Bad news is better out than in
It probably comes as no surprise that our two most popular stories this week both concern nefarious goings-on in the darker recesses of our networked world, but apart from them both involving thankfully unsuccessful attempts by hackers to gain unauthorised access to our healthcare systems, what they both have in common is an unfortunate lack of transparency about what really went on.
On Wednesday, we revealed that Western Health, which runs the Sunshine, Footscray and Williamstown hospitals in Melbourne's west, had been subject to an attack from the WannaCry ransomware cryptoworm that caused such havoc for the NHS last year and disrupted the basic operation of about a third of the UK's hospitals for days.
Security agencies put the blame for that attack at the feet of North Korea, but the actual worm was originally developed long before that by the US's National Security Agency. It promptly escaped its captors and is still out there in the wild, lurking about, but who or what directed it at Western Health is unknown.
And without some insider knowledge on the part of some of Pulse+IT's deep-throated friends, its success or otherwise would have remained unknown as well, even though the attack took place in January. How many other attempts have similarly escaped public notice is difficult to tell.
Then the very next day, Fairfax Media revealed that Telstra Health also had an episode back in January, when it appears that a problem with password configurations for remote desktop access to the Argus messaging system caused the connections to stay open, allowing hackers to insert malware into a small number of computers.
While Fairfax provided a somewhat confusing explanation involving static default passwords, which we can't make head nor tail of, what is starting to filter out is that the problem seems to have affected an older version of Argus and has now been cleared up. What the actual details are though, we still hope to find out.
To its credit, Telstra Health told Argus customers that there was a problem and how to solve it, but they didn't tell anyone else, and when it was exposed this week, Telstra Health promptly offered up a brief statement admitting to the vulnerability but saying it would not be commenting on the specifics. We pretty much got the same response.
That's not something that bothers us in the slightest and we intend to pursue this story. We might ask some more questions of Western Health as well, such as whether it was a coincidence that at the same time that the health service was trialling new technology to protect its medical devices from hackers, a serious attack was attempted on its core systems. Was someone distracted by shiny new things and took their eye off the ball?
Our motto is better out than in, so in the interests of transparency we'll see if we can get to the bottom of that, and what happened to Argus. These days, good IT companies are forthright about what happens when things go wrong, releasing technical details so everyone can learn from it. We'd like it if Telstra Health and Western Health did the same.
They could take a look at the irreparable reputational damage that Facebook has suffered this week, some of it due to its attempts to play dumb about what it knew about the purpose its customers' data was being put to by dodgy polling and data mining outfit Cambridge Analytica.
The whole point of Facebook of course is to give you a free, ubiquitous platform for communication in return for mining your data and flogging you targeted ads. Most people are aware of that and they weigh up the risks versus the benefits, but what they don't like is being taken for a ride. “It's not the crime, it's the cover-up,” as one US president eventually found out, and with the Cambridge Analytica scandal's tentacles reaching ever further and higher, another one might shortly find out too.
Back in the more prosaic world of health IT, we'd like our public and our private healthcare businesses to be a little more transparent about when stuff-ups happen or if they come under threat. There are now mandatory data breach reporting laws but they would not have applied to these instances, so we reckon it's best to be upfront from the start, as it will all come out in the end.
That brings us to our poll question for the week: do you think Western Health and Telstra Health should have revealed their security issues earlier?
Our poll last week asked: Is the potential of AI overhyped in healthcare? Most of you thought it was: 71 per cent said overhyped, 29 per cent under.