Though the United States Department of Veterans Affairs runs some interesting technology programs, it’s not known for being a flexible and nimble organization. And when it comes to electronic medical records management, the VA has had a slow but high-stakes drama playing out for years . The department’s records platform, VistA, first instituted in the late 1970s, is lauded as effective, reliable, and even innovative, but decades of under-investment have eroded the platform.
Multiple times throughout the 2010s, the VA has said it will replace VistA (short for Veterans Information Systems and Technology Architecture) with a commercial product, and the latest iteration of this effort is currently ongoing. In the meantime, though, security researchers are finding real security issues in VistA that could affect patient care. They want to disclose them to the VA and get the issues fixed, but they haven’t found a way to do it because VistA is on death row.
At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in healthcare IT, is presenting findings about a worrying weakness in how VistA encrypts internal credentials. Without an additional layer of network encryption (like TLS, which is now ubiquitous across the web), Minneker found that the home-brewed encryption developed for VistA in the 1990s to protect the connection between the network server and individual computers can be easily defeated. In practice, this could allow an attacker on a hospital’s network to impersonate a healthcare provider within VistA, and possibly modify patient records, submit diagnoses, or even theoretically prescribe medications.
“If you were adjacent on the network without TLS, you could crack passwords, replace packets, make modifications to the database. In the worst-case scenario, you’d essentially be able to masquerade as a doctor,” Minneker tells WIRED. “This is just not a good access control mechanism for an electronic medical record system in the modern era.
” Minneker, who is a security engineer at the software-focused firm Security Innovation, only briefly discussed the findings during his DefCon talk, which was mostly focused on a broader security assessment of VistA and the database programming language MUMPS that underlies it. He has been attempting to share the finding with the VA since January through the department’s vulnerability disclosure program and Bugcrowd third-party disclosure option. But VistA is out of scope for both programs.
This may be because the VA is currently attempting to phase our VistA using a new medical records system designed by Cerner Corporation. In June, the VA announced that it would delay a general rollout of the $10 billion Cerner system until 2023 because pilot deployments have been plagued by outages and have potentially led to almost 150 cases of patient harm . The VA did not return WIRED’s multiple requests for comment about Minneker’s findings or the broader situation with disclosing vulnerabilities in VistA.
In the meantime, though, VistA is not only deployed across the VA healthcare system, it is also used elsewhere. “There are all sorts of problems with the VA, but everybody loves VistA. It’s one of the best EMRs in the world.
It’s just extremely flexible whereas most EMRs are totally inflexible,” Minneker says. “And there are other hospitals that are running VistA that are not VA-related. ” Minneker did his assessment of VistA using the automated software testing technique known as fuzzing as well as manual code review.
He was able to assess VistA’s source code, because the VA regularly posts a “Freedom of Information Act” version which includes all patches released for VistA. Other researchers have attempted to raise awareness about the importance of securing MUMPS and VistA by investing more in the technology instead of less. At the open source software conference OSCON in 2010, healthcare data researcher Fred Trotter argued that VistA shouldn’t be written off given its value.
“One of the things that really frustrates me with criticisms of MUMPS and VistA is, ‘it’s old software,’” Minneker says. “This is confusing to me because it’s not like an old dog. That dog won’t hunt anymore because it’s too old.
Well, if software is merely old but still works really well, we have a name for that: It’s ‘stable. ’” The question for Minneker now is whether his presentation will spur public discussion about VistA security and illustrate the need to continue supporting and defending the massive system as long as it is in use. “VistA is phenomenal, and it could be used more broadly instead of being decommissioned—it’s a beautiful dream,” Minneker says.
“I just couldn’t in good conscience just be quiet about this problem. ”.
From: wired
URL: https://www.wired.com/story/va-vista-medical-records-flaw/