Federal officials have released a software patch to fix a flaw in the Department of Veterans Affairs’ VistA electronic health record (EHR system) that was discovered by a Georgia Institute of Technology graduate student, GCN reports (Hickey, GCN, 12/10).
Details of Security Flaw
Graduate student Doug Mackey found the remote access security flaw while working on a final project for his master’s degree.
He said the flaw means “some remote messages are not properly security checked, and a remote unauthenticated or unauthorized user can execute any of thousands of database operations.”
However, Mackey noted that “an adversary would first have to stage an operation to gain access to an internal network” before taking advantage of the flaw because VistA is not connected to the Internet.
Mackey said he was particularly concerned that the vulnerability was introduced in 2002 and not found by anyone for more than a decade (Ouellette, Health IT Security, 12/9).
He said the flaw could have been used to perform “thousands” of remote commands within the VistA system without authorization (GCN, 12/10).
VA, OSEHRA Response
VA and the not-for-profit Open Source Electronic Health Record Agent worked from June to early November to create a software patch to fix the flaw.
Don Hewitt, vice president of business operation at OSEHRA, said Mackey’s discovery “was the first time that we’ve seen a security issue arise from the [open-source] community.”
Hewitt added, “We view this as a validation of the fact that you can get better security with open source as you get more sets of eyes on the code”