Although the United States The U.S. Department of Veterans Affairs operates a number of exciting Technology program, it is not known to be a flexible and agile organization. And when it comes to electronic medical record management, the VA has hit a slow but high stakes playbook play for many years.
The division’s filing platform, VistA, first founded in the late 1970s, is hailed as efficient, reliable and even innovative, but decades of lack of investment have eroded it. this platform. Several times throughout the 2010s, the VA has said it will replace Vista (short for Veterans Information Systems and Technology Architecture) with a commercial product and the latest version of the effort. This is currently in progress. In the meantime, however, security researchers are uncovering real security issues in Vista that could impact patient care. They want to reveal them to the VA and fix the problem, but they haven’t figured out how to do that since Vista is on death row.
At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in healthcare IT, is presenting findings of a disturbing weakness in the way Vista encrypts logins internally. Without an additional layer of network encryption (like TLS, which is now ubiquitous on the web), Minneker found that encryption developed by the manufacturer for Vista in the 1990s to protect the connection between network servers and personal computers can be easily defeated. In fact, this could allow an attacker on a hospital’s network to impersonate a healthcare provider in VistA and possibly modify patient records, submit diagnoses, or even prescribe medications. according to theory.
“If you’re contiguous on a network that doesn’t have TLS, you can crack passwords, replace packets, modify databases. In the worst case scenario, you can essentially dress up as a doctor,” Minneker told WIRED. “This is not a good access control mechanism for an electronic medical record system in the modern era.”
Minneker, a security engineer at software company Security Innovation, only briefly discussed the findings in a talk with DefCon, which mainly focused on VistA’s broader security assessment and the underlying programming language. MUMPS data underpins it. He has been trying to share the finding with the VA since January through the department vulnerability disclosure program and Bugcrowd third-party disclosure options. But Vista is beyond the scope of both programs.
This may be because the VA is currently trying to get rid of our VistA using a new medical records system designed by Cerner Corporation. In June, the VA announced that they will delay a joint rollout of the Cerner system worth $10 billion through 2023 as the pilot rollout was hampered by outages and likely resulted in nearly 150 cases patient harm.
The VA did not return multiple requests for comment from WIRED about Minneker’s findings or the broader situation with the VistA vulnerability disclosure. Meanwhile, however, VistA is not only being rolled out across the VA healthcare system, but is being used elsewhere as well.
