Security News
Ten months after attempts first began to extract the medical information of 55 million citizens in England, NHS Digital's former chairman is warning the merger of the agency with NHS England threatens the privacy of people's personal data. The view was that if a patient had chosen to use the NHS they had implicitly agreed that their data could be used for the benefit of the NHS. Writing in trade publication the British Medical Journal, Kingsley Manning said health secretary Sajid Javid's decision to merge NHS Digital into NHS England and NHS Improvement last year was a "retrograde step not least in the context of this government's clear intent to weaken the constraints on the use of patient data."
The UK's NHS Digital agency is warning organizations to apply new security updates for a remote code execution vulnerability in the Windows client for the Okta Advanced Server Access authentication management platform. "NHS Digital is the national digital, data and technology delivery partner for the NHS and social care system," explains the website for NHS Digital.
The digital security team at the U.K. National Health Service has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched VMware Horizon servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks. "The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface™ via Log4Shell payloads to call back to malicious infrastructure," the non-departmental public body said in an alert.
The UK's National Health Service has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.
British police have made a series of arrests over the past few months after people with apparent access to NHS databases allegedly sold fake vaccination status entries on the NHS vaccine passport app. Detective Superintendent Helen Rance said: "The staff at both trusts did the right thing and reported their concerns, which has allowed us to fully investigate the circumstances. I want to reassure the public that no systems were hacked into from outside of the NHS networks and the integrity of the NHS systems remains robust."
NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages. The first email sent yesterday morning thanked participants for "registering for NHS Digital's Full Digital Breakfast: Let's talk cyber, scheduled for Thursday 21 October 2021, 8:00-9:00am."
IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him. What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.
Folks in England can from next week use the NHS App to confirm their vaccination status, in the face of warnings that the technology could lead to identifiable medical information being exposed. The British government has announced that from 17 May, people will be able to demonstrate their COVID-19 vaccination status - a so-called vaccine passport or certificate - using the NHS App, which began its public rollout in January 2019, well before the pandemic.
A very active phishing campaign is underway pretending to be from the UK's National Health Service, alerting recipients that they are eligible to receive the COVID-19 vaccine. The phishing email, shown below, asks the recipient if they want to accept or decline the invitation to schedule their COVID-19 vaccination.