The U.S. Department of Veterans Affairs runs some interesting technology programs, but it is not a nimble or flexible organization. For years the VA has been playing out a slow but high-stakes drama over electronic medical records.
The department’s platform of record, VistA (short for Veterans Information Systems and Technology Architecture), was first established in the late 1970s and hailed as effective, reliable and even innovative, but decades of underinvestment have eroded it. Throughout the 2010s, the VA said several times that it would replace VistA with a commercial product, and it is currently working on the latest iteration of that effort. At the same time, however, security researchers are uncovering real safety issues in VistA that could affect patient care. They want to disclose these issues to the VA and get them fixed, but they have not found a way to do so, because VistA itself is on death row.
At the DefCon security conference in Las Vegas on Saturday, Zachary Minneker, a security researcher with a background in healthcare IT, presented findings about worrying vulnerabilities in how VistA encrypts internal credentials. Without an additional layer of network encryption (such as TLS, which is now ubiquitous on the web), Minneker found that the home-made encryption developed for VistA in the 1990s to secure connections between VistA web servers and personal computers is easy to crack. In practice, this could allow an attacker on a hospital network to impersonate a healthcare provider within VistA and potentially modify patient records, submit diagnoses, and even, theoretically, prescribe medication.
“If you are adjacent on a network without TLS, you can crack passwords, replace packets, modify databases. In the worst case, you can basically pretend to be a doctor,” Minneker told WIRED. “It’s not a good access control mechanism for a modern electronic medical record system.”
Minneker, a security engineer at the software-focused company Security Innovation, only briefly discussed these findings in his DefCon presentation, which focused on a broader security assessment of VistA and the database programming language MUMPS that underpins it. He has been trying to share the discovery with the VA since January through the department’s Vulnerability Disclosure Program and through Bugcrowd’s third-party disclosure option. But VistA is out of scope for both programs.
This may be because the VA is currently trying to phase out VistA in favor of a new medical records system built by Cerner Corporation. In June, the VA announced it would delay the full rollout of the $10 billion Cerner system until 2023, after the pilot deployment was plagued by disruptions and potentially harmed nearly 150 patients.
The VA did not respond to WIRED’s multiple requests for comment on Minneker’s findings or on the broader question of how VistA vulnerabilities should be disclosed. Meanwhile, VistA is not only deployed in the VA healthcare system but is also used elsewhere.