The Power Of Open Source Collaboration Increases VistA EHR Security

Maureen Markey | Open Source Delivers | December 2, 2013

Who would like to hear a great story about the power of open source?  I had just started working at the Open Source Electronic Health Record Agent (OSEHRA) and the concept of open source was new to me.  I had yet to be convinced of its influence and impact, when this happened…

In July, a Georgia Tech graduate student named Doug Mackey was evaluating the US Department of Veterans Affairs’ (VA) VistA (Veterans Health Information Systems and Technology Architecture) Electronic Health Record (EHR) software for a project on computer security.  His original intent was to show the vulnerability of large critical infrastructure systems to attack by nation states and other organized threats.  He chose VistA due to its wide deployment in VA hospitals and clinics and its increasingly widespread global use in the private sector.

After obtaining an open source version of the VistA software, the grad student began a systematic examination of the code base and found what appeared to be a significant security hole in an obscure communications broker program.  It appeared that, with some creative formatting, a message could be sent that enabled the sender to subsequently execute a wide variety of remote commands without authentication.