the us department of Veterans Affairs runs some interesting tech programs, but it’s not known for being a flexible or nimble organization. And when it comes to electronic medical records, the VA has had a slow but high-stakes drama for years.
The department’s registration platform, VistA, first instituted in the late 1970s, is hailed as efficient, reliable and even innovative, but decades of underinvestment have eroded the platform. On several occasions throughout the 2010s, the VA has stated that it will replace VistA (short for Veterans Information Systems and Technology Architecture) with a commercial product, and the latest iteration of this effort is currently underway. In the meantime, however, security researchers are discovering real security issues in VistA that could affect patient care. They want to disclose them to the VA and fix the issues, but they haven’t found a way to do so as VistA itself is on death row.
At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in health informatics, presented findings on a concerning weakness in the way VistA encrypts internal credentials. Without an additional layer of network encryption (like TLS, which is now ubiquitous on the web), Minneker discovered that the homemade encryption developed for Vista in the 1990s to protect the connection between the network server and individual computers can be easily defeated. . In practice, this could allow an attacker on a hospital network to impersonate a healthcare provider in VistA, and potentially modify patient records, submit diagnoses, or even theoretically prescribe medications. .
“If you were adjacent on the network without TLS, you could break passwords, overwrite packets, make database changes. Worst-case scenario, you could essentially impersonate a doctor,” Minneker told WIRED. “It’s just not a good access control mechanism for an electronic medical record system in the modern age.”
Minneker, who is a security engineer at software company Security Innovation, only briefly discussed the findings at his DefCon conference, which was mostly focused on a broader evaluation of Vista’s security and the language. programming of database MUMPS which underlies it. He’s been trying to share the discovery with the VA since January through the department’s vulnerability disclosure program and Bugcrowd’s third-party disclosure option. But Vista is out of reach for both programs.
This may be because the VA is currently trying to phase out VistA using a new medical records system designed by Cerner Corporation. In June, the VA announced it would delay the general deployment of the $10 billion Cerner system until 2023, as pilot deployments have been plagued with outages and have led to nearly 150 cases in which patients could have been injured.
The VA did not return WIRED’s multiple requests for comment on Minneker’s findings or the broader situation of vulnerability disclosure in VistA. In the meantime, however, VistA isn’t just being deployed in the VA healthcare system, it’s also being used elsewhere.