
However, any compromised NHS website would lead to bad publicity and insecurity.

And horrendous scope for phishing. Who's going to think twice about entering potentially sensitive information into their GP's web site accessed via a .nhs.uk address? Not most people, I suspect.




I would guess that's an issue even without the nhs.uk address, unfortunately. American doctors' websites don't have an 'official' domain they're under, but some people send information via their local doctor's website anyway. So if you compromise the WordPress install (and it's likely that thousands of American doctors have a vulnerable WordPress install) you could pull in some potentially sensitive information. The main mitigating factor in the U.S. would be that so much stuff is still done on paper and over the phone that many people wouldn't visit the site in the first place.

Like the NHS, American doctors usually don't store actual patient data on the generic CMS they use for hosting the website. If they have an online "patient portal" or "billing portal" it's usually a hosted solution that goes offsite, via a third-party company that provides such services. But it's nonetheless a huge phishing opportunity. Besides a fake contact form, you could also clone the portals, replacing the links from the main site, which are supposed to go off to places like medfusion.net or eclinicalweb.com, with ones that go off to medfusion.yourdomain.net or whatever, and most people will not think twice as long as your cloned site looks vaguely similar. I mean the genuine domains sound halfway like the domains of phishing sites to begin with...


I've noticed a disturbing trend lately of physicians' office portals connecting silently to credit reporting agencies and using information from there for authentication. While I applaud them for trying to reliably authenticate me when I sign in to get blood test results, it's disconcerting to be faced with questions like this:

    Which of the following cars have you NOT owned?
        - 1999 Ford Explorer
        - 2001 Toyota Tercel
        - 2008 Audi
        - 1996 Hyundai

Along with a few more questions like that one, it's a dead giveaway that my doctor's office is connected to a credit reporting agency. I have seen this happening in other places as well; evidently credit reporting agencies recently got into the business of online identification and authentication (I&A).



