Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:39 PM
Connect Directly

Anatomy Of An Electronic Health Record Zero-Day

How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistaA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

The security flaw Mackey found allowed him to bypass most of the software's security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system's worst security nightmare: the potential for tampering with patient privacy and medical treatment.

"VistA at its heart is a database -- you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server, and the remote user needs to be authorized: That's in the security policy of the system," says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.

This policy ensures that nurses only access specific information and tools they are authorized to use, for example, not the breadth of treatment and other tools doctors can use. "But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records" and other tasks, he says.

VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital's or clinic's network, he says.

Mackey knew the significance of his bug find was big -- the VA manages the largest health-care system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and health-care facilities in several states, including California, Florida, New York, and Texas, plus Washington, D.C. Mackey first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General -- still no reply.

"It took months. I finished the semester and tried contacting various groups and waited quite a while [for a response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested," Mackey says.

So Mackey dug around and found a group of developers in a Google group called the "Hard Hats" -- former VA developers and consultants who have worked with VistA and now support the open-source community development of the code. The group confirmed Mackey's finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the "very serious" security flaw.

A patch for the VistA flaw was released on Oct. 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open-source efforts for VistA. Among the team that developed the patch was Medsphere, the EHR software vendor whose product Mackey had tested in his lab, iCare, Oroville Hospital in California, and members of OSHERA's staff.

"When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private-sector engineers worked together under our auspices to come up with a solution," says Dr. Seong Ki Mun, CEO of OSHERA. "This is the first time a patch was developed and tested involving all of the key community members ... This is different because over the years, people in government were not sure how to engage with the private sector."

Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. "Some parts of VistA are operational in most DoD medical centers" as well, he says.

There were no public reports of attacks exploiting the flaw, but Mun says he can't confirm whether the vulnerability was ever used in any attacks on health-care organizations running VistA. "We don't have any such information," he says. "But it is unlikely it ever got exploited."

The VA, like many federal agencies, already was in the bull's eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo., told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.

[1.8 million Americans have been victims of medical identity fraud -- including some from their own family members -- new report finds. See Medical ID Theft Spreads.]

Mackey says the flaw he found had been in place in VistA since 2002. "VistA is a massive system. This was just an initial look at one way that system could remotely communicate," he says of his research. "I kind of stopped my research after I found it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...