate systems from their brochure websites, which are typically bought from and hosted at some low-budget shop which churns out WP/drupal/PHP sites for £100 a pop and would hopefully have the sense to advise surgeries never to collect private patient data on their website.
The biggest problem here is that these sites have no business being subdomains of nhs.uk, and should be on something else like gp.uk or whatever, and the NHS should make it crystal clear that no patient data touches an informational site (to patients and GPs). It's either that or they need to set up a secure CMS which all GPs/Hospitals can use for their brochure sites, but that's likely to be a big budget project and is of questionable value.
You could say the same of most hospital websites - they will not be secure as they are fire-walled from the actual patient data, and thus it is less of a priority to keep them secure. Sure it's not nice if they are hacked, but it is not as important as what happens to patient data.
The biggest problem here to my mind is that these sites have no business being subdomains of nhs.uk, and should be on something else like gp.uk or whatever, and the NHS should make it crystal clear that no patient data touches an informational site (to patients and GPs).
I think it's the "making crystal clear to patients" part that is important here, because if GPs don't have sufficient security and their sites are compromised, what they were supposed to do with those sites no longer matters.
The idea that there can be privileged domains like nhs.uk where unmaintained and potentially insecure sites are hosted and no-one even knows who's responsible for them is genuinely quite shocking. What next, file your tax return with izurrevenewzuncustomz.gov.uk (t/a HMRC Ltd)?
It's less shocking when you recognise that these are simply sites to tell patients when surgeries are open etc. As I said, you can say exactly the same about other informational sites too like hospitals, universities, etc:
It would not surprise me to find similar vulnerabilities in all of those picked at random, given the budget they are typically run on.
I agree it's far from ideal and a situation they should sort out given these are hosted on .nhs.uk, particularly as we move more and more of our lives online, there need to be clear rules about which sites are secured and safer and which are less important.
It's less shocking when you recognise that these are simply sites to tell patients when surgeries are open etc
The question is, do patients realise that, or will they tend to assume that because a site is part of the privileged .nhs.uk hierarchy, it is properly run by the NHS?
The real problem here is about trust, specifically about what should or should not appear trustworthy to patients because it is or isn't really. Given the increasing moves to do things like making appointments on-line, the much-reported efforts to share sensitive health data more widely, and the ever-changing sources of information and ways to contact the NHS, it seems to me that it is long past time these issues were resolved. IMHO it has to be done properly and from the top to have sufficient credibility and enforcement.
For appointments, just as an example, I believe emis and others offer their own separate systems and apps for this and also provide hosted sites. No idea if they are more secure, but that's where the important data lives, on systems like that, not on these WordPress sites. There are 2-3 that almost all GPs use, not sure on hospitals.
I do agree with most of what you're saying though, and this is far from an ideal situation. Probably a central system makes most sense long term but gov seems unable (or more recently unwilling) to deliver.
And my XSS replaces the page with something that looks like an appointments system, the average person has no way of knowing that they shouldn't trust this. There's certainly none of the usual indicators.
So the article focuses on out-of-date WordPress installations; I really think the NHS has wider security implications given the recent admission of uploading their ENTIRE patient database onto Google's servers for ease of deriving statistics ... (http://www.theguardian.com/society/2014/mar/03/nhs-england-p...)
Regarding hesitation about posting the information in the blog post: the author appears to have loosely followed responsible disclosure methods, attempting remediation with the NHS directly before publishing the findings.
NHS, HMRC etc.: the information security of these organizations is lax at best, and downright horrifying; without full disclosure forcing their hand I don't see any change.
This is why full disclosure / responsible disclosure formed in the first place.
It doesn't. I wrote a whole section on non-WordPress vulnerabilities. But, yes, patient facing sites aren't quite as critical as some of the backend stuff.
I spent the last two months trying to contact the people responsible. When I finally did, they said they wouldn't / couldn't do anything :-/
In the 17th century, John Wilkins wrote of his reasons for full disclosure:
If it be feared that this Discourse may unhappily advantage others in such unlawful Courses; ’tis considerable, that it does not only teach how to deceive, but consequently also how to discover Delusions.
but even then he knew there were liability risks that go along with information security research:
...the chiefe experiments are of such nature, that they cannot be frequently practised, without just cause of suspicion, when it is in the Magistrates power to prevent them.
Ignoring some of the obvious conversation points. As a developer I like posts like this and find them very useful.
Information like this demonstrating ways to discover exploits should be more common knowledge. I feel currently attackers have the advantage over developers. More posts like this where security is an open topic can only lead to more secure websites going forward.
As an aside, it's a shame about the political snipe partway through this piece. It might have been a useful citation to give for those of us planning to write to our MPs in light of the recent disclosures, but I imagine making an overtly political statement like that would seriously damage its credibility.
So frustrating it takes this political tone. It's not helpful in the least to label the administration "corrupt" and then expect to be taken seriously. It's not a partisan problem but an institutional one.
I don't know what the situation in the UK is, but it is probably safe to say that, while possibly legally in the right, such a publication is risky in most jurisdictions.
Personally, what I'd do in such a situation is to contact a well-renowned hacker organization with experience in these matters (as for instance the CCC here in Germany) and ask for their assistance.
Alternatively, a tech publishing company could also be the right choice, preferably one with a legal department and experience in these things. He mentions that you should buy the issue of "Computer Active" that contains this article, so he probably took this route.
An interesting point, but if interpreted by the wrong person, using wpscan (which makes a load of requests to the site) could be considered dubious under the CMA (I definitely wouldn't run it against a site which I wasn't authorised to test).
From what I know vulnerability scanning (which is essentially what wpscan does) is a bit of a grey area under UK law.
It's been likened to someone "rattling the windows" of a house. They may be doing it with the intention of notifying the owner that he's left his house unlocked, or they may be doing it to attempt to gain unauthorised access.
The analogy isn't perfect but it's one I'd step carefully on.
I'm UKian and I'm astonished. Having worked in the UK Civil Service, it sounds to me like the person making this decision didn't know what it meant and that it was an actual security issue. Probably they thought it was sort of idly interesting, like speculating how many office computers are still beige. Not that you were listing sites with trusted nhs.uk domains that appear to be easy to hack.
I can assure you that we made it abundantly clear how bad the problem was - including sending links, screenshots, etc. Had phone calls with them where they did sound genuinely concerned.
We spoke to HSCIC who manage .nhs.uk. We also spoke to senior civil servants in the Department of Health. We also contacted people who were listed as the owners - but in many cases were no longer responsible for the sites.
With some, we were able to contact the developers behind the sites. Others just didn't respond.
Basically - no one in the NHS or DoH knows who manages the thousands of .nhs.uk websites. We did our best to contact individual site owners and, where that was impossible, alerted the government directly.
There are currently no financial penalties if a website is compromised as long as the data store which has PHIs (Personal Health Information) is encrypted and the encryption keys are also safe. However, any compromised NHS website would lead to bad publicity and insecurity.
However, any compromised NHS website would lead to bad publicity and insecurity.
And horrendous scope for phishing. Who's going to think twice about entering potentially sensitive information into their GP's web site accessed via a .nhs.uk address? Not most people, I suspect.
I would guess that's an issue even without the nhs.uk address, unfortunately. American doctors' websites don't have an 'official' domain they're under, but some people send information via their local doctor's website anyway. So if you compromise the WordPress install (and it's likely that thousands of American doctors have a vulnerable WordPress install) you could pull in some potentially sensitive information. The main mitigating factor in the U.S. would be that so much stuff is still done on paper and over the phone that many people wouldn't visit the site in the first place.
Like the NHS, American doctors usually don't store actual patient data on the generic CMS they use for hosting the website. If they have an online "patient portal" or "billing portal" it's usually a hosted solution that goes offsite, via a third-party company that provides such services. But it's nonetheless a huge phishing opportunity. Besides a fake contact form, you could also clone the portals, replacing the links from the main site, which are supposed to go off to places like medfusion.net or eclinicalweb.com, with ones that go off to medfusion.yourdomain.net or whatever, and most people will not think twice as long as your cloned site looks vaguely similar. I mean the genuine domains sound halfway like the domains of phishing sites to begin with...
I've noticed a disturbing trend lately of physicians' office portals connecting silently to credit reporting agencies and using information from there for authentication. While I applaud them for trying to reliably authenticate me when I sign in to get blood test results, it's disconcerting to be faced with questions like this:
Which of the following cars have you NOT owned?
- 1999 Ford Explorer
- 2001 Toyota Tercel
- 2008 Audi
- 1996 Hyundai
Along with a few more questions like that one, it's a dead give-away that my doctor's office is connected to a credit reporting agency. I have seen this happening in other places as well; evidently credit reporting agencies recently got into the business of on-line identification and authentication (I&A).