Sunday, March 25, 2018
Some Old Security Flaws Catch Up With Some Argus Users. Good To See A Reasonably Pro-Active Response!
This interesting little yarn appeared a few days ago:
Updated 22 March 2018, 8:19am (first published at 8:09am)
A flaw in medical software used by more than 40,000 Australian health specialists and distributed by Telstra has potentially exposed Australians' medical information to hackers, who have been logging into practitioners' computers and servers to carry out illegal activities.
Called Argus, the software is used by hospitals, GPs, specialists, primary health networks and allied health providers. According to Telstra Health, which acquired the software in 2013, these customers "trust Argus to securely communicate confidential patient information quickly and reliably, in-line with privacy standards".
The flaw in the "secure" messaging software is specifically leaving computers with remote desktop software installed wide open, because, a medical industry source told Fairfax Media, it creates a separate username with a static default password that allowed for an easy intrusion.
Telstra alerted medical practitioners to the flaw in early February.
Fairfax Media understands that many doctors use remote desktop software to check results from home and follow up with other practitioners after hours when away from the office. But because they did not know that Argus created a separate user account with a default static password, they had no reason to believe the Argus software was leaving their computers vulnerable to hackers.
"The problem is that their [Telstra's] software created another user account on the computers they were installed on. This account had a static password rather than creating a random password per install. Then this account was used by the external party to logon remotely onto the server via the built-in Microsoft remote desktop protocol", the source said.
While complex, the static password that Argus created was viewable in plaintext inside a file in the folder Argus created once installed.
"Basically they could see the user's screen, files as if they had logged into the machine locally. From there they could do nearly anything, including load malware. If the attacker knew they were on a medical server they could potentially download a copy of the [Argus] database or more."
It appears hackers have so far not used access to computers containing medical records to steal the records themselves. Instead, they are using them to conduct illegal activities online, according to a source, who said that they had seen a breached server themselves that was targeted.
Lots more details here:
Now, Argus software has been around in many versions for many years. For reference, here is how the company used to describe itself before being bought by Telstra Health:
“ArgusConnect is an Australian company that develops, deploys and supports the Argus secure clinical messaging system.
Argus was first developed in 2000 for use by all areas of healthcare throughout the Northern Territory and has since been adopted as the preferred option supported by more than 50% of Divisions of General Practice across the country Australia. As a result of this strong support by General Practice, Argus is now being used by more than 9500 healthcare providers including specialists, allied health workers, aboriginal and community health centres, pharmacists, hospitals, aged care facilities, radiologists, and pathologists to communicate with GPs and each other.
ArgusConnect is also a founding partner in the MediSecure® Electronic Transfer of Prescriptions initiative which is a groundbreaking venture in electronically transferring prescriptions from doctors to pharmacies.”
The link now points to https://www.telstrahealth.com/home/solutions/secureMessaging/argus.html where you can read the current description.
The software was developed as an open-source effort and, way back when, acted as a free-to-use secure e-mail client. It was used as part of the e-prescribing effort in the NT in the days of HealthConnect. (Remember that?)
It was also involved in a very nasty spat with NEHTA that was reviewed at Senate Estimates in 2011.
The point of all this is that there are some very old installs of Argus around and it looks like some of them had a systemic security hole which Telstra Health is now doing its best to root out.
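A check an administrator could run on a Windows machine after an advisory like this one: list every enabled local account, whether it can log on over Remote Desktop, and when its password was last set, so that an account an installer added stands out. This is an added example, not code from Telstra or the article; it assumes the default rights assignment (Administrators and Remote Desktop Users may log on via RDP) and does not assume the name of the Argus-created account, which the article does not give.

```powershell
# Added example: audit enabled local accounts for Remote Desktop exposure.
# Run in an elevated Windows PowerShell 5.1+ session on the host being checked.
# Assumption: default user rights, i.e. only the two built-in groups below
# are allowed to log on through Remote Desktop Services.

# RDP accepts connections when fDenyTSConnections is 0.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Well-known SIDs are used so the check also works on non-English installs.
$rdpGroupSids = 'S-1-5-32-544', 'S-1-5-32-555'   # Administrators, Remote Desktop Users

# Collect the SIDs of local user accounts that belong to either group.
$rdpMemberSids = foreach ($sid in $rdpGroupSids) {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { $_.SID.Value }
}

# One row per enabled local account, with the fields that expose a
# forgotten installer-created account: RDP rights, password age, last use.
$report = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        CanRdp          = $rdpMemberSids -contains $_.SID.Value
        PasswordLastSet = $_.PasswordLastSet
        NoExpiryDate    = ($null -eq $_.PasswordExpires)
        LastLogon       = $_.LastLogon
        Description     = $_.Description
    }
}

"RDP enabled on this host: $rdpEnabled"
$report | Sort-Object CanRdp -Descending | Format-Table -AutoSize
```

An enabled account that nobody at the practice recognises, with CanRdp true and a PasswordLastSet date matching the software's install date, is the pattern the article describes and is a candidate for disabling or a password reset.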
I am sure that recent installs are fine, and they better be, given there are apparently 40,000 current users of the application!
All in all a search for the word “Argus” (in the Blog's search box down from the Comments) provides a fun trip down memory lane and a reminder of just what jerks some of the old NEHTA operatives were. I hope they have all gone from the ADHA.
Posted by Dr David G More MB PhD at Sunday, March 25, 2018