http://australianit.news.com.au/articles/0,7204,7206125%5E15306%5E%5Enbv%5E,00.html

Ron Hicks
SEPTEMBER 09, 2003

AUSTRALIA'S national blood management system is vulnerable to hacker attacks that could cause chaos and potentially endanger lives, according to a Red Cross IT insider.

The new IT system for Australia's first national blood service is also tenfold over budget and four years behind schedule, at a time when the Red Cross has made an urgent appeal for blood because supplies have dropped dangerously low.

But the greatest concern is the security risk caused by the fact that programmers who do the updates and corrections for Australia's blood management system are based overseas, including in Macedonia.

This is because the contract for the new National Blood Authority's blood management service -- run through the Australian Red Cross Blood Service -- was awarded to MAK-SYSTEM, which is registered in France.

MAK president and chief executive Simon Kiskovski is originally from Eastern Europe and many programmers for the Australian system are in Macedonia, which has cheaper IT wages than most Western countries.

Programmers have encrypted super-user accounts, which means IT workers in charge of the program here cannot always view the code for the blood management system, called Progesa.

"The fact is that they will not let us see what is going on when they load patches (to correct a problem or upgrade the system)," said a concerned member of the Red Cross IT team.

"My worry is that the system could be hacked and something could be slipped into the code and we would never know.

"Many of the programs are written in the Visual Basic language, which goes back some time, so we are not talking about (needing) phenomenal (hacking) skills here.

"For instance, a Trojan horse could be slipped into the code. It would be simple to slip in an algorithm that said, for instance, that every prime number blood donation for a multiple of five was HIV-positive.
"Our relationship with the AIDS community is very good, but you would not pick up those false positives immediately, and you would have to check each false positive manually. It would cause chaos."

It also could be coded to give false positives for other potentially fatal blood diseases or false negatives for a life-threatening blood-borne disease.

"If it happened when high volumes of blood were needed, it would slow down the vital blood supply," he said.

The reality is that, apart from exceptional circumstances, there is often only a two-to-three day supply of blood readily available. In fact, this week the Red Cross had to make a special public appeal because blood reserves were so low.

Some of these vital blood supplies could be lost during a hack attack. Some blood products can be stored for long periods, but other crucial blood products, such as platelets, can only be stored for about five days, and other specialised products only last hours.

The IT expert said the chances of this type of hack attack may be low, but "the world has changed so much over the past few years".

"If September 11 and Bali had not happened -- and now we have Korea -- I probably would not be so concerned, but this project is bleeding the organisation and it is a security risk."

A spokesman for MAK SYSTEM in France, Stephane Sajot, said the system was "very secure and had not been affected by the latest virus scares".

He said the company's super-user accounts did not allow access to the confidential donor and patient databases. And he said any patches to update the system were provided to the ARCBS to implement.

"We have no privilege to look at the production side. If they deny us access to an area, we do not go in," he said.

Australia's first national blood-management system has been plagued with problems. It is about four years behind schedule and the cost has blown out from between $3 to $4 million to $38.9 million.
It still has not gone national, and those closely associated with it say it will not do so in its present form.

The move towards a national blood-management system began about five years ago after the federal Government called an inquiry following the death of a young girl after a blood transfusion.

The inquiry, chaired by former governor-general Sir Ninian Stephen, recommended the loosely federated Red Cross associations come under a federally funded National Blood Authority, which finally came into being on July 1.

The inquiry concluded there should be standardisation of all processes, including donor recruitment and administration, collection, testing and processing, and the establishment of a national donor database. The first step was to introduce an IT system to run it.

The ARC Blood Service came into existence in the mid-1990s and one of its earliest tasks was to scour the world for an appropriate blood-management system.

Initially, the ARCBS decided on the US Safe Track system, but negotiations broke down and it was abandoned. It then decided on the Progesa system, owned by the MAK-SYSTEM company.

But the new blood-management system ran into trouble in Australia virtually from the start when existing servers were incapable of running the system and three $2 million servers had to be bought.

This immediately blew the budget of the project, which the ARC had promised the federal Government would cost $3 to $4 million and go live in 1999.

The project's total cost is now officially estimated at $38.9 million and a trial of the system has only just begun -- in July -- in Adelaide, although it is supposed to go live nationally later in the year.

The insider said that, in its present form, Progesa was just not capable of running our national blood-management system. It was supposed to be based on an Oracle 8 relational database management system, but much of the program was written in Visual Basic language.
The insider said: "It was meant to have data centres in Adelaide and Sydney, a failover server in Sydney and real-time replication between Adelaide and Sydney, so that if it went out in Adelaide, magically the whole system would flip over to Sydney and users would not know the difference. But it's not possible."

But Mr Sajot, of MAK, said the delays had not been of MAK's making.

He said: "This kind of project is not only an IT implementation. Many of the different business practices of the Red Cross have been renovated, which ... will help in the long term. Most of the problems that have extended the time line are not related to the IT system itself, but the practices of the ARCBS. Our costs have been according to our contract."

A spokesman for the federal Health Department confirmed the $38.9 million cost of the project but referred comments on the matter to the ARCBS.

An ARCBS spokesman was yesterday unable to give technical details about security, but said: "The (federal Health Department's) Therapeutic Goods Administration has been involved and I am sure they would not have allowed the trial to go ahead unless they were happy."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Sep 09 2003 - 03:54:54 PDT