NHS website compromised… That virus might be more than a leaky nose [Update: 'coding error']
Update (12:43): The NHS Choices people have got in touch to clarify that it turns out it’s not a hack – but is coding error. Here’s what they have to say:
“An internal coding error has caused an incorrect re-direct on some pages on NHS Choices since Sunday evening. Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code.
“We are now ‘flushing through’ this correction to ensure that the code on all affected pages is amended and expect this to be completed this afternoon.
“We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked.
“NHS Choices is treating this issue with urgency and once resolved we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence.”
Be careful if you’re looking for health information online this morning as apparently the NHS website has been compromised.
Reddit user Muzzers reports that a whole host of URLs have been hacked to serve up malware or redirect to advertisements – that could leave computers that visit the dodgy pages open to all sorts of nastiness.
What the hackers appear to have done is hide their code in something that looks a lot like normal Google code – referring to googleaspis.com (DON’T VISIT THAT!) and not googleapis.com – the latter of which is actually owned by Google.
So far lots of compromised pages have been identified – so it might be worth avoiding visiting the NHS website for the time being, until they’ve sorted it out.
Apart from the hack, what’s also interesting about this is that it’ll inevitably play into the debate over the plans to open up the NHS’s patient data. The care.data programme is planned to release (pseudonymised) patient data to scientists and research companies so they can research treatments with larger sets of data.
The upshot of this plan is that it should increase the speed at which new treatments are brought to patients – as rather than having only tiny samples on which to judge treatments, they’ll be able to compare across many thousands or millions of people.
The downside, say its critics, is related to what has happened here: do we trust the NHS to keep our data safe? (It will be possible to opt out of the programme).
Whether today’s hack is relevant is a subject for debate. On the one hand – it is worrying that hackers can get access to NHS systems, and it does raise difficult questions about whether we can be sure that the servers holding patient data can remain secure.
On the other hand, perhaps it is more of an issue of optics and how it looks for the NHS’s reputation. For example, it could be argued that the website is merely a “shop window”, with the real important data kept securely. It’s a bit like when Anonymous attacked the CIA website – yes, they took down their public facing pages, but America’s security services were still perfectly able to keep track of their spies and so on.
Either way – this is definitely going to be embarrassing for health minister Jeremy Hunt who, inexplicably, is ultimately in charge of the NHS.
Time to update Norton Antivirus.