A flaw in the VA’s VistA medical records platform could put patients at risk

Although the United States Department of Veterans Affairs runs a number of interesting technology programs, it is not known as a flexible and agile organization. And when it comes to managing electronic health records, a slow but significant drama has been playing out at the VA for years.

The department’s records platform, VistA, first established in the late 1970s, has been hailed as effective, reliable and even innovative, but decades of underinvestment have eroded it. Several times in the 2010s, the VA has said it will replace VistA (short for Veterans Information Systems and Technology Architecture) with a commercial product, and the latest iteration of this effort is currently underway. In the meantime, however, security researchers are finding real security vulnerabilities in VistA that could impact patient care. They want to disclose them to the VA and get the issues fixed, but they haven’t found a way to do it because VistA is on death row.

At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in healthcare IT, presents findings about a worrisome weakness in the way VistA encrypts internal credentials. Without an extra layer of network encryption (such as TLS, which is now ubiquitous on the Internet), Minneker found that the homemade encryption developed for VistA in the 1990s to protect the connection between the network server and individual computers can easily be broken. In practice, this could allow an attacker on a hospital’s network to impersonate a healthcare provider within VistA, potentially altering patient records, submitting diagnoses, or even theoretically prescribing drugs.

“If you were adjacent to the network without TLS, you could crack passwords, replace packets, and make changes to the database. In the worst case, you could actually pretend to be a doctor,” Minneker tells WIRED. “This is just not a good access control mechanism for an electronic medical record system in the modern age.”

Minneker, a security engineer at the software-focused company Security Innovation, only briefly discussed the findings during his DefCon talk, which focused primarily on a broader security assessment of VistA and the database programming language MUMPS that underpins it. Since January he has been trying to share the finding with the VA, both through the department’s Vulnerability Disclosure Program and through its Bugcrowd third-party disclosure option. But VistA is beyond the scope of either program.

This could be because the VA is currently trying to phase out VistA in favor of a new medical records system designed by Cerner Corporation. In June, the VA announced that it would delay a general rollout of the $10 billion Cerner system through 2023, as pilot deployments were plagued with outages and may have resulted in nearly 150 cases of patient harm.

The VA did not respond to WIRED’s multiple requests for comment about Minneker’s findings or the broader situation with vulnerabilities disclosed in VistA. In the meantime, VistA is not only deployed in the VA care system; it is also used elsewhere.