Anatomy Of An Electronic Health Record Zero-Day

How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country, used by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

The security flaw Mackey found allowed him to bypass most of the software's security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system's worst security nightmare: the potential for tampering with patient privacy and medical treatment.

"VistA at its heart is a database -- you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server, and the remote user needs to be authorized: That's in the security policy of the system," says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.

This policy ensures that nurses only access specific information and tools they are authorized to use, for example, not the breadth of treatment and other tools doctors can use. "But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records" and other tasks, he says.
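The pattern Mackey describes is a remote operation interface whose dispatcher runs whatever operation it is asked for, with the authentication and authorization checks the security policy requires never actually enforced on that path. The following is an added, constructed illustration of that class of flaw and of the fix, not VistA code and not the patch the article refers to: the operation names, roles, sessions and patient store are invented, and the point is that the hardened dispatcher checks the session and a default-deny, per-operation policy in the one place every request passes through, and records denials for detection.

```python
"""Constructed example: a remote operation dispatcher with and without
authentication/authorization enforced on the dispatch path.  Nothing here
is VistA code; every name below is invented for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


# Hypothetical operation handlers: they trust the dispatcher to have
# already decided whether the caller may run them.
def view_record(db: dict, patient_id: str) -> Optional[str]:
    return db.get(patient_id)


def edit_record(db: dict, patient_id: str, note: str) -> bool:
    db[patient_id] = note
    return True


OPERATIONS: Dict[str, Callable] = {
    "VIEW RECORD": view_record,
    "EDIT RECORD": edit_record,
}

# Least-privilege policy (constructed): which roles may invoke which
# operation.  Operations absent from the policy are denied by default.
POLICY: Dict[str, Set[str]] = {
    "VIEW RECORD": {"nurse", "doctor"},
    "EDIT RECORD": {"doctor"},
}


@dataclass
class Session:
    user: Optional[str] = None            # None until the client authenticated
    roles: Set[str] = field(default_factory=set)


class AuthError(Exception):
    pass


def dispatch_unchecked(session: Session, db: dict, op: str, *args):
    """The weak pattern: resolve the operation by name and run it.  The
    checks are assumed to have happened 'somewhere else', so any client that
    can reach the dispatcher can run any registered operation."""
    return OPERATIONS[op](db, *args)


def dispatch_checked(session: Session, db: dict, audit: List[str],
                     op: str, *args):
    """The hardened pattern: authenticate, then authorize per operation,
    before the handler is even looked up.  Every denial is appended to the
    audit list so unexpected unauthenticated or out-of-role requests can be
    alerted on."""
    if session.user is None:
        audit.append(f"DENY unauthenticated session requested {op!r}")
        raise AuthError("unauthenticated session")
    allowed = POLICY.get(op)
    if allowed is None:                      # default-deny unknown operations
        audit.append(f"DENY {session.user} requested unknown op {op!r}")
        raise AuthError(f"unknown operation {op!r}")
    if not (session.roles & allowed):
        audit.append(f"DENY {session.user} roles={sorted(session.roles)} "
                     f"requested {op!r}")
        raise AuthError(f"{session.user} not authorized for {op!r}")
    return OPERATIONS[op](db, *args)


def demo() -> dict:
    """Run both dispatchers against a constructed patient store and return
    the observed outcomes plus the audit trail from the hardened path."""
    db = {"P001": "baseline note"}           # constructed patient store
    anon = Session()                         # never authenticated
    nurse = Session(user="nurse1", roles={"nurse"})
    audit: List[str] = []
    results = {}

    # Weak dispatcher: an unauthenticated session edits a record.
    results["unchecked_anon_edit"] = dispatch_unchecked(
        anon, db, "EDIT RECORD", "P001", "changed")
    db["P001"] = "baseline note"             # reset for the hardened run

    # Hardened dispatcher: anonymous is blocked, nurse may view but not edit.
    for label, sess, op, args in [
        ("checked_anon_view", anon, "VIEW RECORD", ("P001",)),
        ("checked_nurse_view", nurse, "VIEW RECORD", ("P001",)),
        ("checked_nurse_edit", nurse, "EDIT RECORD", ("P001", "changed")),
    ]:
        try:
            results[label] = dispatch_checked(sess, db, audit, op, *args)
        except AuthError:
            results[label] = "denied"

    results["record_after"] = db["P001"]
    results["audit"] = audit
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The design point is that the check lives in the dispatcher, not in the individual handlers, so adding a new operation cannot silently reintroduce the gap, and an operation missing from the policy is refused rather than allowed. The audit list stands in for whatever the real system logs; a burst of denied, unauthenticated requests against a records interface is exactly the signal a monitoring team would want to see.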

VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital's or clinic's network, he says.

Mackey knew his find was significant -- the VA manages the largest health-care system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and health-care facilities in several states, including California, Florida, New York, and Texas, plus Washington, D.C. Mackey first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General -- still no reply.

"It took months. I finished the semester and tried contacting various groups and waited quite a while [for a response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested," Mackey says.

So Mackey dug around and found a group of developers in a Google group called the "Hard Hats" -- former VA developers and consultants who have worked with VistA and now support the open-source community development of the code. The group confirmed Mackey's finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the "very serious" security flaw.

A patch for the VistA flaw was released on Oct. 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open-source efforts for VistA. The team that developed the patch included Medsphere, the EHR software vendor whose product Mackey had tested in his lab; iCare; Oroville Hospital in California; and members of OSEHRA's staff.

"When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private-sector engineers worked together under our auspices to come up with a solution," says Dr. Seong Ki Mun, CEO of OSEHRA. "This is the first time a patch was developed and tested involving all of the key community members ... This is different because over the years, people in government were not sure how to engage with the private sector."

Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. "Some parts of VistA are operational in most DoD medical centers" as well, he says.

There were no public reports of attacks exploiting the flaw, but Mun says he can't confirm whether the vulnerability was ever used in any attacks on health-care organizations running VistA. "We don't have any such information," he says. "But it is unlikely it ever got exploited."

The VA, like many federal agencies, already was in the bull's-eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo., told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.


Mackey says the flaw he found had been in place in VistA since 2002. "VistA is a massive system. This was just an initial look at one way that system could remotely communicate," he says of his research. "I kind of stopped my research after I found it."

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
