Tech student finds hole in VA health records

For Doug Mackey, the discovery was disquieting.

This spring, the 38-year master’s student at Georgia Tech found a gaping hole in the system that safeguards all the Department of Veterans Affairs’ electronic health records.

The vulnerability could have imperiled the private information of millions of people. Instead, after Mackey aired his concerns online, fixes for the problem were developed by both the VA and a nonprofit group dedicated to making electronic health records more secure.

Mackey, who spent a decade working as a cyber security analyst for Australia’s Department of Defense, came across the defect in the VA’s system during the spring semester. He was probing the VA’s VistA (Veterans Health Information Systems and Technology Architecture) platform for a network security class.

In April, Mackey said, he tried to alert the VA to the problem. Weeks passed, and he didn’t hear back.

So, at the end of July, he got in touch with a group of VistA developers and consultants through a Google Group forum.

According to the VA, the agency issued a solution to the problem Sept. 30, which was implemented across all its hospitals Oct. 2.

“It’s important to note, no known breaches of VA’s data or systems occurred — and no known data was exposed to external parties — as a result of this issue,” the agency said in an emailed statement. “As soon as the issue was identified a patch was developed and deployed.”

Mackey, a distance-learning student who lives in Washington, said he spent several weeks just learning the ins and outs of VistA.

“VistA work stations used by doctors and nurses have to communicate through a central server,” he explained. “They do that by a proprietary messaging protocol.”

As he peeled back the layers of that protocol, he said, “I discovered that you could initiate many thousands of database commands without any authentication or authorization, which is a complete violation of the (VA’s) information security policy.”

Those commands could include alterations, deletions and viewing of medical records. The vulnerability had existed for roughly a decade, Mackey said, and it affected the VA’s entire electronic health records system.
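The flaw Mackey describes is a server that executes commands from a connection before it has verified who is on the other end, or whether that party may run that command at all. The following is an added illustration (not code from the article, VistA, the VA or OSEHRA): a toy command broker in the spirit of the "workstations talk to a central server through a messaging protocol" description, with a weak dispatcher that runs any named command for any connection beside a hardened one that requires a logged-in session and a per-command role check and writes an audit entry for every denial. Command names, roles, users, records and the session model are all constructed for the example and are not VistA's real protocol or RPC names.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data: a tiny "patient record" store and a user table.
# (Hypothetical values for the example, not real records or credentials.)
RECORDS: Dict[str, Dict] = {"P001": {"name": "Jane Doe", "allergies": ["penicillin"]}}
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "dr_smith": ("s3cret", {"clinician"}),            # may read/update records
    "records_admin": ("adm1n", {"clinician", "records-admin"}),  # may also delete
}
AUDIT_LOG: List[str] = []


class AccessDenied(Exception):
    """Raised by the hardened broker when a request fails auth or authz."""


@dataclass
class Session:
    """Per-connection state. user stays None until a LOGIN succeeds."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)

    @property
    def authenticated(self) -> bool:
        return self.user is not None


# Command handlers; the names are made up for the example.
def get_record(pid: str) -> Dict:
    return dict(RECORDS[pid])


def update_record(pid: str, key: str, value) -> str:
    RECORDS[pid][key] = value
    return "ok"


def delete_record(pid: str) -> str:
    RECORDS.pop(pid)
    return "deleted"


# --- Weak broker: looks the command up and runs it. No session check at all.
WEAK_COMMANDS: Dict[str, Callable] = {
    "GET": get_record, "UPDATE": update_record, "DELETE": delete_record,
}


def weak_dispatch(session: Session, command: str, *args):
    """Executes any known command for any connection, authenticated or not."""
    return WEAK_COMMANDS[command](*args)


# --- Hardened broker: LOGIN is the only anonymous command; every other
# command carries the role a session must hold before the handler runs.
HARDENED_COMMANDS: Dict[str, Tuple[str, Callable]] = {
    "GET": ("clinician", get_record),
    "UPDATE": ("clinician", update_record),
    "DELETE": ("records-admin", delete_record),
}


def login(session: Session, user: str, password: str) -> str:
    cred = USERS.get(user)
    # compare_digest avoids a timing side channel on the password check.
    if cred is None or not hmac.compare_digest(cred[0], password):
        AUDIT_LOG.append(f"LOGIN failed user={user!r}")
        raise AccessDenied("bad credentials")
    session.user, session.roles = user, set(cred[1])
    AUDIT_LOG.append(f"LOGIN ok user={user}")
    return "ok"


def hardened_dispatch(session: Session, command: str, *args):
    """Authenticate, then authorize per command, then (and only then) execute."""
    if command == "LOGIN":
        return login(session, *args)
    if not session.authenticated:
        AUDIT_LOG.append(f"denied unauthenticated cmd={command}")
        raise AccessDenied("authenticate first")
    entry = HARDENED_COMMANDS.get(command)
    if entry is None:  # unknown commands are refused, not passed through
        AUDIT_LOG.append(f"denied user={session.user} unknown cmd={command}")
        raise AccessDenied("unknown command")
    required_role, handler = entry
    if required_role not in session.roles:
        AUDIT_LOG.append(f"denied user={session.user} cmd={command} needs={required_role}")
        raise AccessDenied(f"{command} requires role {required_role}")
    AUDIT_LOG.append(f"allowed user={session.user} cmd={command}")
    return handler(*args)


if __name__ == "__main__":
    anon = Session()
    print("weak broker, no login:", weak_dispatch(anon, "GET", "P001"))
    try:
        hardened_dispatch(anon, "GET", "P001")
    except AccessDenied as exc:
        print("hardened broker, no login:", exc)
    hardened_dispatch(anon, "LOGIN", "dr_smith", "s3cret")
    print("hardened broker, after login:", hardened_dispatch(anon, "GET", "P001"))
    print("\n".join(AUDIT_LOG))
```

The point of the hardened path is ordering: the authentication check and the role lookup happen in the dispatcher, before any handler is reached, so adding a new command cannot accidentally bypass them, and every refusal leaves an audit record that a monitoring team can alert on.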

To be clear, Mackey was never playing with the actual records of soldiers and veterans around the country — which are only accessible through a hospital’s intranet, a special computer network set up only for internal employees.

He was able to deconstruct the VistA source code because it was open sourced, which means that any developer can access it. Because the system was created and is maintained by the federal government, anyone can get the code through an open records request.

In fact, other hospitals outside the government have adopted the system.

In one sense, that’s a weakness, opening a door for bad actors who might want to exploit vulnerabilities in the code. But it’s also a strength, allowing independent programmers to devise ways to strengthen the system.

That’s what happened in this case.

After Mackey raised the alarm, the nonprofit Open Source Electronic Health Record Agent (OSEHRA) jumped in and contributed an additional fix for the VA’s problem.

“We’re very proud of both the process and the outcome here,” Dr. Seong Ki Mun, the chief executive of OSEHRA, said in a press release.

Still, Mackey finds the incident troubling.

Intranet networks are subject to penetration by a variety of tactics. Among them are spear phishing attacks that dupe unwitting users with malware embedded in carefully crafted email messages.

And while ferreting out VistA’s vulnerability was difficult, it only took Mackey six or seven weeks of work. “So if you had a nation-state that was interested in the VA, there was no reason why they couldn’t have found it, as well,” he said.

“I don’t really understand how something like that could happen,” Mackey said. “It clearly violates the VA’s own security policy to have something like that there, so I wonder about their management systems.”