NHS ePortfolio passwords and the OpenSSL/Heartbleed vulnerability
As you may have heard, on Monday of this week a member of Google’s security team and a software security firm called Codenomicon discovered and publicly disclosed a vulnerability in OpenSSL, a software package that is widely used to secure online communications. The official reference number for the bug is CVE-2014-0160, although it is more widely known by the name “Heartbleed”.
NHS ePortfolio does not use, and has not used, OpenSSL, so we were not affected by the “Heartbleed” vulnerability.
The third-party service we use for our support ticketing system does use OpenSSL. The provider has subsequently fixed the bug in their system and does not believe that any sensitive data was accessed. We are actively monitoring the situation and will notify you if we discover anything.
As an NHS ePortfolio user you don’t need to take any action. However, because of the number of sites and services that are affected, if you use the same password on more than one website, we would recommend that you change your passwords to something new. By changing your NHS ePortfolio password you will ensure that your NHS ePortfolio account remains secure, even if your previously used password(s) are released into the public domain as a result of a compromised third-party site.
You can change your NHS ePortfolio password via the Personal Details page, once logged in. If you currently log in via a Single Sign On provider (e.g. RCPI / RCPI PCS users), then your NHS ePortfolio password is not generally used and does not need updating.