
Anatomy Of An Electronic Health Record Zero-Day

How a dangerous security flaw in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was all that interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted EHR platforms in the country, used by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

The security flaw Mackey found allowed him to bypass most of the software's security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system's worst security nightmare: the potential for tampering with patient privacy and medical treatment.

"VistA at its heart is a database -- you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server, and the remote user needs to be authorized: That's in the security policy of the system," says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.

This policy ensures, for example, that nurses can access only the specific information and tools they are authorized to use, not the full breadth of treatment and other tools available to doctors. "But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records" and other tasks, he says.
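The failure mode Mackey describes, an interface that runs any named operation without checking who is calling, modelled in added example code that is not VistA's or Medsphere's; the operation names, roles and credentials are constructed for illustration, and the point is that the fix belongs in the dispatcher every interface shares, not in one front door:

```python
"""Added example (not VistA or Medsphere code): a simplified model of the defect above.
One interface checked callers; a second reached the same operation table unchecked.
The fix puts the checks in the shared dispatcher so every interface inherits them."""
from dataclasses import dataclass

# Constructed role policy: nurses get a narrow set of operations, doctors a wider one.
ROLE_PERMISSIONS = {
    "nurse": {"READ_VITALS", "RECORD_VITALS"},
    "doctor": {"READ_VITALS", "RECORD_VITALS", "READ_RECORD", "EDIT_RECORD"},
}
# Constructed operation table standing in for the system's thousands of operations.
OPERATIONS = {op: (lambda name: lambda patient: f"{name} on {patient}")(op)
              for op in ROLE_PERMISSIONS["doctor"]}
# Constructed credential store (user -> (password, role)); illustration only.
CREDENTIALS = {"nurse1": ("n-pass", "nurse"), "doc1": ("d-pass", "doctor")}
class AuthError(Exception):
    pass

@dataclass
class Session:
    user: str
    role: str

class Server:
    def __init__(self):
        self.audit = []  # one line per decision; the DENY lines are what detection watches

    def login(self, user, password):
        # Authentication: a session exists only for a caller who proved a credential.
        entry = CREDENTIALS.get(user)
        if entry is None or entry[0] != password:
            raise AuthError("bad credentials")
        return Session(user, entry[1])

    def dispatch_unchecked(self, op, patient):
        # 'Before': the second interface ran whatever operation was named, never asking
        # who the caller was, so any client on the intranet could run anything.
        return OPERATIONS[op](patient)

    def dispatch(self, session, op, patient):
        # 'After': authentication and per-operation authorization are enforced here,
        # the one place every interface must pass through.
        if session is None:
            self.audit.append(f"DENY unauthenticated {op}")
            raise AuthError("not authenticated")
        if op not in ROLE_PERMISSIONS.get(session.role, set()):
            self.audit.append(f"DENY {session.user}({session.role}) {op}")
            raise AuthError("not authorized")
        self.audit.append(f"ALLOW {session.user}({session.role}) {op}")
        return OPERATIONS[op](patient)
```

The audit list is the detection hook: a burst of DENY lines, or any traffic reaching the operation table without an ALLOW line, is the signal a monitoring team would alert on.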

VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital's or clinic's network, he says.

Mackey knew his find was significant -- the VA manages the largest health-care system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and health-care facilities in several states, including California, Florida, New York, and Texas, plus Washington, D.C. Mackey first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General -- still no reply.

"It took months. I finished the semester and tried contacting various groups and waited quite a while [for a response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested," Mackey says.

So Mackey dug around and found a group of developers in a Google group called the "Hard Hats" -- former VA developers and consultants who have worked with VistA and now support the open-source community development of the code. The group confirmed Mackey's finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the "very serious" security flaw.

A patch for the VistA flaw was released on Oct. 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open-source efforts for VistA. Among the team that developed the patch were Medsphere, the EHR software vendor whose product Mackey had tested in his lab; iCare; Oroville Hospital in California; and members of OSEHRA's staff.

"When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private-sector engineers worked together under our auspices to come up with a solution," says Dr. Seong Ki Mun, CEO of OSEHRA. "This is the first time a patch was developed and tested involving all of the key community members ... This is different because over the years, people in government were not sure how to engage with the private sector."

Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. "Some parts of VistA are operational in most DoD medical centers" as well, he says.

There were no public reports of attacks exploiting the flaw, but Mun says he can't confirm whether the vulnerability was ever used in any attacks on health-care organizations running VistA. "We don't have any such information," he says. "But it is unlikely it ever got exploited."

The VA, like many federal agencies, already was in the bull's eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo., told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.


Mackey says the flaw he found had been in place in VistA since 2002. "VistA is a massive system. This was just an initial look at one way that system could remotely communicate," he says of his research. "I kind of stopped my research after I found it."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
