Department of Health and Connecting for Health security flaws

There seems to be a belief in some parts of the Department of Health that truth in modern-day public communications is passé.

The Department’s Medical Training Application Service for junior doctors was taken out of service soon after Channel Four News showed that doctors could easily see each other’s personal information on the system.

Nowhere on the MTAS website today [27 April 2007] does it say that the site has been taken down to investigate breaches of confidentiality. Instead it says:

“Due to planned essential maintenance work, this site is currently unavailable.” Is this really the truth?

A spokesman for the Department of Health confirmed that the website of the Medical Training Application Service [MTAS] was taken down to investigate the security breaches. He said the message on the website that it was taken down for planned essential maintenance was a standard message.

“We’ve nothing to hide,” he said.

Yes, we replied, but is it correct to say you were taking the website down anyway?

He said that the use of the word “planned” in the website message was true because it did not go down accidentally.

He said the MTAS website is run by an IT company on behalf of the Department of Health. He did not name it. He said he would let us know the reasons for the security breaches when the internal investigation has finished, which he hoped would be “days not weeks”.

Separately Channel Four News alleges that there have been breaches of the confidentiality of personal information on the website of Connecting for Health, an agency that runs the NHS’s National Programme for IT [NPfIT].

A film on alleged breaches of security at the Department of Health and Connecting for Health is today [27 April 2007] the lead item on the Channel Four News website – see “Watch the report”. It’s claimed that in February doctors attended a conference hosted by Connecting for Health and that their details were put on the CfH website, including home addresses and mobile phone numbers. Channel Four News says the information is no longer on the CfH website but still exists via Google.

Dr Jo Hilborne, chairman of the British Medical Association’s Junior Doctors Committee, says of the weaknesses in security on the MTAS website:

“What little faith anyone had left in this shambolic system has just evaporated. It is a breach of security on an appalling scale. The ease with which anyone could have accessed highly sensitive information about thousands of people is frankly shocking. The BMA has raised concerns about the security of the MTAS website on more than one occasion. The Department of Health had months to put it right and failed. There can be no excuse for this.”

Emily Rigby, chair of the BMA Medical Students Committee, adds:

“Many of the people affected are currently taking their finals and this just adds to the stress they’re under. We’re incredibly concerned about the extent of the breach and the surrounding security issues. We demand a full and thorough investigation and to know what steps will be taken to assure this can never happen again.”

“What has happened is appalling and it’s inexcusable. We raised concerns about online security for medical students’ applications last year after the system was hacked into. We were given explicit assurances it wouldn’t happen again. Despite improvements this year in the MTAS system for students there are still areas of concern and confidence is fragile. The breach has led to many students questioning the validity of the system.”
