Ben Morris
Publisher, corporate technology
Image caption: Medefer manages around 1,500 referrals per month
The NHS is looking into allegations that patient data was left vulnerable to hacking because of a software flaw at a private medical services company.
The flaw was found last November at Medefer, which manages 1,500 NHS patient referrals per month.
The software engineer who discovered the flaw believes the problem had existed for at least six years.
Medefer says there is no evidence the flaw was in place for that long and stressed that patient data has not been compromised.
The flaw was fixed a few days after it was discovered.
At the end of February, the company commissioned an external security agency to carry out a review of its data management systems.
An NHS spokesperson said: “We are looking into the concerns raised about Medefer and will take further action if necessary.”
The Medefer system allows patients to book virtual appointments with doctors and gives those clinicians access to the relevant patient data.
However, the software bug, discovered in November, left Medefer’s internal patient files vulnerable to hackers, the engineer said.
The software engineer, who does not want to be named, was shocked by what he found.
“When I found it, I just thought ‘no, it can’t be’.”
The problem lay in pieces of software called APIs (application programming interfaces), which allow different IT systems to talk to each other.
The engineer says that at Medefer these APIs were not properly secured and could have been accessed by outsiders, who could then have seen patient information.
He said that it was unlikely that the information on patients was taken from Medefer, but that without a complete investigation, the company could not have known with certainty.
“I worked in organizations where, if something like that was happening, the whole system would be immediately,” he said.
On discovering the flaw, the engineer told the company that an external cybersecurity expert should be brought in to investigate the problem, which he says the company did not do.
Medefer said the external security agency had confirmed it found no evidence of a data breach and that all of the company’s data systems were currently secure.
It says the process of investigating and fixing the API flaw was “extremely open”.
Medefer said it had reported the matter to the ICO (Information Commissioner’s Office) and to the CQC (Care Quality Commission) “in the interest of transparency”, and that the ICO had confirmed there was no further action to take because there was no evidence of a breach.
The engineer, who had been contracted in October to test the company’s software for faults, left the company in January.
In a statement, Dr. Bahman Nedjat-Shokouhi, founder and CEO of Medefer, said: “There is no evidence of a breach of patient data in our systems.”
He confirmed that the flaw was discovered in November and that a fix had been developed within 48 hours.
“The external security agency said that the allegation that this flaw could have given access to large amounts of patient data is categorically false.”
The security agency will conclude its review later this week.
Dr. Nedjat-Shokouhi added: “We take our duties to patients and the NHS very seriously. We have regular external audits of our systems by independent external security companies, several times each year.”
Image caption: Huge amounts of medical data must be shared between doctors and hospitals
Cybersecurity experts who reviewed the information provided by the software engineer expressed concern.
“There is the possibility that Medefer has not stored data derived from the NHS as securely as we would hope,” said Professor Alan Woodward, a cybersecurity expert at the University of Surrey.
“The database may be encrypted and all other precautions taken, but if there is a way to bypass the API’s authorisation, then anyone who knows how could potentially gain access,” he added.
Another expert pointed out that, as Medefer processes highly sensitive medical data, the company should have brought in cybersecurity experts as soon as the problem was identified.
“Even if the company suspected that no data had been stolen, when faced with a problem that could have caused a data breach, particularly given the nature of the data in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable,” said security researcher Scott Helme.
Medefer was founded in 2013 by Dr. Nedjat-Shokouhi, in order to improve ambulatory care. Since then, its technology has been used by NHS Trusts across the country.
In a statement, the NHS spokesperson said that these trusts were responsible for their own contracts with the private sector.
“Individual NHS organizations must ensure that they meet their legal responsibilities and their national data security standards to protect patient data during the appointment of suppliers, and we offer them national support and training on how it should be done.”