Anatomy Of An Electronic Health Record Zero-Day
How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage
December 4, 2013
Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.
But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."
Mackey had discovered a major logic flaw in a key component of the code in the so-called VistaA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country by VA and commercial hospitals and clinics, and it has also gained some traction overseas.
The security flaw Mackey found allowed him to bypass most of the software's security altogether, potentially allowing an attacker to use the system without having to authenticate or provide any proof of what he is authorized to access. It was an EHR system's worst security nightmare: the potential for tampering with patient privacy and medical treatment.
"VistA at its heart is a database -- you have a database of these EMRs and remote workstations where doctors use a protocol to communicate with the central database and access medical records, modify them, and that kind of thing. The remote system has to be authenticated to the central server, and the remote user needs to be authorized: That's in the security policy of the system," says Mackey, who had selected VistA for his thesis on the vulnerability of large critical infrastructure systems to nation-state or other sophisticated threats.
This policy ensures that nurses only access specific information and tools they are authorized to use, for example, not the breadth of treatment and other tools doctors can use. "But this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records" and other tasks, he says.
VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital's or clinic's network, he says.
Mackey knew the significance of his bug find was big -- the VA manages the largest health-care system in the U.S., supporting 8 million veterans at 163 hospitals, 800 clinics, and 135 nursing care facilities. About half of all U.S. hospitals are VA hospitals running VistA, and the software also is run in non-VA hospitals and health-care facilities in several states, including California, Florida, New York, and Texas, plus Washington, D.C. Mackey first contacted US-CERT and got no reply, so he tried the VA Office of Inspector General -- still no reply.
"It took months. I finished the semester and tried contacting various groups and waited quite a while [for a response]. I forgot about it for a little while and then thought I really should try to contact someone [else] who might be interested," Mackey says.
So Mackey dug around and found a group of developers in a Google group called the "Hard Hats" -- former VA developers and consultants who have worked with VistA and now support the open-source community development of the code. The group confirmed Mackey's finding after evaluating his proof-of-concept, and alerted VA and Indian Health Service (IHS) security contacts about what they described as the "very serious" security flaw.
A patch for the VistA flaw was released on Oct. 25 by security experts at the VA and the Open Source Electronic Health Record Agent (OSEHRA), the organization that coordinates open-source efforts for VistA. Among the team that developed the patch was Medsphere, the EHR software vendor whose product Mackey had tested in his lab, iCare, Oroville Hospital in California, and members of OSHERA's staff.
"When we got alerted, we alerted our corporate members who offer services to their customers, and also alerted the VA. We all agreed it was sensitive but important information. This was the first time government and private-sector engineers worked together under our auspices to come up with a solution," says Dr. Seong Ki Mun, CEO of OSHERA. "This is the first time a patch was developed and tested involving all of the key community members ... This is different because over the years, people in government were not sure how to engage with the private sector."
Some 2,500 medical sites worldwide were affected by the vulnerability, Mun estimates. "Some parts of VistA are operational in most DoD medical centers" as well, he says.
There were no public reports of attacks exploiting the flaw, but Mun says he can't confirm whether the vulnerability was ever used in any attacks on health-care organizations running VistA. "We don't have any such information," he says. "But it is unlikely it ever got exploited."
The VA, like many federal agencies, already was in the bull's eye of attackers. House Veterans Affairs Committee member Michael Coffman, R-Colo., told members in a hearing this summer that nation-states have breached an unencrypted VA database multiple times, according to a published report by NextGov. The director of IT and security audits for the VA IG told Congress that a nation-state had also hacked a VA domain controller that supports an email system used by VA officials, the report said.
[1.8 million Americans have been victims of medical identity fraud -- including some from their own family members -- new report finds. See Medical ID Theft Spreads.]
Mackey says the flaw he found had been in place in VistA since 2002. "VistA is a massive system. This was just an initial look at one way that system could remotely communicate," he says of his research. "I kind of stopped my research after I found it."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like