Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Sunday, March 25, 2018

Some Old Security Flaws Catch Up With Some Argus Users. Good To See A Reasonably Pro-Active Response!

This interesting little yarn appeared a few days ago:

Medical records exposed by flaw in Telstra Health's Argus software

By Ben Grubb
Updated22 March 2018 — 8:19amfirst published at 8:09am
A flaw in medical software used by more than 40,000 Australian health specialists and distributed by Telstra has potentially exposed Australians' medical information to hackers, who have been logging into practitioners' computers and servers to carry out illegal activities.
Called Argus, the software is used by hospitals, GPs, specialists, primary health networks and allied health providers. According to Telstra Health, which acquired the software in 2013, these customers "trust Argus to securely communicate confidential patient information quickly and reliably, in-line with privacy standards".
The flaw in the "secure" messaging software is specifically leaving computers with remote desktop software installed wide open, because, a medical industry source told Fairfax Media, it creates a separate username with a static default password that allowed for an easy intrusion.
Telstra alerted medical practitioners to the flaw in early February.
Fairfax Media understands that many doctors use remote desktop software to check results from home and follow up with other practitioners after hours when away from the office. But because they did not know that Argus created a separate user account with a default static password, they had no reason to believe the Argus software was leaving their computers vulnerable to hackers.
"The problem is that their [Telstra's] software created another user account on the computers they were installed on. This account had a static password rather than creating a random password per install. Then this account was used by the external party to logon remotely onto the server via the built-in Microsoft remote desktop protocol", the source said.
While complex, the static password that Argus created was viewable in plaintext inside a file in the folder Argus created once installed.
"Basically they could see the user's screen, files as if they had logged into the machine locally. From there they could do nearly anything, including load malware. If the attacker knew they were on a medical server they could potentially download a copy of the [Argus] database or more."
It appears hackers have so far not used access to computers containing medical records to steal the records themselves. Instead, they are using them to conduct illegal activities online, according to a source, who said that they had seen a breached server themselves that was targeted.
Lots more details here:
Now Argus software has been around in many versions for many years. For reference here is how the company used to describe itself before being bought by Telstra Health:
“About ArgusConnect
ArgusConnect is an Australian company that develops, deploys and supports the Argus secure clinical messaging system.
Argus was first developed in 2000 for use by all areas of healthcare throughout the Northern Territory and has since been adopted as the preferred option supported by more than 50% of Divisions of General Practice across the country Australia. As a result of this strong support by General Practice, Argus is now being used by more than 9500 healthcare providers including specialists, allied health workers, aboriginal and community health centres, pharmacists, hospitals, aged care facilities, radiologists, and pathologists to communicate with GPs and each other.
ArgusConnect is also a founding partner in the MediSecure® Electronic Transfer of Prescriptions inititiative which is a groundbreaking venture in electronically transferring prescriptions from doctors to pharmacies.”
The link now points to https://www.telstrahealth.com/home/solutions/secureMessaging/argus.html where you can read the current description.
The software was developed as an open-source effort and way back when used to act as a free to use secure e-mail client. It was used as part of the e-prescribing effort in the NT in the days of HealthConnect. (Remember that?)
It was also involved in a very nasty spat with NEHTA that was reviewed as Senate Estimates in 2011.
See here:
and here:
The point of all this is that there are some very old installs of Argus around and it looks like some of them had a systemic security hole which Telstra Health is now doing its best to root out.
I am sure that recent installs are fine –and they better be - given there are apparently 40,000 current users of the application!
All in all a search for the word “Argus” (in the Blog's search box down from the Comments) provides a fun trip down memory lane and a reminder of just what jerks some of the old NEHTA operatives were. I hope they have all gone from the ADHA.
David.

4 comments:

Anonymous said...

I hope people are following the Facebook/Cambridge Analityca scandal.

The big lesson is that if you give your data away, it will be misused. The fact that as far as we know it is private companies that are involved is not much comfort. Australian governments (both political colours, state and federal) want to get their hands on as much health data as they can. Can they guarantee it won't misuse it? No. Can they guarantee it won't be (legally) downloaded to other systems and misused? No. Can they guarantee anything? No.

There's likely to be one big social media shit fight coming up. Do you really think that the dysfunctional ADHA is up to the fight? Dream on folks. They won't be the ones to pay the price, the pollies will. Serves them right for being such gullible dimwits.

Anonymous said...

The Government really needs to look at this issue. Perhaps some encouragement can be taken from the recent moves by Europe

Anonymous said...

I believe most have dispersed to other areas and not directly employeed. I believe we have a new set of operatives. They are different by name but cast from the same mould.

To quote you David from one of the links - It is clear there is an absolute determination to minimise openness and transparency and that there are some of these answers which sail pretty close to being just untrue.

How much has really changed?

It is becoming clear that there are elements of ADHA that are quite happy to live outside good corporate governance and public services rules. Makes you wonder how many contracts have been served up in a closed process, how many contracts were lost opportunities and how many people have fallen victim to this ADHA and at what long-term cost to Australian eHealth

Anonymous said...

The people to some extent may have changed, but has anything changed?

To quote you in the second like David - "It is clear there is an absolute determination to minimise openness and transparency and that there are some of these answers which sail pretty close to being just untrue."

The ADHA puts a lot of press out there but how much is really of much use? Can we trust this organisation?

I am less and less trusting, they seem now to be dishonest with operating a Commonwealth entity, I am not convinced they are being honest with the general public