November 15, 2016
A Sky News investigation has discovered NHS trusts are putting patients at risk by not protecting their data online.
Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015.
Sky News worked with security experts to find serious flaws in the trusts' cybersecurity, which could be easily exploited by relatively unskilled hackers.
Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts’ emails and passwords, through public searches.
Jennifer Arcuri, co-founder of Hacker House, told Sky News: “I would have to say that the security across the board was weak for many factors.
“Out of date SSLs, out of date software, it was very clear that you could bypass any number of these trusts just by doing the right recon online.
“So if I was an adversary looking to get into any of these trusts or take advantage or change, manipulate or send communications on behalf of a doctor, I could, just because the information was already there.”
Gary Colman, an NHS employee attached to the West Midlands Ambulance Service who conducts penetration testing of trusts, told Sky News: “It’s a game of cat and mouse to be honest.
“It’s ever evolving. And trying to stay on top as both a hacker, an ethical hacker, but also from the point of view of NHS IT teams, is just a huge task.
“We find varying levels of IT security within the NHS, and local government as well. Some organisations are very very secure, others need a little more attention.