Telstra Health has moved to close the security gap and assist its healthcare customers after learning that medical records had been left exposed by a flaw in its Argus software.
Argus, an electronic messaging service used by more than 40,000 providers, including hospitals, GPs, specialists, primary health networks and allied health providers, contained a flaw that could have left Australians' health information vulnerable to cyberattack, according to a Fairfax Media report.
On computers where remote desktop access software was installed, Argus created a separate user account with a static default password, which an attacker who knew that password could use to log in.
In a statement to Fairfax Media yesterday, the company said the vulnerability was contained.
"We will not comment on the specifics of the incident other than to say that a very small group of customers with unsecured remote desktop configurations with open internet access were impacted."
Former and current healthcare customers were alerted to the vulnerability by Telstra early last month in emails.
"We have identified a potential vulnerability in legacy versions of the Argus product that could be exploited in circumstances where a customer's remote desktop connections are open to unauthorised parties outside of their network," Telstra Health said.
"If you are no longer using Argus, you have not had regular software updates and we recommend that you uninstall the application and ensure that all the accounts associated with the Argus applications are removed from the computers where Argus has been installed."
Telstra Health offered to assist healthcare providers in uninstalling the software.
According to an unnamed Fairfax Media source, hackers had accessed computers but had not stolen medical records, instead using the systems to carry out other illegal activities.
"The problem is that their software created another user account on the computers they were installed on. This account had a static password rather than creating a random password per install. Then this account was used by the external party to log on remotely onto the server via the built-in Microsoft remote desktop protocol," the source said.
"Basically they could see the user's screen, files as if they had logged into the machine locally. From there they could do nearly anything, including load malware. If the attacker knew they were on a medical server they could potentially download a copy of the [Argus] database or more."
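The mechanism the source describes (a vendor-created local account with a static password, reachable over the built-in Remote Desktop Protocol from the internet) and the vendor's own remediation advice (remove the accounts associated with the application) can both be checked on a Windows host with a short audit script. The following is an added example written for this page, not Telstra Health's or Argus's code. It assumes it is run elevated on Windows 10 / Server 2016 or later, and the account name passed in `-SuspectAccounts` is a placeholder: the article does not name the account Argus created, so substitute the name found on your own installation.

```powershell
<#
Added example (not Telstra Health's or Argus's code): audit a Windows host for
(1) non-built-in local accounts that can log on over RDP with a non-expiring
password, (2) RDP reachable from outside the network, and (3) Security-log
evidence that an account has actually been used over RDP from a public address,
then optionally disable the suspect account. Account names are placeholders.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SuspectAccounts = @('VENDOR_ACCOUNT_PLACEHOLDER'),  # placeholder: the article does not name the real account
    [int]$LookbackDays = 30,
    [switch]$Remediate   # disable the suspect accounts; honours -WhatIf
)

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback, link-local, and the '-' Windows logs for local logons
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|fe80:|::1$|-$)'
}

# 1. Local accounts outside the Windows built-ins, with the properties that make a
#    vendor service account dangerous: enabled, non-expiring password, RDP-capable.
$builtins     = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
$rdpMembers   = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
$adminMembers = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$accounts = Get-LocalUser | Where-Object { $_.Name -notin $builtins } | ForEach-Object {
    $qualified = "$env:COMPUTERNAME\$($_.Name)"
    [pscustomobject]@{
        Account              = $_.Name
        Enabled              = $_.Enabled
        PasswordNeverExpires = ($null -eq $_.PasswordExpires)
        LastLogon            = $_.LastLogon
        CanRDP               = ($qualified -in $rdpMembers) -or ($qualified -in $adminMembers)
        Suspect              = ($_.Name -in $SuspectAccounts)
    }
}
Write-Host '== Local accounts =='
$accounts | Format-Table -AutoSize

# 2. RDP exposure: service enabled, NLA not required, listener bound on all
#    addresses, host firewall allowing it, and a public address on an interface.
#    All of these together is the "open internet access" case from the article.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = [pscustomobject]@{
    RdpEnabled     = ($ts.fDenyTSConnections -eq 0)
    NlaRequired    = ($win.UserAuthentication -eq 1)
    ListeningOnAll = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
                            Where-Object LocalAddress -In @('0.0.0.0', '::'))
    FirewallAllows = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    PublicAddress  = [bool](Get-NetIPAddress -AddressFamily IPv4 | Where-Object { -not (Test-PrivateAddress $_.IPAddress) })
}
Write-Host '== RDP exposure =='
$rdp | Format-List

# 3. Evidence of use: Security event 4624 with LogonType 10 (RemoteInteractive)
#    from a non-private source address, grouped by account. This is what the
#    article's source describes: the static account logging on via RDP from outside.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$remoteLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.LogonType -eq '10' -and -not (Test-PrivateAddress $data.IpAddress)) {
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $data.TargetUserName; Source = $data.IpAddress }
    }
}
Write-Host "== RDP logons from public addresses (last $LookbackDays days) =="
$remoteLogons | Group-Object Account |
    Select-Object Name, Count, @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 4. Remediation matching the vendor advice: disable the vendor account first so any
#    legitimate dependency surfaces, then remove it (Remove-LocalUser) once confirmed.
if ($Remediate) {
    foreach ($name in $SuspectAccounts) {
        if ($PSCmdlet.ShouldProcess($name, 'Disable local account')) {
            Disable-LocalUser -Name $name -ErrorAction SilentlyContinue
        }
    }
}
```

Run it first without `-Remediate` to get the three reports, then with `-Remediate -WhatIf` to see which accounts would be disabled before committing. A hit in section 3 against an account flagged in section 1 is the signal to treat the machine as compromised rather than merely exposed, since the article's source notes that an attacker with a remote desktop session could load malware or copy the database, so removing the account alone is not sufficient at that point.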
In a statement, the Australian Digital Health Agency confirmed that secure messaging software including Argus does not connect to the My Health Record.
“The Agency understands that a vulnerability existed for a very small number of Telstra Health’s Argus customers operating without appropriate system security. The vulnerability has been addressed with a security patch and customers have been provided with the steps necessary to ensure they have the basic security settings in place,” the ADHA said.