Open-source community helps with emergency VistA patch
- By Kathleen Hickey
- Dec 10, 2013
While working on his final project for a master's degree in information security, Georgia Tech graduate student Doug Mackey discovered a security flaw in VistA, the Veterans Health Information Systems and Technology Architecture electronic health records system.
Mackey was using VistA as a test case for outlining the relative vulnerability of large government computer systems to attacks by foreign governments.
“I wanted to study the security of software used within a real system in a critical economic sector,” he told Network World. “The health sector and VistA were chosen because VistA is open source, and all the source code is easily available. Using the open-source code, I set up an isolated lab test system to study.”
VistA is used by the Department of Veterans Affairs throughout its medical system. The department says it's the single largest integrated health care system in the United States, serving over 8 million patients annually. Nearly 25 percent of the population is potentially eligible for VA benefits and services and could potentially use VistA. It consists of nearly 160 integrated software modules for clinical care, financial functions and infrastructure.
“The vulnerability has been there for many years and likely would have remained there unknown and undiscovered for years to come,” Mackey told Network World. It could have been used to execute “thousands” of remote commands, without any authorization, on these health records databases, creating the potential for tampering with patient privacy and medical treatment, he added.
Whether the flaw would have been fixed had Mackey not doggedly pursued the matter is debatable. Mackey first contacted the U.S. Computer Emergency Readiness Team and then the VA Office of Inspector General but received no response from either, he told Network World. Only after posting the issue on an open-source developers' forum for VistA did he get a response.
The nonprofit Open Source Electronic Health Record Agent (OSEHRA), whose mission includes building a vendor-neutral community for the creation and support of open-source EHRs, spearheaded the effort to create an emergency patch, now available to all VistA users.
OSEHRA described the fix as “a textbook example of how the concept of open source can improve system security” in a statement. “VA decided not only to fast-track its own patch for distribution but also to bring the OSEHRA open-source version into VA as the next step of their process.”
Research projects and public awareness campaigns are focusing attention on health care information security.
Two University of Texas at Arlington researchers are leading a collaborative National Science Foundation project to protect personal, electronic health care data while ensuring that the anonymous records can be used for secondary analysis and improved health care. The Office of the Attorney General in California, in collaboration with the American Health Information Management Association, issued best practice recommendations for providers — and tips for patients — to better safeguard health data from theft, reported Healthcare IT News.
Meanwhile, the Defense Department is delaying its EHR deployment to 2017, according to NextGov.
While the delay is caused by escalating costs — an anticipated $28 billion — rather than security issues, the VA’s security flaw and fix could affect system development.
Kathleen Hickey is a freelance writer for GCN.