In November last year, a bug was found in the Medefer application, which handles around 1,500 NHS (UK National Health Service) patients a month. According to the BBC, the flaw left patient data exposed to attackers, and the software engineer who discovered it says it had existed for at least six years. Medefer says it has no evidence that the vulnerability existed for that long and that no patient data was compromised. The company states that the bug was fixed within days of its discovery. An NHS spokesperson said it was taking note of the concerns raised about Medefer and would take the necessary action.
Medefer's system allows patients to book virtual appointments with doctors, who have access to the associated clinical data. The engineer who discovered the vulnerability said that the APIs Medefer used were not properly secured and could be reached by malicious third parties, giving them access to patient information. The engineer also accuses Medefer of not acting appropriately once the vulnerability was reported. "I've worked in organizations where, if something like this happened, the whole system would be shut down immediately," he said, adding that an external cybersecurity specialist should have been called in to investigate the problem, which Medefer failed to do.
The company, for its part, says that an external security firm has analysed the problem and that the data is safe. This was confirmed by the company's founder, Bahman Nedjat-Shokouhi, who said that the fix was released within 48 hours of the vulnerability being discovered. He also says the claim that the bug gave access to large amounts of patient data is false. "We take our duties to patients and the NHS very seriously. We have regular external security audits of our systems, on several occasions annually."
Because Medefer handles highly sensitive patient data, such as medical records, cybersecurity experts who analysed the case presented by the software engineer point out that NHS data was not as secure as it should have been, and that external cybersecurity experts should have been called in immediately to establish the true scale of the problem.
The original article via Sapo24 can be read here.