NHS Website Not Hacked, Just Exploited


The issue first came to public notice when 'Muzzers' posted a comment to Reddit. "So", he warned, "while attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware infested page. Visit at your own risk..."

'NHSChoices' quickly responded on Reddit. "An internal coding error has caused an incorrect re-direct on some pages on NHS Choices since Sunday evening. Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code."

It appears that the problem was a simple typo. "Last year, a developer accidentally put 'translate.googleaspis.com' rather than 'translate.googleapis.com' as the source for the JavaScript file", an NHS Choices spokesperson told the Guardian. That in itself caused no problems until a bad actor noticed it, registered the domain googleaspis.com, and populated it with malware. Visitors were subsequently redirected to this new malicious site.

It seems that NHS Choices noticed the problem through its own internal security procedures quite quickly, and responded rapidly. Not rapidly enough, however, to prevent Muzzers being redirected to the malicious site. It isn't known how many other visitors were similarly redirected, nor whether any were subsequently infected with malware.

But there are other issues here. Firstly, that an error could exist in the code for an unspecified number of months and actually be first detected by a hacker rather than the site's own developers. "The lesson for software developers," comments Paco Hope, principal consultant at Cigital, "is to be diligent not just with code, but in testing all the links on every web application. Not every typo ends in an innocent '404' error. Some will end with malware shipped to a user."

But secondly, there is the question of the NHS using off-the-shelf commercial tools for websites that will hold the nation's most personal and private information. Abine, a privacy firm, describes googleapis.com as "a domain used by Google APIs which is an [sic] widget company that is part of a network of sites, cookies, and other technologies used to track you, what you do and what you click on, as you go from site to site, surfing the web."

Ross Anderson from the Cambridge university computer laboratory pointed to a debate on Radio 4 this morning between Phil Booth of MedConfidential and Tim Kelsey of the NHS Information Centre. Kelsey claimed that in 25 years there had never been a single case of patient confidentiality compromise. "This was untrue", Anderson told Infosecurity. "A GP practice manager, Helen Wilkinson, was stigmatized as an alcoholic on HES [hospital episodes statistics] because of [another] coding error. She had to get her MP to call a debate in Parliament in order to get this fixed." Details are available here.

When pressed by Kelsey for an example, Booth replied, 'Gordon Brown.' The ex-prime minister's information, explained Anderson, "was accessed by a Montrose GP who abused his authorized access to the system. He was not prosecuted because this 'was not in the public interest.'"

The issue is of particular relevance now because of the current plan to store all patient data in a single central NHS database, unless patients specifically opt out before April. That data will be made available to third parties such as drug companies and academic researchers – indeed, Anderson told Infosecurity, "I have been offered access though I'm not even a medic."

Anderson believes that the NHS' use of googleapis.com is symptomatic of a wider problem: "In the circumstances, does it strike you as strange that they are just building the system with commercial off-the-shelf tools, rather than going to some trouble to secure it properly? It's not as if your NHS records will be treated like the product of Prism or Tempora is at GCHQ – it will be sold for a few dollars to essentially all comers."

UPDATE
Privacy consultant and activist Alexander Hanff goes further. "In my opinion," he told Infosecurity, "no government web site should be using Google Analytics or other APIs, and in fact it is further my opinion that it is illegal for them to do so under PECR and Article 5.3 of the ePrivacy Directive as the use of these third party resources is not strictly necessary for the provision of the service. Google has already stated that all data it collects (including analytics) goes into one giant profiling pot now (as of the changes to their privacy policy in early 2012) which obviously includes data they collect about people who use government web sites."
