The United States Department of Veterans Affairs runs some interesting technology programs, but it is not known for being flexible or quick to react. The VA has been through a slow but high-stakes drama over electronic medical records management.
VistA, the department's records platform, has been praised as effective, reliable, and even innovative, but decades of under-investment have eroded its usefulness. The VA has said repeatedly that it will replace VistA with a commercial product, and the latest attempt is still under way. Meanwhile, security researchers are finding real security issues in VistA that could affect patient care. They want to report those issues to the VA, but they can't, because VistA is on death row.
At the DefCon security conference in Las Vegas on Saturday, security researcher Minneker, who has a background in healthcare IT, presented findings about a weakness in how VistA protects internal credentials. The home-brewed encryption written for VistA in the 1990s to protect the connection between the server and individual workstations can be easily defeated. An attacker with access to a hospital's network could use this to impersonate a healthcare provider within VistA, and potentially modify patient records, submit diagnoses, or even prescribe medication.
"You could make changes to the database if you were adjacent on the network," Minneker says. "In the worst case, you would be able to masquerade as a doctor. It's not a good access control mechanism for an electronic medical record system."
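The class of weakness described above, as an added illustration that is not VistA's code and not the researcher's findings: a hypothetical credential "encryption" that is nothing more than a fixed substitution table shipped with every client (the table index travels in the clear), next to a challenge-response login in which the wire never carries anything reversible to the password. The scheme, the user name, and the credential values are all assumptions constructed for the example.

```python
"""Key-less credential "encryption" versus challenge-response.

Added, hypothetical example: not VistA code and not the DefCon finding.
The substitution scheme is an assumption chosen to show the general
failure mode of home-brewed transport protection.
"""
import hashlib
import hmac
import os
import random
import string

# Assumed wire format: two-digit table index in the clear, then the
# password with each character replaced via that table. The only "secret"
# is the set of tables, and every client carries them.
_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def _make_tables(count: int, seed: int = 1) -> list:
    """Deterministic shuffles: every client (and so every attacker) has them."""
    rng = random.Random(seed)
    tables = []
    for _ in range(count):
        chars = list(_ALPHABET)
        rng.shuffle(chars)
        tables.append("".join(chars))
    return tables


TABLES = _make_tables(20)


def homebrew_encrypt(plain: str, table_index: int) -> str:
    table = TABLES[table_index]
    body = "".join(table[_ALPHABET.index(c)] for c in plain)
    return "%02d%s" % (table_index, body)


def homebrew_decrypt(blob: str) -> str:
    table = TABLES[int(blob[:2])]
    return "".join(_ALPHABET[table.index(c)] for c in blob[2:])


def attacker_recover(captured_blob: str) -> str:
    """Network-adjacent attacker, path 1: run the client's own decode."""
    return homebrew_decrypt(captured_blob)


def learn_mapping(own_plain: str, own_blob: str) -> tuple:
    """Path 2 (no tables needed): one login whose password the attacker
    knows, e.g. their own low-privilege account, reveals that table's
    entries for every character the password contains."""
    idx = int(own_blob[:2])
    return idx, {c: p for p, c in zip(own_plain, own_blob[2:])}


def decode_with_mapping(learned: tuple, blob: str) -> str:
    idx, mapping = learned
    if int(blob[:2]) != idx:
        return ""  # different table; nothing learned applies
    return "".join(mapping.get(c, "?") for c in blob[2:])


# Contrast: challenge-response. The server keeps a per-user verifier and
# issues a fresh nonce; the client answers with an HMAC over it. The wire
# carries nothing reversible to the password, and a captured answer cannot
# be replayed against a new nonce.
def make_verifier(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()


USERS = {"dr.example": make_verifier(b"ac-code;verify-code")}  # constructed


def server_challenge() -> bytes:
    return os.urandom(16)


def client_response(nonce: bytes, password: bytes) -> bytes:
    return hmac.new(make_verifier(password), nonce, hashlib.sha256).digest()


def server_verify(user: str, nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(USERS[user], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)
```

The stored verifier in the second half is password-equivalent (anyone who steals it can answer the challenge), so it still needs protecting and a slow KDF rather than plain SHA-256; the point shown is the transport property only. In practice the login would also run inside TLS with server authentication, which a network-adjacent attacker cannot passively strip, and which is what the 1990s-era link protection lacks.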
During his DefCon talk, which focused mostly on a broader security assessment of VistA and the database programming language MUMPS that underlies it, Minneker discussed the credential finding only briefly. He has been trying to report it to the VA through the department's vulnerability disclosure program, but VistA is out of scope for that program.
The VA is trying to phase out VistA in favor of a new medical records system. In June of this year, the VA announced that it would delay the general rollout of the $10 billion Cerner system because the pilot deployment had been plagued by problems that could have led to patient harm.
The VA did not respond to WIRED's multiple requests for comment about vulnerability disclosure for VistA. VistA is deployed across the VA healthcare system and is also used elsewhere.