Home page logo
/

bugtraq logo Bugtraq mailing list archives

Infocure "Exact Dental" Practice Management System - awful security policy
From: Dixieland <dixieland () SNIP NET>
Date: Mon, 8 Jan 2001 12:11:33 -0500

Intro:
-----
Although painfully obvious to even intermediate users, I could not allow
myself to not pass this information along to the public so that at least a
handful of doctor's offices might be more secure.

"Exact Dental" is a practice management system for dental offices that
tracks typical data such as patient databases, appointment schedules, and
financial information (billing and accounting).  The Exact Dental software
was originally distributed by National Data Corp.  Currently it the software
is property of Infocure.  (http://www.infocure.com/)  When offices grew and
users requested a way to work with multiple systems, the ability to leverage
MS Windows networking was used in a manner that client workstations could
communicate via a LAN and the Exact Dental system would use mapped shares to
direct data and communication.

Issue:
-----
The following sent shivers down my spine when I installed the system (one
Main server and two workstations) in a Dental office recently:

It is the policy of Infocure to recommend that users deploy their Exact
Dental "server" machine with Windows 9x.  The user is then directed to share
the c: drive will FULL ACCESS permissions and NO PASSWORD.  I was certain
that this step in the process was a mistake, and I contacted Infocure's
support staff to inquire about the matter.

After much questioning back and forth, a (somewhat indignant) tech support
representative informed me that i was completely wrong, and that sharing the
server's c: drive will full access permissions was the only way that they
system would work, since the client software looks for a mapped drive
(typically the letter K is used) and that this mapped drive MUST be the
server's system drive.

Synopsis:
--------
Due to minimal documentation and anticipation of user incompetence, it has
become the policy of Infocure to make the default configuration of the Exact
Dental software so devoid of permissions and restrictions that virtually no
one will encounter difficulty using the system.

Client workstations look to deposit data on a network resource.  These
network resources are specified in the exact.ini file (installed to
c:\windows on client machines) as being "K:\NDCDENT\..."  Inasmuch as the
client anticipates that the k: drive is a mapping of the server's c: drive,
one needs only to realize that the Exact Dental software (which resides in
c:\NDCDent on the server) does not need a full path and a share compromising
security on the server to function.  A relative path works fine.

Solution:
--------
Do NOT share the c: drive on the server in any way.  Instead, share the
"NDCDENT" directory on the server computer.  (Full access permissions are
required for the clients to deposit data correctly, but username/password or
password-protected shares can easily be used).  Modification of the
EXACT.INI file on the clients is necessary to direct the client software to
the proper path.  (essentially, change all lines reading
"K:\NDCDENT\DIR_NAME" to "K:\DIR_NAME" and the system works very well.)

Company Contact:
----------------
The Infocure representative to whom i spoke did not seem interested in my
view of the security issue and simply reminded me of the fact that "this is
how the system is configured."  He expressed his opinion (or possibly he was
relaying to me the official opinion of Infocure) to be that "most dental
offices do not encounter security issues, really."

Company Information:
-------------------
"Exact Dental" is a practice management system for dental offices that
tracks typical data such as patient databases, appointment schedules, and
financial information (billing and accounting).  With connectivity
enablement, this system transmits insurance claims in batch to claims
processing clearinghouses.  Overall, the system houses and maintains ALL of
the office's critical data. (This includes information such as patient
records and financial payment records.)

I am not aware as to whether or not the database format is proprietary, or
if once compromised the information could be parsed and readable.  The Exact
Dental software was originally distributed by National Data Corp.  Currently
it the software is property of Infocure.  (http://www.infocure.com/)

The implications of a person using a Windows-based LAN to connect
anonymously to a server in this sort of environment are staggering.  One
could easily corrupt the dental office's database, or (possibly worse yet)
take for their own observation the office's COMPLETE patient records and
financial information.  I will not even discuss in this email the
possibility of an office with a Cable or DSL connection with which Windows
Networking protocols are bound improperly.  In such an instance, a remote
user could compromise all data of the practice, then either disable or
destroy the database, and leave without a trace.

It is frightening to me that this sort of no-security approach is presented
to users in an attempt, as i see it, to reduce technical problems during
setup and installation of this Practice Management Software.

Overall, it should not go unmentioned that the Exact Dental software is a
fine product that, when properly configured, can provide dental offices with
fantastic functionality and service.

At this time I am not familiar with any other products from Infocure or
National Data Corp.  I cannot comment on the vulnerability of their other
systems.


  By Date           By Thread  

Current thread:
  • Infocure "Exact Dental" Practice Management System - awful security policy Dixieland (Jan 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]