GP sites don't typically ask for patient data (and should not, given the budget they are purchased on), they're usually sites with opening times, a few paras about the GPs etc - if they do ask for patient data it would be by giving a link to a booking system off-site typically, I'm sure you could find an exception, but most of them are fairly harmless. The sites are not exclusively https either - anyone handling patient data should be, that's also a serious flaw if you're going to start talking about sensitive data being transferred.
I'm not sure that surgeries would ever be able to adequately protect patient data on their own sites, so they mostly use externally purchased systems and the NHS provided IT for handling that (from what I know second hand from people in the NHS, I don't work there) - those are separate systems from their brochure websites, which are typically bought from and hosted at some low-budget shop which churns out WP/drupal/PHP sites for £100 a pop and would hopefully have the sense to advise surgeries never to collect private patient data on their website.
The biggest problem here is that these sites have no business being subdomains of nhs.uk, and should be on something else like gp.uk or whatever, and the NHS should make it crystal clear that no patient data touches an informational site (to patients and GPs). It's either that or they need to set up a secure CMS which all GPs/Hospitals can use for their brochure sites, but that's likely to be a big budget project and is of questionable value.
You could say the same of most hospital websites - they will not be secure as they are fire-walled from the actual patient data, and thus it is less of a priority to keep them secure. Sure it's not nice if they are hacked, but it is not as important as what happens to patient data.
The biggest problem here to my mind is that these sites have no business being subdomains of nhs.uk, and should be on something else like gp.uk or whatever, and the NHS should make it crystal clear that no patient data touches an informational site (to patients and GPs).
I think it's the "making crystal clear to patients" part that is important here, because if GPs don't have sufficient security and their sites are compromised, what they were supposed to do with those sites no longer matters.
The idea that there can be privileged domains like nhs.uk where unmaintained and potentially insecure sites are hosted and no-one even knows who's responsible for them is genuinely quite shocking. What next, file your tax return with izurrevenewzuncustomz.gov.uk (t/a HMRC Ltd)?
It's less shocking when you recognise that these are simply sites to tell patients when surgeries are open etc. As I said, you can say exactly the same about other informational sites too like hospitals, universities, etc:
It would not surprise me to find similar vulnerabilities in all of those picked at random, given the budget they are typically run on.
I agree it's far from ideal and a situation they should sort out given these are hosted on .nhs.uk, particularly as we move more and more of our lives online, there need to be clear rules about which sites are secured and safer and which are less important.
It's less shocking when you recognise that these are simply sites to tell patients when surgeries are open etc
The question is, do patients realise that, or will they tend to assume that because a site is part of the privileged .nhs.uk hierarchy, it is properly run by the NHS?
The real problem here is about trust, specifically about what should or should not appear trustworthy to patients because it is or isn't really. Given the increasing moves to do things like making appointments on-line, the much-reported efforts to share sensitive health data more widely, and the ever-changing sources of information and ways to contact the NHS, it seems to me that it is long past time these issues were resolved. IMHO it has to be done properly and from the top to have sufficient credibility and enforcement.
For appointments, just as an example, I believe EMIS and others offer their own separate systems and apps for this and also provide hosted sites. No idea if they are more secure but that's where the important data lives, on systems like that, not on these WordPress sites. There are 2-3 that almost all GPs use, not sure on hospitals.
I do agree with most of what you're saying though, and this is far from an ideal situation. Probably a central system makes most sense long term but gov seems unable (or more recently unwilling) to deliver.
And my XSS replaces the page with something that looks like an appointments system, the average person has no way of knowing that they shouldn't trust this. There's certainly none of the usual indicators.
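A defender-side check prompted by the point above about a script injected into a brochure site being dressed up as an appointments form. This is an added example, not code posted by any commenter nor anything from the NHS or a GP site supplier; the two header sets are constructed samples, not responses captured from any nhs.uk host. It reads the response headers a site returns and lists the gaps that let injected content pass for the real thing: plain HTTP with no HSTS, no Content-Security-Policy (or one that still permits inline script), no `form-action` limit on where an injected form can post, and no framing restriction.

```python
"""Header posture check for informational (brochure) sites.

Given the scheme a page was fetched over and its response headers, report the
missing controls that would otherwise limit what an injected script or form
could do.  Works entirely offline on constructed sample headers.
"""
from __future__ import annotations


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [source tokens]}.

    Directives are separated by ';', each is a name followed by its sources.
    Keyword sources keep their quotes ('self', 'unsafe-inline') as browsers see them.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def script_policy_blocks_inline(policy: dict[str, list[str]]) -> bool:
    """True when the policy forbids inline <script> blocks and event handlers.

    script-src governs scripts; default-src is the fallback when it is absent.
    Inline script is blocked unless 'unsafe-inline' is listed (nonces and
    hashes whitelist specific blocks, but an injected one still fails).
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


def assess(scheme: str, headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means none of the checked gaps."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    if scheme.lower() != "https":
        findings.append("served over plain HTTP: page can be altered in transit "
                        "and the browser shows no padlock")
    if "strict-transport-security" not in h:
        findings.append("no HSTS: returning visitors can still be served over HTTP")

    csp_raw = h.get("content-security-policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp_raw:
        findings.append("no Content-Security-Policy: an injected script runs "
                        "with the full privileges of the page")
    elif not script_policy_blocks_inline(csp):
        findings.append("CSP permits inline script: it will not stop a "
                        "reflected or stored XSS payload")
    if "form-action" not in csp:
        findings.append("no form-action directive: an injected form can submit "
                        "entered details to any host")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing restriction: page can be embedded inside a "
                        "look-alike site")
    return findings


# Constructed samples (not real responses from any host).
WEAK_SITE = ("http", {
    "Server": "Apache",
    "X-Powered-By": "PHP/5.6",          # hypothetical version string
    "Content-Type": "text/html",
})
HARDENED_SITE = ("https", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "form-action 'self'; frame-ancestors 'none'"),
    "Content-Type": "text/html",
})

if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(f"{label}: {len(assess(scheme, headers))} finding(s)")
        for line in assess(scheme, headers):
            print("  -", line)
```

The check is deliberately header-only: it says nothing about whether the underlying CMS is patched, but a site that fails all five findings is exactly the kind of page on which a single injection can be turned into a convincing fake booking form.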